Selected Virus Collection and Research Utilities


  1. Archiving and Inventory tools
  2. Research Tools
  3. Imaging Tools
  4. Various Tools

Archiving and Inventory tools

Name: AVID95
Category: Archiving / Inventory Tool
Site:
Contact: fagerland@pki.uib.no

Features: A computer virus cross-reference and administrator utility that uses sophisticated database techniques to organize and keep track of a virus collection.

Name: CollectionMaker
Category: Archiving / Inventory Tool
Site: http://best.site.cz/igi/cm/english.htm
Contact:

Features: CollectionMaker uses so-called report files (or logfiles), which are generated by some antivirus programs during their run. Those report files include (among other information) details about the files on your disk which are infected by a virus. Using this information, CollectionMaker is able to sort your virus collection in a handy way. CollectionMaker can create directories with names derived from virus names (they can be extracted from such a logfile) and copies the corresponding files there (e.g. virus A will be in directory A). Afterwards, it is much easier to navigate in such a sorted collection. If you are looking for, for example, the macro virus W97M/Melissa.A, just enter the directory named W97M/Melissa.A...

Name: The Collector
Category: Archiving / Inventory Tool
Site:
Contact:

Features: The Collector imports raw reports from virus scanners (CRC, MD5, signature and reference imports) generated by over 8 current virus-scanner-related utilities, including two major virus scanners. All relevant information is put into the database, sorted and polished, available for your viewing pleasure. Displays data in sorted order of filename, original description, modified description (shorter and polished), 16-bit CRC value, 32-bit CRC, MD5 value, search signature, file size, search signature MD5 checksum, McAfee description or both F-Prot.

Name: HomeSlice Weeder for Win32
Category: Archiving / inventory tool
Site: http://www.coderz.net/homeslice/weeder.html
Contact: thehomeslice@mail.com

Features: HSWeeder works exactly like TbWeeder (DOS app), but has more features and is a true 32-bit application. It finds duplicate virus files based upon 32-bit CRC values, and can search inside of zip files without unzipping.

Name: HomeSlice Requester
Category: Archiving / inventory tool
Site: http://www.coderz.net/homeslice/request.html
Contact: thehomeslice@mail.com

Features: HS Requester takes any newfprot.log or newavp32.log, then prepares the requested files for your trader and optionally DCCs them via mIRC or Pirch. Because doing that shit manually takes a long damn time.

Name: NemSort
Category: Archiving / inventory tool
Site:
Contact:

Features: Nemsort will sort your computer viruses by zipping them each into an individual file with an individual spiffy FILE_ID.DIZ description file for your BBS.

Name: Nome Weed
Category: Archiving / inventory tool
Site: http://ggnome.cjb.net/
Contact:

Features: Author's note: "Cool file weeder utility, the fastest file weeder I know. It can create a database which you can use in trading samples, and can create a duplicates log (simple or detailed). Platform: Windows 95/98/2000, WINNT 4.0, command line Author: [G]-Nome Size: 27K"

Name: PGWeed
Category: Archiving / inventory tool
Site:
Contact:

Features: TbWeeder-like tool that creates more specific .DAT files (U_NEED.LST and I_NEED.LST).

Name: Rose's File Weeder
Category: Archiving / inventory tool
Site: http://come.to/rose_swe
Contact:

Features: TbWeeder-like tool that weeds duplicate files and is capable of smart renaming the weeded files.

Name: TbWeeder
Category: Archiving / inventory tool
Site:
Contact:

Features: TbWeeder (Frans Veldman) is an "in house" sorter for ThunderByte Anti-Virus.

TbWeeder is a utility to weed out duplicate files.

Virus researchers often receive large virus collections which contain many duplicate files. Not all anti-virus vendors use the same virus naming convention, and often a virus sample is renamed to match the name printed by the scanner used to identify the virus. These renamed files are copied into other collections, leaving many renamed but identical files floating around in all kinds of virus collections.

TbWeeder can help to identify duplicate files, and automatically delete them.

Duplicate files are files with the same 32-bit CRC and length. To be absolutely sure, TbWeeder will perform a full match - byte by byte - of the files if both files are available.

TbWeeder can also maintain a database so it is not necessary to rescan all files over and over again to search for duplicates.

