Virus List
======

I still have a very old sample of Honecker if you want it.

Yes please send me a sample, archive it with a password...thank you

Very useful to check old HDDs found in systems, thanks for the hard work!

keropi wrote on 2024-05-23, 13:55:

Very useful to check old HDDs found in systems, thanks for the hard work!

50% of the time it will find or detect the most common viruses of that DOS era. Nevertheless , still useful if you need to transfer it using a floppy disk , since most antiviruses especially the updated ones such as those released in the late 90's
are so huge that they barely fit in a 1.44MB disk. Thank you too!

Nice! Will check it out after my holidays. How complete is the virus list btw? Does it detect all known dos viruses or a subset?

Yoghoo wrote on 2024-05-23, 14:56:

Nice! Will check it out after my holidays. How complete is the virus list btw? Does it detect all known dos viruses or a subset?

Cool. It will detect all those viruses that are present in the virus list and identify a couple of variants of subsets such as Stoned, Jerusalem, etc. There is no such antivirus that will detect all "known" DOS viruses. Some virus may be detectable by one vendor and others may not be able to detect it. Although, antiviruses such as Kaspersky and F-Prot are best in detecting them through heuristics, even though they are not "known" to them. I've have seen may viruses in my collection missed by those two vendors as well

Masaw wrote on 2024-05-23, 13:27:

Yes please send me a sample, archive it with a password...thank you

https://www.sendspace.com/file/x3y3ew
password is: honecker

Geri wrote on 2024-06-02, 18:01:

Masaw wrote on 2024-05-23, 13:27:

Yes please send me a sample, archive it with a password...thank you

https://www.sendspace.com/file/x3y3ew
password is: honecker

Cool, thanks!

I know DOS hasn't been updated since before 2005, but why is the copyright still on 2005? Has this not been updated since 2005?

demiurge wrote on 2024-06-03, 02:50:

I know DOS hasn't been updated since before 2005, but why is the copyright still on 2005? Has this not been updated since 2005?

It was suppose to be a "final" release in 2005 but wasn't able to finished all the things I wanted to put in...I did however rewrite many parts of the code in 2015 and added few again things in 2019 and lastly just this February and May 2024 but didn't bother to change the copyright date.

This is very cool, thank you! A couple of questions, if you don't mind:
- any chance VCHECK could run on an 8086? (possibly with less options) F-PROT requires a 386, so it would be nice to have an option for older PCes (8086/80186/80286)
- it fails to detect EICAR - could you please add a signature for it?
- I'd like to distribute VCHECK through the SvarDOS repository - is that okay?
- there are thousands of DOS viruses out there... Maybe could you look into importing signatures from another Antivirus, for example ClamAV?

mateusz.viste wrote on 2024-09-03, 21:55:

This is very cool, thank you! A couple of questions, if you don't mind: - any chance VCHECK could run on an 8086? (possibly with […]
Show full quote

This is very cool, thank you! A couple of questions, if you don't mind:
- any chance VCHECK could run on an 8086? (possibly with less options) F-PROT requires a 386, so it would be nice to have an option for older PCes (8086/80186/80286)
- it fails to detect EICAR - could you please add a signature for it?
- I'd like to distribute VCHECK through the SvarDOS repository - is that okay?
- there are thousands of DOS viruses out there... Maybe could you look into importing signatures from another Antivirus, for example ClamAV?

- VCheck can run on 808X emulated processor such as V20,V30 but not 808X. It requires at least 80286 processor
-The v1.03 release VCheck+ includes detection for EICAR but subsequently removed from later releases.
-yes it's ok to distribute it
-DOS viruses are basically "extinct" ... majority of these viruses only exist on old/vintage systems and storage media that few people use today

Thanks for your comment. I understand that DOS viruses are fossils, and of course I was not suggesting to mass-import millions of signatures for modern windows viruses, but leverage some existing virus base to expand VCHECK's detection rate of DOS viruses.
According to the list of viruses from VCHECK's 2.01 help, it is able to detect only about 200 viruses. This is a modest percentage of existing (ancient) DOS viruses: for example MkS_Vir 5.29 from 1996 has a documented database of about 700 DOS viruses. I have never created an antivirus so I do not know how these signatures work exactly, but I imagine it is a very tedious process to create them manually, hence the idea that maybe it would be feasible to import some extra signatures (DOS-related) from (for example) ClamAV.

About EICAR: any reason not to detect it? It's a de facto industry standard today, reaching to it to test VCHECK was my first reflex.

