22 Feb 2010

Tool: Virustotal.rb

Last year at BlackHat I had some free time on the plane and wrote this script for querying Virustotal for anti-virus results on a large number of files. I lost this particular script and wrote a different one for a project at work. Now that I have found this one again, I am posting it here to help anyone doing malware analysis. Below is an example of the output; the script supports both standard text output and XML output. Questions? Comments? Bugs? Let me know and I will take a look.


[hammackj@taco:~/projects/reverse/trunk/virustotal]$ ./virustotal.rb
virustotal.rb v1.0
Jacob Hammack
http://www.hammackj.com

[*] Usage: ./virustotal.rb [mode]  [targets]

Modes:
    -x, --xml-output                 Print results as xml to stdout
    -f, --search-file FILE           Searches a file of hashes on virus total
    -s, --search-hash HASH           Searches a single hash on virus total
    -h, --help                       Show this message

[hammackj@taco:~/projects/reverse/trunk/virustotal]$ ./virustotal.rb -f testhashes.txt 
deb2d2527f2bc85a01df628dcb299b08: Scanner: eSafe Result: Win32.TrojanHorse
694e9bc2ade4f30c99d8a59340307e1a: Scanner: - Result: Not Found
4c0f0b57de8c1669aa6f49d285b3865a: Scanner: - Result: Not Found
cb28c0119a39a215dc58e1af05a50bef: Scanner: - Result: Not Found
44e3c404eff8a62ecb4679041a8e9aea: Scanner: - Result: Not Found
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: a-squared Result: Net-Worm.Win32.Kido!IK
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: AhnLab-V3 Result: Win32/Conficker.worm.62976
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: AntiVir Result: Worm/Conficker.AC
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Authentium Result: W32/Downldr2.EXAE
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Avast Result: Win32:Kido-D
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: AVG Result: Worm/Generic_c.YH
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: BitDefender Result: Win32.Worm.Downadup.Gen
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: CAT-QuickHeal Result: I-Worm.Kido.dam.y
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Comodo Result: NetWorm.Win32.Kido.ih3
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: DrWeb Result: Win32.HLLW.Shadow.5
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: eTrust-Vet Result: Win32/Conficker.B
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: F-Prot Result: W32/Downldr2.EXAE
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: F-Secure Result: Worm:W32/Downadup.AB
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Fortinet Result: W32/Conficker.A!worm
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: GData Result: Win32.Worm.Downadup.Gen
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Ikarus Result: Net-Worm.Win32.Kido
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Jiangmin Result: TrojanDownloader.Agent.axwm
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: K7AntiVirus Result: Trojan-Downloader.Win32.Agent.aqfw
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Kaspersky Result: Net-Worm.Win32.Kido.dam.y
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: McAfee Result: W32/Conficker.worm
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: McAfee+Artemis Result: Artemis!D9CB288F3171
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: McAfee-GW-Edition Result: Worm.Conficker.AC
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Microsoft Result: Worm:Win32/Conficker.A
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: NOD32 Result: Win32/Conficker.A
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Norman Result: Conficker.HB
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: nProtect Result: Trojan-Exploit/W32.MS08-067.62976
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Panda Result: W32/Conficker.A.worm
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: PCTools Result: Trojan-Downloader.Agent
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Prevx Result: High Risk Worm
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Rising Result: Hack.Exploit.Win32.MS08-067.k
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Sophos Result: W32/Confick-A
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Sunbelt Result: Worm.Win32.Downad.A
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Symantec Result: W32.Downadup
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: TheHacker Result: Trojan/Downloader.Agent.aqfw
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: TrendMicro Result: WORM_DOWNAD.A
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: VBA32 Result: Worm.Win32.kido.58
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: ViRobot Result: Trojan.Win32.Downloader.62976.AJ
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: VirusBuster Result: Worm.Conficker.BE
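
As an added example (not part of virustotal.rb), here is a small Ruby parser for the text output shown above. It groups the "HASH: Scanner: NAME Result: DETECTION" lines by hash, separates hashes Virustotal has never seen ("Not Found") from real detections, and classifies each hash as MD5 or SHA-1 by its length; the sample lines are a constructed subset of the run above.

```ruby
# Added example, not part of virustotal.rb: summarize the tool's text output
# per hash so a large batch can be triaged without reading every line.

# Constructed sample of the "HASH: Scanner: NAME Result: DETECTION" lines
# (a subset of the run shown above).
SAMPLE_OUTPUT = <<~OUT
  deb2d2527f2bc85a01df628dcb299b08: Scanner: eSafe Result: Win32.TrojanHorse
  694e9bc2ade4f30c99d8a59340307e1a: Scanner: - Result: Not Found
  5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Kaspersky Result: Net-Worm.Win32.Kido.dam.y
  5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Microsoft Result: Worm:Win32/Conficker.A
  5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Symantec Result: W32.Downadup
OUT

# One output line: hex hash, scanner name (or "-" when not found), result text.
LINE_RE = /\A(?<hash>\h+): Scanner: (?<scanner>.+?) Result: (?<result>.+)\z/

# Classify a hash by hex length so a hash file can be sanity-checked
# before it is submitted (MD5 and SHA-1 both appear in the run above).
def hash_type(hash)
  case hash.length
  when 32 then :md5
  when 40 then :sha1
  when 64 then :sha256
  else :unknown
  end
end

# Returns { hash => { type:, found:, detections: { scanner => result } } }.
def summarize(output)
  output.each_line.with_object({}) do |line, summary|
    m = LINE_RE.match(line.strip) or next  # skip banner/usage lines
    entry = summary[m[:hash]] ||= { type: hash_type(m[:hash]), found: false, detections: {} }
    next if m[:result] == "Not Found"      # Virustotal has no record of this hash
    entry[:found] = true
    entry[:detections][m[:scanner]] = m[:result]
  end
end

# Number of scanners flagging a hash (0 for hashes Virustotal has not seen).
def detection_count(summary, hash)
  summary.fetch(hash, { detections: {} })[:detections].size
end

summarize(SAMPLE_OUTPUT).each do |hash, e|
  status = e[:found] ? "#{e[:detections].size} detection(s)" : "not on Virustotal"
  puts "#{hash} (#{e[:type]}): #{status}"
end
```

A hash reported as "Not Found" means only that Virustotal has no record of it, not that the file is clean, so those entries deserve a separate queue for local analysis.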

You can get the latest code at https://github.com/hammackj/ruby-virustotal.