Analysing a large corpus of clean files is fun. Many of these files go back as early as the 1980s. Analysing them en masse gives us a rare insight into the ‘state of the MZ stub’ from that time… You may ask why would we want to even look at it? Well, these files are still out there. On many inspected systems, servers, mirrors. Being able to recognize them is one way to cluster them into a bucket that we can… simply discard. We can create YARA sigs to catch these old goodware files by looking at signatures that were common back then, but today are no longer used. And even if some of them are old malware, they are not important by today’s standards anyway.

After I clustered my collection I was quite amazed. There are tons of strings and signatures that I have not seen for many years, many I never heard of, and many referenced technologies that are long gone.

!This program cannot be run in DOS mode.
!This program requires Microsoft Windows.
!This program cannot be run in a DOS session.
This program must be run under Microsoft Windows.
dPMODE/W v1.33 DOS extender – Copyright 1994-1.
PMODE/W v1.33 DOS extender – Copyright 1994-1.
!Library created by Axialis IconWorkshop.

I mentioned 1980s… here are the signatures for these:

PMODE\W v1.33 DOS extender – Copyright 1994-1.
The pmodedj.exe stub loader is Copyright (C) 1993-1.
This program requires Phar Lap’s 286|DOS-Extender.
WDOSX 0.95 DOS extender Copyright (c) 1996-1998 Michael Tippach.
WDOSX 0.96 DOS extender Copyright (c) 1996-2000 Michael Tippach.
WDOSX 0.96 DOS extender Copyright (c) 1996-2001 Michael Tippach.
WDOSX 0.97 DOS extender Copyright (c) 1996-2002 Michael Tippach.

And finally stats for strings that start with ‘This’:

This program cannot be run in DOS mode.
This program requires Microsoft Windows.
This program cannot be run in a DOS session.
This program requires OS/2 Presentation Manager.
this is a Windows NT (own RTL) dynamic link library.
this is a Windows NT dynamic link library.
this is an OS/2 16-bit dynamic link library.
this is an OS/2 32-bit dynamic link library.
this is a Windows 16-bit dynamic link library.
this is a Windows NT character-mode executable.
This is a Windows program, you cannot run it in DOS.
this is a Windows NT windowed executable.
this is an OS/2 linear extended dynamic link library.
This program cannot be run in DOS mode.$.
this is an OS/2 and eComStation dynamic link library.
this is a Windows NT character-mode dynamic link lib.
This is a Windows 95 dynamic link library.
this is an OS/2 linear extended executable.
This program requires Microsoft Windows.
This is a TrueType font, not a program.
this is a Windows NT windowed dynamic link library.
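
An added example, not the author's tooling: the Python below reads `e_lfanew` at offset 0x3C of the MZ header, searches only the stub region in front of it for messages taken from the lists above, and groups files by the message found. The function names, the 4096-byte fallback window and the constructed `make_sample` inputs are assumptions made for this illustration.

```python
import struct
from collections import defaultdict

# Stub messages copied from the lists on this page (trailing punctuation dropped).
KNOWN_STUBS = [
    b"This program cannot be run in DOS mode",
    b"This program cannot be run in a DOS session",
    b"This program requires Microsoft Windows",
    b"This program must be run under Microsoft Windows",
    b"This program requires OS/2 Presentation Manager",
    b"This is a Windows program, you cannot run it in DOS",
    b"PMODE/W v1.33 DOS extender",
    b"286|DOS-Extender",
    b"WDOSX 0.9",
]
FALLBACK_SCAN = 4096  # assumption: how far to look when e_lfanew is unusable


def stub_region(data: bytes):
    """Return the bytes between the 64-byte MZ header and the new header, or None if not MZ."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if 0x40 <= e_lfanew <= len(data) - 4:
        return data[0x40:e_lfanew]
    # Plain DOS executables have no valid e_lfanew; scan a bounded prefix instead.
    return data[0x40:0x40 + FALLBACK_SCAN]


def classify(data: bytes) -> str:
    """Name the bucket for one file: a known stub message, 'unknown stub' or 'not MZ'."""
    region = stub_region(data)
    if region is None:
        return "not MZ"
    for marker in KNOWN_STUBS:
        if marker in region:
            return marker.decode("ascii")
    return "unknown stub"


def cluster(files: dict) -> dict:
    """Group {name: bytes} by stub bucket so well-known old stubs can be set aside."""
    buckets = defaultdict(list)
    for name, data in sorted(files.items()):
        buckets[classify(data)].append(name)
    return dict(buckets)


def make_sample(message: bytes, e_lfanew: int = 0x80) -> bytes:
    """Constructed test input: MZ header, stub text, then a dummy new-header signature."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    return bytes(header) + message.ljust(0x40, b"\x00") + b"PE\x00\x00"
```

Files that land in the "unknown stub" bucket are the ones worth a closer look; the known buckets are the ones that can be triaged in bulk.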