viruspool.net - Malware research index

As the number of samples has grown steeply in the pas weeks I need to reorganise things a lot to handle them. I will also change the database and the virus listing pages to keep up. This will be done on the secondary server so the information will remain available whil I rebuild significant sections. I hope to finish most of it within a week from now. (Provided the weather remains as rainy as it is now ;-)

The vgrep database has been updated. It now contains detail for 18 scanners and 700000+ samples.

The VGREP database has been updates. With the result of 17 scanners on about 600000+ samples.

A bundle of new samples have been added.

The VGREP database has been updated.

The VGREP database has been updated.

The past few months were a bit quit but I am working through a backlog of files to add to the database. The number of entries will probly increase some more the next few days as well.

The VGREP database has been updated.

The VGREP database has been updated.

The vgrep results of November 2006 were released and are now part of the VGREP site.

A parsing error in the BitDefender and G Data parser was detected and fixed. The database was rebuild to get rid of all the incorrect entries.

Over time some scanners have shown to be unreliable for these tests. So a number of scanners have been removed from the process this required the database to be rebuild from logs. (The normal procedure is to add the daily results.)

Due to a small hardware glitch on the wrong moment it took almost 24 hours before the server was back up. (If it ain't proof of murphy's law then what is?)

The vba32 scanner had an update and it now survives all the samples it used to die on earlier.

The avast scanner has a new library and it now survives all the samples it used to die on earlier.

Through some honeypots I learned about a number of sites spreading malware that get advertised through windows popups (UDP/1026). This blacklist will publish all domain names involved.

After a number of minor changes in background processes and having to remove a number of sample to make sure none of the scanners crash it is time to reload the database fresh from the scan files.

Today CyberSoft joined the ranks of organisations with acess to the malware collection. I hope this will help them make a better product.

The new vgrep data was loaded into the VGREP site. These scan ran from the 16th to the 18th of june.

After doing some study on the various virus encyclopedia links provided by the manufacturers I was able to work out some translations from names to a URL. This will result in more links back to manufacturer so you can find more details about the sample and what it is supposed to do. While it ain't perfect it may help more people detecting and cleaning out malware.

Untill now no effort had been put in to find duplicate entries. But as I expect not to add new scanners and their parsers are functioning withing established parameters I can focus on the sample database. About 2500 samples were duplicates as their MD5 checksum told me. I think I got rid of all of them now. So the database can be reset to clear out the incorrect file pointers.

Due to a bug in the VBA32 parser some links were not established. This issue is now corrected. This should be the last required fix. So the database can be reset to clear out the incorrect file pointers.

Due to a bug in the Central Command Vexira parser some links were not established. This issue is now corrected.

Due to a bug in the Grisoft AVG 2005 parser some links were not established. This issue is now corrected.

Due to a bug in the VirusBuster 2005 parser some links were not established. This issue is now corrected.

Due to a bug in the CAT QuickHeal parser some links were not established. This issue is now corrected.

Due to a bug in the Trend Micro parser some links were not established. This issue is now corrected.

Due to a bug in the F-Prot parser some links were not established. This issue is now corrected. Other issues exist at least in the parser for Trend-Micro and VirusBuster. These will be taken care of next.

A new Sample scan page has been added. With this page you can submit a suspected file to be scanned. The results of some scanners is shown right away. Other results may be reported later.

A special Partners page has been added.

After improving the synchronisation of sample files the timestamps should become more accurate. In order to show this a database reset is required.

For those parties that have signed up there is now an announcement mailinglist. Via this mailinglist all parties will be notified when a set of new samples is placed on the server.

The scanner from G Data called AVL for Linux Console v7.0 has been added. It seems to be an OEM version of BitDefender for Linux v7.0

The database needed a reset as the NOD32 parser was not working correctly. It should result in less bogus entries. Perhaps other reset may be required to get rid of all the bogus entries.

Added the VirusBlokAda results to the database.

Added the Hauri ViRobot results to the database. This is a scanner with a poor detection rate..

Added the MicroWorld escan results to the database. This is a scanner with a very high detection rate..

Added the Arcavir results to the database. Oddly enough the results are different from mks_vir while they seem to share the same engine.

The KlamAV scanner uses the VirusPool database to match descriptions.

Some of you may have noticed that the past few days a Mydoom variant became rather active again and has pushed the old NetSky variant from the top menace position.

Due to the files removed from the collection the database neded to be reset to be accurate.

Added the Ikarus PSCAN scanner to the results.

Added the MKS_VIR scanner to the results.

Added the Grisoft AVG scanner to the results.

Due to planned activities the server was unreachable for some hours.

A new version of the VGREP database has been loaded. The scans were done in the beginning of May.

The database now has the CME-MITRE info in the descriptions for the relevant entries. The information is taken from the CME list as publised in XML format. As the CME information is linked to scanners I do not (yet) test they will have more names for the high-profile malware entries. The handling of the CME info is integrated into the core database build procedures to make sure they remain accurate.

Pretty much as I feared a forum attracts webspammers to boast their junk sites. As I see no point in running a forum I have removed it from the site as I have no wish to invest time in keeping a forum free of those buggers. This news section will do just fine to communicate changes and other related information. If someone wants their ads up here they can take it up with google by following the proper link.

The database has been rebuilded from the latest log files. Avast now completes the run again. The following samples were removed as they crashed the Avast software: Appelscha.2161 CyberTech.501.a Desperado.b Hydra.1649 Radyum.860 Seat.2389 Vic.793 Virus.DOS.Hydra.1162 Virus.DOS.SillyC.501 Arara.1038 DBF.990 DOS.Grog Jerusalem.Dengue Scoundrel.3323 V.873.a Virus.DOS.Corrupted.Joshua Virus.DOS.Jvirus.2267 Bobo.1363 Death.1001 Grog.1200 Mvf.1866 Seat.1868 VGEN_41661 Virus.DOS.Desperado.c Virus.DOS.Mvf.1896

The database has been rebuilded from the latest log files. This rebuild takes about an hour but is the only reliable way to make sure the database is consistent. Normal updates will only add records to the database. During this rebuild you may notice there are less (or even a few) entries in the database.