286+ - I understand VCHECK requires a 286 today, my question was rather to know if it would be possible to run it on a 8086 for example by recompiling it. But maybe it is not that simple, I do not know. As I was saying, for 386+ PCs there is F-PROT, but nothing for pre-386 PCs. VCHECK covers 286 which is cool, but there is still a void for 8086/80186 machines. On such machines I use an old commercial copy of MkS_Vir 5.29, but it would be really awesome to have a more modern and freely distribuable option.

mateusz.viste wrote on 2024-09-04, 08:44:

Thanks for your comment. I understand that DOS viruses are fossils, and of course I was not suggesting to mass-import millions o […]
Show full quote

Thanks for your comment. I understand that DOS viruses are fossils, and of course I was not suggesting to mass-import millions of signatures for modern windows viruses, but leverage some existing virus base to expand VCHECK's detection rate of DOS viruses.
According to the list of viruses from VCHECK's 2.01 help, it is able to detect only about 200 viruses. This is a modest percentage of existing (ancient) DOS viruses: for example MkS_Vir 5.29 from 1996 has a documented database of about 700 DOS viruses. I have never created an antivirus so I do not know how these signatures work exactly, but I imagine it is a very tedious process to create them manually, hence the idea that maybe it would be feasible to import some extra signatures (DOS-related) from (for example) ClamAV.

About EICAR: any reason not to detect it? It's a de facto industry standard today, reaching to it to test VCHECK was my first reflex.

286+ - I understand VCHECK requires a 286 today, my question was rather to know if it would be possible to run it on a 8086 for example by recompiling it. But maybe it is not that simple, I do not know. As I was saying, for 386+ PCs there is F-PROT, but nothing for pre-386 PCs. VCHECK covers 286 which is cool, but there is still a void for 8086/80186 machines. On such machines I use an old commercial copy of MkS_Vir 5.29, but it would be really awesome to have a more modern and freely distribuable option.

-The almost 200 virus signatures are base signatures, since each signature can identify from two to as much as 10 variants. so exact identification is close to 400 unique viruses. Version 2.0 is supposed to be a "revamped"
release version where in many of the viruses detected from early version were dropped off from the list since I have prioritized detection of most common viruses found "in the wild" locally in my country, viruses that are known to be written by a Filipino and viruses that are wrecking havoc across the world a.k.a those DOS viruses that are present int then Wild List Org monthly report from 1993-99, in that order and many of which are not even included yet due to size constrain of the EXE file because I want to make it as portable as possible by not using external data files, hence the idea of reading external public search strings was not conceptualized.

-the 286 requirement was a dilemma, I wanted it to be able to run under 8086 but the C++ compiler wouldn't allow it for some reasons. Maybe it would but it will be a choice between losing many features and 8086 compatibility . Since I don't have control on how the compiler works, that means I have to rewrite and reorganize many if not all of the functions under assembly language. If I would release v2.02 it would be a "major" release and I would certainly consider bringing back the /EICAR option as well. One of the options would be creating a separate command-line only "lite" version or no GUI support which would significantly reduce the file size.

Noice. A smoll antivirus to complement latest dos f-prot to scan my retro newcommers. 😏 Usually have a thing to take out all hard drives from new stuff i got somewhere, then put them on a secon channel drive on my computer, do not boot, do not execute. Just antivirus and then disk tools, then look what's in there.

mateusz.viste wrote on 2024-09-04, 08:44:

According to the list of viruses from VCHECK's 2.01 help, it is able to detect only about 200 viruses. This is a modest percentage of existing (ancient) DOS viruses: for example MkS_Vir 5.29 from 1996 has a documented database of about 700 DOS viruses. I have never created an antivirus so I do not know how these signatures work exactly, but I imagine it is a very tedious process to create them manually, hence the idea that maybe it would be feasible to import some extra signatures (DOS-related) from (for example) ClamAV.

The final Virus Buster version for DOS - from around 1999 - was able to detect about 20 000 or so, if my memory is correct. These were all existing, and alive viruses for dos, and most antivirus were super crappy compared to it.
Sadly, i haven't made a backup from it, and only the very limited versions float online with non-full virus list.

can this be made to work on a USB boot drive? does anyone have a ready made iso?

Masaw wrote on 2024-05-23, 15:14:

There is no such antivirus that will detect all "known" DOS viruses.

There would exist a simple antivirus algorithm that will detect all file and boot sector tampering viruses on a vintage DOS system.

1. Install the antivirus software to a pristine DOS installation that you know to be good. (e.g. new formatted system)
2. On the first boot of the system, store a mirror copy or a hash of the boot sector.
3. On subsequent boots, if the mirror/hash differs from the actual boot sector, report that a modification has occurred.
4. Hook into DOS mechanism that starts up .EXE and .COM files.
5. Whenever a new .EXE or a .COM file is launched, record its hash and its path.
6. Whenever an existing .EXE or a .COM file is launched that already has a hash for that path, compare the hash. If it differs, then report that a modification has occurred.

That is, the good old Microsoft Anti-Virus CHKLIST.MS algorithm.

However, CHKLIST.MS files became weaker since viruses knew to attack MSAV and those files. (the cat and mouse problem)

But now since DOS viruses are obsolete, a novel CHKLIST.MS style anti-virus approach would work just fine, and track all viruses that are based on infecting files or boot sectors.