Exemple of writing a signature for binary file: Henrique Dias <hdias@aesbuc.pt> Last Change: Tue Sep 30 11:24:13 WEST 2003 This document provides suggestions for write signatures for viruses. pico -> editor (you can use vim, emacs or another editor) xxd -> hex dump of a given file -> Change to directory where you have the infected file or virus $ cd virus/W32_Yaha.u_MM $ ls specimen.zip $ unzip specimen.zip $ xxd setup.exe > hex.txt $ more hex.txt -> Get the application signature from the begin of the hex file: application signatures ---------------------- e9 474554 4d534654 49545346 7f454c46 4d5a000002 4d5a420002 4d5a500002 4d5a900003 4d5a930001 d0cf11e0a1b11ae1 ---------------------- application signature | | |----------| 0000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000 MZ..........ÿÿ.. 0000010: b800 0000 0000 0000 4000 0000 0000 0000 ........@....... 0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000030: 0000 0000 0000 0000 0000 0000 e000 0000 ............à... 0000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 5468 ..º....Í!..LÍ!Th 0000050: 6973 2070 726f 6772 616d 2063 616e 6e6f is program canno 0000060: 7420 6265 2072 756e 2069 6e20 444f 5320 t be run in DOS 0000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000 mode....$....... 0000080: d1e9 2b6c 9588 453f 9588 453f 9588 453f Ñé+l..E?..E?..E? 0000090: ee94 493f 9488 453f 1694 4b3f 8588 453f î.I?..E?..K?..E? ... -> Look at the file for a good signature: ... 0009190: 6b6c 6d41 7172 7775 7677 78ff 09fa ff79 klmAqrwuvwxÿ.úÿy 00091a0: 7a30 3132 3334 3536 3738 392b c63c 2f42 z0123456789+Æ</B 00091b0: 4f44 595e 76c1 bf3e 0d48 544d 4c3e c93c ODY^vÁ.>.HTML>É< 00091c0: 170b 45fb 76d9 9dc7 300d 4a3c 3c46 4f4e ..EûvÙ.Ç0.J<<FON 00091d0: 5428 6010 ee32 0d56 0738 a7ff 6070 ed74 T(`.î2.V.8.ÿ`pít 00091e0: 91d9 6f2d 3838 3539 2db9 62b8 4414 4be8 .Ùo-8859-.b.D.Kè <-- Start 00091f0: 07eb e9a7 1525 742f ad6d 7777 23e1 3558 .ëé..%t/.mww#á5X 0009200: 2a8f 274d 4b29 a021 fa4d 494d 452d 493a *.'MK).!úMIME-I: 0009210: cacd 5a5a a171 aafe 2f5a 5818 ee6d 6978 ÊÍZZ.qªþ/ZX.îmix --> End 0009220: d764 3755 b8bb 827e bb3d cee4 9e62 9c5d .d7U...~.=Îä.b.] 0009230: 9d0a f681 d66f 0d00 3ee3 bd06 3a26 1e11 ..ö.Öo..>ã..:&.. 0009240: 2220 97eb dd6f 1348 48a1 1973 2748 6cbe " .ëÝo.HH..s'Hl. 0009250: 03be 6401 2c64 0901 2079 0044 6880 6f24 ..d.,d.. y.Dh.o$ 0009260: 4556 4441 5fb1 71ef ffd0 5243 5054 2054 EVDA_.qïÿÐRCPT T 0009270: 4f3a 3c19 3e1e 0180 15d2 fe4c 2046 524f O:<.>....ÒþL FRO ... Signature (you can choose another signature): 91d96f2d383835392db962b844144be8 07ebe9a71525742fad6d777723e13558 2a8f274d4b29a021fa4d494d452d493a cacd5a5aa171aafe2f5a5818ee6d6978 -> Change to File-Scan directory after extract the compressed file: $ cd File-Scan-X.XX -> Now, add the signature to the file signature database. $ pico files/signatures.txt date::app_signature::Virus_Name::Position::signature | | | | | | +----+ | | +--------+ | | | | | 20030730::4d5a900003::W32/Yaha.u@MM::0::91d96f2d383835392db962b844144be807ebe9a71525742fad6d777723e135582a8f274d4b29a021fa4d494d452d493acacd5a5aa171aafe2f5a5818ee6d6978 -> Edit the Makefile.PL and change the value of $debug to 1. $ pico Makefile.PL ---Makefile.PL------------------------------- use strict; my $debug = 0; --> Change to 1 my $bufflen = 1024; --------------------------------------------- $ perl Makefile.PL $ make test $ sudo make install $ make clean -> Scan the infected file with example scanner: $ examples/scan.pl ../../virus/W32_Yaha.u_MM/setup.exe ----------------------------------------------------------------------- ... 31744 32768 33792 34816 35840 36864 37888 <--- Position ../../virus/W32_Yaha.u_MM/setup.exe Infection: W32/Yaha.u@MM Results of virus scanning: -------------------------- Objects scanned: 1 Skipped: 0 Suspicious: 0 Infected: 1 Scan Time: 0 wallclock secs ( 0.01 usr + 0.01 sys = 0.02 CPU) ----------------------------------------------------------------------- $ pico files/signatures.txt -> Now, change the position to the new position: date::app_signature::Virus_Name::Position::signature | | | | | | +----+ | +--+ +-----------+ | | | | | 20030730::4d5a900003::W32/Yaha.u@MM::eq37888::91d96f2d383835392db962b844144be807ebe9a71525742fad6d777723e135582a8f274d4b29a021fa4d494d452d493acacd5a5aa171aafe2f5a5818ee6d6978 Conditions: -------------------------------------------------------- 0 Scan all file lt/le n Scan after read n bytes gt/ge n Scan only before read n bytes eq n Scan if n is equal to the bytes read ne n Scan if n is not equal to the bytes read or logical OR operation and logical AND operation -------------------------------------------------------- $ pico Makefile.PL -> Change again the value of $debug to 0. ---Makefile.PL------------------------------- use strict; my $debug = 1; --> Change to 0 my $bufflen = 1024; --------------------------------------------- $ perl Makefile.PL $ make test $ sudo make install $ make clean -> Test the signature with the example scanner: $ examples/scan.pl ../../virus/W32_Yaha.u_MM/specimen.zip ---Result------------------------------------ /tmp/setup.exe Infection: W32/Yaha.u@MM ../../virus/W32_Yaha.u_MM/specimen.zip ZIP archive Results of virus scanning: -------------------------- Objects scanned: 1 Skipped: 0 Suspicious: 0 Infected: 1 Scan Time: 0 wallclock secs ( 0.02 usr 0.00 sys + 0.00 cusr 0.01 csys = 0.03 CPU) For better virus name look at: http://vil.nai.com/vil/default.asp http://www.antivirus.com/vinfo/virusencyclo/ http://www.viruslist.com/