Name: VGrep
Category: Archiving / Inventory tool
Site: http://www.virusbtn.com/VGrep
Contact: vgrep@virusbtn.com

Features: VGrep is an attempt to provide a solution to a problem which vexes anyone who takes technical support calls in the anti-virus industry. In spite of the best efforts of CARO, there are very few signs of convergence in virus naming 'conventions'. By its very nature, it is an ugly problem.

What VGrep does is attempt to provide a system to cross-reference this myriad of names. The logic is that if I run X scanner products across our virus collection, I will be able to combine the log files generated by the products (the primary key being the filename, of course) into a table. The reality, of course, is nothing like as easy as this, and this work requires a fair amount of processing power.

Name: VirArc
Category: Archiving / inventory tool
Site: http://home.wirefire.com/nathan/virarc.htm
Contact: nathan@wirefire.com

Features: Archives a virus collection using F-Prot and AVP log files. Windows based.

Name: VirSort
Category: Archiving / inventory tool
Site:
Contact:

Features: A virus collector's tool allowing a virus collector to keep a clean collection of viruses that have been sorted out into unique infections based upon standard anti-virus scanner log files. VirSort is also a tool which allows virus traders to trade viruses with each other, only sending the scannable viruses that the other does not yet have. VIRSORT (for Win95) can create sorted subdirectories (and files) that follow the DOS 8.3 file-name convention, or create directories and filenames in the LongFileName (LFN) format. VIRSORT will NOT overwrite files like it did in the past. When a filename exists that is IDENTICAL to the filename in the database (in 8.3 mode), an error message is created and placed into a file called OVRWRITE.LOG. This file is ONLY created if the sort is in 8.3 mode and the name of the database used is VIRSORT.DAT.

Name: VirSort
Category: Archiving / inventory tool
Site:
Contact: chj@ing.ruhr.de

Features: This is a modified version of the original VirSort (above). The source code by the programmer of the original VirSort was changed and recompiled. This version bypasses some problems with the DOS 8.3 filenames, and it will also sort in modified and truncated samples. This version also recognizes Generation-1 samples.

Name: VirTake
Category: Archiving / inventory tool
Site:
Contact:

Features:

Author's Note:

"VirTake is the perfect toolkit; combined with VirSort (c) Brian Burdick it allows you to maintain a perfectly sorted virii collection, and interchange virii much faster than others that don't have VirTake. VirTake is able to modify the new-vir.log reported by VirSort and the reports of Fridrik Skulason's F-Prot, providing a "cleaned" file with only the virii file names, or transforming the new-vir.log or F-Prot report into an execme.bat that copies the virii files from the source directory to an optional target directory."

Name: Virus Collector's Toolbox
Category: Archiving / inventory tool
Site:
Contact:

Features:

    1. Catalogs and sorts through your viruses, even ones inside PKzip files WITHOUT UNZIPPING THEM.
    2. Handles up to 16,000 virus files!
    3. Recurses subdirectories - hunts down your data file/config file in your path
    4. Extracts virus names from F-PROT/AVPRO/TBAV reports and imports them into the database, automatically!
    5. Stores NAME, file size, file date, CRC, virus name, plus the PKZIP file containing the file (if any). No more ridiculous CRC-only databases
    6. Catalogs .TD0 .ASM .A86 .C* .OBJ .EXE .COM .VXE .VOM .SYS .BO? .PAS - not just executable files
    7. Allows comparing two virus collections and generating a report on what you DO NOT have.
    8. Checks duplicates before importing new viruses
    9. Converts F-PROT, TBAV or AVPRO report files into DESCRIPT.ION for all you 4Dos users
    10. Even finds duplicates INSIDE PKZIP files without uncompressing. That means if you unzipped a file, TOOLBOX will recognize it is already inside the .ZIP!
    11. Exports into DBASE/PARADOX/EXCEL/ACCESS compatible comma-delimited file
    12. Also prints Sorted reports based upon Name, Size, or CRC value
    13. Merges multiple databases, eliminating duplicates automatically
    14. Creates a batch file automatically that will delete your duplicates, even dupes inside of PKZIP files
    15. It's FREEWARE - Source code included!
    16. Enhanced versions for 386 and 486 processors

Name: Viruskeeper
Category: Archiving / inventory tool
Site: http://www.coderz.net/tally/vk.html
Contact: talli@ponyexpress.net

Features: VirusKeeper One is a full-featured virus collection manager. It will take your virus logs, archive your viruses, give you reports and help you access your viruses. It will generate requests from other people's logs and fill their requests for viruses. VirusKeeper has probably the most careful virus checking of any freeware collection system. With VirusKeeper, your worries about virus handling, collection organization and management are over:

