PatternFinder Howto

The PatternFinder tries to figure out which pattern of a virus a scanner looks for. It does this by systematically overwriting parts of the virus file and checking whether the scanner still detects the virus.

Necessary software

You need an installed Java 2 Runtime Environment, Standard Edition (JRE). Every JRE >= 1.2 should be fine, but I have only tested it with 1.3.1. You can get it from Sun at http://java.sun.com/j2se/ .

Usage

You have to tell PatternFinder which virus scanner to use (with its path, if necessary), how to get the virus name from the scanner output and which files to scan, e.g.
java -jar PatternFinder.jar antivir 32 2 "'" "'" Codered2.exe
Here 'antivir' is the scanner command, 32 is the number of workers, 2 is the number of output lines to skip and the two quoted arguments are the prefix and postfix around the virus name (see below). You can also give more than one file:
java -jar PatternFinder.jar antivir 32 2 "'" "'" Codered2.exe Nimda.eml
The full usage is:
java -jar PatternFinder.jar <scannercommand> <# of workers> <# of lines to skip> <prefix> <postfix> <filename> [<filename>...]
The PatternFinder has to parse the output of the virus scanner to determine whether one of its test files is infected and which virus was detected. Just run your favorite virus scanner on an infected file and look at the output. If it looks like this
/home/kurt/Codered2.exe
Date: 23.12.2001  Time: 04:19:02  Size: 3818
VIRUS: file contains a signature of the virus  'Worm/CodeRed.2'
then we have to skip 2 lines to get to the name (the line with the file itself is counted too), and the prefix and postfix of the name are both a single quote ('). If it looks like this
/home/kurt/Codered2.exe
        Found the W32/CodeRed.c.worm virus !!!
then we have to skip 1 line, the prefix is 'Found' and the postfix is ' !!!'. This is what I use:

Virus scanner        parameters to PatternFinder
F-Prot               0 "Infection: " ""
H+B EDV antivir      2 "'" "'"
NAI uvscan           1 "Found" '!!!'
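As an added example (not PatternFinder's own code), here is how the skip/prefix/postfix parameters can be turned into a parser in Python. The two scanner outputs are the ones shown above; the function returns None when no report line is found, which is what a clean file looks like. Note that with the uvscan delimiters from the table ('Found' and '!!!') this parser still returns the words around the name; the tighter delimiters in the last call are my own choice, shown for contrast.

```python
"""Extract the virus name from scanner output the way the PatternFinder
parameters describe it: skip N lines after the line naming the scanned
file, then take the text between <prefix> and <postfix>.  Added example,
not the project's own code."""
from typing import Optional

# Scanner outputs as shown in the howto (antivir and uvscan formats).
ANTIVIR_OUTPUT = """/home/kurt/Codered2.exe
Date: 23.12.2001  Time: 04:19:02  Size: 3818
VIRUS: file contains a signature of the virus  'Worm/CodeRed.2'
"""
UVSCAN_OUTPUT = """/home/kurt/Codered2.exe
        Found the W32/CodeRed.c.worm virus !!!
"""


def virus_name(output: str, filename: str, skip: int,
               prefix: str, postfix: str) -> Optional[str]:
    """Return the detected virus name, or None if the file is not reported.

    The line that mentions the scanned file counts as line 0; the report is
    expected 'skip' lines below it, with the name between prefix and postfix.
    An empty prefix means 'from the start of the line', an empty postfix
    means 'to the end of the line'.
    """
    lines = output.splitlines()
    for i, line in enumerate(lines):
        if filename not in line:
            continue
        idx = i + skip
        if idx >= len(lines):
            return None                      # scanner printed no report line
        report = lines[idx]
        start = report.find(prefix) if prefix else 0
        if start < 0:
            return None                      # prefix missing: not a report
        start += len(prefix)
        end = report.find(postfix, start) if postfix else len(report)
        if end < 0:
            return None                      # postfix missing: not a report
        name = report[start:end].strip()
        return name or None
    return None


if __name__ == "__main__":
    print(virus_name(ANTIVIR_OUTPUT, "Codered2.exe", 2, "'", "'"))
    print(virus_name(UVSCAN_OUTPUT, "Codered2.exe", 1, "Found", "!!!"))
    print(virus_name(UVSCAN_OUTPUT, "Codered2.exe", 1, "Found the ", " virus !!!"))
```

The last call shows why the delimiters deserve a look before a long run: whatever ends up between prefix and postfix becomes the name on the left of the '=' in the signature line, so it should be the bare virus name.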

Hint: If you are running Linux and have activated the executable JAR-file support documented in '/usr/src/linux/Documentation/java.txt', you can omit the 'java -jar' once you make the JAR file executable.

After a run there is a file called 'virus.0.infected', which contains the cleared version of the file that is still detected as infected (everything the scanner does not need has been overwritten), and another file called 'virus.0.cleared', which contains everything but the infected parts. If a file has multiple infections, the algorithm is started several times and you get files called 'virus.1.infected' and 'virus.1.cleared', and so on.

Output

The PatternFinder uses System.err for status messages and System.out for lines like
Worm/CodeRed.2=50ff559c8d855cfeffff50ff55988b40108b08898d58feffffff55e43d040400000f94c13d040800000f94c50acd0fb6c9898d54feffff8b7508817e309a0200000f84c4000000c746309a020000e80a000000436f64655265644949008b1c24ff55d8660bc00f958538feffffc78550
BDS/VirtualRoot=680401000068d0204000e8610100008db8d0204000be00204000a5a5a5a56a0168d0204000e84c010000e80c00000068c0270900e831010000ebef68d8244000683f000f006a0068102040006802000080e8320100000bc075266a0468542040006a046a006848204000ff35d8244000
If such a line contains no spaces, you can put it into the 'virussignatures.txt' of ScannerDaemon and it will detect this virus. If you want to do this in one step, append the output directly:
java -jar PatternFinder.jar antivir 32 2 "'" "'" Codered2.exe Nimda.eml >> virussignatures.txt
Important: Do not use '> virussignatures.txt', as this will overwrite the old file!
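The following Python sketch is an added example, not PatternFinder's own code. It shows the narrowing described at the top of this page and the two result files described above: a stand-in scanner that fires on a fixed byte pattern replaces the real scanner, the file is split in halves repeatedly, and each half is overwritten with 0x00; if the scanner still detects the file, that half stays cleared, otherwise it is restored and split further. The result is the 'infected' buffer (only the pattern left), the 'cleared' buffer (everything but the pattern) and the 'name=hex' line in the format shown above. The sample file and the pattern offset are constructed; the pattern bytes are taken from the Worm/CodeRed.2 line above. One caveat the code has to deal with: a pattern byte that equals the fill byte cannot be told apart from a cleared byte, so the printed pattern is the contiguous span between the first and the last byte that proved necessary.

```python
"""Narrow a detected file down to the bytes the scanner actually needs.
Added example of the PatternFinder idea, not the project's own code.
The 'scanner' here is a stand-in that fires on a fixed byte pattern."""
from typing import Callable, List, Tuple

Range = Tuple[int, int]      # half-open byte range [start, end)
FILL = 0x00                  # byte used to overwrite regions under test

# Pattern bytes taken from the Worm/CodeRed.2 output line in the howto
# (the "CodeRedII" string plus a few bytes around it).  The file layout
# around it and the offset 100 are constructed for this example.
PATTERN = bytes.fromhex("e80a000000436f64655265644949008b1c24")
OFFSET = 100
_buf = bytearray(((i * 37 + 11) & 0xFF) for i in range(320))
_buf[OFFSET:OFFSET + len(PATTERN)] = PATTERN
SAMPLE = bytes(_buf)


def fake_scanner(data: bytes) -> bool:
    """Stand-in for 'antivir'/'uvscan': detects if PATTERN occurs anywhere."""
    return PATTERN in data


def narrow(data: bytes, detects: Callable[[bytes], bool]) -> Tuple[bytes, List[Range], int]:
    """Return (infected, needed, scans).

    infected : data with every region cleared that the scanner does not need
    needed   : sorted byte ranges that could not be cleared
    scans    : how many times the scanner was invoked
    """
    buf = bytearray(data)
    scans = 0

    def scan() -> bool:
        nonlocal scans
        scans += 1
        return detects(bytes(buf))

    if not scan():
        raise ValueError("the scanner does not detect the original file")

    needed: List[Range] = []
    todo: List[Range] = [(0, len(buf))]
    while todo:
        lo, hi = todo.pop()
        saved = buf[lo:hi]
        buf[lo:hi] = bytes([FILL]) * (hi - lo)
        if scan():
            continue                    # still detected: region is not needed
        buf[lo:hi] = saved              # detection lost: restore the region
        if hi - lo == 1:
            needed.append((lo, hi))     # a single byte the pattern needs
        else:
            mid = (lo + hi) // 2        # split and test both halves
            todo.append((mid, hi))
            todo.append((lo, mid))
    return bytes(buf), merge(sorted(needed)), scans


def merge(ranges: List[Range]) -> List[Range]:
    """Join adjacent single-byte ranges into contiguous ones."""
    out: List[Range] = []
    for lo, hi in ranges:
        if out and out[-1][1] == lo:
            out[-1] = (out[-1][0], hi)
        else:
            out.append((lo, hi))
    return out


def cleared_file(data: bytes, needed: List[Range]) -> bytes:
    """'virus.N.cleared': the original with only the needed bytes overwritten."""
    buf = bytearray(data)
    for lo, hi in needed:
        buf[lo:hi] = bytes([FILL]) * (hi - lo)
    return bytes(buf)


def signature_line(name: str, infected: bytes, needed: List[Range]) -> str:
    """'<virusname>=<hex>' in the format PatternFinder prints.  Pattern bytes
    equal to FILL look like cleared bytes, so the span from the first to the
    last needed byte is taken as the pattern, holes included."""
    first, last = needed[0][0], needed[-1][1]
    return f"{name}={infected[first:last].hex()}"


if __name__ == "__main__":
    infected, needed, scans = narrow(SAMPLE, fake_scanner)
    print(signature_line("Worm/CodeRed.2", infected, needed))
    print(f"{len(needed)} range(s), {scans} scanner runs for {len(SAMPLE)} bytes")
```

The halving keeps the number of scanner runs far below one run per byte, which is what makes the approach usable against a real scanner that takes a fraction of a second per file. The stand-in scanner is exact-match, so the result is clean; a real scanner with several patterns for one virus, or with a checksum over a region, will not narrow down this neatly, which is the reason for the caution in "How can I help?" below.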

Currently, the PatternFinder does a lousy job on Microsoft Office file formats. This will be fixed in a future version.

How can I help?

If the PatternFinder finds just one long pattern, this is very likely the one we need to detect this virus. But without deep knowledge of the inner workings of the virus, no one knows for sure.

Please send the patterns you found to the OpenAntiVirus-Project, so that we can include them in our database.
$Id: PatternFinder-Howto.html,v 1.7 2002/02/16 10:27:22 kurti Exp $