Paste: DrWeb leaked AV base source

Author:	Unknown
Mode:	ini
Date:	Thu, 1 Dec 2011 22:29:15

Plain Text |

Delete Paste

VirBase=0     ;Признак 1 для основной вирусной базы, 0 - для дополнений
;Следующая строка (после 'Creator=') должна содержать не более 93 символов
Creator=Igor Daniloff, Daniloff's Anti-Virus Labs and DialogueScience Inc.
MinVers=428   ;Максимальная версия engine, с которым работает база

[MEMVIR]    ;Секция резидентных вирусов
[TRC13]  ;Trace Int 13h Chaine

[END TRC13]
[TRC21]  ;Trace Int 21h Chaine

;Bolero.1307
MEM 02eh,0ch,74h,000h,30h,002642876h,0ch,1,0ebh,000h,0,Bolero,0,1307,0  ;2ec6 37a
;Uhg.2580
MEM 09ch,0eh,75h,000h,30h,08697e806h,0eh,2,0ebh,06fh,0,Uhg,0,2580,0  ;9c3d 1ff

[END TRC21]
[SCANMEM]  ;Scan Memory Viruses
;STOP -ОБЯЗАТЕЛЬНО!!! после одной или нескольких записей с одинаковым
;стартовым байтом
[END SCANMEM]
[IFSHOOK]  ;Win95 IFS HOOK Viruses

[END IFSHOOK]
[SCANPRC]  ;Scan Windows Memory Processes Viruses

;Win32.HLLW.Nimda.57344 (2) 80 3e 53 75 35
MEM 08bh,18h,04dh,0dh,030h,05c7b275ch,00h,0,000h,000h,0,Win32.HLLW,Nimda,57344,DeleteProc  ;60c0
STOP

;STOP -ОБЯЗАТЕЛЬНО!!! после одной или нескольких записей с одинаковым
;стартовым байтом
[END SCANPRC]
[SCANSYS]  ;Scan Share and System Windows Memory Viruses
;STOP -ОБЯЗАТЕЛЬНО!!! после одной или нескольких записей с одинаковым
;стартовым байтом
[END SCANSYS]
[INTRMEM]
[END INTRMEM]
[END MEMVIR]
[FILEVIR]    ;Секция файловых вирусов
[EASY]    ;Easy viruses -- Above 0x800 bytes from EXE (PE) entry point


;HEURISTIC----------------------------------------------

;DISKPART
FILE   06ah,00000h,020h,08959eedfh,066h,00073h,030h,042e9ab42h,CHK+COM,0,0,0  ;***
       CES   SPECIAL:NoHeuristic,00100h,00004h,00000h,00000h,00000h
;WWHEEL.DLL
FILE   083h,00000h,020h,0e17d502dh,053h,00023h,030h,0567487ddh,CHK+COM,0,0,0  ;***
       CES   SPECIAL:NoHeuristic,00100h,00004h,00000h,00000h,00000h
;HEURISTIC----------------------------------------------

