VS2000's 8.8 manual
-------------------

Index:

1. Introduction
2. Commands
3. Subcommands
4. Examples
5. Bugs
6. History
7. Copyright
8. Supported logs

1. Introduction
---------------

VS2000 has been created to sort virii collections. This program is able to manage log files, create databases and perform other kinds of operations with log files.

VS2000 is Win95/98/NT compatible.

Only AVP and F-Prot log files are managed directly.

2. Commands
-----------

The format for the commands in VS2000 is:

  VS2000 or or

where:

  is the different options you can use.
  is the name of the file to process.
  is the string to search for.
  is the destination directory.

There are 20 main commands and several subcommands. A main command is always required; subcommands are optional and they appear between "{}" symbols.

The main commands are:

  -B  Used to create the virii database from a log file.
  -C  Used to compare the virii from a log file.
  -A  Used to add the new virii from a log file to the virii database.
  -X  Used to compare 2 log files and get what's new for each log file.
      Note: Only AVP and F-Prot log files are supported in "X" command.
  -S  Used to search for strings in the databases.
  -I  Used to process NEWxxx.LOG files using full path of infected files.
  -P  Used to process NEWxxx.LOG files using file names of infected files.
  -Q  Used to manage other kinds of logs than F-Prot and AVPDOS32.
  -F  Used to drop duplicate files from two log files.
  -D  Used to manage strings from files.
      Note: If VS2000 doesn't find the string, the file is not modified. VS2000 accepts multiple strings separated by commas.
  -H  Used to count the number of virii you have in your collection.
      Note: Count unique virii only works for AVP and F-Prot log files.
  -R  Used to generate reports from virii databases.
  -L  Used to generate lists from virii databases.
  -W  Used to generate a browse list from virii databases.
      Note: By default, F-Prot names are in the first column.
  -G  Used to generate statistics from virii databases.
  -O  Used to look for a list of wanted stuff from a log file.
      Note: VS2000 will process only fully identified viruses, "unknown" and "damaged" for F-Prot included.
  -M  Used to optimize the speed when you use DAT files.
  -T  Used to generate a file with duplicate virii from a log file.
      Note: File with duplicates is named with the same name of processed file and "DUP" extension.
  -E  Used to show the time used by VS2000 to process commands.
  -U  Used to make a log with unscanned files.
      Note: You will have to manually strip the header and bottom information of processed log files, deleting everything but the lines with scanned files. You will have to use "/LIST" for F-Prot and "/O" for AVP so that they report unscanned stuff.

Other notes:

+ VS2000 is able to process up to five log files at the same time:

    VS2000 -C AVP.LOG F-PROT.LOG DRSOL.LOG AVP2.LOG F-PROT2.LOG

  VS2000 will detect the kind of logs the files are and it will compare logs looking for new virii.

+ VS2000 is able to process only one log using -I and -P commands. Example:

    VS2000 -P NEWAVP.LOG will run.
    VS2000 -I NEWAVP.LOG NEWFPROT.LOG will not run.

3. Subcommands
--------------

Subcommands are:

For -B, -C, -A and -X commands:

  S  Used to force VS2000 to manage "Dropper", "Object", etc. in F-Prot's logs.
     Note: If you use "S" subcommand to build a database, you will have to use "S" with -C and -A main commands too.

For -A:

  L  Used to force VS2000 to create NEWxxx.LOG.

For -H:

  U  Used to force VS2000 to count unique virii.
  X  Used to force VS2000 to count total virii.

For -L:

  U  Used to force VS2000 to list only unique virii.

For -G:

  H  Used to force VS2000 to write statistics in HTML format.
  U  Used to force VS2000 not to count non-unique virii.

For -R:

  A  Used to force VS2000 to generate alphabetically sorted CLNxxx.LOG logs.
  N  Used to force VS2000 not to write "NOSEND" virii.
     Note: If you use "N" subcommand, all virii with "nosend" or "NOSEND" string in the path will not be included in CLNxxx.LOG files.
     Tip: If your private stuff is not located in a directory named "nosend" you can do one of the following two things:
       1) You rename the directory with the private stuff to "NOSEND".
       2) You edit VS2000.EXE and you change "nosend" and "NOSEND" for what you need.
          Example: if your private stuff is located at "\NOTRADE" you will change "nosend" for "notrad" and "NOSEND" for "NOTRAD". You must make the change two times since it's case-sensitive.

For -S:

  X  Used to force VS2000 not to output to screen.

For -I and -P:

  C  Used to force VS2000 to COPY files.
  M  Used to force VS2000 to MOVE files.
  X  Used to force VS2000 to rename files to VS00000x format.

For -Q:

  G  Used to force VS2000 to use generic information.

     The format for INI files is:

     1st line:
       1) Name of the DAT file to be created.
       2) A comma.
       3) The string used to identify the log file.

     2nd line:
       1) String before the name of the virus.
       2) Comma.
       3) String before the path of the infected file. Empty if there is not any string before the path.
       4) Comma.
       5) String after the name of the virus. VS2000 will delete everything after that. Empty if you don't want to delete anything.
       6) Comma.
       7) String after the path of the virus. VS2000 will delete everything after that. Empty if you don't want to delete anything.
       8) Comma.
       9) String added to the name of the virus. Empty if you don't want to add anything.

     Next lines would be as 2nd line.

     Example:

     You have in a Cleaner's log:

       [24.06.2000 23:08:46] Constructing Cleaner Record for VBS.Freelink which was found in P:\New\1999.12\NT000347.vbs

     You name the DAT as "CLEANER", and you use "Constructing Cleaner" as the identifying string.

     Then you choose:

       "Record for " as the string before the name of the virus.
       "found in " as the string before the path of the infected file.
       " which was" as the string after which you will delete in the name of the virus.
       Nothing as the string after which you will delete in the path of the infected file.
       ".test" as the string to add to the name of the virus.
       CLEANER,Constructing Cleaner
       Record for ,found in , which was,,.test

     If you don't want to add anything to the name of the virus don't put anything. Example:

       CLEANER,Constructing Cleaner
       Record for ,found in , which was,,

  B  Used to force VS2000 to build DAT file.
  C  Used to force VS2000 to compare a log.
  A  Used to force VS2000 to add new viruses to DAT file.
  H  Used to force VS2000 to count viruses in DAT files.
  L  Used to force VS2000 to list all supported logs.
  R  Used to force VS2000 to run the internal INI file creator.

For -D:

  L  Used to force VS2000 to delete the line where the string appears.
  O  Used to force VS2000 to delete all the lines but the ones with the string to search for. No multiple strings allowed.
  A  Used to force VS2000 to add a string in column 1. Space character is represented by "%20".
  R  Used to force VS2000 to replace a string.
  C  Used to force VS2000 to make a case insensitive search.

For -W:

  A  Used to force VS2000 to put AVP names in the first column.
  N  Used to force VS2000 not to put file names.

For -T:

  S  Used to force VS2000 not to check "(exact)" and similar strings.

For -O:

  A  Used to force VS2000 to keep all files, not only one for each wanted virus.

4. Examples
-----------

VS2000 -B TEST.LOG

  VS2000 will detect the kind of log TEST.LOG is, and it will create the virii database.

VS2000 -BS TEST.LOG

  VS2000 will detect the kind of log TEST.LOG is, and it will create the database. VS2000 will manage "Dropper", "Object", "kit", "intended", ..., strings.

VS2000 -C TEST.LOG

  VS2000 will detect the kind of log TEST.LOG is, and it will compare the virii with the ones in the virii database looking for new virii.

VS2000 -A TEST.LOG

  VS2000 will detect the kind of log TEST.LOG is, and it will add the new virii in the log to the virii database.

VS2000 -ALS TEST.LOG

  VS2000 will detect the kind of log TEST.LOG is. VS2000 will add the new virii in the log to the virii database.
  VS2000 will create NEWxxx.LOG with the new virii and it will manage "Dropper", "Object", "kit", ..., strings.

VS2000 -R

  VS2000 will create CLNxxx.LOG with the virii inside the virii databases.

VS2000 -RA

  VS2000 will create CLNxxx.LOG with the virii inside the virii databases, and the virii will be sorted alphabetically.

VS2000 -RN

  VS2000 will create CLNxxx.LOG with the virii inside the virii databases, except those virii that are stored in a path where the string "nosend" appears.

VS2000 -L

  VS2000 will create LSTxxx.LOG with only the names of virii from databases.

VS2000 -LU

  VS2000 will create LSTxxx.LOG with only the names of unique virii from databases.

VS2000 -G

  VS2000 will create STATS.LOG with the statistics of the virii inside the DAT files.

VS2000 -GH

  VS2000 will create STATS.HTM with the statistics of the virii inside the DAT files. STATS.HTM will have HTML format.

VS2000 -GU

  VS2000 will create STATS.LOG with the statistics of the unique virii inside the DAT files.

VS2000 -GHU

  VS2000 will create STATS.HTM with the statistics of the unique virii inside the DAT files. STATS.HTM will have HTML format.

VS2000 -H

  VS2000 will show the number of virii in the virii databases.

VS2000 -HU

  VS2000 will show the number of unique virii in the virii databases. "warning:" for AVP, "unknown?" and "damaged?" for F-Prot will not be counted.

VS2000 -HX

  VS2000 will show both total and unique virii in the virii databases.

VS2000 -S zhengxi

  VS2000 will search for "zhengxi" in all DAT files. The matches will be reported on screen and in STRING.LOG.

VS2000 -SX zhengxi

  VS2000 will search for "zhengxi" in all DAT files. The matches will be reported in STRING.LOG but not on screen.

  Note: The search is case-insensitive.

VS2000 -X MYAVP.LOG OTHERAVP.LOG

  VS2000 will process both log files and it will generate NEW4LOG1.LOG and NEW4LOG2.LOG files if there are new virii.

VS2000 -QB TEST.LOG

  VS2000 will recognize TEST.LOG style and it will create the DAT file.
VS2000 -QC TEST.LOG

  VS2000 will recognize TEST.LOG style and it will check for new viruses. New viruses will be saved into NEW.LOG file.

VS2000 -QA TEST.LOG

  VS2000 will recognize TEST.LOG style and it will add new viruses to DAT file.

VS2000 -QH

  VS2000 will count viruses in DAT files.

VS2000 -QL

  VS2000 will list supported log files.

VS2000 -QGB CLEANER.INI CLEANER.TXT

  VS2000 will read VS2000.INI and it will create the DAT file.

VS2000 -QR

  VS2000 will help you to create a new INI file.

VS2000 -F NEWFPROT.LOG NEWAVP.LOG

  VS2000 will compare NEWFPROT.LOG and NEWAVP.LOG files, and it will drop duplicated ones from the second log, NEWAVP.LOG in this case.

VS2000 -D TEST.LOG W95/,W97M/

  VS2000 will process TEST.LOG looking for "W95/" and "W97M/" strings. If VS2000 finds them, it will delete the strings.

VS2000 -DL TEST.LOG warning:

  VS2000 will process TEST.LOG looking for "W95/" string. If it finds it, VS2000 will delete the line with the string.

VS2000 -DLC TEST.LOG warning:

  VS2000 will process TEST.LOG looking for "W95/" string. If it finds it, VS2000 will delete the line with the string. VS2000 will be using a case insensitive search.

VS2000 -DR TEST.LOG detected,infected

  VS2000 will process TEST.LOG looking for "detected" string. If it finds it, VS2000 will replace "detected" by "infected".

VS2000 -DO TEST.LOG Trojan

  VS2000 will process TEST.LOG looking for "Trojan" string. VS2000 will delete all lines from TEST.LOG but the ones with "Trojan" string.

VS2000 -DA TEST.LOG C:\Virus%20Collection

  VS2000 will add "C:\Virus Collection" to every line in TEST.LOG at 1st column.

VS2000 -O F-PROT.LOG IWANT.TXT

  VS2000 will look for virii from IWANT.TXT in F-PROT.LOG. All virii found will be stored in WANTED.LOG. Only 1 file per virus wanted will be saved.

VS2000 -OA F-PROT.LOG IWANT.TXT

  VS2000 will look for virii from IWANT.TXT in F-PROT.LOG. All virii found will be stored in WANTED.LOG. All files with wanted virii will be saved.
VS2000 -W

  VS2000 will create BROWSE.LOG, a browse list of the virii in the database.

VS2000 -WA

  VS2000 will create BROWSE.LOG, a browse list of the virii in the database with AVP names in the first column.

VS2000 -WAN

  VS2000 will create BROWSE.LOG, a browse list of the virii in the database with AVP names in the first column. File names will not appear.

VS2000 -WH

  VS2000 will create BROWSE.HTM, a browse list of the virii in the database in HTML format.

VS2000 -WNH

  VS2000 will create BROWSE.HTM, a browse list of the virii in the database in HTML. File names will not appear.

VS2000 -B AVP.LOG -E

  VS2000 will detect the kind of log AVP.LOG is, and it will create the virii database. VS2000 will also show the elapsed time to process the command.

VS2000 -T AVP.LOG

  VS2000 will create AVP.DUP. This file will have duplicated virii inside AVP.LOG.

VS2000 -T F-PROT.LOG

  VS2000 will create F-PROT.DUP. This file will have duplicated virii inside F-PROT.LOG. VS2000 will differentiate between "Example.A (exact)" and "Example.A".

VS2000 -TS F-PROT.LOG

  VS2000 will create F-PROT.DUP. This file will have duplicated virii inside F-PROT.LOG. VS2000 will not differentiate between "Example.A (exact)" and "Example.A".

VS2000 -I TEST.LOG

  VS2000 will remove the virii IDs of TEST.LOG.

  If you had:
    "C:\VIRUS\VIRUS1.COM Infection: Barrotes.1310.A (exact)"
  You will get in TEST.LOG:
    "C:\VIRUS\VIRUS1.COM"

VS2000 -P TEST.LOG

  VS2000 will remove the virii IDs and the path for the files.

  If you had:
    "C:\VIRUS\VIRUS1.COM Infection: Barrotes.1310.A (exact)"
  You will get in TEST.LOG:
    "VIRUS1.COM"

VS2000 -IC TEST.LOG

  VS2000 will remove the virii IDs and it will add a "COPY".

  If you had:
    "C:\VIRUS\VIRUS1.COM Infection: Barrotes.1310.A (exact)"
  You will get in TEST.LOG:
    "COPY C:\VIRUS\VIRUS1.COM"

VS2000 -PM TEST.LOG

  VS2000 will remove the virii IDs, and the path of the files, and it will add a "MOVE".
  If you had:
    "C:\VIRUS\VIRUS1.COM Infection: Barrotes.1310.A (exact)"
  You will get in TEST.LOG:
    "MOVE VIRUS1.COM"

VS2000 -IM TEST.LOG E:\TEST

  VS2000 will remove the virii IDs, and it will add a "COPY" and a destination path.

  If you had:
    "C:\VIRUS\VIRUS1.COM Infection: Barrotes.1310.A (exact)"
  You will get in TEST.LOG:
    "COPY C:\VIRUS\VIRUS1.COM E:\TEST"

VS2000 -PCX TEST.LOG C:\VIRUS

  VS2000 will remove the virii IDs and the path for the files. It will add a "COPY", and an additional destination path. The files will be renamed to the VS00000x format.

  If you had:
    "C:\VIRUS\VIRUS1.COM Infection: Barrotes.1310.A (exact)"
  You will get in TEST.LOG:
    "COPY VIRUS1.COM C:\VIRUS\VS000001.COM"

VS2000 -U AVP.LOG

  VS2000 will create UNSCAN.LOG with unscanned files from AVP.LOG. First, you have to remove the lines that are not scanned-file lines.

5. Bugs
-------

+ The first time you run VS2000 under Windows NT, VS2000 doesn't write anything on the screen.

If you find more bugs, please report them to darknode@oninet.es explaining the problem and attaching explanatory log files if needed.

6. History
----------

VS2000 8.8:
  + Added support to manage generic log files in -Q command: {g} and {r} subcommands.
  + Included an example of generic log files using INI files for "Cleaner" logs.

VS2000 8.7:
  + -Q command modified.
  + Bugs fixed in -O and -U commands.

VS2000 8.6:
  + Added -M command.
  + Some bugs fixed.

VS2000 8.5:
  + Changed the version of Free Pascal Compiler (FPC) from 0.99.12 to 0.99.14a.
  + Added more details about what VS2000 is doing at each moment.
  + Some bugs fixed.

VS2000 8.4:
  + Speed improved in almost all commands.
  + Some bugs fixed.

VS2000 8.3:
  + Added a feature to create a log with unscanned files from a log.
  + Speed improved a bit.

VS2000 8.21:
  + "New or modified variant of" viruses now processed in F-Prot logs.

VS2000 8.2:
  + "-based" viruses now processed in AVP logs.
  + A minor bug fixed.
  + Speed improved a bit.

VS2000 8.1:
  + VS2000 8.1's DAT files are not compatible with previous ones.
  + Added a feature to show the time that VS2000 needs to process commands.
  + Removed support for AVPLite and F-MacroW log files directly. Added support through -Q command.
  + VS2000 is now able to manage log files with spaces inside. (AVP32 logs)
  + Removed {w} subcommand. Users who previously ran, for example, "VS2000 -BW AVP.LOG" will now have to run "VS2000 -DL AVP.LOG warning: -B AVP.LOG".
  + Removed {k} subcommand. You will have to make backups of processed files manually.
  + Some bugs fixed.
  + Speed increased again.

VS2000 8.0:
  + Speed improved a lot.
  + Source code optimized.

VS2000 7.6:
  + Speed improved.

VS2000 7.5:
  + Some bugs fixed.

VS2000 7.4:
  + Some improvements added.
  + Some bugs fixed.

VS2000 7.3:
  + Added a new feature to drop duplicated files from 2 log files.
  + Added {C} subcommand to -D. VS2000 will be able to make case insensitive searches.
  + Several bugs fixed and improvements added.

VS2000 7.21:
  + Added {R} subcommand to -D. VS2000 will be able to replace a string in a file.
  + AVP32's log file style changed: Added support for it.

VS2000 7.2:
  + Added a feature to look for a list of virii inside a log file.
  + Added {X} subcommand to -H. VS2000 will be able to count total and unique virii at the same time.
  + Added {U} subcommand to -G. VS2000 will be able to generate statistics with unique virii only.
  + Added {U} subcommand to -L. VS2000 will be able to generate virii lists with unique virii only.

VS2000 7.11:
  + Added support for Inoculate/VET and AVX log files.
  + Added a new feature for -D command.

VS2000 7.1:
  + Fixed Panda Antivirus conversion routine.
  + Some minor bugs fixed.

VS2000 7.0:
  + Added support for F-Secure and Panda Antivirus log files.
  + Some minor bugs fixed.

VS2000 6.9:
  + Added a feature to generate a file with duplicate virii inside a log.
  + Fixed the conversion routine from Dr Web to F-Prot log file.
  + Some minor bugs fixed.

VS2000 6.8:
  + Changed STATS.HTM's style.
  + Some minor bugs fixed.
VS2000 6.7:
  + Multiple strings for "-D" allowed.

VS2000 6.6:
  + Changed slightly "-L" command.
  + Added a new feature to "-D" command.
  + Some minor bugs fixed.

VS2000 6.5:
  + Added a feature to remove strings from log files. ("-D")

VS2000 6.4:
  + Added support for Norton Antivirus log files.
  + A minor bug fixed.

VS2000 6.3:
  + Added a command not to show file names in browse list.
  + Added a command to write browse list in HTML format (BROWSE.HTM).
  + Added support for Sweep log files.

VS2000 6.2:
  + Added documentation in HLP format.
  + Added an option to create the browse list in AVP / F-Prot / Infected file format.
  + Some minor bugs fixed.

VS2000 6.1:
  + Browse list added. (BROWSE.LOG)

VS2000 6.0:
  + Statistics can have HTML format. (STATS.HTM)

VS2000 5.9:
  + Added a feature to get statistics.
  + Fixed some minor bugs.

VS2000 5.8:
  + Fixed some minor bugs.

VS2000 5.7SE:
  + Fixed some minor bugs.

VS2000 5.7:
  + Added a feature to get lists of virii. (name only)
  + Fixed some minor bugs.

VS2000 5.6:
  + Added a feature not to include "NOSEND" virii in CLNxxx.LOG files.
  + Added support to process up to 5 logs using -Q command.
  + Fixed some minor bugs.

VS2000 5.5:
  + Removed direct support for Dr Solomon log files. Now the support is included in -Q command.
  + Fixed some minor bugs.

VS2000 5.4:
  + XORT.EXE is not needed anymore in order to sort the CLNxxx.LOG files alphabetically. VS2000 now has its own internal routine to do it.
  + Due to memory problems, from now on only the 32 bits version will be released.

VS2000 5.3:
  + VS2000 is able to process NEWxxx.LOG files.
  + VS2000 is able to convert RAV, Nod-Ice, Dr Web and VirusScan log files to F-Prot style in order to process them.
  + It is no longer necessary to force VS2000 to process a log as a specified kind of log; VS2000 will automatically detect the kind of log it is in all cases.
  + Fixed some minor bugs.

VS2000 5.2:
  + Added a feature to compare 2 log files without any database and get what's new for each log.
  + Fixed some minor bugs.
  + Since 16 bits versions have memory problems, only the 32 bits version will be released.

VS2000 5.1:
  + Added a feature to search for virii strings inside DAT files.

VS2000 5.0:
  + Changed the format for virii databases. Now the DAT files are smaller than in previous versions of VS2000, and the program is even faster processing log files.
  + Fixed a bug in the counting of unique virii for F-Prot.
  + Removed the features to process NEWxxx.LOG files since that's a work for VS2000.

VS2000 4.6:
  + VS2000 now available under:
      16 bits real mode: VS2K16RM.EXE
      16 bits protected mode: VS2K16PM.EXE (needs RTM.EXE)
      32 bits mode: VS2K32.EXE
  + Some bugs fixed.
  + VS2000 is able to process only fully identified virii for AVP log files.
  + VS2000 is able to generate CLNxxx.LOG files sorted alphabetically by virii.

VS2000 4.5:
  + VS2000 is a 32 bit application, so it runs faster.
  + Added support to get unique virii in your collection.

VS2000 4.4:
  + VS2000 is able to process up to 5 log files.
  + The command line routine has been improved.

7. Copyright
------------

VirSort 2000, VS2000, is (c) 1998 by Brian Burdick.

Since version 2.6, VS2000 has been updated by VirusBuster.

8. Supported logs
-----------------

VS2000 is able to manage the following log files:

AVPLite, AVPDOS32, AVP32, AntiVirus Expert, Dr Solomon, Dr Web, F-MacroW, F-Prot/Command AntiVirus, Inoculate/Vet, Nod-Ice, Norton, Norman, Panda, PER, Romanian AntiVirus, Sweep, VirusBuster, VirusScan.

Total supported log files: 20.
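
The generic-log INI rule described for the G subcommand of -Q in section 3, applied to the manual's own Cleaner record. This is an added example in Python, not VS2000's code. The function names are hypothetical, and three behaviours are assumptions: an empty "string before the path" means the path starts at the beginning of the line, the identifying string is checked against the whole log, and lines no rule matches are skipped.

```python
# Added example: hypothetical reimplementation of the generic-log (-QG) INI rule.
from typing import List, NamedTuple, Optional, Tuple

class Rule(NamedTuple):
    before_name: str  # string before the name of the virus
    before_path: str  # string before the path of the infected file
    after_name: str   # name is cut here; empty deletes nothing
    after_path: str   # path is cut here; empty deletes nothing
    name_suffix: str  # string added to the name of the virus

def parse_ini(text: str) -> Tuple[str, str, List[Rule]]:
    """Return (DAT name, identifying string, rules). Fields cannot contain commas."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    dat_name, ident = lines[0].split(",", 1)
    rules = []
    for ln in lines[1:]:
        fields = ln.split(",")  # leading/trailing spaces in a field are significant
        if len(fields) != 5:
            raise ValueError(f"expected 5 comma-separated fields: {ln!r}")
        rules.append(Rule(*fields))
    return dat_name, ident, rules

def _after(text: str, marker: str) -> Optional[str]:
    """Text after the first occurrence of marker, or None if it is absent."""
    if not marker:
        return text  # assumption: an empty marker means "starts at column 1"
    _, found, tail = text.partition(marker)
    return tail if found else None

def _cut(text: str, marker: str) -> str:
    """Delete marker and everything after it; an empty marker deletes nothing."""
    return text.split(marker, 1)[0] if marker else text

def apply_rule(line: str, rule: Rule) -> Optional[Tuple[str, str]]:
    """Return (virus name, infected file path), or None if the line does not match."""
    name = _after(line, rule.before_name)
    path = _after(line, rule.before_path)
    if name is None or path is None:
        return None
    name = _cut(name, rule.after_name).strip() + rule.name_suffix
    return name, _cut(path, rule.after_path).strip()

def extract(log_text: str, ini_text: str) -> List[Tuple[str, str]]:
    """Apply the first matching rule to each line of a log the INI identifies."""
    _, ident, rules = parse_ini(ini_text)
    if ident not in log_text:
        return []  # not the kind of log this INI describes
    hits = []
    for line in log_text.splitlines():
        hit = next(filter(None, (apply_rule(line, r) for r in rules)), None)
        if hit:
            hits.append(hit)
    return hits

# INI rule and log record from the manual; the header line is constructed.
CLEANER_INI = "CLEANER,Constructing Cleaner\nRecord for ,found in , which was,,.test\n"
CLEANER_LOG = (
    "Cleaner scan log (constructed header)\n"
    "[24.06.2000 23:08:46] Constructing Cleaner Record for VBS.Freelink"
    " which was found in P:\\New\\1999.12\\NT000347.vbs\n"
)

if __name__ == "__main__":
    for virus, path in extract(CLEANER_LOG, CLEANER_INI):
        print(f"{virus}\t{path}")
```

Because the fields are split on commas and matched literally, a marker that itself contains a comma cannot be expressed in this format, and the trailing space in "Record for " is part of the marker.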