    1. Accurate parsing of logs, no missing some variants of viruses.
    2. Automatic handling and archiving of viruses for safe handling.
    3. Easy to use browsing system allowing comparison of AVP and FPROT virus naming.
    4. Support for fully, partially and suspiciously IDed viruses, trojans and backdoors, damaged, droppers, object files and more.
    5. Trade ratio calculation.
    6. Easily view and compare viruses in the browse screen - and Search!
    7. Automatic log detection.
    8. Automatic handling of private viruses.
    9. Automatically zips up undetected viruses.
    10. Individual statistics pages for each scanner.
    11. Ability to build up database from scanner logs.
    12. Simple, one time configuration of system options.
    13. Configurable number of viruses per zip.
    14. Online/HTML documentation.
    15. Makes extra zips of new files for sharing with others.
    16. Share/UNshare files according to logs.
    17. Run in zipped/non-zipped mode.

Name: Virus Organizer
Category: Archiving / inventory tool
Site: http://www.coderz.net/zulu/virus_collection.htm
Contact:

Features: Another virus collection organizer, by the author of the Bubbleboy virus. Author's Note: "The program reads an antivirus report file and moves or copies the infected files to a new folder. Inside this one, it creates more folders named with the first character of the names of the viruses they contain. Each file is copied with the name of the virus it has and the original extension (in lowercase). In case of duplicated viruses, one file of each is moved or copied. The report file must be from F-PROT or Antiviral Toolkit Pro. Files can be named with the name of the virus exactly as reported by the antivirus or with the type of virus between parentheses at the end. It has an option to keep duplicated viruses in the original folder or to delete them, and another option to replace characters that are not supported in file names with the ones you want. Also, optionally, you can replace spaces in the file names with another character. Source code included. Read the text file for more information."

Name: Virus Quarantine
Category: Archiving / inventory tool
Site: http://www.geocities.com/Vienna/Opera/3503/virusq/
Contact: arcanoi@hotmail.com

Features: Another virus collection organizer.

Name: Virus Sorter New Generation
Category: Archiving / inventory tool
Site: http://jump.to/bcves
Contact:

Features: VSNG stands for "Virus Sorter New Generation". It is a powerful and extremely fast virus collecting and trading tool with extended sorting and statistics capabilities. It is completely command-line based, which makes it ideal for batch usage. It is fully compiled in 32-bit mode, which makes it additionally very fast and uses the system's capabilities.
The program is based on the use of log files created by AV programs.
The virus files are neither moved out of their directory structure nor renamed, to give the user full control over their own sorting system.
It has the ability to process up to 35,000 viruses per second or read 60,000 lines in the same time, managing huge logfiles without problems. Additionally, you have full control over sorting out certain unwanted file types, logging, creating statistics in plain text and HTML at the same time, and many useful tools, like ZIP and RAR support and much more!

Name: VirZip
Category: Archiving / inventory tool
Site:
Contact:

Features: Another useful program, this one also uses your F-Protect logfile. It ZIPs up all of your viruses that correspond with the same name. Each virus has its own ZIP file except in cases where the same virus is both a COM file and an EXE. Very fast, with constant progress reports.

Name: VS2000
Category: Archiving / inventory tool
Site: http://www.coderz.net/vtc/utility.htm
Contact:

Features: This program is used to create databases of the viruses you have in your collection using AV log files. VS2000 can detect and process automatically F-Prot/F-Macrow, AVP/AVPDOS32/AVP32 and Dr. Solomon (MS-DOS versions) log files.

Name: VS2WVIR
Category: Archiving / inventory tool
Site:
Contact: RalphRoth@gmx.net

Features: Generates a handy DOS batch file from the F-Prot (VirSort) LOG file of your partner, including those viruses you are still looking for. With an FMacro to F-Prot log file converter and an object-to-executable converter utility. AWK source, sample batch files and executables included!

Name: VSort
Category: Archiving / inventory tool
Site: http://ggnome.cjb.net/
Contact:

Features: Author's Note: VSort is a virus collection sorting tool. It takes as input one or more antivirus scanning logs and produces a batch file (dosort.bat) which will arrange the infected files depending on VSort's options. The look of the collection is fully customizable by command line options (/STYLE:) and configuration file (vsort.cfg). Platform: Windows 95/98/2000, WINNT 4.0, command line Author: [G]-Nome Size: 36K

Name: VWeed
Category: Archiving / inventory tool
Site:
Contact:

Features: Windows version of a TbWeeder-like program to weed out duplicate files.