;Win32.HLLW.Supernova.40960
FILE   05ch,00001h,007h,01cb341e3h,053h,0003ch,040h,0c1c3640eh,CDL,Win32.HLLW,Supernova,40960  ;***
;Trivial.Anjo.700
FILE   0b4h,00000h,010h,05c6834e4h,0b8h,00017h,030h,035df5035h,DEL,Trivial,Anjo,700  ;***
;Trojan.Aphex.70
FILE   004h,00007h,007h,0419de474h,0dch,00024h,040h,0bde237d8h,CDL,Trojan,Aphex,70  ;***
;Trojan.MulDrop (92) (damaged 88)
FILE   08ch,00016h,007h,0cce6303ch,0fch,0004ch,040h,046647306h,CDL,Trojan,MulDrop,0  ;***
;Trojan.PWS.Murka (4)
FILE   0ech,00009h,007h,0ac0f810ah,094h,00013h,040h,0831cc46bh,CDL,Trojan.PWS,Murka,0  ;***
;BackDoor.Wildek.2 (1) (server)
FILE   034h,0000eh,007h,0712125abh,0c8h,0009fh,040h,058b42c1dh,CDL,BackDoor,Wildek,2  ;***
;BackDoor.Wildek.2 (2) (client)
FILE   00ch,00007h,007h,04aa2ec12h,00ch,00008h,040h,0220f6d22h,CDL,BackDoor,Wildek,2  ;***
;BackDoor.InCommand.16 (10) (regclient)
FILE   030h,00007h,007h,076456f03h,028h,00024h,040h,06d987e6dh,CDL,BackDoor,InCommand,16  ;***
;BackDoor.InCommand.16 (11) (regserv)
FILE   0e0h,0000ch,007h,0a2168f36h,0c4h,00069h,040h,0eec3681eh,CDL,BackDoor,InCommand,16  ;***
;BackDoor.InCommand.17 beta3 (5) (client)
FILE   098h,00012h,007h,0c9e8ecdah,040h,00039h,040h,043a75d37h,CDL,BackDoor,InCommand,17  ;***
;BackDoor.InCommand.17 beta3 (6) (ntpasshack)
FILE   0b8h,00007h,007h,0fcaedaa0h,050h,-019fh,040h,0fb55c64fh,CDL,BackDoor,InCommand,17
;BackDoor.InCommand.17 beta3 (7) (passhack)
FILE   00ch,00007h,007h,048a9d512h,050h,-019fh,040h,0bddf0ab5h,CDL,BackDoor,InCommand,17
;BackDoor.InCommand.17 beta3 (8) (plugin.stub)
FILE   094h,00011h,007h,0d0b8629ch,088h,00036h,040h,0e5f4ed1ah,CDL,BackDoor,InCommand,17
;BackDoor.Zuper
FILE   044h,00001h,007h,00fbd5cf0h,06dh,00045h,040h,075c365e6h,CDL,BackDoor,Zuper,0  ;***


;------------------------------------------------------------------------------------------
;FDOS.MsgBomb
FILE   040h,00008h,007h,043284417h,044h,00046h,040h,0193d4575h,CHK+COM,FDOS,MsgBomb,0  ;***
       CES   INTERPR:CheckSeekLargePacked#,0bed0h,00004h,00040h,0caeah,021d2h
;FDOS.Visual Error
FILE   040h,00008h,007h,043284417h,044h,00046h,040h,0193d4575h,ACT+COM,0,0,0  ;***
       CES   SPECIAL:NoCheckThisFile,00000h,00000h,00000h,00000h,00000h

;------------------------------------------------------------------------------------------

[END EASY]
[POLY]   ;Polymorphic viruses

;Byworm.1200
FILE   0cdh,00000h,010h,0505405e4h,0b8h,001ebh,030h,0a53ceb9bh,COMEXE,Byworm,0,1200  ;***
       CES   ASIS   ,00100h,00004h,00000h,00000h,00000h
       CES   CISS   ,003e6h,003e4h,003e8h,003eah,00000h
;Byworm.1600
FILE   0cdh,00000h,010h,0d402f2e1h,0b8h,00201h,030h,0a7c61399h,COMEXE,Byworm,0,1600  ;***
       CES   ASIS   ,00100h,00004h,00000h,00000h,00000h
       CES   CISS   ,00523h,00521h,00525h,00527h,00000h
;Uhg.2580
FILE   0cdh,00000h,010h,066701057h,09ch,00063h,030h,08697e806h,COMEXE,Uhg,0,2580  ;***
       CES   BYTES  ,-0076h,-0075h,-0078h,00000h,00000h
       CES   INTERPR:CureBombTrack2349#,-0087h,-008ah,00000h,-0082h,00000h


[END POLY]
[CRYPT]  ;Encoded viruses

;Bolero.1307
FILE   059h,00000h,010h,0d97f5bf7h,02eh,000b4h,030h,002642876h,COM,Bolero,0,1307  ;***
       CES   MOVE   ,004a0h,00005h,00000h,00000h,00000h
;Loh.1560
FILE   09ch,00000h,010h,0f81aea10h,0b9h,000ddh,030h,0827dfeb1h,EXE,Loh,0,1560  ;***
       CES   INTERPR:CureOpera1020#,00618h,00618h,00000h,00000h,00618h


[END CRYPT]
[SPECIAL]  ;Special functions
[END SPECIAL]
[MACRO]  ;Macro viruses

[END MACRO]
[MACROSRC] ;Macro Source viruses
[END MACROSRC]
[HEADER]  ;Packed or Header viruses


