HMVS

Macro Virus Scanner for MS Word and Excel

BMT Micro, Inc (http://www.bmtmicro.com) is announcing HMVS, a macro virus scanner for MS Word and Excel for Windows, including NT. This new release adds detection for more than 500 new macro viruses. The HMVS viral database now contains signatures for more than 3200 different macro viruses. To download the demo, go to the BMT Micro web site and search for hmvs311e.zip (721 KB). Registration costs US$ 15,00.

===========================

Advanced tool for detection of known

and unknown macro viruses


Heuristic and neural macro virus

scanner/cleaner for MS Word 6/7/8,

MS Excel 5/6/7/8 and MS Access 8.0.


Ultimate macro virus dissector


(c) J. Valky, L. Vrtik, R. Marko


Portions (c) Maros Grund, Tomas Pail

===========================

Description

HMVS is a macro virus scanner for MS Word and Excel with the following features:

MS Word 6.x, 7.x macro virus scanner/cleaner

Heuristic and neural MS Word 6.x, 7.x macro virus scanner

MS Excel 5.x, 7.x virus scanner/cleaner

generic MS Excel 5.x, 7.x virus scanner

Excel'97 and Word'97 scanner/cleaner

Heuristic Word'97 macro virus scanner

Ultimate MS Word 6.x, 7.x, Excel'97 and Word'97 dissector

HMVS is "smart" and uses several methods to determine whether a file is infected:

Standard 'pattern searching' method based on 'identification strings'

This is a well-known method used in most virus scanners. The search string method is fast and reliable, but can search only for known viruses.

CRC16 method

This is a good method for exact identification of static viral macros. However, this method is usable only for older generations of macro viruses.

Smart CRC16

Intelligent checksumming driven by heuristics. This method is used for detecting viruses such as Hunter.C, Slow A/B etc.

Algorithmic scanner

This method is based on searching for some specific action for a virus and is used to search for polymorphic macro viruses (like Uglykid.A).

Heuristic analysis

HMVS uses unique heuristic technology. HMVS uses a special semi-emulator of Word macro commands and will trace through each command in a macro, step by step, and try to understand the macro code. This is a very reliable method and we hope that we can detect almost every virus using this method.

Neural network driven scanner

HMVS is probably the only scanner using this method for scanning MS Word 6.x, 7.x files.

Results of neural network scanning are strongly dependent on the amount of information about viruses and clean macros. Math coprocessor is required to use this method.
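The first two methods above, identification-string search and whole-macro CRC16, can be compared side by side in a short added example (not HMVS code). It assumes CRC-16/CCITT via Python's `binascii.crc_hqx`, since the page does not say which CRC16 variant HMVS uses; the signature name `Demo.A`, the marker strings and the macro texts are constructed, inert sample data.

```python
import binascii

# Constructed, inert macro text used only as sample input (not real virus code).
KNOWN = b"Sub AutoOpen\nREM DEMO-MARKER-A1\nk = 1\nEnd Sub\n"
# Same macro with a single byte changed, as a trivially modified variant.
VARIANT = KNOWN.replace(b"k = 1", b"k = 2")
# A macro that carries neither the identification string nor the stored checksum.
OTHER = KNOWN.replace(b"DEMO-MARKER-A1", b"DEMO-MARKER-B2")


def crc16(data: bytes) -> int:
    # Assumption: CRC-16/CCITT (polynomial 0x1021, initial value 0).
    return binascii.crc_hqx(data, 0)


# Hypothetical signature database: one identification string and one
# whole-macro CRC16 per virus name.
SIGNATURES = {
    "Demo.A": {"ident": b"DEMO-MARKER-A1", "crc16": crc16(KNOWN)},
}


def scan_macro(body: bytes) -> dict:
    """Return the signature names matched by each method for one macro body."""
    hits = {"pattern": [], "crc16": []}
    body_crc = crc16(body)
    for name, sig in SIGNATURES.items():
        if sig["ident"] in body:          # pattern search: substring match
            hits["pattern"].append(name)
        if body_crc == sig["crc16"]:      # CRC16: whole macro must be identical
            hits["crc16"].append(name)
    return hits


def verdict(body: bytes) -> str:
    """Prefer the exact CRC16 match; fall back to the identification string."""
    hits = scan_macro(body)
    if hits["crc16"]:
        return "exact: " + hits["crc16"][0]
    if hits["pattern"]:
        return "suspected variant of " + hits["pattern"][0]
    return "no known signature"


if __name__ == "__main__":
    for label, body in (("known", KNOWN), ("variant", VARIANT), ("other", OTHER)):
        print(label, "->", verdict(body))
```

The one-byte variant loses its CRC16 match but still hits the identification string, which is why whole-macro checksums only give exact identification for static macros.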

New in this release:

Detection for more than 500 new macro viruses. The HMVS viral database now contains signatures for more than 3200 different macro viruses

New language modules - HMVS now speaks English, Italian, German, Spanish, Polish, Hungarian, Czech and Slovak.

Word'97 and Excel'97 heuristics have been improved

OLE2 engine for VBA5 has been improved

Command line option '-VIRLIST' works

Added 'RTF' to the list of default scanned file extensions

Fixed problems with using LNF



History

HMVS 3.11, 10-jan-1999

===========================

* bugfix (previous version 3.10 crashed under MS DOS)



* improved Access'97 and Word'97 heuristics



* reduced false positive alarms



* corrected some texts in German language module



HMVS 3.10, 20-dec-1998

===========================

* we have added detection for more than 500 new macro viruses so HMVS'

viral database contains signatures for more than 3200 different macro

viruses



* we added new language modules - HMVS speaks now English, Italian, German,

Spanish, Polish, Hungarian, Czech and Slovak.



See users manual for more information about using language modules.



* Word'97 and Excel'97 heuristics have been improved



* OLE2 engine for VBA5 has been improved



* command line option '-VIRLIST' works



* we added 'RTF' to the list of default scanned file extensions



* fixed some problems with using LNF



List of new HMVS 3.00(ß) features:

===========================

* Richard Marko (one of the two famous NOD Antivirus leading programmers)

joined the HMVS team



* HMVS 3.00 is now a 32-bit application compiled with DJGPP GCC++ compiler

- works under MS DOS, MS Windows 3.x, MS Windows 95/98/NT 4.0



* HMVS 3.00 was redesigned as a modular system with an object-oriented architecture



* HMVS 3.00 supports plug-ins



* new design of user interface

The new HMVS interface is easy to use for beginners as well as for

experienced users.

The new interface was designed with the aim of giving the user full control

over the process of inspecting and cleaning macros/modules inside files.

HMVS switched to advanced cleaning mode navigates the user through several

options to let him decide which actions should be performed with

selected object.

Because of the new modular architecture multiple pass processing on

selected objects is possible.



* added MS Access engine

- the new engine allows user to scan even inside encrypted and password

protected databases

- added MS Access dissector

- added MS Access heuristics

! current engine doesn't support old MS Access formats.

! cleaning options aren't supported in this version, you have to wait

for next version



* added new Excel VBA3 engine

- new scanning engine based on P-CODE parser for exact virus identification

- new Excel VBA3 P-CODE based heuristics

- added Excel VBA3 dissector (VBA3 discompiler)

- added neural network driven scanner for Excel VBA3 viruses



* added Excel Formula engine

- added scanner for XF viruses

! cleaning options will be available in next version



* new MS Word 6/7 engine

- added support for MS Word 6/7 password protected files

(it is possible to scan and clean MS Word 6/7 password protected files)

- improved WordBasic heuristics

- MS Word dissector/discompiler supports two different token sets

1. MS Word 6/7 token database (2093 tokens)

2. MS Word 8 token database (2876 tokens)

By using language specific MS Word 8 token set database it is

possible to produce source code in 12 different languages:



Brazil, Danish, Dutch, English, Finnish, French, German, Italian,

Norwegian, Portuguese, Spanish, Swedish



* new virus database / signature definition file

- new way of virus detection

- different colors are used for displaying viral, legitimate and clean

macros

- we have significantly increased the number of viruses in HMVS'

database. HMVS detects now more than 2700 macro viruses by name.



* new amazing on-the-fly neural teaching

- HMVS is able to detect frequently occurring macros/modules, which is

typical for a virus infiltration



* there are many other improvements, such as

- new sets of command line parameters

- the full control over HMVS through HMVS' configuration file

and much more.

Just 'play' with HMVS. We're sure you will love it !



CONTACT AUTHOR

If you want to contact the authors, here is all you need:

Lubos Vrtik (speaking for HMVS)

E-mail: vrtik@vuje.sk

Voice: +421 805 5569220

Fax: +421 805 5501471

Snail mail (home):

Lubos Vrtik

D. Stura 1011/4

926 01 Sered

Slovak Republic

Snail mail (office):

Lubos Vrtik

VUJE Trnava Ltd.

Okruzna 5

918 64 Trnava

Slovak Republic



Jan Valky (HMVS' team leader)

E-mail: Jan.Valky@st.fmph.uniba.sk

Jan.Valky@nw.fmph.uniba.sk

Voice: +421 707 7892410

Fax: +421 707 7895632

Snail mail (home):

Jan Valky

Trnavska 925/926

926 01 Sered

Slovak Republic



Richard Marko

E-mail: marko@eset.sk

Voice: +421 7 4445 79 37

Fax: +421 7 4445 79 38

Snail mail (office):

Richard Marko

ESET Ltd.

Pionierska 9/a

831 02 Bratislava

Slovak Republic
