The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Found back some emails and links from way back when promoting/helping ThunderByte AntiVirus (hi Frans Veldman)

Posted by jpluimers on 2026/01/20

Nice memories of the TBAV/ThunderByte Anti-Virus story.

Together with Jeroen Smulders, I was sort of on the sideline in the early days as we both were at the university and had access to FidoNet (I as host, other Jeroen as point), Internet, mailing lists and newsgroups.

I used it because it was the fastest Virus Scanner around and a need when scanning all incoming FidoNet data for viruses (I had seen at university what damage a spread could do).

Some VIRUS-L, comp.virus and book links from that past:

  • 1991: [Wayback/Archive] VIRUS-L Digest V4 #96

    VIRUS-L Digest Monday, 3 Jun 1991 Volume 4 : Issue 96

  • 1991: [Wayback/Archive] http://victoria.tc.ca/int-grps/books/techrev/pctbscan.rvw
    PCTBSCAN.RVW   910612
                                   Comparison Review
  • 1991: [Wayback/Archive] Usenet Archive: [comp.virus] Windows 3.0 / F-Prot
    There is a Dutch anti-virus program that is Windows 3.0 aware.  It is
    called TBSCANX (ThunderByte Scanner Resident). It knows when windows
    start up, and you can put it on or off in every DOS window without
    loading the program again.
    
    TBSCANX is a resident scanner that scans for writes to .EXE and .COM files.
    When it finds that a virus signature is going to be written, it alarms you.
    
    I'm planning to do an upload of this scanner (+ virus signatures)
    to the SIMTEL20 archives ASAP.
    
  • 1991: [Wayback/Archive] Usenet Archive: [comp.virus] Standarized virus
    Well, there is some sort of standard. It is being used by VIRSCAN,
    HTSCAN and TBSCAN/TBSCANX.
    
    The file consists of a list of signatures. All lines starting with ;
    are considered to be a comment.  Every signature has three lines. The
    first line contains the virus name (Jerusalem-B) for instance. The
    second line consists of keywords BOOT COM or EXE (and defines the type
    of infection).  The third line has the virus signature (a HEX string
    of bytes).
    
  • 1992: [Wayback/Archive] Novell reports threat to key product – UPI Archives

    Novell said the means for breaking into the program was discovered and documented by students and professors of Leiden University in the Netherlands, but it did not offer further details.

  • 1993: [Wayback/Archive] exvacuo.free.fr/div/Technic/DOS/INTERRUP/
    • [Wayback/Archive] exvacuo.free.fr/div/Technic/DOS/INTERRUP/INTERRUP.1ST
      Interrupt List     Release 34          Last change 4/3/93

       3/91 Jeroen Pluimers  2:281/521             TBSCANX

      TBScanX v2.3 API extracted from the TBScanX documentation (Frans Veldman,
      ESaSS B.V., P.O. Box 1380, 6501 BJ Nijmegen, The Netherlands).  Added 3/12/91.

      ESaSS B.V.         (TBSCANX, ThunderByte, STACKMAN)
      Thunderbyte PC Immunizer Division
      P.O. Box 1380
      6501 BJ Nijmegen
      The Netherlands
      Voice: +31-80-787 881
      FAX:   +31-80-789 186
      BBS:   +31-85-212 395

    • [Wayback/Archive] http://exvacuo.free.fr/div/Technic/DOS/INTERRUP/INTERRUP.F
      --------v-2FC900BP0000-----------------------
      INT 2F U - ThunderByte??? - INSTALLATION CHECK
          AX = C900h
          BP = 0000h
      Return: AL = FFh if installed
              BP >= 0014h
      Note:   called by TBSCANX
      SeeAlso: AX=C987h,AX=CA00h
      --------v-2FC987-----------------------------
      INT 2F U - ThunderByte??? - DISINFECT FILE???
          AX = C987h
          BX:DX -> filename
          BX:CX -> virus name
      Return: AX = status
              0000h successful???
      Note:   called by TBSCANX
      SeeAlso: AX=CA00h
      ----------2FC9FF-----------------------------
      INT 2F C - STACKMAN - INSTALLATION BROADCAST
          AX = C9FFh
          BL = BCD version number
          CX = number of stacks
          DX = stack size in bytes
      Notes:  called by STACKMAN when it goes resident to inform interested TSRs that
            its API is available
          the installation check consists of testing for the string "STACKXXX" at
            offset 0Ah from the INT B4 handler
      SeeAlso: INT B4"STACKMAN",INT B5"STACKMAN"
      Index:  installation check;STACKMAN
      --------v-2FCA00BX5442-----------------------
      INT 2F - TBSCANX - INSTALLATION CHECK
          AX = CA00h
          BX = 5442h ('TB')
      Return: AL = 00h not installed
             = FFh installed
              BX = 7462h ('tb') if BX was 5442h on entry
      Program: TBSCANX is a resident virus scanning module by Frans Veldman.
      Note:   programs may perform virus checks on themselves, other program files,
            or their data files by invoking the TBSCANX API.
      SeeAlso: AX=4653h,AX=C900h
      --------v-2FCA01-----------------------------
      INT 2F - TBSCANX - GET STATUS
          AX = CA01h
      Return: AH = BCD version number (v2.2+)
             = CAh for versions before 2.2
          AL = state (00h = disabled, 01h = enabled)
          CX = number of signatures which will be searched
      ---v2.0---
          BX = EMS handle, 0000h if not using EMS
      ---v2.3+---
          BX = segment of swap area, 0000h if not swapped
          DX = EMS or XMS handle (XMS handle if BX=0000h), FFFFh if not using EMS
      SeeAlso: AX=CA02h
      --------v-2FCA02-----------------------------
      INT 2F - TBSCANX - SET STATE
          AX = CA02h
          BL = new state (00h = disabled, 01h = enabled)
      SeeAlso: AX=CA01h
      --------v-2FCA03-----------------------------
      INT 2F - TBSCANX - SCAN BUFFER
          AX = CA03h
          CX = size of buffer
          DS:DX -> buffer containing data to scan
      Return: CF clear if no virus signatures found
              BX,ES destroyed
          CF set if signature found
              ES:BX -> ASCIZ virus name (v2.3+)
              DS:DX -> ASCIZ virus name (v2.0)
          AX,CX,DX destroyed (v2.3+)
          all other registers except CS:IP and SS:SP destroyed (v2.0)
      SeeAlso: AX=CA04h
      --------v-2FCA04-----------------------------
      INT 2F - TBSCANX - SCAN FILE
          AX = CA04h
          DS:DX -> filename
      Return: CF clear if no virus signatures found
              BX,ES destroyed
          CF set if signature found
              ES:BX -> ASCIZ virus name
          AX,CX,DX destroyed
      Note:   this function requires at least 4K free memory
      SeeAlso: AX=CA03h
  • 1993: [Wayback/Archive] Computerviren und ihre Vermeidung: Ein übersichtlicher, praxisorientierter … – Howard Fuhs – Google Books
  • 2005: [Wayback/Archive] Unravelling Internet Infrastructure | J.P. van Best

    Jan-Pascal van Best was born in Utrecht (The Netherlands) on 22 March 1971. He graduated from the ‘Bonaventuracollege’ in Leiden in 1989. He then started his studies of physics and mathematics at Leiden University. In 1992 he discovered a security flaw in Novell’s NetWare networking software and he was invited to the corporate headquarters to discuss his findings. From 1996 to 1998 he worked for ‘Operator Groep Delft’, as an ICT specialist. He obtained his Master’s degree in physics in 1996 and his Master’s in Computer Science in 1998 (honours). From 1998 to 2004 he worked as a researcher at Delft University of Technology. The first year he performed research to ICT developments in Japan, for which he relocated to Kyoto for seven months. After this he started his PhD research, of which this thesis is the result. He also took part in the KWINT program of the Dutch Ministry of Economic Affairs, which is aimed at reducing the vulnerability of the Internet in The Netherlands. Currently, he works as an ICT specialist for the Dutch Ministry of the Interior and Kingdom Relations.
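The signature file layout described in the 1991 comp.virus post quoted above (comment lines starting with `;`, then three lines per signature: name, `BOOT`/`COM`/`EXE` keywords, hex string) can be parsed and matched against a buffer as follows. This is an added example, not code from the original posts or from VIRSCAN, HTSCAN or TBSCAN; the function names, the skipping of blank lines, and the sample names and byte patterns are assumptions constructed for illustration.

```python
from dataclasses import dataclass

VALID_TYPES = frozenset({"BOOT", "COM", "EXE"})  # keywords named in the post

# Constructed sample file: names and byte patterns are made up for illustration.
SAMPLE_FILE = """\
; constructed example signature file
Example-A
COM EXE
DEADBEEF0102
; second record
Example-Boot
BOOT
0BADF00D55AA
"""


@dataclass(frozen=True)
class Signature:
    name: str
    types: frozenset
    pattern: bytes


def parse_signatures(text):
    """Parse name / keyword / hex-string records; ';' lines are comments."""
    # Assumption: blank lines are ignored (the post does not mention them).
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(";")]
    if len(lines) % 3:
        raise ValueError("truncated record: every signature needs three lines")
    signatures = []
    for i in range(0, len(lines), 3):
        name, keywords, hex_string = lines[i:i + 3]
        types = frozenset(keywords.upper().split())
        # A missing name line shifts the record and is caught here or below.
        if not types <= VALID_TYPES:
            raise ValueError(f"{name}: unknown infection type in {keywords!r}")
        try:
            pattern = bytes.fromhex(hex_string)
        except ValueError as exc:
            raise ValueError(f"{name}: bad hex string {hex_string!r}") from exc
        signatures.append(Signature(name, types, pattern))
    return signatures


def scan_buffer(data, signatures, file_type):
    """Return names of signatures for this file type that occur in data."""
    return [s.name for s in signatures
            if file_type in s.types and s.pattern in data]


if __name__ == "__main__":
    sigs = parse_signatures(SAMPLE_FILE)
    # Constructed buffer standing in for the contents of an .EXE file.
    buf = b"MZ" + bytes(32) + bytes.fromhex("DEADBEEF0102") + bytes(8)
    print(scan_buffer(buf, sigs, "EXE"))
```

The type keyword matters for false positives: the same buffer scanned as `BOOT` reports nothing, because the matching record only applies to `COM` and `EXE` files.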

Related blog posts:

Finally a link to the [Wayback/Archive] ThunderByte story as it has vanished from the web elsewhere:

Please note: This page is by no means the official Thunderbyte page! This is my own personal page, describing my own history and perspective with Thunderbyte. For technical support or commercial interest, please consult Norman Data Defense Systems.


The conclusion of Thunderbyte Anti Virus.

I admit that it is a bit weird to start a story with a conclusion. However, it is the conclusion that urged me to write this story. Today, I have compiled what is supposed to be the last version of TBAV. It was a necessary step for my future, but nevertheless a bit sad. I have spent ten years of my life developing and maintaining this product. I’ve enjoyed it, but it has also had quite an influence on my life and personal development.

When I started all this, I was 24 years. I wanted to do a lot of things, I had plenty of time, but I had barely any money. During the years the product was doing very well, I still wanted to do a lot of things, and I had plenty of money as well, but I barely had any time to spend the money. When I’m old, I will probably have plenty of time, quite likely a lot of money as well, but maybe I don’t have the spirit any more for doing a lot of things…

Here is my story. It is a story of success, but also of failure. At the final end, I had to sacrifice TBAV. In this industry, small companies can’t survive. They have to merge with other companies, and finally you have to continue with just one product. For various reasons, TBAV was not the product chosen to be kept alive.

TBAV has been my child for some time, but at some moment, you have to let your children go. Today is that day. I have enjoyed the time spent with it, and I have learned a lot during the last ten years. I have learned not only from a technical point of view, but it has also been a life lesson. My personal homepage is dedicated to me, and TBAV is part of me. TBAV has had quite an influence on my life, and the rest of my life would have been different if this product had not existed. TBAV therefore deserves a place here. A place to rest in peace…

The history of Thunderbyte Anti Virus.

In 1988, I started the company ESaSS together with a friend of mine. After producing a few minor hard- and software products, I got my first copy of a computer virus: some Jerusalem variant. Curiosity made me disassemble it and discover how it worked. At that time, viruses were pretty simple, and I thought I could easily make a product that was able to protect against all computer viruses once and for all. Not knowing that this was a false assumption, I started to write some software.

During the development of the software I realized that a virus that was already active on the computer could fool my anti virus software. If my software was activated earlier than the virus, I could simply stop the virus. There is only one way to guarantee that the anti virus software is activated before the virus, and that is when it is part of the BIOS. So, I developed an add-on card with an Eprom on it, and copied my anti-virus software into this Eprom. It worked!

A friend of mine, Tom Ordelman, who had been a journalist, came up with the name “Thunderbyte”, wrote an article about it, and copied it on the press network. The very same evening I was invited for the Dutch television show “NOS-Laat”, and several national newspapers copied the article. A very busy time started for me!

Soon enough however, customers also demanded an “old-fashioned” virus scanner, so I wrote TbScan and made it available as shareware. It didn’t take long before TbScan became more popular than the hardware card. Although the hardware card was technically a forerunner, customers didn’t like the idea to open their computers to insert the card. The product didn’t sell very well.

We decided to drop the hardware card and to turn the popular virus scanner TbScan into a stand alone product. I wrote some additional anti-virus tools and bundled everything together in the product called ThunderByte Anti Virus (TBAV). This turned out to be a very wise decision!

The press reviews were excellent. The scanner of TBAV, TbScan, was the fastest scanner ever, one of the first with heuristic detection capabilities, and it was a player in the top 3 range of the available anti-virus products. It also became the de facto standard test-product of the virus writers. Actually, all the attention of the virus writers and their attempts to bypass TBAV pulled customers towards us.

TBAV became a world wide product, the company grew very fast, and we had to move to a larger building a couple of times.

The load of viruses however increased exponentially, and the number of qualified people that are able to work with viruses is very limited. Also, customers started demanding more and more products, and support for the various platforms. Given these facts, it is no surprise that the anti virus companies started to buy out each other's key-developers, and/or to merge into greater organisations. The 50 small separate companies were slowly converging into a smaller amount of larger and very powerful organisations.

TBAV had to follow this industry movement. Early 1998 we sold TBAV to our Norwegian colleagues Norman Data Defense Systems, to merge the two development teams and marketing channels.

Party at roof of Fairmount, San Francisco.


The conferences.

Visiting anti-virus conferences all over the world was part of the job. Conferences provide a good way to present lectures, establish contacts with potential customers, meet the other anti-virus experts, conduct some fruitful late night discussions, and last but not least, to see something of the world and have some great time!

Usually we’re also having at least one party. For some funny pictures of conferences you could visit the anti-virus conference pictures page of Pavel Baudis.

Here is the text of one of the lectures I have presented: Generic Decryption Engines.

What the press said about Thunderbyte.

“This scanner is defending its position as the fastest scanner on the market…the fastest in the group by a long way.”
Secure Computing, May 1996.

“The ‘in the wild’ test results are perfect at 100%!”
Virus Bulletin, July 1996.

What the virus writers said about Thunderbyte

“But anyway TBAV is the best AV program I have ever used… So greets to Frans Veldman…”
Automag/VLAD

“Franz deserves a clap for spotting these little things. Most of the other AV companies are content to sit on what they’ve got, but TBAV continually improves. It is a good product.”
qark

“The product of a virus researcher named Frans Veldman, the Thunderbyte programs were regarded by most virus writers as the anti-virus programs of choice. They were sophisticated, technically sweet and put to shame similar software marketed by McAfee Associates, Central Point Software, and Symantec, which manufactured the Norton Anti-virus.”
The Virus Creation Labs

The Anti Virus Industry

What does the Anti Virus Industry look like? Well, the work as an anti-virus developer is challenging. There is the challenge with the virus writers, who always try to be smarter than you. There is the challenge to keep up with the competitors, and there is the challenge to find even the most difficult viruses. The work is also highly variable. There is some routine work, like adding signatures for trivial viruses that don’t need any research as well. There is a lot of research work, for finding out how new complex viruses work, and how the system reacts on them. Then there is some degree of Public Relations work, like presenting lectures on conferences, or publishing articles. And last but not least there is the actual development, i.e. writing the code to make the anti virus product work. But the job of virus analyser is also quite exhaustive. The amount of viruses grows exponentially, and you can be sure that on any vacation some new type of virus breaks out that needs to be analysed very quickly.

The anti virus industry is, despite the competition of the major players, a very friendly industry from the developers' point of view. Developers of the anti-virus companies see each other as friends rather than enemies. There is a lot of cooperation on the technical field. Actually there is no choice; there is a shortage of qualified people who can analyse viruses and work on an anti-virus product. By sharing information everyone benefits from it.

This picture is taken after a (rather traditional) chinese meal after an anti-virus conference. Anti-Virus experts from almost all the well known anti-virus companies can be seen on this picture!

Funny stories.

In ten years time many things have happened. Some of them are remarkable or funny. Here are some highlights.

One of our distributors apparently had good contacts within The White House. One day we received a letter regarding our product, signed by Al Gore, vice-president of the USA. I would have liked to publish the entire letter, but it says “personal”, and apart from that, eh, publishing someone’s signature on the internet is a bit rude, especially if the person involved is the vice-president of the USA…

Some distributors like an entirely different approach. One of them heard about the aids-virus, and saw an association between anti-virus software and condoms. He arranged a mutual campaign with a health organisation, and ordered a truck load of condoms in a Thunderbyte wrapping. Unfortunately, the truck driver was confused about the delivery address, so he went to the home address of our distributor. The whole street gathered together to see what was inside the truck and wondering what their neighbour was up to. The last time I spoke to this distributor, his neighbours were still looking funny at him…

Thunderbyte gadgets


Over the years, many Thunderbyte promotion gadgets have been created.
You see a small collection of these items here.

Queries

I learned that when adding &nfpr=1 to a search query URL, it will make the query more exact so that is what some second level searches contain in their URL:

Related

Already back in the 1990s, Leiden University was strong in security and vulnerability research. Much information on it is not on-line any more.

For instance I remember students in that period who after hours visited the various computer stations trying to read usernames and passwords from computer memory as back in the days, Novell Netware did not properly clear/encode that data and the buffer signatures were quite predictable.

Some links that were still on-line at the time of writing:

  • [Wayback/Archive] comp.os.netware.security FAQ
    Subject: 2.01 - What is HACK.EXE?
    NetWare: 3
    
        HACK is a program, written at Leiden University in the Netherlands,
        which exploits the lack of packet authentication in early versions
        of NetWare 3. It enabled a user to pose as a more privileged client
        by sending requests to the server with fake source addresses.
        
        If SUPERVISOR is logged on, it attempts to send a single packet to
        the server requesting it to add Supervisor-equivalency to the
        account it is being run from.
    
        Novell released updated versions of the server and client software
        which would add packet authentication (using a feature called NCP
        packet signatures). The software is available from ftp.novell.com.
    
        NetWare 3.12 includes the updated software, but the administrator
        still has to set the correct packet signature level on both server
        and workstations.
  • [Wayback/Archive] https://www.patrickmin.com/VIRUSDET.TXT
                               Virus Detection Alternatives
    
    
                                        Patrick Min
    
                                     Leiden University
                              Department of Computer Science
                                      Niels Bohrweg 1
                                      2333 CA  Leiden
                                      The Netherlands
    
                             Email : Min@rulcri.LeidenUniv.nl
                                    fidonet : 2:512/2.24
    
    
    
                   An  evaluation  of  different  techniques  for  virus
                   detection. The discussion is sufficiently general  to
                   be  applicable to a  substantial number  of computing
                   platforms.  All mentioned  practical  issues  concern
                   the MS  DOS  operating  system.  Improvement  of  the
                   operating   system   is   presented   as   the   most
                   fundamental  and therefore  effective way  to  tackle
                   the virus problem.
    
    
    
    
    Published July 1992 by the Dutch National Criminal Intelligence Service (CRI),
    Computer Crime Unit, PO Box 20304, 2500 EH, The Hague, The Netherlands.

–jeroen