;VBS.Britney (5) (chm)
FILE   042h,00244h,007h,0425c4c14h,04bh,0025ah,040h,08ab65befh,CDL,VBS,Britney,0  ;***
;VBS.Britney (6) (chm)
FILE   041h,0022eh,007h,04c45450dh,041h,00240h,040h,0c50b8aa4h,CDL,VBS,Britney,0  ;***
;Bolero.1307 (dropper)
FILE   059h,0003ch,010h,0d97f5bf7h,02eh,000f0h,030h,002642876h,DEL,Bolero,0,1307  ;***
;Trivial.161
FILE   0beh,00000h,010h,07214f6e2h,0b0h,00042h,030h,097d0cc7bh,DEL,Trivial,0,161  ;***
;Trivial.179
FILE   0e8h,00000h,010h,0e0c2efc1h,08dh,0002bh,030h,00f9db3cch,DEL,Trivial,0,179  ;***
;Trivial.Sbvc.30000 (1)
FILE   0b4h,00014h,010h,080e2d81eh,0b4h,0002fh,030h,061751e3ah,DEL,Trivial,Sbvc,30000  ;***
;Trivial.Sbvc.30000 (2)
FILE   0b4h,00016h,010h,0f454e34eh,0b4h,00032h,030h,09ca23396h,DEL,Trivial,Sbvc,30000  ;***



[END HEADER]
[DATA]   ;Data viruses -- First 0x800 bytes of primary section of PE EXE

;Win32.HLLM.Frethem.11
FILE   0a8h,0016ch,007h,0edcf3709h,08ch,0079dh,040h,043d31b16h,CDL,Win32.HLLM,Frethem,11  ;***
;Win32.HLLM.Frethem.12
FILE   0b8h,0016ch,007h,0fda149f9h,02ch,0078bh,040h,0234cec5eh,CDL,Win32.HLLM,Frethem,12  ;***
;Win32.HLLM.Frethem.13
FILE   0e8h,0016ch,007h,0addb6349h,0a0h,00795h,040h,0c31757beh,CDL,Win32.HLLM,Frethem,13  ;***
;Win32.HLLM.Frethem.14
FILE   0e8h,0016ch,007h,0add86049h,0a0h,00795h,040h,0c03576bdh,CDL,Win32.HLLM,Frethem,14  ;***
;Win32.HLLW.Datom (1) (msvxd.exe)
FILE   0d7h,00001h,007h,097314695h,064h,005e1h,040h,09bcf9e16h,CDL,Win32.HLLW,Datom,0  ;***
;Win32.HLLW.Datom (2) (msvxd16.dll)
FILE   0abh,00001h,007h,0eb212ae9h,015h,00699h,040h,0cea2ef0ah,CDL,Win32.HLLW,Datom,0  ;***
;Win32.HLLW.Datom (3) (msvxd32.exe)
FILE   0c3h,00001h,007h,083711281h,023h,0073ch,040h,0cf49a772h,CDL,Win32.HLLW,Datom,0  ;***
;HLLO.2608
FILE   005h,00000h,007h,04e7c57d4h,030h,000b7h,040h,02ca5d932h,DEL,HLLO,0,2608  ;***
;IRC.Projax.56060
FILE   050h,00002h,007h,0555c5117h,046h,000d3h,040h,0addcc952h,DEL,IRC,Projax,56060  ;***
;Trojan.PWS.Zimenok (1) (cfg)
FILE   09eh,0000fh,007h,0de3ae4b6h,020h,00150h,040h,027c3e427h,CDL,Trojan.PWS,Zimenok,0  ;***
;Trojan.PWS.Zimenok (2)
FILE   050h,00010h,007h,010509b43h,0a5h,0036dh,040h,0dedbadfch,CDL,Trojan.PWS,Zimenok,0  ;***
;Trojan.PWS.Zimenok (3)
FILE   005h,00110h,007h,045e99e45h,0c0h,006dah,040h,0e96c0ea9h,CDL,Trojan.PWS,Zimenok,0  ;***
;Trojan.Share.3851
FILE   061h,00004h,007h,07a64661fh,010h,00289h,040h,029005f2fh,CDL,Trojan,Share,3851  ;***
;Trojan.Share.3856
FILE   061h,00004h,007h,07a64661fh,010h,00289h,040h,012006414h,CDL,Trojan,Share,3856  ;***
;BackDoor.BlackRat.16 (1) (downloader)
FILE   056h,00001h,007h,05669d956h,037h,00064h,040h,0ef970de8h,CDL,BackDoor,BlackRat,16  ;***
;BackDoor.BlackRat.16 (2) (server)
FILE   08ch,00018h,007h,0cc69e1e8h,0e8h,00759h,040h,09f025b9ah,CDL,BackDoor,BlackRat,16  ;***


