== YAVR (http://agriroot.aua.gr/~nikant/nkvir/) CHANGELOG ==
==============================================================

version 1.9.4 to version 1.9.5 : release 22-Feb-2004
based on some ideas by Dan Smart
- new switches for quarantine or not certain e-mails
  - YAVRQUARANTEXE
    if set to ON it sends unknown executables to /virus/virus-could-be as usual
    if set to OFF it delivers at inbox with a warning (and the X- header ;)
  - YAVRQUARANTNIG same for nigeria scam
  - YAVRQUARANTPRN same for porn e-mails
  read instructions inside nkvir-rc
- X- marks in headers to help your own procmail scripts
  X-YAVR: MS-EXEC (any MS executable that wasn't identified by signatures)
  X-YAVR: NIGERIA (nigeria scam)
  X-YAVR: PORN (porn related)
  X-YAVR: MACRO (containing macro code)
  X-YAVR: XML-CODEBASE
  X-YAVR: IFRAME
  X-YAVR: CLSID-EXTENSION
  X-YAVR: SENDMAIL-EXPLOIT
- some more Worm.Moodown.b aka Netsky.b signatures
- another Mimail.Q

version 1.9.3 to version 1.9.4 : release 19-Feb-2004
- another Mimail.Q
- Worm.Moodown.b aka Netsky.b (samples by many ppl)

version 1.9.2 to version 1.9.3 : release 17-Feb-2004
- bugfix to Novarg signatures by Dan Smart
- Worm.Bagle.b signatures

version 1.9.1 to version 1.9.2 : release 16-Feb-2004
- additions to nigeria-scam
- additions to porn filter
- another Mimail.Q
- added more signatures of I-Worm.Novarg (samples by dz)

version 1.9.0 to version 1.9.1 : release 11-Feb-2004
- added more signatures of I-Worm.Novarg (samples by dz)

version 1.8.9 to version 1.9.0 : release 10-Feb-2004
- important structure changes (based on an idea by Brent A. Oswald)
- fixup of EICAR test virus signature (I hope..)
- added .hta extension for iframe

version 1.8.8 to version 1.8.9 : release 30-Jan-2004
- added I-Worm.Mimail.Q
- added generic signatures of I-Worm.Novarg (aka MyDoom)

version 1.8.7 to version 1.8.8 : release 28-Jan-2004
- added I-Worm.Dumaru.k
- added more signatures of I-Worm.Novarg (samples by many ppl.. thanks)
- some fixups in porn filter

version 1.8.6 to version 1.8.7 : release 27-Jan-2004
- added I-Worm.Novarg (samples by many ppl.. thanks)
- added .cmd extension for Windows executable files

version 1.8.5 to version 1.8.6 : release 19-Jan-2004
- added I-Worm.Bagle
- added I-Worm.Dumaru.g
- added Backdoor.Powerspider.a
- added I-Worm.Dumaru.c (sample by Fredrik Rodland)

version 1.8.4 to version 1.8.5 : release 22-Dec-2003
- added TrojanDropper.JS.Mimail.b (sample by Hernan Fernandez)
- added I-Worm.Sober.c (sample by Fredrik Rodland)
- added I-Worm.Torvil.d

version 1.8.3 to version 1.8.4 : release 17-Dec-2003
- added Trojan.LegendMir
- added Bugbear.b-datafile (sample by Fredrik Rodland)
- a lot of additions to nigeria-scam
- a new porn filter with small capabilities (by default set to OFF, check source)

version 1.8.2 to version 1.8.3 : release 04-Dec-2003
- added I-Worm.Mimail.m variant (zip, upx, decompressed) (sample by Hernan Fernandez)
- fixed a bug at Nigeria scams scan

version 1.8.1 to version 1.8.2 : release 25-Nov-2003
- added I-Worm.Hawawi.g (upx, decompressed) (sample by Bob Proulx)
- added I-Worm.Mimail.f variant (zip, upx, decompressed)
- added I-Worm.Mimail.damaged

version 1.8.0 to version 1.8.1
- added I-Worm.Mimail.e and Mimail.j variants

version 1.7.9 to version 1.8.0 : release 17-Nov-2003
- added I-Worm.Klez - a,b,c,d,f,g,i,j variants
- additions to Nigeria scam filter

version 1.7.8 to version 1.7.9
- added I-Worm.Mimail.i (upx, decompressed)

version 1.7.7 to version 1.7.8
- added I-Worm.Mimail.c (zip, upx, decompressed)

version 1.7.6 to version 1.7.7
- added Worm.P2P.Darby.b

version 1.7.5 to version 1.7.6 : release 03-Nov-2003
- added I-Worm.Sober
- added I-Worm.Mimail.g

version 1.7.4 to version 1.7.5 : release 23-Oct-2003
- added .chm (windows html help files) extension for possible worms
- added worms: Maldal(c,k), Roron(51), Icecubes, Energy, Lirva.e, Brit(-,b,c,d,h)

version 1.7.3 to version 1.7.4 : release 10-Oct-2003
- added Swen-upx (someone released Swen compressed... lamers..) (samples by Brian)

version 1.7.2 to version 1.7.3
- added I-Worm.Swen

version 1.7.1 to version 1.7.2
- added PWS-LegMir.worm (caught by YAVR first, analysed by AVERT Webimmune, REF:294942)
- added rtf extension to macro scanning and exclusion for nigeria scam