Name: Virus Collection Helper
Category: Archiving / inventory tool
Site:
Contact:

Features: Tool specifically created to help rename a large number of virus samples.

Name: WinSort
Category: Archiving / inventory tool
Site: http://home.wirefire.com/nathan/winsort.htm
Contact: nathan@wirefire.com

Features: Virus collection organizer like VirusKeeper and VS2000. 32-bit application with integrated ZIP/UNZIP support.


Research Tools

Name: BiNWRITE
Category: Research tool
Site: http://www.hitel.net/~Xevious7/binwrite.html
Contact: Xevious7@www.hitel.net

Features: BiNWRITE stands for Binary writer. It can raw copy binary images of boot sector viruses to disk boot sectors.

Name: DebugSCR
Category: Research tool
Site:
Contact: PC Magazine / Ziff Publications

Features: Creates .SCR debug scripts from binary code.

Name: Decom
Category: Research tool
Site:
Contact: RalphRoth@gmx.net

Features: This is a simple utility that will step through a polymorphic (MtE, TPE, SPE, G2, PS_MPC...) decryptor and decrypt the virus it is attached to, then terminate before executing the virus.

When used, DECOM will attempt to follow the execution of the program until the end of the decryptor. It will not execute dangerous INT calls, and will terminate if one is encountered. It also terminates if DS and ES change, or if a far call or something else is encountered that would cause the loss of control over the program's execution. THIS DOES NOT ABSOLUTELY GUARANTEE SAFETY WHEN RUN! While I have not encountered a polymorphically encrypted file that it did not safely decrypt, it is quite possible to program such a file.

Name: DumpEXE
Category: Research tool
Site:
Contact:

Features: This program can unpack ANY packed EXE file. It means that a file packed with an unknown EXE packer can be expanded to its original size and format. Supports the following debuggers: Soft-Ice, GameTools & Turbo Debugger.

Name: General Tracer
Category: Research tool
Site: http://home.t-online.de/home/enoch/download.htm#GTR
Contact:

Features: General TRacer is a utility for removing almost all packers & crypters. It has been tested with the following programs... ComprEXE v1.0, PKlite v1.50, Shrink v1.0, LZEXE 91, Crunch v1.0, RJCrush v1.10, TinyProg v3.9, AVpack v1.22, COMpack v4.5, eLITE v2.0, WWPack v3.05b5, Hackstop v1.18/386, Protect! v6.0, Crypt v1.21, DoP-Crypt v1.04, ICE v1.00, ProtEXE v3.10, RCC v1.13 mild/hard, RCC386 v0.61, RCrypt v0.91, RCC-II v1.06, ALEC v1.6, Crackstop v1.02, Guardian Angel v1.0b, SCRAM! v0.8a1, XCOMOR v0.99h, Suckstop v1.11r, LamerStop v1.0, AINexe v2.23, COM2TXT v1.11, COMlock v0.1, COMt v0.1d, Crypt v2.0, cryptCOM v2.0, COMscrambler v0.1, Deepcrypt v0.1b, EXEcode v1.0, EXEguard v1.3, EXEhigh v1.01, EXElock v1.0, JauMingCryptEXE v0.7j, Jmt-cp v0.5a, Kevin EXE filekit v1.15a, Mask v2.3, MegaLite v1.20a+, Mess v1.13b, MutaWWP v1.0, NetRun v3.1, Secure v0.27, PCrypt v3.5, TRAP v1.14, UPStop 0.95

Name: GOAT File Creator Package
Category: Research tool
Site:
Contact: Igor.Muttik@uk.drsolomon.com

Features: The GOAT package is a tool for antivirus researchers.

The GOAT file generator produces executable victim file(s) (COM, EXE [also NE and PE format] or SYS), typically called "sacrificial goat file(s)". These output files are used as baits for the viruses.

Name: List Word Macros
Category: Research tool
Site:
Contact: mike.janda@mpcug.com

Features: LWM will allow you to safely examine the macros present in Word version 6 documents and templates without the need to load the file into Word and possibly activate a virus or trojan that could delete files, format the drive or install a virus on your system. Since LWM does not use Word (or Windows!) to read the file, there is no chance that any malicious macros can do anything to your system. Just run LWM with the name of the Word template and it will write out a new file with the extension 'mac' containing all the macros, listed much like they would be listed in Word (see program notes below for some exceptions).