;COM
;BAT.GhostDog.942
FILE   066h,006cbh,020h,04c22310ch,074h,0075fh,030h,032154246h,DEL,BAT,GhostDog,942  ;***
;BAT.GhostDog.1228
FILE   066h,00699h,020h,04c22310ch,074h,0075fh,030h,032154246h,DEL,BAT,GhostDog,1228  ;***
;BAT.Julia.1000
FILE   066h,006afh,020h,04c223119h,074h,0072ch,030h,0590d3638h,DEL,BAT,Julia,1000  ;***
;BAT.Bakk.494
FILE   066h,006c3h,020h,05a126274h,074h,00755h,030h,010310422h,DEL,BAT,Bakk,494  ;***
;BAT.Cls.475
FILE   066h,00729h,020h,0476b0c24h,074h,007a7h,030h,057467d24h,DEL,BAT,Cls,475  ;***
;JS.Fortnight (2)
FILE   03ch,00751h,007h,0284e2b6dh,073h,0079ch,040h,0123d4b66h,DEL,JS,Fortnight,0  ;***


[END DATA]
[TEXT]       ;Text viruses

;Error for BAT.Trivia.39
FILE   049h,0000ah,007h,040464314h,046h,00001h,020h,06f083223h,CHK+COM,0,0,0  ;***
       CES   INTERPR:ErrorBATTrivial39#,00000h,00000h,00000h,00000h,00000h


;BAT.Eris (eris5.bat)
FILE   045h,00032h,007h,05f35281eh,047h,0003bh,040h,04c637b46h,CDL,BAT,Eris,0  ;***
;Perl.Snakebyte.2987
FILE   043h,00231h,007h,04a5f4113h,046h,007b5h,040h,0387b066ah,DEL,Perl,Snakebyte,2987  ;***
;Trojan.FormatC.30
FILE   046h,00007h,007h,00a035b47h,045h,00001h,01ah,017286743h,DEL,Trojan,FormatC,30  ;***
;Trojan.IframeExec
FILE   03ch,00001h,006h,01c396922h,000h,00000h,000h,000000000h,CHK+COM,Trojan,IframeExec,0  ;***
       CES   INTERPR:CheckTrojanIframeExec#,00200h,00020h,00000h,00000h,00000h


[END TEXT]
[SCRSKELET]   ;Script Skeleton viruses


;BAT.Eris
FILE   025h,00000h,020h,0473c3108h,041h,000c1h,030h,01d091437h,DEL,BAT,Eris,0  ;***
;VBS.Generic (59)
FILE   041h,0004ah,020h,071240734h,054h,00070h,030h,0444e4400h,CDL,VBS,Generic,0  ;***
;VBS.Generic (60)
FILE   041h,0003ah,020h,0714e7a3dh,044h,00067h,030h,07d173828h,CDL,VBS,Generic,0  ;***
;VBS.Generic (61)
FILE   04dh,0003fh,020h,053595e01h,053h,0005ah,030h,0631e3963h,CDL,VBS,Generic,0  ;***
;VBS.Generic (62)
FILE   057h,00066h,020h,05a312713h,047h,0003bh,030h,071207f38h,CDL,VBS,Generic,0  ;***
;VBS.Generic (63) (ConvertHex tools)
FILE   045h,00000h,008h,00b17590bh,000h,00000h,000h,000000000h,CHK+COM,VBS,Generic,0  ;***
       CES   INTERPR:CheckVBSConvertHex#,00000h,00000h,00000h,00000h,00000h
;VBS.Generic (64)
FILE   056h,0005ah,020h,059243859h,047h,00023h,030h,018570354h,CDL,VBS,Generic,0  ;***
;VBS.Generic (65) (gascript)
FILE   043h,0002dh,007h,04a595a06h,045h,0001eh,040h,0564f5d56h,CDL,VBS,Generic,0  ;***
;VBS.Generic (66)
FILE   043h,00035h,020h,04e677b07h,04fh,0009ah,030h,04a7c724ah,CDL,VBS,Generic,0  ;***
;VBS.Generic (67)
FILE   048h,00061h,020h,051243051h,052h,000d3h,030h,05f7a251bh,CDL,VBS,Generic,0  ;***
;VBS.Generic (68)
FILE   046h,00023h,020h,0274d2f27h,046h,00001h,030h,0174e0d51h,CDL,VBS,Generic,0  ;***
;VBS.Generic (69)
FILE   057h,00033h,007h,04a5e5803h,045h,00009h,040h,071063971h,CDL,VBS,Generic,0  ;***
;BAT.Generic (55)
FILE   043h,00016h,020h,0737a0957h,04dh,00000h,03bh,008044708h,DEL,BAT,Generic,0  ;***