-----------------------------------------------------------------------------------------------
In order to keep a better release record version number changes from 7.1 (initial at freshmeat)
to 1.7.1. All following versions will go with the x.x.x pattern.
You can also now subscribe at http://freshmeat.net/projects/yavr/ if you have a freshmeat acc
-----------------------------------------------------------------------------------------------

version 7.0 to version 7.1
- added Worm.Dumaru.A
- changed the Sobig.F.bounces recipe.. I think it's ok now...

version 6.6 to version 7.0 (YAVR RELOADED :p)
- reorganized whole script in order to increase speed
  -- viruses categorized in families so e-mail body checks are decreased (speedup)
  -- viruses in the wild go on top of list (inside families) so they are checked first (speedup)
- added Worm.P2P.VB.ai

version 6.5 to version 6.6
- added MS-Blaster (Lovesan), lines 960-979

version 6.4 to version 6.5
- added Sobig.F bounce back e-mails trap, lines 223-235
- added some variant of Blaster, lines 960-973

version 6.3 to version 6.4 (thanks to all who sent me samples. I was on vacation.. :)
- added LovGate.I
- added Sobig.F
- added Mimail.A in many forms.. (zipfile, exefile packed and unpacked)

version 6.2 to version 6.3
- changes to CLSID detection
- web site for YAVR: http://agriroot.aua.gr/~nikant/nkvir/

version 6.1 to version 6.2
- changes to "name*=" detection

version 6.0 to version 6.1
- added another Sobig.gen signature, lines 208-213

version 5.9 to version 6.0
- added new section (lines 932-957) for worms that come in zip files
- added Sobig.gen (Sobig.E) signature, lines 941-954, sample by Gunther Richter

version 5.8 to version 5.9
- added Sobig.c signature by Fredrik Rodland, lines 196-201
- added Sobig.gen signature, lines 202-207
- added NetThief signature, lines 891-904

version 5.7 to version 5.8
- small change to BugBear killer line (315) just in case someone uses an UPX scrambler on the virus

version 5.6 to version 5.7
thanks to all that sent me samples and ready recipes..
- got really mad with BugBear and wrote a killer line (315) that seems to work.
- another Magistr.b, lines 497-505
- changes to "name*=" detection

version 5.5 to version 5.6
- added Sobig.b signature sent by Fredrik Rodland, lines 190-195
- added LovGate.f signature sent by Fredrik Rodland, lines 833-846

version 5.4 to version 5.5
- minor changes to variables (like $NIGDIR)

version 5.3 to version 5.4
- added another Magistr.b signature sent by Fredrik Rodland, lines 450-454

version 5.2 to version 5.3
- added another Magistr.a signature sent by Fredrik Rodland, lines 444-448

version 5.1 to version 5.2
- added I-Worm.Ganda signature, lines 784-797

version 5.0 to version 5.1
- another Magistr.a variant sent by Fredrik Rodland, lines 437-442
- added TrojanDownloader.Win32.Ultraset signature, lines 768-782
- nigeria scam rules change: lots... bored to write them all :)

version 4.9 to version 5.0
- possible sendmail header exploit trap by Fredrik Rodland, lines 866-877
- nigeria scam rules change:
  line 893: Urgent Overture
  line 919: Federal Ministry of Works and Housing
  line 926: Gbenga Daniels, Musa Koffi, MANUEL MIGUEL GONZALEZ

version 4.8 to version 4.9
- no scan for nigeria scam in e-mails with most common attachments like:
  do[tc]|xl[sa]|bat|vb[as]|scr|com|exe|pp[sa]|md[abwe]|zip|jpg|gif|tif|png|rar

version 4.7 to version 4.8
- nigeria scam rules change:
  line 897: South African Ministry of Energy and Mineral Resources
  line 898: Republic of South Africa Contract Award and Monitoring Commitee
  line 899: YOUR FULL SURPPORT AND C-O-O-P-E-R-A-T-I-O-N
  line 900: Chief of Military Tactics with the Government of Senegal
  line 907: KUMALO DILIZA, GILBERT GUIE, Folade Musa, Arthur Neilson
  line 915: HEAD OF STATE OF IVORY COAST
  line 916: Chairman of the National Chiropractic Health Care Advisory Committee

version 4.6 to version 4.7
- added one more Hybris signature, lines 253-258
- nigeria scam rules change, lines 903 added keywords "ABIDJAN", "COTE D'VOIRE"