Name: MakeGoat
Category: Research tool
Site:
Contact:

Features: MakeGoat Goat document generator is a Microsoft Word macro that generates goat documents for virus research. Designed to be easy to use.

Name: MBRFaker
Category: Research tool
Site:
Contact: RalphRoth@gmx.net

Features: MBRFAKER - for testing hybrid viruses. Simulates a hard disk and redirects all writes to the MBR into a file. All hard-disk access is logged to the screen so that the virus behaviour can be examined. Source code included. Freeware from ROSE. For 80286+. WARNING: DATA LOSS POSSIBLE!

Name: RoseGoat
Category: Research tool
Site:
Contact: RalphRoth@gmx.net

Features: Goat file Generator. ROSEGOAT produces executable victim files (COM/EXE), typically called "sacrificial goat files". These output files are used as baits for viruses. ROSEGOAT produces a batch file TESTIT.BAT to run the goat files. With tons of options for creating different types of goat files.

Name: UNP
Category: Research tool
Site:
Contact:

Features: Executable file expander. Uncompresses files compressed with DIET, EXEPACK, LZEXE, PKLITE and many other file compression utilities. UNP also allows you to convert files from COM to EXE and vice versa, optimize EXE headers and remove overlay data from EXE files.

Name: ViroCrack
Category: Research tool
Site:
Contact:

Features: This software simply cracks encryption using any of the following techniques:

8-bit ADD and SUB
8-bit XOR
8-bit ROR and ROL
8-bit NOT
16-bit ADD
16-bit XOR
16-bit ROR and ROL
16-bit NOT

This means you can now easily decrypt the majority of computer viruses out there and see what text is inside without ever having to touch a disassembler. Not to mention the fact that there is LOTS of software which uses these encryption algorithms for its internal or external encryption purposes.

Name: Write COM
Category: Research tool
Site:
Contact:

Features: WC was developed to aid virus researchers in capturing a pure virus. The WC program will make a "BAIT" file to the certain specifications that you pass to it via the command line. The WC utility is very useful in isolating new viruses.

Name: XorFind
Category: Research tool
Site:
Contact: machek@k332.feld.cvut.cz

Features: This program can search for XOR-ed texts in files. It can be useful for identifying viruses (most viruses encode their text strings with XOR).

Imaging Tools

Name: Teledisk
Category: Imaging Tool
Site:
Contact: Sydex

Features: TELEDISK is a program to transfer any diskette into a file and vice versa. TELEDISK does not require DOS-formatted diskettes to operate - TELEDISK will even copy some "copy-protected" formats. Teledisk was (maybe still is) often used to create .TD0 images of diskettes infected with boot sector viruses.

Various Tools

Name: AVlist
Category: Various
Site:
Contact:

Features: This program is capable of extracting lists of detected viruses from the DOS versions of F-Prot, AVP and Dr. Solomon. Great for checking which viruses are still missing from a collection.

Name: DOT2DOC
Category: Various
Site:
Contact:

Features: Converts .DOT Word template files to regular .DOC document files.

Name: F-DCRYPT
Category: Various
Site:
Contact:

Features: F-DCRYPT is a program for recovering the password and decrypting documents produced by Microsoft Word versions 6.0-7.0a and Microsoft Excel versions 5.0-7.0.

Several macro viruses encrypt the documents of the user as part of their destructive payload. If it turns out that the encryption of the document has been done by the virus and is, therefore, unwanted, the user can use this F-DCRYPT utility to display the password and even decrypt the documents.

Name: RenEXTS
Category: Archiving / inventory tool
Site:
Contact:

Features: "RenExts" was written to rename files back to their original extensions. It does this by checking the contents of the file and matching those contents to known formats. It is HIGHLY accurate. I use this program EXCLUSIVELY on my (Phage's [CCTX]) collection. The program scans all the files in the current subdirectories and recurses into any other directories. As it goes it writes output to the screen, to a file called "BadList.Lst" and to a batch file named "RenF.Bat". The theory is this: run the program in the directory that you want checked. Look at the "badlist.lst", if you agree with the results run "RenB.Bat". If you do NOT agree with the results, send me a copy of the files and why you disagree.