[END SCRSKELET]
[MCRSKELET]   ;Macro Skeleton viruses

;W97M.Iron (3)
FILE   043h,00045h,020h,0622f0836h,049h,0006dh,030h,02b0a2178h,WRD,W97M,Iron,0  ;***
;W97M.VMPCK (22)
FILE   043h,00097h,020h,0613d132ch,045h,000c2h,030h,074247032h,WRD,W97M,VMPCK,0  ;***


[END MCRSKELET]
[SEARCH]
;STOP -ОБЯЗАТЕЛЬНО!!! после одной или нескольких записей с одинаковым
;стартовым байтом
[END SEARCH]
[LONGSEARCH]
;STOP -ОБЯЗАТЕЛЬНО!!! после одной или нескольких записей с одинаковым
;стартовым байтом
[END LONGSEARCH]
[WLNGSEARCH]


;Win32.FunLove.4608 (damaged in last sec)
FILE   081h,04d3fh,010h,068042c67h,03dh,00027h,030h,069a10e41h,DEL,Win32,FunLove,4608  ;***
STOP

;STOP -ОБЯЗАТЕЛЬНО!!! после одной или нескольких записей с одинаковым
;стартовым байтом
[END WLNGSEARCH]

[INTRFILE]  ;File Interpretator procedures

;-------------------------------------------------------------------
CheckSeekLargePacked#:
if ((dword CurDat1+CurDat3)>filesize) ret;
openrd;
seek(dword CurDat1);
read(CurDat3);
closerd;
if ((crcsum(free,CurDat3))!=dword CurDat4) ret;
prnvir;
delete;
exit;
end;

;CheckLargePacked#:
;if ((fileEP+dword CurDat1+CurDat3)>filesize) ret;
;openrd;
;seek(fileEP+dword CurDat1);
;read(CurDat3);
;closerd;
;if ((crcsum(free,CurDat3))!=dword CurDat4) ret;
;prnvir;
;delete;
;exit;
;end;

;CutWin32Size#:
;b=headerw(14h)+headerw(6)*28h;
;if (b<7fdh) {
;  if (headerd(b-8)<=headerd(b)) {
;        headerd(b)=a-headerd(b+4);   //Phys Size
;        headerd(b-8)=a-headerd(b+4); //Virt Size
;        headerd(50h)=headerd(b-4)+headerd(b); //Image Size
;  }
;  else {
;        headerd(b)=a-headerd(b+4);   //Phys Size
;        headerd(50h)=headerd(b-4)+headerd(b-8); //Image Size
;  }
;  if (headerd(50h)%headerd(38h)) headerd(50h)=((headerd(50h)/headerd(38h))+1)*headerd(38h);
;  wrheader(b+4);
;}
;else wrheader(2ch);
;ret;
;end;

;CorrectLastSec#:
;if (b<7fdh) {
;        a=headerd(b)&(headerd(3ch)-1);
;        if (a) {
;                seek(headerd(b)+headerd(b+4));
;                for (i=0,i+=4,i<headerd(3ch)-a) virsgd(i)=0;
;                c=writebig(virsg,headerd(3ch)-a);
;                headerd(b)+=headerd(3ch)-a;
;                wrheader(b+4);
;        }
;        setsize(headerd(b)+headerd(b+4));
;}
;ret;
;end;

;CutFromLastPE#:
;if (headerd(28h)>headerd(34h)) headerd(28h)-=headerd(34h);
;a=fileEP+sign CurCut;
;call(CutWin32Size#);
;call(CorrectLastSec#);
;ret;
;end;

;CureWin95Zerg3849#:
;headerd(28h)=virsgd(vir+sign CurDat1);
;call(CutFromLastPE#);
;ret;
;end;

