VCM1: Obtaining the list of viruses you miss from AVP
by VirusBuster
Before explaining the "how" I would like to explain the "why".
There are several reasons to explain why someone would like to obtain a list with the viruses he misses from AVP aka KAV. One could be in order to make a "most wanted" list or a request of missed stuff. Other reason can be that someone could make a search in Google or similars looking for the worm or virus or whatever he misses and find it. Per example you notice you miss "Backdoor.Iroffer.1209", so you go to Google and look for "iroffer". First result is "iroffer - home" which is the site of the backdoor so you get it without much effort.
Now that you know why is so interesting to have a list with the stuff missed from AVP we are going to see how to obtain it.
First I will explain three methods to obtain the list containing all the viruses detected by AVP and finally I will comment how to use it to obtain the list of missed stuff.
First method: AVLIST
"Virus name lister 1.5 for AntiVirus Software.
This is a Shareware by Jack liu. (/? help)
Support: AVP, F-Prot, Dr.Solomon, NAI Scan 4.x
Usage: AVLIST path
path AntiVirus software path
default path
AVP ..\AV\AVP\
DR.Solomon ..\AV\DR\
F-Prot ..\AV\FP\
Scan 4.x ..\AV\NAI\
for F-Prot
Please do: F-PROT /VIRLIST>F-PROT.LST"AVLIST is a tool coded by Jack liu with just one purpose: generate a list with the missed stuff from AVP, F-Prot, Dr. Solomon and NAI Scan 4.x.
The tool is really simple to use and you only have to tell AVLIST where is the path containing AVP databases. After that you will get a log having all detected stuff by AVP.
Second method: AVP eXtender aka AVPX
"AVPX AVP eXtender release 3.29 (c) 1998-2001 Z0MBiE http://z0mbie.cjb.net
syntax:
AVPX [option[-] ...] [!keyword ...] filemask[.AVC] [outpath[\]]
options:
/no ...do not create obj files (both 16 and 32-bit) -- works faster
/no16 ...do not create only 16-bit obj files
/no32 ...do not create only 32-bit obj files
/l ...keep obj libs (.l16/.l32) files -- do not erase 'em on exit
/k ...keep lnkNNNN.dat files
/names ...extract ONLY virii names
/a ...append to _names instead of overwriting file
/q ...be quiet (but show warnings/errors)
/qq ...be quiet (show nothing)
/nh ...no headers/info
/ns ...no stamms/info
/p ...pause on error/warning messages
/ren ...automatically rename .OBJ files
examples:
AVPX c:\avp\* d:\sux /names /a ...append all known virnames to d:\sux\_names
AVPX . ...will extract all AVCs in the current directory"AVPX is a tool coded by 29A member named Z0MBiE and it is multipurpose.
We do not need to know all its uses, just the commands necessary to get the list of all viruses detected by AVP. For this we follow next steps:
- We create a directory and copy *.AVC there.
- We go to directory having *.AVC and execute AVPX using next commands:
- AVPX . . /names /a
- We execute VS2000 console with next command line:
- VS2000 -DA _NAMES C:\TEST\TEST.EXE~9infected:~20
- We rename _NAMES to AVP.LOG
AVP.LOG will be the log with complete list of viruses detected by AVP.
Third method: AVPVLIST
AVPVLIST is a tool installed along with KAV 4.5 and it is used to make a list of all viruses detected by the antivirus.
The usage of the tool is really simple. The user must indicate the path where the log must be stored and then press "Generate".
After this you must modify the generated file in order to convert it to a valid AVP log file. I use EDIT.COM for this for example.
Valid AVP log format is: path + tabulator + infected: + space + virus ID
Example:
C:\TEST\TEST.COM#9infected: Jerusalem.1808.AFinal step: Using the log with all detected stuff by AVP.
You just have to compare the log you got with your AVP database.
Example using VS2000 console:
VS2000 -C AVP.LOGAnd that is all. You will get NEWAVP.LOG with all the stuff you miss.