;RemoveLastPESection#:
;a=headerw(14h)+2ch+headerw(6)*28h;
;if (a<7fdh) {
;  seek(headerd(a));
;  call (RemoveVirusCode);
;  for (i=0,i+=4,i<18h) headerd(a+i-14h)=0;
;  headerd(50h)=headerd(a-30h)+headerd(a-2ch); //Image Size
;  if (headerd(50h)%headerd(38h)) headerd(50h)=((headerd(50h)/headerd(38h))+1)*headerd(38h);
;  wrheader(a+4);
;}
;else wrheader(2ch);
;ret;
;end;

;CureLastPESection#:
;--headerw(6);
;headerd(28h)=virsgd(vir+sign CurDat1);
;if (headerd(28h)>=headerd(34h)) headerd(28h)-=headerd(34h);
;call (RemoveLastPESection#);
;ret;
;end;

;SearchWin32RVA#:    //Вход:  a - RVA
;        //Выход: a - смещение, -1 - ошибка
;        //Файл должен быть открыт!
;if ((headerw(14h)+(headerw(6)-1)*28h+18h)<=7d8h) {
;  for (i=0,++i,i<headerw(6)) {
;     if (a<headerd(headerw(14h)+i*28h+18h+0ch)) continue;
;     if (a>headerd(headerw(14h)+i*28h+18h+0ch)+headerd(headerw(14h)+i*28h+18h+10h)) continue;
;     a=a-headerd(headerw(14h)+i*28h+18h+0ch)+headerd(headerw(14h)+i*28h+18h+14h);
;     ret;
;  }
;  a=-1;
;}
;else {
;  seek(offshead+headerw(14h)+18h);
;  read(800h);
;  for (i=0,++i,i<headerw(6)) {
;     if (a<freed(i*28h+0ch)) continue;
;     if (a>freed(i*28h+0ch)+freed(i*28h+10h)) continue;
;     a=a-freed(i*28h+0ch)+freed(i*28h+14h);
;     ret;
;  }
;  a=-1;
;}
;ret;
;end;

;||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

ErrorBATTrivial39#:
++textd(2);
ret;
end;

CureBombTrack2349#:
ip=virsgw(vir+sign CurDat1);
cs=virsgw(vir+sign CurDat2);
sp=virsgw(vir+sign CurDat4);
correct;
ret;
end;

CureOpera1020#:
ab=CurDat2;
call (ReadLastBytes);
for (i=0,++i,i<CurDat2) {virsgb(i)^=ab;--ab;}
a=writebig(virsg,CurDat2);
call(START);
ret;
end;
;-------------------------------------------------------------------

CheckTrojanIframeExec#:
for (i=7,++i,i<CurDat1) {
  if (textd(i)!='<IFR') continue;
  if (textd(i+4)!='AME ') continue;
  if (textd(i+8)!='SRC=') continue;
//  if (word textd(i+12)=='3D') i+=2;
  if (textd(i+12)!='CID:') continue;
  for (j=i+18,++j,j<i+18+CurDat2) {
    if (textd(j)!='HEIG') continue;
    if (textd(j+3)!='GHT=') continue;
//    if (word textd(j+7)=='3D') j+=2;
    if (byte textd(j+7)!='0') continue;
    if (textd(j+8)!=' WID') continue;
    if (textd(j+11)!='DTH=') continue;
//    if (word textd(j+15)=='3D') j+=2;
    if (byte textd(j+15)!='0') continue;
    if (byte textd(j+16)!='>') continue;
    if (byte textd(j+17)==0ah) ++j;
    if (byte textd(j+17)!='<') continue;
    if (textd(j+18)!='/IFR') continue;
    if (textd(j+22)!='AME>') continue;
    prnvir;
    delete;
    exit;
  }
}
ret;
end;

CheckVBSConvertHex#:
for (i=80h,++i,i<780h) {
        if (datad(i)!='Func') continue;
        if (datad(i+4)!='tion') continue;
        if (byte datad(i+8)!=20h) continue;
        for (j=9,++j,j<200h) {
                if (word textd(j)!=2228h) continue;
                aw=0;
                for (k=j+2,k+=2,k<800h) {
                    bw=0;
                    for (l=0,++l,l<2) {
                        bw<|=4;
                        ab=textd(k+l);
                        if ((ab>='0')&&(ab<='9')) {
                           ab-='0';
                        }
                        else if ((ab>='A')&&(ab<='F')) {
                             ab-=37h;
                        }
                        else ret;
                        bw=bw|ab;

                    }
                    freeb(aw)=bw;
                    ++aw;
                }
                if (freed(0)!='On E') ret;
                for (k=0,++k,k<aw) {
                    if ((freed(k)&0dfdfdfffh)=='.SCR') {
                       if ((freed(k+4)&0dfdfdfdfh)!='IPTF') continue;
                       if ((freed(k+8)&0dfdfdfdfh)!='ULLN') continue;
                       if ((freed(k+11)&0dfdfdfdfh)!='NAME') continue;
                          prnvir;
                          delete;
                          exit;
                    }
                }
                ret;
        }
        ret;
}
ret;
end;


[END INTRFILE]
[END FILEVIR]
[BOOTVIR]  ;Boot Viruses
[EASYBOOT]

[END EASYBOOT]
[SEARCHBOOT]
[END SEARCHBOOT]
[INTRBOOT]
[END INTRBOOT]
[END BOOTVIR]
[END]

;Имена вирусов должны идти сразу за секцией VIRNAMES, а после всех имен
обязательно должен быть перевод строки
[VIRNAMES]
Anjo
Aphex
BackDoor
Bakk
BAT
BlackRat
Bolero
Britney
Byworm
Cls
Datom
Eris
FDOS
FormatC
Fortnight
Frethem
FunLove
Generic
GhostDog
HLLO
IframeExec
InCommand
IRC
Iron
JS
Julia
Loh
MsgBomb
MulDrop
Murka
Nimda
Perl
Projax
Sbvc
Share
Snakebyte
Supernova
Trivial
Trojan
Trojan.PWS
Uhg
VBS
VMPCK
W97M
Wildek
Win32
Win32.HLLM
Win32.HLLW
Zimenok
Zuper

// SOURCE: 1764376ba7382c9c9786e3b913633edc3b5f8bedeb6a4e0f43fa163a8d7c949574891cbd51ffcd29fa313725fe15f91eb014701d75ef71de7d1c6fb6f9183e88

New Annotation

Summary:
Author:
Mode:	textPostgreSQLPowerCenter Parameter Fileactionscriptadaada95ans-forth94antantlrantlr4apacheconfapdlapplescriptaspaspect-jassembly-agcassembly-agsassembly-arm32assembly-m68kassembly-macro32assembly-mcs51assembly-parrotassembly-r2000assembly-x86avroawkbbatchbbjbcelbeanshellbibtexbinsource-agccc#c++cfscriptchillcilclipsclojurecmakecobolcoffeescriptcoldfusioncplex-lpcsscsvcvs-commitddartdjangodockerfiledotdoxygendrawj2ddsssleiffelembperlerlangfactorfhtmlforthfortranfortran90foxprofreemarkergcbasicgettextgherkingnuplotgogradlegroovygsphaskellhaxehexhl7v2hlslhtaccesshtmlhxmli4glicalendariconidlinforminiinno-setupinterlisiojamonjavajava module-infojavaccjavafxjavascriptjcljedit-actionsjflexjhtmljmkjsonjspkotlinlatexlexlilypondlispliterate-haskelllogslogtalklotosluam4macroschedulermailmakefilemaplemarkdownmavenmavscriptmetapostmlmodula3moinmqscmustache-templatemxmlmyghtymysqln3netrexxnqcnsis2objective-cobjectrexxoccamomnimarkopensipsoutlinepascalpatchperlphppikepl-sqlpl-sql9pl1plaintexplantumlpop11postscriptpovraypowerdynamopowershellprogressprologpropertiesprotobufpspptlpurepvwavepyrexpythonqdocrakefilercprdrebolredcoderelax-ng-compactrenderman-ribrestrfcrhtmlroffrpm-specrtfrubyrustrviews#s+sassbtscalaschemesdl/prsgmlshellscriptshtmlsipsippslateslaxsmalltalksmartysmi-mibsparqlsql-loadersqrsquidconfstatasvn-commitswiftswigtcltemplate-toolkittextexinfotldtransact-sqltsptwikityposcripturluscriptvalavbscriptvelocityverilogvhdlvisualbasicvrml2wellknowntextxmlxqxslyabyamlzpt
Body:

Done