DATA PHYSICIAN PLUS!
Computer Virus Protection System

DIGITAL DISPATCH, INC. (DDI)
55 Lakeland Shores Road
Lakeland, MN 55043
1(800) 221-8091
(612) 436-1000

Copyright
Copyright 1985, 1991 by Digital Dispatch, Inc.

Notice
All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored on a retrieval system, or translated into any language or computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without the prior written permission of Digital Dispatch, Inc.

Digital Dispatch, Inc. makes no representations or warranties with respect to the contents hereof, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. The contents of this publication are subject to change without notice.

Data Physician PLUS!, VirHUNT, RESSCAN, VIRALERT, SAFEBOOT, ANTIGEN, UNKILL, RS-NET, WIN-RS, and WIN-VA are trademarks of Digital Dispatch, Inc.

Program License Agreement
The programs in this package are licensed for use on a single machine. The programs may be copied, but only for the purpose of backup in the support of their use on a single machine. We have used our best efforts in the research, development, and testing of the software, but make no warranty of any kind, expressed or implied, with regard to fitness for a specific purpose, including, but not limited to, warranties of merchantability. Digital Dispatch, Inc., shall not be liable in any way, for incidental or consequential damages in connection with, or arising out of, the furnishing, performance, reliance upon, or use of these programs.

Comments and suggestions on this product may be sent to:
DIGITAL DISPATCH, INC.
55 Lakeland Shores Road
Lakeland, MN 55043

IBM is a registered trademark of International Business Machines, Inc.

TABLE OF CONTENTS

1 INTRODUCING DATA PHYSICIAN PLUS!  1
  1.1 The Data Physician PLUS! Programs  1
  1.2 How Does Virus Protection Work?  3
  1.3 Configuration Files  4
    1.3.1 Date Scheduled Scanning  5
    1.3.2 NOAB (No Abort) Option  6
  1.4 Local-Area Network Usage  7
  1.5 Microsoft Windows Usage  8
  1.6 Loading Programs Into "High Memory"  9
  1.7 If You Find a New Virus  10
2 GETTING STARTED  11
  2.1 System Requirements  11
  2.2 Distribution Files  11
  2.3 Quick Start Instructions  11
  2.4 Installation Procedures  12
  2.5 Monochrome Display Usage  12
3 VirHUNT  13
  3.1 The VirHUNT program  13
    3.1.A VirHUNT Pulldown Menus  13
    3.1.B Example of VirHUNT Session  14
    3.1.C Using VirHUNT from AUTOEXEC.BAT  15
  3.2 Identifying and Removing Viruses  16
    3.2.A Memory Scan  16
    3.2.B Deactivating Viruses in Memory  17
    3.2.C Viruses with Removal Problems  17
    3.2.D VirHUNT Options  18
      3.2.D.1 Directory to Scan  18
      3.2.D.2 User Specified Search/Remove  19
      3.2.D.3 Scan What  19
      3.2.D.4 Files Scanned  19
      3.2.D.5 Scan Subdirectories  20
      3.2.D.6 Virus Action  20
      3.2.D.7 Variations Action  21
      3.2.D.8 Backup Upon Remove  21
      3.2.D.9 Pause Full Screen  22
      3.2.D.10 Print Scan Output  22
      3.2.D.11 Save Scan Output to File  22
      3.2.D.12 Signature Mode  23
    3.2.E Using Options from the Command Line  23
      3.2.E.1 BA (BAckup Upon Removal) Parameter  24
      3.2.E.2 -D (Date Scheduled Scanning) Parameter  24
      3.2.E.3 DE (DEscribe Virus) Parameter  24
      3.2.E.4 DI (DIrectory to Scan) Parameter  25
      3.2.E.5 FI (FIles Scanned) Parameter  26
      3.2.E.6 -L (Left-Hand Mouse) Parameter  26
      3.2.E.7 LI (Scan Output to LIst File) Parameter  26
      3.2.E.8 PA (PAuse Full Screen) Parameter  27
      3.2.E.9 PR (PRint Scan Output) Parameter  27
      3.2.E.10 QU (QUit After Scan) Parameter  27
      3.2.E.11 QZ (Quit After Scan-No Pause) Parameter  27
      3.2.E.12 SC (SCan Subdirectories) Parameter  28
      3.2.E.13 SW (Scan What) Parameter  28
      3.2.E.14 US (USer Specified Search/Remove) Parameter  29
      3.2.E.15 VA (Virus Action) Parameter  29
      3.2.E.16 VO (Variations Option) Parameter  29
      3.2.E.17 Obsolete Command Line Parameters  29
      3.2.E.18 VirHUNT Examples  30
  3.3 Using Signature Files  32
    3.3.A What Is a Signature File?  32
    3.3.B Signature Files for Detection and Removal  32
    3.3.C Normal Versus Fast Mode  33
    3.3.D Scanning for New Files  34
    3.3.E Signature Options  34
      3.3.E.1 Signature Mode Options  36
      3.3.E.2 Signature File Names  36
      3.3.E.3 Exclude List File  37
    3.3.F Using Signature Files from the Command Line  37
      3.3.F.1 SI (SIgnature Mode) Parameter  37
      3.3.F.2 SF (Signature File) Parameter  38
      3.3.F.3 EX (EXclude List File) Parameter  38
      3.3.F.4 VirHUNT Signature Examples  39
  3.4 Teaching VirHUNT about New Viruses  41
4 RESSCAN  42
  4.1 The RESSCAN Program  42
    4.1.A Example of RESSCAN Session  42
    4.1.B Using RESSCAN from AUTOEXEC.BAT  43
  4.2 RESSCAN Options  44
  4.3 RESSCAN Examples  46
  4.4 Memory Resident Operation  49
  4.5 RESSCAN Resident Boot Checking  49
  4.6 RESSCAN and Signature Files  50
    4.6.A RESSCAN Signature Options  51
      4.6.A.1 Signature Mode  51
      4.6.A.2 Signature File Names  51
      4.6.A.3 RESSCAN Signature Examples  52
  4.7 Teaching RESSCAN about New Viruses  54
5 RS-NET  55
  5.1 The RS-NET Program  55
6 VirALERT  56
  6.1 What Is VirALERT?  56
  6.2 VirALERT Installation  56
  6.3 VirALERT Operation  59
  6.4 VirALERT Alt-V Hotkey  60
7 SAFEBOOT  61
  7.1 What Is SAFEBOOT?  61
  7.2 SAFEBOOT Installation  62
  7.3 SAFEBOOT Removal  62
  7.4 SAFEBOOT Update  63
  7.5 Formatting Disks with SAFEBOOT Installed  63
  7.6 SAFEBOOT Compatibility  63
8 ANTIGEN  65
  8.1 What Is ANTIGEN?  65
  8.2 How Does ANTIGEN Work?  65
  8.3 DOS Version  65
  8.4 ANTIGEN Installation Procedures  65
  8.5 The Main Menu  66
  8.6 Security Attachment Menu  66
  8.7 The Directory List  67
  8.8 Protecting All Files in a Directory  67
  8.9 Security Removal Menu  68
  8.10 User Interaction with the ANTIGEN Prefix  68
  8.11 A Removable Virus Is Detected  69
  8.12 A Non-Removable Change Is Detected  70
  8.13 The ANTIGEN Prefix Has Been Altered  70
  8.14 ANTIGEN Compatibility  71
  8.15 When Should I Use ANTIGEN?  71
9 FILEPEEK  72
  9.1 What Is FILEPEEK?  72
  9.2 Using FILEPEEK to Inspect Files  72
10 UNKILL  75
  10.1 What Is UNKILL?  75
  10.2 What Is the DISK KILLER Virus?  75
  10.3 Using the UNKILL Program  76
  10.4 Restoring the Boot Sector  77
  10.5 Disk Names Used by UNKILL  77
  10.6 Unrecoverable Hard Disk Instructions  78
Appendix A: BATCH FILE ERRORLEVEL CHECKING  A
Appendix B: CONFIG.SYS FILE CREATION  B
Appendix C: HISTORY & FUTURE OF DATA PHYSICIAN PLUS!  C
Appendix D: OTHER DDI PRODUCTS AND SERVICES  D

1. INTRODUCING DATA PHYSICIAN PLUS!
___________________________________________________________________________

1.1 The Data Physician PLUS! Programs

Data Physician PLUS! is a state-of-the-art set of programs designed to detect and remove both known and unknown computer viruses from your system. Marketed and under continuous development since 1985, Data Physician PLUS! is the most fully developed anti-virus package in the industry.

Most competing anti-virus packages use simple string searches to locate viruses, an approach which frequently causes false alerts and haphazard virus removal. DDI completely disassembles each new virus to understand its exact operation, and this intelligence is built into Data Physician. When Data Physician asks if you want to remove a virus, you can proceed with confidence.

Users can choose between menu-driven and command-line operation, giving unsurpassed flexibility in addressing complex computer security needs. Comprehensive ERRORLEVEL returns are generated to allow the seamless integration of Data Physician utilities with other applications.

Data Physician works on normal standalone PCs under DOS, Microsoft WINDOWS, and under LANs (Local-Area Networks). You can scan any workstation, drive, or directory to which your LAN login has access.

The Data Physician programs can be used alone or in concert with one another, thus allowing you to create a custom security approach that makes the most sense for your particular system configuration and security needs. An INSTALL program is included to help you get protected quickly and easily.
Configuration files allow the customization of virus alert messages (such as directing users to contact specific in-house support resources in the event of a virus infection), setting custom colors, setting up date-scheduled virus scanning (such as once per day, or once per week), and restricting users from aborting out of a scan. For site licenses, custom versions of the programs can be made to perform additional functions unique to that site.

Below is a list of the Data Physician PLUS! programs, along with a brief description. The installation and use of each program is covered in more detail in later sections of this document.

VirHUNT (VIRus HUNT) is a computer virus scanning utility that "knows" what about 400 of the most common viruses look like (about 800 including variants), and is able to search for and remove these viruses from your system. In most cases, VirHUNT can remove the virus without destroying the original program. Among its many options, VirHUNT allows you to search all or selected subdirectories, choose whether virus removal should occur, choose how files are backed up before virus removal, and generate a list of infected files to disk or printer. VirHUNT can store "signatures" of the boot record and files on your system, which allows even previously unknown viruses to be removed. VirHUNT contains a built-in programming language, CIL (Custom Intercept Language), that allows you to define the characteristics of new viruses to search for.

Using VirHUNT to scan for viruses on your system is very quick and convenient. Most users run it at boot time from their AUTOEXEC.BAT file, or use it after one of the other Data Physician PLUS! utilities has displayed a virus warning. When a virus is discovered, VirHUNT displays a description of it that assists in the cleanup process.

RESSCAN (memory-RESident SCANner) is a RAM-resident virus scanner that provides continual virus scanning as you work.
Tightly coded to use approximately 20K of memory, RESSCAN checks programs for viruses as you run them, or when they are copied or opened in any way. RESSCAN can also perform system-wide virus and file signature scans similar to VirHUNT. PC management can configure RESSCAN to halt system operation when a virus is detected and to display a message instructing the user to immediately contact computer security personnel. To handle Microsoft Windows and other VGA graphic environments, a special version of RESSCAN, called WIN-RS, is provided that uses an additional 8.4K of RAM in its resident form.

RS-NET (ResScan-NETwork) assists in the use of the RESSCAN resident protection features on a local-area network.

VirALERT (VIRus ALERT) is a 12K device driver that is installed as an extension of your operating system immediately upon bootup. It operates continually in the background to intercept attempts to manipulate executable and operating system files (.EXE, .COM and .SYS files). VirALERT also watches for changes to the boot record, disk formatting attempts, and TSR (terminate and stay resident) program installations. VirALERT catches changes in "real-time" and before they occur on your system, but can only remove viruses that install themselves in memory. The operation of VirALERT can be customized in many ways, including the ability to set varying levels of security, wild-card selected lists of files to watch or ignore, temporary or permanent message suppression, and a variety of actions to take if a security problem is detected. To handle Microsoft Windows and other VGA graphic environments, a special version of VirALERT, called WIN-VA, is provided that uses an additional 8.4K of RAM.

SAFEBOOT fully protects your operating system by installing a custom DOS boot record and adding security logic to the operating system files.
If a virus modifies any of the operating system files or replaces the boot record (as many do), a message is generated that informs you of the alteration. Many viruses infect the operating system because it provides such a powerful vantage point for further infection and destruction. SAFEBOOT provides a critical layer of protection that should be used whenever possible.

ANTIGEN allows virus protection to be installed directly on an executable program. Each time the protected program is run, it checks itself for tampering and is capable of removing most viruses on its own. ANTIGEN is useful where the protected program needs to be widely distributed and you want it to continue to be protected independent of other utilities. You can also password-protect programs so that only valid users can run them, or install a custom message on programs that is displayed each time the programs are run.

FILEPEEK allows you to inspect programs for suspicious-looking messages. Many viruses and other villainous programs contain messages that are used to taunt the hapless victim after it is too late for him or her to prevent damage (although many of these viruses are encrypted). With FILEPEEK, you can preview new programs for material that seems out of context with their purpose. Various options include wildcard selection of files to inspect, searching for all strings, a specific message, or a list of predefined messages.

UNKILL restores a disk that has been damaged by the Disk Killer virus.

1.2 How Does Virus Protection Work?

There are several major approaches taken by Data Physician PLUS! to detect or otherwise protect against viral activity:

1) Virus Scanning - VirHUNT and RESSCAN are virus "scanners" that search for viruses on drives and in memory. (See the list of known viruses in the README.DOC file on the distribution diskette.)

2) Virus Removal - VirHUNT and ANTIGEN can remove most viruses without harming the original program.
3) Signature Analysis - The VirHUNT, RESSCAN, and ANTIGEN programs can save a "signature" on protected files that allows previously unknown viruses to be found and removed from the original program. The signatures of Data Physician PLUS! consist of a cryptographic checksum of a file plus additional profiling data that allows both the detection of a virus-like change, and the ability to remove most viruses from infected files. Even intelligent viruses that use file compression and/or checksum adjustment to try to hide their activity can be detected by the Data Physician PLUS! algorithms. Data Physician PLUS! is also able to restore the original program in cases where multiple generations of a virus have infected the same file.

4) Real-Time Alert - VirALERT intercepts and warns you of attempts to manipulate files or system areas, before they are allowed to occur. You can control the conditions under which these warnings are generated, and also choose the subsequent action to take. RESSCAN checks programs for infection before they are run or opened in any way, thus avoiding further infection.

5) Operating System Protection - SAFEBOOT protects the operating system files and customizes the boot record. If any of these files are changed or replaced by a virus, the remaining protected files detect and report the change.

6) Visual File Inspection - FILEPEEK allows you to inspect programs for messages that viruses frequently contain.

1.3 Configuration Files

Configuration files can be used to create your own custom virus alert messages, custom color schemes, and set any or all options available within Data Physician's primary virus scanning utilities: VirHUNT and RESSCAN. Configuration files are entirely optional, but can be very useful when implementing a professional computer security strategy. For example:

* PC management can create virus alert messages that direct users to contact specific internal security personnel when a virus attack occurs.
* Virus scans can be based on specific time spans, such as once per day, once per week, etc.

* Users can optionally be forced to complete a virus scan, and to not proceed if a virus is found.

The same VIRHUNT.CFG configuration files can be used by both VirHUNT and RESSCAN. Any parameters invalid for the current program being run are ignored. When first run, both programs try to process two configuration files in the following order:

1) The VIRHUNT.CFG in the current directory.

2) The VIRHUNT.CFG in the home directory of the program being run, VIRHUNT.EXE or RESSCAN.COM. The home directory is the location where the program physically resides. This is located either via the DOS PATH command or by the inclusion of the program's pathname on the command line.

Parameters present in the home directory's VIRHUNT.CFG override those in the current directory. Parameters given on the command line override those present in either VIRHUNT.CFG file.

The use of two configuration files is of particular value in a networked environment where, for example, local parameters such as colors or left-hand mouse may be controlled by every user, while system-wide parameters such as messages, dated execution, and no-abort options may be controlled by the system administrator. If neither file is present, the programs use their default parameters or those given on the current command line.

An example configuration file called VIRHUNT.CF is provided with the Data Physician package, and it contains a considerable amount of additional information, as well as a number of example commands that are "commented out" with a semicolon. To create an active configuration file, you have two alternative paths to take:

1) Make a copy of VIRHUNT.CF called VIRHUNT.CFG, and activate the commands of your choice by removing their semicolon. Edit or add lines as you wish, and you may also want to remove much of the extraneous documentation within the file in order to speed processing.
2) You can run VirHUNT and use the Configure pulldown menu to create a configuration file or edit a previous one, and then save it to disk. Read section "VirHUNT Pulldown Menus" for more information on the Configure menu.

All of the VirHUNT and RESSCAN options described in this document can be pre-configured in VIRHUNT.CFG. Below are described important options held only in the configuration file.

1.3.1 Date Scheduled Scanning

VirHUNT can be set to scan for viruses on or after a specific date which is continually kept updated by VirHUNT. (The DATE parameter is ignored by RESSCAN.) The date must be in the format MM/DD/YY, with 2 digits for each part, using leading 0's if necessary. Following the date is the increment, a number from 1 to 99, which specifies the days between dated scans. On or after this date, VirHUNT will automatically do a scan.

There are two formats for the date parameter: after and every.

In the after mode, VirHUNT resets the date every time it is run, so that the next scan will run at the earliest opportunity the increment number of days after the current scan. This is signaled to VirHUNT in the configuration file by separating the date increment from the date with a plus sign ('+'). For example:

DATE:08/30/91+07

Meaning: Dated scan command that tells VirHUNT to run at the earliest opportunity after 7 days have elapsed since the last scan.

In the every mode, VirHUNT uses the date parameter to perform a scan every increment number of days, regardless of when the last scan was performed. This would be useful for doing weekly scans (for example, every Monday or every Friday). The every mode is signaled to VirHUNT in the configuration file by separating the date increment from the date with a space:

DATE:08/30/91 07

Meaning: Dated scan command that tells VirHUNT to run every 7 days.

1.3.2 NOAB (No Abort) Option

Some users may be tempted to abort a virus scan before it finishes, thus hampering an organization's computer security procedures.
Using the NOAB (No Abort) parameter, system administrators can turn off users' ability to abort a scan. The NO ABort parameter is available in two versions:

NOAB

Meaning: No abort from a virus scan is allowed at any time. (Valid for both VirHUNT and RESSCAN.)

NOAB:05-10

Meaning: No abort from a virus scan is allowed between the hours of 5 to 10 (military time). (VirHUNT only.)

The format of this parameter is:

NOAB:SS-EE

where SS and EE are 2-digit numbers ranging from 00 to 23 that represent the starting and ending hours of the NO ABort times. Outside of this range, early aborts are allowed. This version could be used, for example, to set NO ABort hours between 5 and 10am, so that with VirHUNT in the AUTOEXEC.BAT file, the first scan of a normal work day would be forced to be completed, while the rest could be halted by the user.

RESSCAN ignores hours given with the NOAB parameter, thus treating both forms as full-time No ABort.

The NO ABort parameter is most useful in a corporate/network environment, where the system administrator controls global options through a centrally-accessed VIRHUNT.CFG file on the server.

1.4 Local-Area Network Usage

VirHUNT and RESSCAN have the ability to work with almost any local-area network (LAN). A workstation can scan for viruses on itself and any network drive to which it has access, including the fileserver. In a peer-to-peer network, you can even scan other workstations. The reason for this compatibility is that our utilities work with network resources at their simplest level: basic file manipulation. You can scan whatever drives and subdirectories your login's security level allows you to access. The utilities also recognize and make use of network file-sharing and file-locking. This allows you to scan shared files that other users are accessing.
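Before going further into network usage, here is a worked model of the configuration-file rules from sections 1.3 through 1.3.2: the two VIRHUNT.CFG files plus command-line precedence, the DATE parameter in its after and every modes, and the NOAB parameter as VirHUNT and RESSCAN each treat it. This is an added Python example, not DDI's code; the one-parameter-per-line file layout, the reading of two-digit years as 19YY, the inclusive NOAB end hour and the arithmetic used to write the next every-mode date back are this example's assumptions, and the sample file contents are constructed.

```python
"""Model of the VIRHUNT.CFG rules in sections 1.3 through 1.3.2.

Added illustration only; the real parsers in VirHUNT and RESSCAN are not
published.  Assumptions are marked where they occur.
"""
from datetime import date, timedelta


def parse_cfg(text):
    """Return {NAME: value} for VIRHUNT.CFG-style text.  Lines beginning
    with ';' are commented out, as in the VIRHUNT.CF sample.  'DATE:08/30/91+07'
    gives {'DATE': '08/30/91+07'}; a bare 'NOAB' gives {'NOAB': ''}.
    (Assumption: one parameter per line.)"""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        name, _, value = line.partition(":")
        params[name.strip().upper()] = value.strip()
    return params


def effective_params(current_dir_cfg, home_dir_cfg, command_line):
    """Merge in the manual's precedence order: current-directory VIRHUNT.CFG,
    then the home-directory VIRHUNT.CFG (overrides it), then command-line
    parameters (override both).  A missing file is None; command_line is a
    list of parameter strings such as ['NOAB:09-17']."""
    merged = {}
    for source in (current_dir_cfg, home_dir_cfg, "\n".join(command_line)):
        if source:
            merged.update(parse_cfg(source))
    return merged


def parse_mdy(text):
    """MM/DD/YY, two digits each; YY read as 19YY (assumption)."""
    mm, dd, yy = (int(part) for part in text.split("/"))
    return date(1900 + yy, mm, dd)


def format_mdy(d):
    return "%02d/%02d/%02d" % (d.month, d.day, d.year % 100)


def dated_scan(value, today_text):
    """Evaluate a DATE parameter for VirHUNT on day today_text (MM/DD/YY).
    Returns (scan_due, updated_value).  '+' selects after mode: the date is
    reset to increment days after the scan just run.  A space selects every
    mode: the schedule keeps its alignment, so the date is advanced by whole
    increments until it is past today (write-back arithmetic is an
    assumption).  RESSCAN ignores DATE, so it is not modelled."""
    if "+" in value:
        date_text, inc_text = value.split("+", 1)
        mode = "after"
    else:
        date_text, inc_text = value.split()
        mode = "every"
    scheduled, inc = parse_mdy(date_text), int(inc_text)
    if not 1 <= inc <= 99:
        raise ValueError("increment must be 1..99, got %r" % inc_text)
    today = parse_mdy(today_text)
    if today < scheduled:
        return False, value                 # not due yet; leave unchanged
    if mode == "after":
        return True, "%s+%02d" % (format_mdy(today + timedelta(days=inc)), inc)
    next_date = scheduled
    while next_date <= today:
        next_date += timedelta(days=inc)
    return True, "%s %02d" % (format_mdy(next_date), inc)


def abort_allowed(params, program, hour):
    """May the user abort a scan at this hour (0-23)?  Bare NOAB: never, for
    VirHUNT and RESSCAN alike.  NOAB:SS-EE: not between hours SS and EE (end
    hour treated as inclusive, an assumption), VirHUNT only; RESSCAN ignores
    the hours and treats the form as full-time No Abort."""
    if "NOAB" not in params:
        return True
    window = params["NOAB"]
    if not window or program.upper() == "RESSCAN":
        return False
    start, end = (int(h) for h in window.split("-"))
    return not start <= hour <= end


# Constructed sample files, not taken from the manual.
CURRENT_DIR_CFG = """
; user's own VIRHUNT.CFG in the current directory
NOAB:05-10
DATE:08/30/91+07
"""
SERVER_CFG = """
; administrator's VIRHUNT.CFG beside VIRHUNT.EXE on the server
NOAB
DATE:08/30/91 07
"""


def demo(today_text="09/10/91", hour=12):
    """The administrator's file wins: full-time NOAB and a weekly every-mode scan."""
    params = effective_params(CURRENT_DIR_CFG, SERVER_CFG, [])
    due, updated = dated_scan(params["DATE"], today_text)
    return due, updated, abort_allowed(params, "VIRHUNT", hour)


if __name__ == "__main__":
    print(demo())                           # (True, '09/13/91 07', False)
```

The every-mode loop is what keeps "every Monday" on a Monday even if the machine was switched off for two weeks: the date advances in whole increments from the original anchor rather than from the day the scan actually ran, whereas after mode deliberately re-anchors on today.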
Also, if two users attempt to load one of the utilities in non-shared mode, an ERRORLEVEL return code is passed to the second user that allows a batch file to loop back and immediately try again. (Programs typically stay locked only for the short time that they are being loaded from disk.) See the Appendix titled "BATCH FILE ERRORLEVEL CHECKING" for further information.

Once network connection has been established, the workstation "sees" the fileserver as another available drive. Thus, a workstation may have A: and B: floppies, with hard disk C: locally. After network connection is established, the fileserver is available as additional drive(s), F: for example. Telling VirHUNT or RESSCAN to scan the network drive causes the fileserver drive to be scanned, to the limits of permission for the requesting login. Because of varying permission levels, fileserver scans should typically be performed by network administrators who have access to all areas and files on the fileserver.

The use of two configuration files is of particular value in a networked environment where, for example, local parameters such as colors or left-hand mouse may be controlled by every user, while system-wide parameters such as messages, dated execution, and no-abort options may be controlled by the system administrator.

A common configuration is where RESSCAN or VirHUNT is run on the fileserver when it is first booted. A copy of RESSCAN or VirHUNT is also kept on each workstation and run locally via AUTOEXEC.BAT when the workstation is booted, after which connection to the fileserver is established. The RS-NET (ResScan-NETwork) program may be necessary to hook RESSCAN actively into the network. If you are using a LAN, be sure to read the section "RS-NET" in this document. Since most network virus infections enter through a workstation floppy drive, it is best to have each workstation protected with RESSCAN or VirHUNT before it is logged into the network.
Where diskless workstations are used, the utilities can all be safely held on the fileserver and accessed by each workstation after they connect into the network.

It is worth noting that although you can scan remote drives and files on a network, the memory scanned will be that in your local computer. To scan a particular computer's random-access memory (RAM) the virus scanner must be run directly at that machine. An alternative would be to use a "remote-control" LAN utility that allows full remote usage of a workstation.

Other Data Physician utilities should be entirely compatible with your LAN, particularly when running on the workstations. However, if your fileserver uses a non-DOS operating system, the following restrictions may apply:

* It is unlikely that SAFEBOOT can be used to protect the fileserver's operating system files.

* VirALERT may not detect all system calls that occur on the fileserver.

* RESSCAN may have difficulty in intercepting viruses in real-time.

1.5 Microsoft Windows Usage

When running Microsoft Windows or another graphics-based program or environment on a VGA system, you may elect to use the special Windows versions of RESSCAN and VirALERT, called WIN-RS and WIN-VA, respectively. These programs are functionally identical to their counterparts except as follows:

* They run gracefully as a TSR under a graphical environment such as Windows, displaying error messages, receiving user input, and restoring the original Windows screen when done.

* They require an additional 8.4K of resident memory when a VGA card is used, and about 1K with lower resolution display cards. This is in addition to the memory usage of the normal programs.
Although exact memory size depends on the program options being used, here are some approximations:

    RESSCAN:   20K    non-Windows version
    WIN-RS:    28.4K  Windows version
    VirALERT:  12K    non-Windows version
    WIN-VA:    20.4K  Windows version

Rather than impose the additional 8.4K memory penalty on everyone, separate programs are provided for those who require real-time virus monitoring under Windows.

1.6 Loading Programs Into "High Memory"

When running on an 80386 or 80486-based computer, memory managers permit the use of high memory (blocks of memory above the normal DOS 640K limit) for loading device drivers or memory-resident programs. You can place RESSCAN and/or VirALERT into high memory to free up more conventional memory for other DOS applications. MS DOS 5.X and many third-party memory manager providers use a program called LOADHIGH to load memory-resident programs and device drivers into high memory. Refer to the documentation for your memory manager for specific instructions on how to perform this task.

Loading VirALERT in its normal 12K version or its Microsoft Windows 20K version into high memory is relatively straightforward, in that the size of the physical program on disk is approximately the same as its size in memory.

RESSCAN and Windows-RESSCAN are packed files that unpack themselves when they are run. Although about 35K on disk, they temporarily expand to 55K in memory to perform the initial scan and setup. After this is completed, the program leaves only the appropriate pieces resident, which reduces the memory size to approximately 20K or 28.4K, depending on whether the non-Windows or Windows version was loaded. If you do not have at least 55K of contiguous high memory available when loading RESSCAN, there are a number of actions you can try:

* Since RESSCAN needs the full 55K of memory only temporarily, you can try loading most other memory-resident programs after RESSCAN in order that the most memory is free when it tries to load.
* Many memory managers by default set up EMS (Expanded Memory Specification) which takes up a 64K page frame in high memory. If you do not need EMS for running the programs on your system, you can disable EMS and gain an additional 64K of high memory. Otherwise, most memory managers have a FRAME= parameter that allows moving the EMS page frame to another memory location. This can often be used to build larger blocks of contiguous memory.

* As a final resort, you can move smaller resident programs into conventional memory, thus allowing the larger RESSCAN or VirALERT programs to be loaded out of the way in high memory.

1.7 If You Find a New Virus

If you believe that you have a virus that the Data Physician PLUS! utilities cannot recognize, or if VirHUNT reports that it has found a variation on a known virus, please send a copy of the infected program to DDI. If it is a boot virus or operating system virus, please try to send an infected bootable disk. DDI will analyze the virus, find the proper identification and removal information, and update the Data Physician PLUS! utilities accordingly. In an emergency, the virus can be sent to us via modem and the update can often be returned to the customer within a few hours or overnight.

For the latest list of viruses "known" to Data Physician PLUS!, check the README.DOC file on the distribution diskette. Keep in mind that VirHUNT and RESSCAN can also find and remove new and previously unknown viruses through the use of file signatures and/or user-specified virus descriptions.

In the README.DOC list, a few viruses are listed as "DESTRUCTIVE". This means that the virus damages the original program to the extent that it is impossible for VirHUNT to restore a perfect original program after removing the virus. In these rare cases, VirHUNT must remove the virus by deleting the infected program entirely.
In order to swiftly analyze a virus, we load it into our proprietary VM DEBUG (Virtual Machine) debugging environment, where it "thinks" it is running in an unprotected computer with dozens of files to infect. In reality, the entire computer system is simulated in software by VM DEBUG, and every move the virus makes can be watched and analyzed. We also use our own utilities to perform a complete disassembly of the virus in order to know exactly what it is capable of doing. This allows for unsurpassed virus detection and removal ability in the Data Physician utilities.

2. GETTING STARTED
___________________________________________________________________________

2.1 System Requirements

The Data Physician PLUS! package requires the following:

* An IBM PC, XT, AT, or compatible microcomputer.
* At least one 5.25" or 3.50" floppy diskette drive.
* At least 320K of available RAM.
* DOS 2.0 or higher.

2.2 Distribution Files

The Data Physician PLUS! package is distributed on 5.25" or 3.50" diskettes that contain the following files:

* INSTALL.EXE
* VIRHUNT.EXE
* RESSCAN.COM
* RS-NET.COM
* UNKILL.EXE
* VIRALERT.SYS
* ANTIGEN.EXE
* SAFEBOOT.EXE
* FILEPEEK.EXE
* WIN-RS.COM
* WIN-VA.SYS

2.3 Quick Start Instructions

If you are too busy to read the remainder of this manual and need to quickly find and remove viruses from your system, here is a quick way to get started.

1) Insert the Data Physician PLUS! diskette containing VIRHUNT.EXE into a drive on your machine, and log onto that drive.

2) Type "INSTALL" and press Enter.

3) Type "I" to choose the Install option.

4) Using the cursor keys, highlight VIRHUNT and press Enter.

5) Enter the drive and path of the subdirectory in which you want the VirHUNT program to be stored.

6) When the install program asks if you want to run VirHUNT from your AUTOEXEC.BAT file, answer No. (You can change all options later by hand or by running the INSTALL program again.)

7) Quit the INSTALL program.
You are now ready to run VirHUNT. Assuming you installed it in a subdirectory that is in your DOS PATH, you can now run VirHUNT from anywhere on your system. Otherwise, you will have to log into that subdirectory or include the pathname when invoking the program.

If you simply enter "VIRHUNT" with no command line parameters, option and help screen pages become available. Typing "S" from the main option page performs a virus scan on the current drive.

Once you have put your mind at ease with a quick VirHUNT scan, you should take some time to look over the other VirHUNT options. Also read the documentation concerning the other Data Physician PLUS! programs.

2.4 Installation Procedures

To install various portions of the Data Physician PLUS! package, follow these steps:

1. Make a working copy of the Data Physician PLUS! diskette, and store the original diskettes in a safe place. The Data Physician PLUS! package is not copy protected, so the normal COPY or DISKCOPY commands may be used.

2. An INSTALL program is provided on each diskette to help you get the Data Physician PLUS! programs up and running quickly. Simply insert a Data Physician PLUS! diskette into your system's floppy drive, log onto that drive, type "INSTALL" (without the quotes) at the DOS command line, and press Enter.

3. Each INSTALL program shows a list of all Data Physician PLUS! programs present in the current drive and/or directory. Using the cursor keys, you can install or see information on each program individually. Before installing a program, however, we recommend that you read the section of this document corresponding to that particular program and its options.
2.5 Monochrome Display Usage

If you are using a monochrome display and have difficulty reading the text, add the following command line parameter when invoking the utility in order to change the colors to something more usable on your display:

-C

This parameter may be used anywhere on the command line, and does not interfere with other parameters passed to the Data Physician PLUS! utility you are using.

3. VirHUNT VIRUS SCANNER UTILITY
___________________________________________________________________________

3.1 The VirHUNT Program

VirHUNT is a virus scanner designed for use in professional computer security environments where reliable virus removal and flexibility in usage are required. VirHUNT knows the characteristics of all common viruses, and can search for them through files, memory, and boot records. In most cases, VirHUNT can completely remove the virus, restoring the original program(s). VirHUNT can also find and remove previously unknown viruses through the use of file signatures.

A large number of options are available to tailor VirHUNT to your needs. These options can be set in three different ways, singly or in combination:

1) Within VirHUNT's pulldown menu interface. (See "VirHUNT Pulldown Menus".)
2) Directly at the DOS command line when you call up VirHUNT. (See "Using Options from the Command Line".)
3) Through the use of VIRHUNT.CFG configuration files. (See "Configuration Files".)

Through its built-in programming language, you can even add to the VirHUNT list of known viruses. (See "Teaching VirHUNT about New Viruses".)

The minimum requirements for VirHUNT are a single 360K floppy disk, 256K of free memory, and DOS 2.0 or later.

3.1.A VirHUNT Pulldown Menus

Although VirHUNT's many options can be controlled directly from the command line or via configuration files, the program provides an easy-to-use menu-driven interface that allows you to browse through the options and view information on known viruses before performing a scan.
All menus can be operated via cursor keys, by mouse, or by hotkey (typing the highlighted character in the menu item you wish to choose). When cursor keys are used, all menus wrap or scroll appropriately when an edge is reached.

The main program menu is a "bar" across the top of the screen with pulldown menus titled Options, Configuration, About, Scan, and Quit. Select a pulldown menu using cursor keys, mouse, or hotkey. The items in each pulldown menu will display as you move through the main program menu. To "open" or activate a pulldown menu, press the Enter or Down-Arrow cursor key, or click on the menu title with the mouse. An active pulldown menu has highlighted hotkeys and the ability to scroll vertically through its items. Scrolling right or left moves you to the next logical pulldown menu. Exceptions are the Scan and Quit menus, which have only one item and so take immediate action when they are activated.

The About menu allows you to see information about DDI and information on known viruses. The latter has a scrolling list of viruses and an information window giving the basic characteristics of the currently highlighted virus. These virus descriptions are also available when a virus is discovered during a scan.

The Configuration menu allows you to create or edit a VIRHUNT.CFG configuration file. Read the "Configuration Files" section for more information on the use of these files. If a VIRHUNT.CFG file is present in the current subdirectory, its contents are automatically read in for you to edit through this menu. Any non-default options provided on the command line when you ran VirHUNT, or entered through its Options menu, will also be written to the VIRHUNT.CFG file if you choose to Save Configuration to disk.

The Options menu is almost always displayed within VirHUNT. Even when it is not the active menu, it is displayed in "shadow mode" so that the major current scanning options are always visible.
MOUSE NOTES: A mouse is supported via a standard (non-manufacturer specific) interface, and can be used wherever input is expected. Two buttons are supported: Left (index finger), and Right (middle/ring finger). The Left button is treated as the Enter key, and the Right button is treated as the Escape key. For left-handed users, there is a special VirHUNT command line parameter, -L, as well as a menu option to reverse the button definitions so that the physical Right button becomes Enter, and the Left button becomes Escape. (See the section concerning the -L parameter.) In a pulldown menu, if the mouse cursor encounters the right or left edge of the menu box, it has the same effect as doing a Right-Arrow or Left-Arrow with the keyboard, moving you to the next logical menu.

3.1.B Example of a VirHUNT Session

To start VirHUNT, make sure that the VIRHUNT.EXE file is in the current directory, or is available through your PATH, and type VIRHUNT at the command prompt. (See your DOS manual for a description of the PATH command.) VirHUNT will quickly check itself for infection, and then place you at the main menu. The main menu contains four available options, which you select by typing the highlighted letter:

* Start the scan with the default option values.
* Change the values of the Options.
* Get information on viruses found by this version of VirHUNT.
* Quit and go back to DOS.

If you type "S", VirHUNT scans memory, the boot record of the current disk, and all COM and EXE files on the current disk for known viruses. This scan can be interrupted at any time by pressing the Esc key. An option exists for VirHUNT to remove viruses that it finds, but the default is to scan only. After the scan is over, you are returned to the main menu, where Options such as 'what drive to scan' can be changed and another scan started, or you can return to DOS.

The main menu can be skipped, and the scan started immediately, by using command line parameters.
See the next section for a quick example using AUTOEXEC.BAT, and the sections "Using Options from the Command Line" and "Using Signature Files from the Command Line" for the details and all available options.

3.1.C Using VirHUNT from AUTOEXEC.BAT

VirHUNT can automatically scan your system every time you boot if you include a call to the program in your AUTOEXEC.BAT file. To scan memory and the boot disk (usually your hard disk, C:), place the following line in AUTOEXEC.BAT:

VIRHUNT QU

This will run VirHUNT, and if nothing is found, quit back to DOS to continue your AUTOEXEC.BAT file. (All VirHUNT parameters are described more fully later.) If a virus is found, VirHUNT requires a user keypress before continuing. This ensures that you are made aware of any problems.

If you have several hard disks, or are booting from a floppy and want to scan a hard disk, you could use the following in your AUTOEXEC.BAT:

VIRHUNT DIC: DID: QU

where the DI parameters tell VirHUNT what disks to scan, and can be repeated as often as needed to scan all disks in your system.

When VirHUNT exits to DOS, it always returns information in the ERRORLEVEL variable that can be checked within DOS batch files or at boot time in AUTOEXEC.BAT to take special action if there is a problem. The ERRORLEVEL returns are:

0 = Clean scan
1 = Signature(s) change(s) found
2 = Virus(es) found
3 = Virus(es) found and signature(s) change(s) found
4 = Program quit during self-check (useful on networks)
5 =
6 = Program unable to repair itself during self-check

Read the Appendix "BATCH FILE ERRORLEVEL CHECKING" for the proper checking of ERRORLEVEL values.

Remember, DOS must be able to find the VIRHUNT.EXE file, so it must be in your current directory, or in your PATH (in which case the VirHUNT command must come after the PATH command in your AUTOEXEC.BAT).
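The AUTOEXEC.BAT call and the ERRORLEVEL returns above, worked into one boot-time fragment as an added example that is not part of the DDI manual. It assumes VIRHUNT.EXE is on the PATH and that C: and D: are both hard disks; C:\INFECT.LST is the list-file name the manual's own QZ example uses later, and return code 5, which the table above leaves blank, is routed to its own branch rather than guessed at.

```batch
ECHO OFF
REM Added example, not from the DDI manual.  Unattended VirHUNT scan of two hard
REM disks at boot time, with the output logged and the exit code acted on.
REM Assumptions: VIRHUNT.EXE is on the PATH (so this fragment must come after
REM the PATH statement in AUTOEXEC.BAT) and drives C: and D: both exist.
REM QZ only suppresses the "virus found" keypress when a list file (LI) is given.
VIRHUNT DIC: DID: LIC:\INFECT.LST QZ

REM "IF ERRORLEVEL n" is true for every exit code >= n, so the tests must run
REM from the highest code down.  Testing 2 first would catch codes 3, 4 and 6 too.
REM Labels are kept to 8 characters, the length DOS treats as significant.
IF ERRORLEVEL 6 GOTO NOREPAIR
IF ERRORLEVEL 5 GOTO CODE5
IF ERRORLEVEL 4 GOTO SELFQUIT
IF ERRORLEVEL 3 GOTO BOTH
IF ERRORLEVEL 2 GOTO VIRUS
IF ERRORLEVEL 1 GOTO SIGCHG
GOTO CLEAN

:NOREPAIR
ECHO VirHUNT could not repair itself during its self-check (code 6).
ECHO Reboot from a clean, write-protected system floppy before going on.
PAUSE
GOTO DONE

:CODE5
ECHO VirHUNT returned code 5, which this fragment does not interpret.
ECHO Review C:\INFECT.LST before going on.
PAUSE
GOTO DONE

:SELFQUIT
ECHO VirHUNT quit during its self-check (code 4); no scan was performed.
PAUSE
GOTO DONE

:BOTH
ECHO Viruses and signature changes found (code 3). See C:\INFECT.LST.
PAUSE
GOTO DONE

:VIRUS
ECHO Viruses found (code 2). See C:\INFECT.LST before using this machine.
PAUSE
GOTO DONE

:SIGCHG
ECHO Signature changes found (code 1). Compare C:\INFECT.LST with the last run.
PAUSE
GOTO DONE

:CLEAN
ECHO VirHUNT scan clean (code 0).

:DONE
```

Because every scan is appended to the same list file, the file grows into a boot-by-boot history that can be reviewed when one of the non-clean branches fires.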
For more information on the command line parameters for VirHUNT, see the sections "Using Options from the Command Line" and "Using Signature Files from the Command Line" for the details and all available options.

3.2 Identifying and Removing Viruses

Because VirHUNT is designed to allow the removal of viruses, its virus identification routine is very selective. Thus, if VirHUNT finds even a variation of a known virus, the identification is accurate enough to allow reliable removal of the virus without damage to the host program. VirHUNT also displays a brief description of each discovered virus.

3.2.A Memory Scan

Many viruses install themselves as memory-resident programs in order to infect more files faster. VirHUNT optionally scans your system's memory for these viruses. This can be a tricky process since many viruses try to hide from DOS and anti-virus programs, and do not install themselves as normal TSRs. Also, because viruses tend to come in "families" (the same person writes more than one, or the original is "hacked" by other people to create new viruses), trying to identify which virus is in memory can be challenging.

If the virus was recently executed, a copy of the virus code might still be in DOS buffers. Thus, even though only one virus is active in memory, VirHUNT will occasionally report that more than one is present. Do not be alarmed by this. The file scan and virus remove logic can be counted on to positively identify and remove all copies of the virus.

Certain viruses, when active in memory, watch for when a file opens and closes, and tag along with the process in order to infect more files. Therefore, a careless virus scanner could actually help a virus to spread. VirHUNT is aware of these types of viruses, and if one is found in memory the program will inform the user and halt the system.
This forces the user to reboot (hopefully from a "clean," write-protected floppy disk) and try again, but will prevent massive virus infection of files.

3.2.B Deactivating Viruses in Memory

When either option "remove virus" or "wipefile virus" is used (see the section "Virus Action"), VirHUNT will deactivate viruses in memory. This does NOT remove the virus from memory or clean up the space used, nor does it prevent a virus from becoming resident again. Its purpose is to "turn off" a virus so that it will not cause re-infection immediately after removing viruses from a boot record or file. Certain viruses cannot be deactivated, and when such viruses are encountered VirHUNT will inform the user and halt the system. This forces the user to reboot (hopefully from a "clean," write-protected floppy disk) and try again, but will help prevent a freshly disinfected system from becoming infected again.

3.2.C Viruses with Removal Problems

Many viruses are poorly written and contain their own unintentional "bugs." Sometimes it is not possible to completely restore the original program after virus removal due to these bugs. For example, the Datacrime #2, the Datacrime #2B, and Virus 101 viruses destroy the stack information in the EXE header during infection. While some programs may tolerate an incorrect stack, it will cause others to behave erratically or crash. VirHUNT cannot reconstruct the missing stack information for EXE files infected with these viruses, and so leaves the stack as the virus left it. If the infected program crashed when the virus was attached, it probably would not be any better after VirHUNT removes the virus.

The 405 virus, which affects only COM files, overwrites the original file rather than attaching itself. As a result, the original program is destroyed. When VirHUNT removes this virus, the file is "wipefiled." (Zeros are written over the program, and then the file is deleted.)
The Leprosy virus presents the same problem as the 405, but affects both COM and EXE files.

Other viruses have less drastic consequences. The Israeli viruses, for example, destroy the checksum field in the header by overwriting it with their own information. Again, VirHUNT cannot reconstruct the missing information, but as it has no effect on the program (and some linkers do not even set it!) this is not a major consideration.

A fairly common removal problem is that the virus "pads" the infected file to a paragraph boundary (a multiple of 16 bytes) before attaching the virus. As a result, the original file length is gone, and cannot be completely restored by VirHUNT. However, the typical result is a maximum of 15 bytes of added "garbage" at the end of the file, which does no harm.

Another common unremovable change involves the time/date stamp of the file. Several viruses modify it to use it as a signature, and there is no way to find the original timestamp. Again, this has no effect on the program.

3.2.D VirHUNT Options

VirHUNT's many options provide a great deal of flexibility and power in the detection and removal of computer viruses. In most cases, the VirHUNT default scanning operation will be what you want. However, the default settings can be modified by indicating the desired options either from the options menu within VirHUNT, or from the DOS command line (see section "Using Options from the Command Line"), or from the VIRHUNT.CFG configuration file(s) (see section "Configuration Files"). The available options and their default settings are discussed in detail below.

3.2.D.1 Directory to Scan

This option tells VirHUNT where to find the files to be scanned. The default directory is the root directory of the current drive. Since VirHUNT, by default, also scans subdirectories under the chosen directory, this default will scan the entire current drive. (Also, see the section "Scan Subdirectories" for controlling the scanning of subdirectories.)
Any drive and/or directory can be specified, and multiple drives/directories can be specified by separating them with a space or a semicolon when entering the drive to search.

Default action: Scan Current Drive including subdirectories

3.2.D.2 User Specified Search/Remove

User specified search/remove "programs" allow for quick field upgrades of VirHUNT, and allow the user to find and remove "local" or newly discovered viruses. When enabled, the user specifies a filename containing search and removal parameters for up to 10 viruses, which are checked for along with the internally specified viruses. For details on the contents of this file, see the section "Teaching VirHUNT About New Viruses."

Default action: No User Specified Viruses

3.2.D.3 Scan What

VirHUNT has the ability to scan four different areas for viruses:

* Memory
* Real DOS memory only (first 640K)
* Boot records
* Files

The default memory scan searches all of the real-mode memory space (first 1 Meg of memory) so that viruses resident in high memory will be found. However, this scan includes memory where neither RAM nor ROM are present, and some machines return parity or other errors when these areas are scanned. If these problems occur, using the R option (Real DOS memory--640K on most machines) will restrict the scan to lower memory.

When selected from the options menu, the Scan What option allows the user to choose what combination of areas to scan. It is also legal to select None, which is useful for doing signature scans. See the section "Using Signature Files."

Default action: Scan Memory, Boot, Files

3.2.D.4 Files Scanned

By default, VirHUNT only checks executable files with extensions of .EXE, .COM, .BIN, .SYS, and .OV?. The user may choose to scan all files by changing the Files Scanned flag. In this way, VirHUNT can find viruses that may be hiding in renamed files (a rare occurrence).
Regardless of how a file is named, if an .EXE header is present within the file, VirHUNT treats it as an .EXE file when detecting and removing a virus within it. When creating a signature file (see the section "Using Signature Files"), scanning all files causes VirHUNT to take the signature of all files. Be warned that this can take some time, and will produce a large signature file.

Default action: Executable Files Only (.EXE, .COM, .BIN, .SYS, and .OV?)

When defaulting to Executable files only, you may also specify additional file extensions to search for. Periods are used to identify extensions in the list as follows:

.ext[.ext][...]

For example, to search for all executable files plus all .PIF and .DLL files you enter the following for the Files Scanned option:

.PIF.DLL

Note that these additional files would be included in a signature file list created by VirHUNT during the same scan pass. Wildcard characters are NOT supported in the extension list.

3.2.D.5 Scan Subdirectories

When VirHUNT searches a directory for infected files, it also checks the subdirectories of that directory for infected files. For example, the default directory is the root directory of the current disk, and the default is to scan subdirectories. This means that the root directory, and all files in its subdirectories, and all files in their subdirectories, etc., are scanned. This scans all files on the disk. If Scan Subdirectories is turned off, only the specified directory (the root in this example) would be scanned.

Default action: Scan Subdirectories

3.2.D.6 Virus Action

When VirHUNT detects a virus it is always reported to the user. Then, there are several alternative actions that can be performed. The default is to do nothing but report the infection. The other alternatives are:

* Remove the virus.
* Wipefile (write zeros over the file, then delete it).
* Halt the system after the virus scan if viruses are detected.
The Remove option returns the infected host program to its original state (or as close as possible--see the section "Viruses with Removal Problems"). Note that unless all copies of the virus are found and removed from your system, the file could become infected again.

The Wipefile option first overwrites the file with zeros, and then deletes the file. This way, even "undeleted" programs will not accidentally restore infected files. After a wipefile, programs should be restored from their WRITE-PROTECTED distribution floppies.

The Halt system option checks at the end of a scan, and if any infected files (or infected boot records or memory resident viruses) were found, a message is displayed and the system is halted. This is typically used in a corporate environment, when the handling of a computer virus is a matter for the security director.

Default action: Report Only

3.2.D.7 Variations Action

VirHUNT can detect variations of known viruses and treat them differently than when an exact virus match is made. The default is to only report the presence of a virus variation and leave it alone regardless of the Remove virus and Wipefile options set for exact virus matches. (See the section "Virus Action.") The Halt system option is unaffected by the Variations Action setting; in other words, the system will halt for all virus matches if the Halt option is toggled on. The virus variation option toggles between leaving variations alone or treating them the same as exact virus matches (Remove or Wipefile).

Default action: Do Not Remove Variations

3.2.D.8 Backup Upon Remove

When VirHUNT removes a virus, there is always a chance that the infected program will not be restored to a usable state. Or, perhaps, you want to keep a non-executing copy of infected programs around for later analysis. VirHUNT allows you to make a backup copy of the infected program before virus removal is attempted. The default is to not create backup copies of infected files.
There are two filename extensions associated with the backup option, the primary and secondary extensions. The primary extension is always non-blank, and the filename with the primary extension is checked for existence. If it DOES exist, and the secondary extension is non-blank, the backup name is changed to the filename plus the secondary extension. The filename with the secondary extension is assumed to be okay for overwriting, if it exists. By allowing two predefined filename extensions, VirHUNT reduces the user intervention required in making automated backups, especially on a heavily infected machine.

When backing up, there are two options:

* Force backup upon removal (always make a backup).
* Ask for backup upon removal (ask user if a backup is required).

If backup is Force backup or Ask for backup and no extensions are given, the primary extension defaults to VIR.

NOTE: There can be no backup when removing a boot virus. If the system is no longer bootable, boot instead from an uninfected system diskette and use the SYS command to reinstall the operating system.

Default action: No Backup

3.2.D.9 Pause Full Screen

If the screen fills up while VirHUNT is performing a virus scan, the default is for the screen to begin scrolling upwards as additional information is generated. When Pause is selected, the user is asked for a keypress to continue. This ensures that no important information scrolls by unnoticed by the user.

Default action: Scroll Screen

3.2.D.10 Print Scan Output

VirHUNT has the ability to echo the screen output from a scan to the first printer, usually called PRN or LPT1. The default is not to print the scan output. Note that printer support is at its lowest level, through BIOS calls, so that no special printer support is offered. When printing the output, the display screen is scrolled rather than paused, since nothing will be missed if the user is not watching the screen.
Default action: Do Not Print

3.2.D.11 Save Scan Output to File

VirHUNT has the ability to echo the screen output from a scan to a disk file. The default is to not send the list to a file. If the list file already exists, the new scan is appended to the file so that all scans can be kept in the same file. When sending the list to a file, the display screen is scrolled rather than paused, since nothing will be missed if the user is not watching the screen.

Default action: No List File

3.2.D.12 Signature Mode

In addition to detecting and removing all known common viruses, VirHUNT and RESSCAN also allow you to detect and in most cases remove even previously unknown viruses. This is accomplished through the creation and use of intelligent "signatures" for the files and boot record on your system. More information on the use of file signatures is in the section "Using Signature Files" in this document.

3.2.E Using Options from the Command Line

All available options are available from the command line. In addition, the user can tell VirHUNT to quit back to DOS after the scan. These options allow VirHUNT to be used as a self-running check, which automatically logs its output to disk. When valid command line parameters are present, the main menu is skipped and VirHUNT proceeds directly to the virus scan.

VirHUNT always returns information in the ERRORLEVEL variable that can be checked within DOS batch files. The ERRORLEVEL returns are:

0 = Clean scan
1 = Signature(s) change(s) found
2 = Virus(es) found
3 = Virus(es) found and signature(s) change(s) found
4 = Program quit during self-check (useful on networks)
5 =
6 = Program unable to repair itself during self-check

Read the Appendix titled "BATCH FILE ERRORLEVEL CHECKING" for the proper checking of ERRORLEVEL values.

Any VirHUNT option can be used more than once, and the last occurrence, the "rightmost" copy on the command line, takes precedence. The only exception to this is the directory to scan.
If this command is specified more than once, all specified drives and/or directories are scanned, in the order given on the command line. Upper or lower case is not important.

The VirHUNT command line uses the format:

VIRHUNT [DIpathname] [USfilename] [SWmbfn] [VArwh] [VOyn] [FIae] [FI.ext[.ext...]] [SCyn] [BAfa[.ext[.ext]]] [PAyn] [PRyn] [SFfilename] [SIscrfn] [LIfilename] [EXfilename] [QU] [QZ]

where square brackets show optional parameters, uppercase characters indicate parameter names, and lowercase characters indicate parameter settings. The entire command line is processed before the scan occurs, so the order of options is not important.

VirHUNT command line options are discussed in detail below.

3.2.E.1 BA (BAckup Upon Removal) Parameter

The BA parameter controls the BAckup option of VirHUNT. The format is:

BAx.ex1.ex2

where x is one of the following backup action characters:

F - Force backup
A - Ask for backup
N - No backup

If the action is F or A, one or two extensions may be specified, starting with periods. For example:

BAf.abc.vir

forces a backup, with a primary extension of ABC, and a secondary extension of VIR. Again, if backup mode is Force backup or Ask for backup and no extensions are given, the primary extension defaults to VIR.

Default BA value: N (No Backup)

3.2.E.2 -D (Date Scheduled Scanning) Parameter

This parameter tells VirHUNT to check the date held within the VIRHUNT.CFG configuration file. If a valid date exists, VirHUNT checks to see if a scan is scheduled to run. Two outcomes can then occur:

1) If a scan is due to be run, it is performed and the current date is stored back into VIRHUNT.CFG to set the schedule for the next scan.
2) If a scan is not due to be run, no scan occurs.

With the -D parameter active, VirHUNT will automatically quit without showing the main menu, regardless of whether a scan was performed or not.
This allows VirHUNT to perform date-scheduled scanning from the AUTOEXEC.BAT file without interrupting the normal boot sequence until a scan is scheduled to run.

3.2.E.3 DE (DEscribe Virus) Parameter

This parameter specifies the manner in which virus descriptions are displayed if one is detected during a scan. The format is:

DEx

where x is the single character W or T indicating one of the following virus description modes:

W = Window mode. If a virus is discovered during a scan, a pop-up window displays a description of that particular virus. This mode requires user input to continue if a virus is found.

T = Text mode. Virus descriptions are included in the normal scrolling output of the virus scan. This mode is useful when virus scan output is being printed or directed into a file for later perusal, since it doesn't require user input to continue in the event a virus is discovered. (See the VirHUNT PR and LI parameters.)

Default DE value: Window mode description

NOTE: Virus descriptions may also be toggled during a virus scan by the F1 key to turn on/off text mode description, and the F2 key to turn on/off window descriptions.

3.2.E.4 DI (DIrectory to Scan) Parameter

This optional parameter specifies the directory to scan. Its format is:

DI\path or DIx: or DIx:\path

where x: is any legal disk, and \path is any legal path. If no path is specified (a disk name only), the root directory of the disk is used. For example:

DIC: DI\utils DId:\scribble

scans the C: drive, the \UTILS directory (and subdirs) on the current drive, and the \SCRIBBLE directory (and subdirs) on the D: drive. This parameter may be specified more than once, to scan multiple disks or multiple directories.

Default DI value: Scan Current Drive starting at the root and including subdirectories

NOTE: If normal DOS and UNIX drive and pathnames are used on the command line, the DI parameter is assumed (and thus optional).
The format is:

[d:[\path]] [\path] [/path]

Drive names are identified by a ':' as the second character. Pathnames must begin with a '\' or '/' (for UNIX folks). Multiple drives/pathnames may be given on a single command line.

Default if omitted: scan entire current disk starting at the root and including subdirectories.

3.2.E.5 FI (FIles Scanned) Parameter

The FI parameter tells VirHUNT what files to scan. The general format is:

FIA or FIE

for (A)ll files or (E)xecutable files only (.EXE, .COM, .BIN, .SYS, and .OV? files).

Default FI value: E (Executable Only)

When defaulting to Executable files only, you may also specify additional file extensions to search for. Periods are used to identify extensions in the list as follows:

FI.ext[.ext][...]

For example, to search for all executable files plus all .PIF and .DLL files you use the following:

FI.PIF.DLL

Note that these additional files would be included in a signature file list created by VirHUNT during the same scan pass. Wildcard characters are NOT supported in the extension list.

3.2.E.6 -L (Left-Hand Mouse) Parameter

This parameter specifies Left-Hand mouse operation within the VirHUNT pulldown menu interface. It reverses normal mouse button operation so that the physical Right button acts as the Enter key, and the Left button acts as the Escape key. See the section "VirHUNT Pulldown Menus" for more mouse usage information.

3.2.E.7 LI (Scan Output to LIst File) Parameter

The LI parameter controls the LIst option of VirHUNT. The format is:

LIfilename.ext

where filename.ext is any legal filename, and may include both a drive specifier (such as C:) and a path. For example:

LIinfect.lst or LI\viruses.lst

Default LI value: No List File

3.2.E.8 PA (PAuse Full Screen) Parameter

The PA parameter controls the PAuse option. The format is:

PAx

where x is Y for pause at full screen, or N for scroll full screen.

Default PA value: N (Scroll Screen)

3.2.E.9 PR (PRint Scan Output) Parameter

The PR parameter controls the PRint option. The format is:

PRx

where x is Y for print scan output, or N for do not print.

Default PR value: N (Do Not Print)

3.2.E.10 QU (QUit After Scan) Parameter

The QU parameter is unique to the command line, and tells VirHUNT to QUit to DOS after the scan, rather than remaining in VirHUNT. This is useful for putting VirHUNT into an automatic scan, such as from within a batch file. Note that when QU is used, if no viruses are found, VirHUNT will return to DOS without pausing, so that files like AUTOEXEC.BAT can proceed without an operator. If any viruses are found, VirHUNT will require a keypress before continuing (to avoid this, use the QZ parameter described later).

Default QU value (if both it and QZ omitted): Remain in VirHUNT After Scan

3.2.E.11 QZ (Quit After Scan No Pause) Parameter

The QZ parameter is similar to QU described above, except that it is intended for unattended batch operation with an output list file, and when used as such does not require any user keypresses to acknowledge viruses found. A list output file MUST be specified, or QZ will function the same as the QU option. For example, the following batch file sequence will run by itself without requiring user intervention, even if a virus is detected:

...
VIRHUNT DIC: DID: LIC:\INFECT.LST QZ
IF ERRORLEVEL 2 GOTO VIRUSES_DETECTED
...

See the Appendix titled "BATCH FILE ERRORLEVEL CHECKING" for the available ERRORLEVEL settings and how to check them properly.

Default QZ value (if both it and QU omitted): Remain in VirHUNT After Scan

3.2.E.12 SC (SCan Subdirectories) Parameter

The SC parameter tells VirHUNT whether to scan subdirectories of the specified directories. The format is:

SCY or SCN

where Y says YES to scan subdirectories, and N says NO to scan subdirectories.

Default SC value: Y (Scan Subdirectories)

3.2.E.13 SW (Scan What) Parameter

The SW parameter tells VirHUNT what areas to scan (see the Scan What menu option described earlier).
The format is SW plus either N (for None) or some combination of M or R, B, and F (for Memory or Real DOS memory, Boot, and Files). The default memory scan searches all of the real-mode memory space (first 1 Meg of memory) so that viruses resident in high memory will be found. However, this scan includes memory where neither RAM nor ROM are present, and some machines return parity or other errors when these areas are scanned. If these problems occur, using the R option (Real DOS memory--640K on most machines) will restrict the scan to lower memory.

Examples of the SW option:

SWn   (perform no scan at all)
SWf   (scan files only)
SWbf  (scan boot records & files)
SWrbf (scan real memory, boot recs & files)

Default SW value: MBF (Memory, Boot, Files)

3.2.E.14 US (USer Specified Search/Remove) Parameter

The US parameter tells VirHUNT to use a file of custom virus search/remove parameters. This allows you to "teach" VirHUNT about new viruses. The format is:

USfilename.ext

where filename.ext is any legal filename, and may include both a drive specifier (such as C:) and a path. For example:

USmyvirs.prg or US\localvir.prg

For more information, see the section entitled "Teaching VirHUNT About New Viruses."

Default US value: No User Specified Viruses

3.2.E.15 VA (Virus Action) Parameter

The VA parameter controls the Virus Action option. The format is:

VAx

where x is R (Remove viruses), W (Wipefile infected files), H (Halt system after scan if viruses detected), or N (ignore file, report only). Only one letter can be specified.

Default VA value: N (Report Only)

3.2.E.16 VO (Variations Option) Parameter

The VO parameter controls the Variations Option. The format is:

VOx

where x is Y for take action (same action as Virus Action option) or N for take no action.

Default VO value: N (Do Not Remove Variations)

3.2.E.17 Obsolete Command Line Parameters

During various upgrades of VirHUNT, new features have been added, and some options have been merged or had their names changed.
This is reflected in the command line processing, where the parameter names and values have changed. However, to support batch files that include commands from older versions of VirHUNT, some obsolete command line parameters are still accepted.

The RE parameter (REmove) has been replaced by the Virus Action option. The format is:

    REx

where x is Y or N, or W (Wipefile).

The RV parameter (Remove Variations) has been replaced by the Variations Option. The format is:

    RVx

where x is Y to set the Variations Option to the state of Virus Action, or N to reset the Variations Option.

The BO parameter (BOot check) has been replaced by the Scan What option. The format is:

    BOx

where x is Y to scan the boot record, or N to skip the boot record.

3.2.E.18 VirHUNT Examples

The VirHUNT parameters provide a great deal of power and flexibility. Some typical VirHUNT command lines follow, along with their explanation.

Command:      VirHUNT VAH QU
Explanation:  Scan memory, boot, and all executable files on the default drive. If any viruses are found, halt the system with a warning message to the user. Otherwise, quit back to DOS when done. Such a command might be useful in an AUTOEXEC.BAT file.

Command:      VirHUNT DIC: DID: QU
Explanation:  Scan memory, boot, and all executable files on the C: and D: drives, and quit to DOS when done. If no viruses are found, VirHUNT performs the scan and exits without any intervention from the user.

Command:      VirHUNT FIA DI\SCRIBBLE
Explanation:  Scan memory, the boot record of the current disk, and all files in the \SCRIBBLE directory of the current disk. Remain in VirHUNT when done. This would be useful if a virus is suspected in this particular directory.

Command:      VIRHUNT SWBF DIB: QU
Explanation:  Scan the boot record and executable files on the B: drive, and quit to DOS when done. Such a command would be useful when introducing a new floppy to your system, and could be tied to a function key via the ANSI.SYS driver. (See your DOS manual for details on ANSI.SYS.)
Command:      VIRHUNT VAR LIINFECT.LST
Explanation:  Scan memory, boot, and all executable files on the default drive, removing any viruses found from the boot record or files. The scan output is also sent to the INFECT.LST file in the current directory.

3.3 Using Signature Files

Most virus search and removal programs have one shortcoming: the author of the program must be able to analyze each new virus, or closely-related family of viruses, before appropriate search and removal algorithms can be added. Most of the time this is not a critical limitation, since the vast majority of virus infections are caused by the most common and well-known viruses. One of several ways that VirHUNT and its companion program, RESSCAN, overcome the limitations of typical virus search and removal is through the use of signature files.

3.3.A What Is a Signature File?

A signature file contains information about the boot record and files on the disks that you scan. When a later signature scan takes place, any difference between the stored state of a file (its signature) and its current state is reported. In many cases, such as the attack of a virus, this information can also be used to remove the changes and restore the original file.

The files on your system must be assumed to be virus-free when the signature file is created; a signature check can only reveal changes made after that point. If VirHUNT does not report any viruses while creating the signature file, you can proceed with confidence. Even in the unlikely event that an unknown virus is present, subsequent signature checks will soon make its presence known. Remember, if a virus that VirHUNT does not otherwise know is caught via a signature file, please send a copy to DDI so that the new virus can be included in an updated version of VirHUNT. See the section "Virus Identification" for details.

3.3.B Using Signature Files for Detection and Removal

The normal use of a signature file is as follows:

1) A signature file is created during a VirHUNT scan.

2) The same signature file is used during subsequent VirHUNT scans until new files are added, deleted, or changed on your system. At that time, you should create a new signature file to reflect the new status of your disk.

When creating a signature file, VirHUNT assumes it has permission to write over any existing signature file or any file with the same name (see the section "Signature File Names" for naming information). However, if the file is read-only, VirHUNT will not write over it, and gives an error instead.

The files you tell VirHUNT to scan while creating a signature file are the only files whose signatures are stored. Also, if the Scan What option does not include the boot record, it will not be represented in the resulting signature file. If all files are scanned (not just the executable files), creating the signature file takes more time and the file is correspondingly larger.

If VirHUNT finds any viruses during signature file creation, and the virus Remove option is activated, these viruses are removed before the signature is created. If the virus Remove option is not activated and a virus is detected, VirHUNT generates a warning message but creates a signature on the infected file as-is; a later signature scan will then accept that infected file as unchanged.

If you perform both a signature check and a file scan simultaneously, it is best if both are set up to check exactly the same files, such as the entire drive. The reason is as follows: when both types of check are used together and VirHUNT finds a "known" virus in a file during signature analysis, it assumes that the normal virus scanning logic has already reported the virus. In other words, it tries to avoid generating a duplicate warning message. If the two checks cover different files, a known virus in a file that only the signature check covers could therefore go unreported. For that reason, it is usually safer to turn the file scan off when checking signatures, since the signature check offers the greatest level of protection all by itself. The same rules apply to boot records.
During a signature scan, if a file is missing or not accessible, this is reported along with the changed files. Remember, a signature file MUST have been created previously before a valid signature scan can take place.

3.3.C Normal Versus Fast Mode

When doing signature file creation or scan, there are two modes available: normal and fast. In normal mode, the signature reflects information on the entire contents of the file. In fast mode, this part of the signature is skipped. There is no difference in the size of the resulting signature file, but there is a time and feature trade-off between the two modes:

* In normal mode, the scan is slower, but there is an increase in the confidence of file integrity.

* In fast mode, the scan is faster, but there are changes that could be missed. Fast mode signature files also do not support the removal of unknown viruses from the files listed in the signature file.

NOTE: Signature files allow the removal of previously unknown viruses only when normal mode was used in both the signature file creation and the subsequent virus scan. In fast mode, not enough information is kept to guarantee the integrity of the repaired file. The exception is viruses held in the boot record, for which full information is always kept.

Normal and fast mode can be mixed and matched as needed. For example, a signature file could be created in normal mode and later scanned in fast mode. If changes are detected, the signature scan can be repeated in normal mode to verify the changes and attempt cleanup. If a normal scan is attempted on a signature file that was created in fast mode, VirHUNT notes this and does a fast scan anyway, as the additional information would not be used.

3.3.D Scanning for New Files

The presence of a signature file also allows VirHUNT to check for new files during a file scan.
Although this slows down the file scan, it allows you to confirm the integrity of your file system, spot any files created by a virus, and determine when it is necessary to create a new signature file. The Newfiles option is valid only in conjunction with a virus scan, since it relies on the scanning parameters to know what directories and file types to look for. The Newfiles scan does not update the given signature file; it uses it only to determine which files found on disk are not listed in the signature file, and are therefore reported as new.

Be sure that the signature file used during the Newfiles scan corresponds to the directories being scanned. If the signature file is for a different directory or drive, or if the signature file contains only executable files and you are scanning all files for Newfiles, VirHUNT will report a large number of "new files," consisting mainly of false alerts. You can use either the default or a specified signature file. See the section "Signature File Names" for details on default versus specified signature files.

3.3.E Signature Options

Signature file creation and scan have their own options, along with some minor overlap with the virus scan options. In particular, the backup file option, the pause screen, the print scan output, the scan output to list file, and the QUit command line options are all significant during signature file creation or scan. The Scan What and DIrectories to scan options can be of significant use during signature file creation and a Newfiles scan. Depending on the value of the Signature File option (see the section "Signature File Names"), the value of the directory to scan may be significant during both signature creation and scan. The signature file options are explained in more detail below.

3.3.E.1 Signature Mode Options

The signature mode option on the VirHUNT main menu controls what signature file options are to be in effect, if any. The available combinations and their meanings are as follows:

    File Option            Meaning
    CREATE                 Create signature file.
    CREATE FAST            Create Fast format signature file.
    SCAN                   Scan previous signature file.
    SCAN FAST              Scan previous signature file in Fast format.
    SCAN REMOVE            Scan previous signatures and remove viruses.
    SCAN NEWFILES          Scan previous signatures and report if any new files are present.
    SCAN FAST NEWFILES     Scan in Fast format and report on new files.
    SCAN REMOVE NEWFILES   Scan and remove viruses and report on new files.

Default: Signatures not active

3.3.E.2 Signature File Names

There are two naming schemes for signature files: 1) the default, and 2) a specified name.

When a name with an optional drive and/or path is specified, VirHUNT creates or scans the specified signature file. If multiple paths are specified and the file is being created, all boot record and/or file signatures are placed in the single signature file. If there are multiple paths and a scan, the signature file is scanned only once.

The default signature file is always named VIRHUNT.SIG, and is located in the starting directory of the current scan. If multiple directories are scanned, only one VIRHUNT.SIG file is used. For example, suppose disk C has the following tree structure:

    C:\
    |-- FILE_1.COM
    |-- FILE_2.COM
    |-- SUBDIR_1\
    |   |-- FILE_3.COM
    |   `-- FILE_4.COM
    |-- SUBDIR_2\
    |   |-- FILE_5.COM
    |   `-- FILE_6.COM
    `-- SUBDIR_3\
        |-- FILE_7.COM
        |-- FILE_8.COM
        `-- SUBDIR_4\
            `-- FILE_9.COM

A signature file creation using the default signature file on the two paths C:\ and C:\SUBDIR_3 creates one VIRHUNT.SIG file, located in the root directory, containing information for all files in all directories on the disk (i.e., for files FILE_1.COM through FILE_9.COM). The signature file option is selected from the same sub-menu as the signature mode (see above).
Default (signatures active): VIRHUNT.SIG
Default (signatures not active): no Signature File

3.3.E.3 Exclude List File

An Exclude file can be used that contains a list of files to be excluded from a signature check. In naming the Exclude file, be sure to include a drive specifier and path if necessary. The Exclude file must be created beforehand as an ASCII text file. It should contain a list of filenames, one per line. The filenames in the list may be given in two forms:

    DRIVE:\PATH\FILENAME.EXT
or
    FILENAME.EXT

In the first form, only the specified file is excluded from the signature check. In the second, all files with the same name and extension are excluded, regardless of their location. Because the second form matches on the name alone, a file of that name appearing in any other directory also escapes the check, so prefer the full-path form unless the name really is unique on your system. The Exclude list file option is selected from the same sub-menu as the signature mode (see above).

Default: No Exclude List File

3.3.F Using Signature Files from the Command Line

Like all other VirHUNT options, signature files can be specified on the DOS command line. VirHUNT then skips the main menu and proceeds directly to the file scan or signature scan, as appropriate. See the section "Using Options from the Command Line" for more details. Below are listed the valid signature file command line options, followed by some examples of their use.

3.3.F.1 SI (SIgnature Mode) Parameter

The SI parameter informs VirHUNT that a signature file operation is desired. The format is:

    SIxxx

where xxx is a 1 to 3 letter code specifying the operation to perform. The legal combinations are:

    C    = Create signature file.
    CF   = Create signature file in Fast format.
    S    = Scan signature file.
    SF   = Scan signature file in Fast format.
    SR   = Scan signature file and Remove viruses, if possible.
    SN   = Scan signature file, check for Newfiles.
    SFN  = Scan signature file in Fast format, check for Newfiles.
    SRN  = Scan signature file and remove viruses, if possible, and check for Newfiles.

Default SI value: Signature Create/Scan Not Done

Note that the combination SFR (Scan Fast format, Remove virus) is not valid, because a Fast format scan does not provide enough information to remove viruses reliably. The meanings of "Create," "Scan," "Fast," "Remove," and "Newfiles" in this context are discussed in the previous sections of this document.

3.3.F.2 SF (Signature File) Parameter

The SF parameter controls the Signature File mode. The format is:

    SFfilename.ext

where filename.ext is any valid filename, and may include a drive and/or path. Specifying a signature file turns default mode off. Remember that only one signature file may be specified, no matter how many drives and/or paths are to be scanned.

Default SF value: VIRHUNT.SIG in 1st Dir Scanned

3.3.F.3 EX (EXclude List) Parameter

The EX parameter allows specific files to be excluded from a signature check. The format is:

    EXfilename.ext

where filename.ext is any legal filename, and may include both a drive specifier (such as C:) and a path. The file named by the EX parameter must be created beforehand as an ASCII text file. It should contain a list of filenames (one per line) that are to be excluded (ignored) during signature checking. The filenames in the list may be given in two forms:

    DRIVE:\PATH\FILENAME.EXT
or
    FILENAME.EXT

In the first form, only the specified file is excluded from the signature check. In the second, all files with the same name and extension are excluded, regardless of their location.

Default EX value: No Exclude List File

3.3.F.4 VirHUNT Signature Examples

Following are some typical examples of using signature files with VirHUNT from the DOS command line, along with their explanation.

Command:      VIRHUNT SIC DIC: DID:
Explanation:  Scan memory, boot, and all executable files on the C: drive and D: drive.
During the scan of the C: drive, create the file C:\VIRHUNT.SIG, which contains the boot record and file information for the C: and D: drives.

Command:      VIRHUNT SIC SF\MYFILES.SIG DIC: DID:
Explanation:  Scan memory, boot, and all executable files on the C: drive and D: drive. During the scan of the C: drive, create the file C:\MYFILES.SIG, which contains the boot record and file information for the C: drive. During the scan of the D: drive, update the file C:\MYFILES.SIG to add the boot and file information for the D: drive.

Command:      VIRHUNT SIS DIC: SWN
Explanation:  Do a signature scan only, using the file C:\VIRHUNT.SIG. Since files (and boot) are not being scanned for known viruses, changes in signatures are reported even if the file (or boot) is infected with a known virus.

Command:      VIRHUNT SISN SFB:\SAVE.SIG DIC:
Explanation:  Scan memory, boot, and all executable files on the C: drive for known viruses and new files (using the signature file B:\SAVE.SIG for the Newfiles scan). Then use the signature file B:\SAVE.SIG to scan for any changes. Note that the signatures scanned are NOT limited to the C: drive!

Command:      VIRHUNT SISFN DIC: DID: QU
Explanation:  Scan memory, boot, and all executable files on the C: and D: drives for known viruses and new files. The default signature file C:\VIRHUNT.SIG is used for the Newfiles scan. Also, scan signatures using the file C:\VIRHUNT.SIG for changes, using Fast mode. Quit to DOS when done. Such a command would be useful in an AUTOEXEC.BAT file, where you want to take the minimum time for booting your system. NOTE: The signature file should be created in NORMAL mode, so that if problems are found, VirHUNT has a chance to clean up the files.

3.4 Teaching VirHUNT about New Viruses

VirHUNT allows the user to "teach" VirHUNT about new viruses. Information about these new viruses is written in the VirHUNT built-in Custom Intercept Language (CIL). Writing virus information in CIL can be technically demanding, and is best suited to persons with a high level of debugging skill. If you feel up to the task, consult the CIL.DOC documentation file that is provided on the distribution diskette. Also, refer to the section entitled "US Parameter" in this document.

Luckily, you have an easier alternative to writing in CIL. You can send any new viruses that you run into to DDI, and we will quickly update our utilities to detect and remove them.

4. RESSCAN VIRUS SCANNING TSR
___________________________________________________________________________

4.1 The RESSCAN Program

RESSCAN is a RAM-resident virus scanner that provides continuous virus scanning as you work. Like VirHUNT, RESSCAN can scan for viruses in memory, in boot records, and in files. RESSCAN can also be run from the DOS command line to perform system-wide virus and file signature scans similar to VirHUNT. However, there are three major differences between the programs:

1. RESSCAN can be loaded as a TSR (Terminate and Stay Resident) program that checks programs for viruses as you run them, or when they are copied or opened in any way.

2. RESSCAN does not have the same ability as VirHUNT to remove viruses. This limitation allows RESSCAN to occupy a very small amount of memory, about 20K, when loaded as a TSR. (The MS Windows version of RESSCAN, WIN-RS, takes up about 28.4K of memory.)

3. RESSCAN does not have a menu page. All options must be specified on the DOS command line when you run the RESSCAN program, or be present in VIRHUNT.CFG configuration file(s). (See the section "Configuration Files" for more information.)

PC management can configure RESSCAN to "force" users to complete a virus scan, and to report a discovered virus before proceeding with their work. If you are running RESSCAN on a local-area network (LAN), be sure to read the sections "Local-Area Network Usage" and "RS-NET" in this document.
4.1.A Example of RESSCAN Session

To start RESSCAN, make sure that the RESSCAN.COM file is in the current directory or is available in your PATH (see your DOS manual for a description of PATH), and type RESSCAN at the command prompt. RESSCAN first checks itself for corruption, and then starts scanning memory, the boot record of the default disk, and the executable files on the default disk for known viruses. Any viruses found are reported for further action. This scan can be interrupted at any time by pressing Ctrl-C or Ctrl-Break.

After the disk scan, RESSCAN installs itself as a TSR (Terminate and Stay Resident program), and watches any file being executed, or opened in any other way (such as in a COPY process), for known viruses. It also monitors disk boot records and warns you of any attempt to boot from an infected disk or diskette.

The RESSCAN initial virus scan, or its installation as a memory-resident TSR, may be turned off by using command line parameters. See the section "RESSCAN Options" for details.

4.1.B Using RESSCAN from AUTOEXEC.BAT

RESSCAN can automatically scan your system every time you boot by including RESSCAN in your AUTOEXEC.BAT file. Including the command:

    RESSCAN

as part of your AUTOEXEC will scan memory and the boot disk, then leave RESSCAN as a resident program to watch for viruses in the programs you execute. If you have several hard disks, or are booting from a floppy and want to scan a hard disk, use the following in your AUTOEXEC.BAT:

    RESSCAN DIC: DID:

where the DIx parameters tell RESSCAN what disks to scan, and can be repeated as often as needed to scan all disks in your system.

When RESSCAN exits to DOS, it always returns information in the ERRORLEVEL variable that can be checked within DOS batch files, or at boot time in AUTOEXEC.BAT, to take special action if there is a problem. The ERRORLEVEL returns are:

    0 = Clean scan
    1 = Signature change(s) found
    2 = Virus(es) found
    3 = Virus(es) found and signature change(s) found
    4 = Program quit during self-check (useful on networks)
    5 =
    6 = Program unable to repair itself during self-check

Since IF ERRORLEVEL n is true for any exit code of n or greater, test the higher values first when different codes need different handling; IF ERRORLEVEL 1 alone catches every result other than a clean scan. Read the Appendix titled "BATCH FILE ERRORLEVEL CHECKING" for the proper checking of ERRORLEVEL values.

Remember, DOS must be able to find the RESSCAN.COM file, so it must be in the ROOT directory or in your PATH; in the latter case, the RESSCAN command must come after the PATH command in your AUTOEXEC.BAT. For more information on the command line parameters for RESSCAN, see the sections "RESSCAN Options" and "RESSCAN Signature Options." For more examples, see the sections "RESSCAN Examples" and "RESSCAN Signature Examples."

4.2 RESSCAN Options

RESSCAN has a number of options to make its virus scan more flexible and powerful. The defaults have been chosen so that most people can use RESSCAN without needing to change any options. However, these values can be changed by specifying parameters on the command line, and/or by specifying them in the VIRHUNT.CFG configuration file(s). (See "Configuration Files".)

RESSCAN's parameters work the same as described in the VirHUNT section of this manual, where a fuller description can be found. -R is now the only RESSCAN command line parameter that is not shared with VirHUNT, which reduces the complexity of working with both programs. For compatibility with the VIRHUNT.CFG configuration file, all command line parameters used by VirHUNT are understood by RESSCAN; those not appropriate are ignored.
The RESSCAN command line uses the format:

    RESSCAN [-R[S][B]] [DIpathname] [VAH] [FIA] [FI.ext[.ext...]]
            [SW[{M}{R}][B][F][N]] [SFfilename] [USfilename] [LIfilename]
            [EXfilename] [d:[\path]] [\path] [/path] [SI[S][F][N][C]]

where square brackets show optional parameters, uppercase characters indicate parameter names, and lowercase characters indicate parameter settings. The RESSCAN parameters are described briefly below.

-R[S][B]
    The -R parameter alone causes RESSCAN not to go memory resident at all. Adding S and/or B allows RESSCAN's normal monitoring logic to go resident while selectively preventing the Signature (S) and/or Boot (B) monitoring portion of RESSCAN from going resident. This allows minimized memory usage and enhanced speed if not all of RESSCAN's monitoring features are needed. Note that the signature portion will not stay resident unless a signature option (SIs, SIsf, or SIc) is also specified on the RESSCAN command line, since otherwise RESSCAN is not required to use or create a signature file during its normal scan.
    Default if omitted: all RESSCAN options are installed resident in memory.

DIpathname
    Specify the DIrectory and/or drive to scan. Multiple drives/pathnames can be identified on a single command line. If you use normal drive and/or pathnames on the command line, you can avoid the use of the DI parameter (see below).
    Default if omitted: scan the entire current disk and subdirectories, starting at the root.

[d:[\path]] [\path] [/path]
    If a normal drive and/or pathname is given on the command line, the DI parameter is assumed. Drive names are identified by a ':' as the second character. Pathnames must begin with a '\' or '/' (for UNIX folks). Multiple drives/pathnames may be given on a single command line.
    Default if omitted: scan the entire current disk and subdirectories, starting at the root.

FIA
    Scan ALL FIles.
    Default if omitted: scan just executable files (.EXE, .COM, .BIN, .SYS, .OV?).

FI.ext[.ext][...]
    Add executable extensions beyond the normal .EXE, .COM, .BIN, .SYS, and .OV? to the list of files to be scanned and/or monitored. Periods are used to identify extensions in the list. Note that these additional files will be included in the signature files created by RESSCAN. Wildcard characters are NOT supported in the extension list.
    Default if omitted: scan just normal executable files.

VAH
    Virus Action is HALT if a virus is found. This option is useful in a business environment where data security is administered by a central office that wants to be informed of each and every virus occurrence.
    Default if omitted: report viruses only.

SW[{M}{R}][B][F][N]
    Scan What specifies what areas to scan: Memory or Real DOS memory, Boot records, Files, or Nothing. The default memory scan searches all of the real-mode memory space (the first 1 MB) so that viruses resident in high memory are found. However, this range includes addresses where neither RAM nor ROM is present, and some machines return parity or other errors when these areas are scanned. If this happens, use the R option (Real DOS memory, 640K on most machines) to restrict the scan to lower memory.
    Default if omitted: scan all memory, boot, and files.

SI[S][F][N][C]
    SIgnature scan: Scan, Fast, Newfiles, Create. (Legal combinations: S, SF, N, SN, C.)
    Default if omitted: no signature scan.

SFfilename
    Name of the Signature File to use. (See section "RESSCAN and Signature Files".)
    Default if omitted: filename = \VIRHUNT.SIG

USfilename
    Name of the USer signature file to scan. Note: user signatures must be in RESSCAN format, not VirHUNT format. (See section "Teaching RESSCAN about New Viruses".)
    Default if omitted: no user signatures searched.

LIfilename
    Specifies the output file for a copy of the virus scan output. If the specified file does not exist, it is created; otherwise the scan information is appended to the existing file.
    Default if omitted: no output file.
EXfilename.lst
    Specifies a file (the name may contain a drive and/or path) that contains a list of filenames (one per line) to exclude from signature checking, both normal and resident. This list file must be created beforehand as an ASCII text file. The list may contain names in two forms:

        DRIVE:\PATH\FILENAME.EXT   (e.g. C:\DOS\COMMAND.COM)
    or
        FILENAME.EXT               (e.g. MYPROG.EXE)

    In the first form, only the specified file is excluded from the signature check. In the second, all files with the same name and extension are excluded, regardless of their location.
    Default if omitted: no exclude list file.

The case of parameters is not significant, nor is the order of multiple-character options (such as for SW and SI).

4.3 RESSCAN Examples

Following are a few examples of RESSCAN being run from the DOS command line, and their explanation.

Command:      RESSCAN -R
Explanation:  Scan memory, boot record(s), and files of the current disk; do not go resident.

Command:      RESSCAN -R SWmf FIA
Explanation:  Scan memory and all files on the current disk only, ignoring the boot record(s); do not go resident.

Command:      RESSCAN SWbf
Explanation:  Scan the boot record(s) and files of the current disk, and attempt to install RESSCAN. Memory is not searched.

Command:      RESSCAN VAH
Explanation:  Scan memory, and the boot record(s) and files of the current disk. If an infected file is found, halt the system; otherwise attempt to install RESSCAN. Once installed, trying to run an infected program causes RESSCAN to halt the system. Commonly used in AUTOEXEC.BAT at boot time.

Command:      RESSCAN DIA:
Explanation:  Scan the A: disk, and attempt to install RESSCAN as a memory-resident TSR.

Command:      RESSCAN -R DIc:\myfiles
Explanation:  Scan the files in C:\MYFILES and its subdirectories. Do not attempt to remain resident.

Command:      RESSCAN -R DIc: DId: DIe:\files
Explanation:  Scan the C: drive, the D: drive, and the E:\FILES subdirectory and its subdirectories. Do not attempt to install RESSCAN.

Command:      RESSCAN -R USmysig.lst
Explanation:  Scan the current disk only. The user signatures in MYSIG.LST are also searched for.

Command:      RESSCAN SWmf USmysig.lst
Explanation:  Use the user signatures in MYSIG.LST. Scan memory and files only; do not check the boot record(s). Attempt to install RESSCAN.

Command:      RESSCAN DIC: DID: USmysig.lst
Explanation:  Use the signatures in MYSIG.LST. Scan the files on the C: drive and the D: drive, and attempt to remain resident after the scan.

Command:      RESSCAN -R SWn USmysig.lst
Explanation:  Use the signatures in MYSIG.LST. Do not attempt to remain resident, and do not scan the disk. This would be useful for checking the syntax of MYSIG.LST.

Other RESSCAN examples:

Command:      RESSCAN SWrbf
Explanation:  Scan Real memory (only the lower 640K that the system knows to exist), boot records, and files. Remain resident after the scan. Scanning Real memory only avoids scanning "high memory" above 640K, which can cause problems on some machines.

Command:      RESSCAN -Rsb
Explanation:  Scan the default drive; leave only the file monitoring logic memory resident. (-Rsb keeps signature and boot record monitoring from going resident.) Same as the command RESSCAN under previous versions.

Command:      RESSCAN
Explanation:  Scan the default drive; leave file and boot monitoring resident. Note that although not denied by an -Rs parameter, signature monitoring is not left resident, since signatures were not used for the scan.

Command:      RESSCAN SIs
Explanation:  Scan the default drive using signatures; leave file, signature, and boot monitoring resident.

Command:      RESSCAN SIs -Rb
Explanation:  Scan the default drive using signatures; leave file and signature monitoring resident. (-Rb keeps boot record monitoring from going resident.)

Command:      RESSCAN SIs EXfiles.lst
Explanation:  Scan the default drive using signatures; leave file, signature, and boot monitoring resident. The files given in FILES.LST are excluded from both the normal and the resident signature scan.

Command:      RESSCAN FI.pif.dll
Explanation:  Scan the default drive; leave file and boot monitoring resident. All files with a .PIF or .DLL extension are considered executable and included in both the normal and the resident scan.

Command:      RESSCAN A: C: \MYFILES
Explanation:  Scan the A: drive, the C: drive, and the directory \MYFILES on the current drive. Stay resident, including file and boot record monitoring.
(Signature monitoring is not loaded resident because no signature operation is given.)

4.4 Memory Resident Operation

As a TSR (Terminate and Stay Resident) program, RESSCAN can perform ongoing virus scanning on all the files and disks you use or access. The exact memory requirement of RESSCAN depends on what monitoring options are loaded memory resident:

    File monitoring only................: 19152 bytes
    File and Signature monitoring.......: 20272 bytes
    File and Boot record monitoring.....: 22672 bytes
    File, Signature, and Boot monitoring: 23792 bytes

If run more than once, RESSCAN recognizes that it is already memory-resident, and does not install itself again. The various resident options of RESSCAN are controlled by the -R parameter, described earlier. The default resident operation is described in some detail below.

Before any program is run or copied, RESSCAN examines it first. If the program has the signature of a known virus, or if a signature file is being used and a change is detected in the program (see section "RESSCAN and Signature Files"), RESSCAN pops up a window and informs you of the name of the program and the suspected virus (if known). It then asks whether you want to continue. While this may seem like a worthless question (who wants viruses running around their system?), remember that finding a signature is not absolute proof that the file is infected, and completely locking someone out of a program may be an even worse decision. Using the VAH (Halt system) parameter, RESSCAN can be made to halt the system when it finds a suspected virus, and to prompt the user to contact their supervisor. This is primarily useful in a business environment, where data security is administered by a central office.

RESSCAN also performs resident boot checking, which monitors system drive boot records and guards against using or booting from an infected disk or diskette. For more information, see section "RESSCAN Resident Boot Checking" below.
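The following parser is an added example, not DDI's code: it implements the command line syntax of 4.2 above together with the shared VirHUNT parameters of 3.2.E (including the obsolete RE, RV and BO forms of 3.2.E.17) and the SI combination rules of 3.3.F.1 and 4.2, so that a batch job can be checked for a bad parameter before it is scheduled. The option dictionary keys, the rejects() helper, and the decision to keep the last value of a repeated parameter and raise ValueError on a malformed one are this example's own assumptions; the manual does not say how the real programs resolve those cases, and RESSCAN's silent ignoring of inappropriate VirHUNT parameters is not modelled. Parameters the manual does not describe in these sections are rejected as unknown.

```python
# Added example, not DDI's code: a parser for the VirHUNT/RESSCAN command line syntax of
# sections 3.2.E, 3.3.F and 4.2, including the obsolete RE/RV/BO forms of 3.2.E.17.
# ASSUMPTIONS: the manual does not say how the real programs treat a repeated, conflicting
# or malformed parameter; this parser keeps the last value and raises ValueError on a bad one.
VIRHUNT_SI = {"C", "CF", "S", "SF", "SR", "SN", "SFN", "SRN"}   # 3.3.F.1
RESSCAN_SI = {"S", "SF", "N", "SN", "C"}                        # 4.2
DEFAULT_EXTS = [".EXE", ".COM", ".BIN", ".SYS", ".OV?"]
YN_FLAGS = {"SC": "scan_subdirs", "PR": "print_output", "VO": "variations"}
FILE_KEYS = {"SF": "signature_file", "US": "user_file", "LI": "list_file", "EX": "exclude_file"}

def defaults(program):
    return {"program": program, "resident": True, "resident_sig": True, "resident_boot": True,
            "dirs": [], "all_files": False, "exts": list(DEFAULT_EXTS), "scan_what": {"M", "B", "F"},
            "virus_action": "N", "variations": False, "scan_subdirs": True, "print_output": False,
            "quit": None, "signature_mode": None, "signature_file": None, "user_file": None,
            "list_file": None, "exclude_file": None}

def parse_sw(value):
    """SW: N alone, or any of M|R (mutually exclusive), B, F in any order."""
    s = set(value.upper())
    if s == {"N"}:
        return set()
    if not s or not s <= {"M", "R", "B", "F"} or {"M", "R"} <= s:
        raise ValueError("bad SW value %r" % value)
    return s

def parse_si(value, program):
    """SI: canonicalize the letters (order is not significant) and check the legal set."""
    code = "".join(c for c in "CSFRN" if c in value.upper())
    legal = RESSCAN_SI if program == "RESSCAN" else VIRHUNT_SI
    if len(code) != len(value) or code not in legal:          # catches SFR, duplicates, junk
        raise ValueError("SI%s is not valid for %s" % (value, program))
    return code

def yes_no(key, value):
    if value.upper() not in ("Y", "N"):
        raise ValueError("%s takes Y or N, got %r" % (key, value))
    return value.upper() == "Y"

def parse(argv, program="VIRHUNT"):
    """Parse command line words into an options dict; parameter case is not significant."""
    o = defaults(program)
    for arg in argv:
        up = arg.upper()
        if program == "RESSCAN" and up.startswith("-R"):      # -R[S][B]: resident control
            flags = set(up[2:])
            if not flags <= {"S", "B"}:
                raise ValueError("bad -R flags %r" % arg)
            o["resident"] = bool(flags)                       # bare -R: nothing goes resident
            o["resident_sig"], o["resident_boot"] = "S" not in flags, "B" not in flags
        elif up and ((len(up) > 1 and up[1] == ":") or up[0] in "\\/"):   # bare drive/path
            o["dirs"].append(arg)
        else:
            key, val = up[:2], arg[2:]
            if key == "DI":
                o["dirs"].append(val)
            elif key == "FI" and val.upper() == "A":
                o["all_files"] = True
            elif key == "FI":                                 # FI.ext.ext adds executable types
                if not val.startswith(".") or any(w in val for w in "*?"):
                    raise ValueError("bad FI list %r" % arg)
                o["exts"] += ["." + e.upper() for e in val.split(".")[1:] if e]
            elif key == "SW":
                o["scan_what"] = parse_sw(val)
            elif key == "SI":
                o["signature_mode"] = parse_si(val, program)
            elif key in FILE_KEYS:
                o[FILE_KEYS[key]] = val
            elif key == "VA" and val.upper() in ("R", "W", "H", "N"):
                o["virus_action"] = val.upper()
            elif key in YN_FLAGS:
                o[YN_FLAGS[key]] = yes_no(key, val)
            elif key in ("QU", "QZ") and not val:
                o["quit"] = key
            elif key == "RE" and val.upper() in ("Y", "N", "W"):   # obsolete: REx -> VA
                o["virus_action"] = {"Y": "R", "N": "N", "W": "W"}[val.upper()]
            elif key == "RV":                                 # obsolete: RVx -> VO
                o["variations"] = yes_no(key, val)
            elif key == "BO":                                 # obsolete: BOx -> SW with/without B
                (o["scan_what"].add if yes_no(key, val) else o["scan_what"].discard)("B")
            else:
                raise ValueError("unknown or malformed parameter %r" % arg)
    return o

def rejects(argv, program="VIRHUNT"):
    """True when parse() raises ValueError for argv; used to check invalid combinations."""
    try:
        parse(argv, program)
    except ValueError:
        return True
    return False
```

parse(["DIC:", "DID:", "LIC:\\INFECT.LST", "QZ"]) yields the options of the QZ batch example in 3.2.E.11, and parse(["-Rsb", "FI.pif.dll", "SWrbf", "A:", "\\MYFILES"], "RESSCAN") the combined effect of several of the 4.3 examples; rejects(["SISFR"]) shows the one SI combination the manual calls out as invalid being refused before anything is scanned.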
4.5 RESSCAN Resident Boot Checking

When running as a resident program, RESSCAN by default performs ongoing checks for infected operating system boot records on system drives, and can keep you from unknowingly booting from an infected hard drive or floppy. Resident boot checking can be inactivated by the -R parameter, described earlier. A more detailed description follows.

Resident boot checking watches INT 13 for reads/writes to all floppy boot records, all hard disk Master Boot Records (MBRs), and the partition boot record of the first hard disk (normally the boot drive is C:). On a read, the data read is checked for infection. On a write, the data is checked BEFORE the write occurs. In either case, if an infection is found, a RESSCAN window displays an appropriate message and asks if you wish to continue with the process. Note that typing 'N'o to terminate the suspect action may need to be repeated, since some DOS processes make several retries if a BIOS call fails (which is what RESSCAN emulates).

In addition, RESSCAN watches the keyboard for a Ctrl-Alt-Del reset, and INT 19h (warm-boot) is also monitored. In either event, the boot drives (A: floppy drive and C: hard disk) are checked for virus infection. If you are about to boot from a virus infected disk, a pop-up message is displayed. This will continue until you say 'Y'es to booting from the infected disk, or until an uninfected diskette is inserted.

As a general protection feature, RESSCAN will warn of any write attempt to the Master Boot Record (MBR) or DOS boot record of your hard disk, regardless of whether or not the information to be written contains a virus.

4.6 RESSCAN and Signature Files

RESSCAN can create and use signature files, which allow the detection and removal of previously unknown viruses. A full description of signature files is given in the VirHUNT section of this document.
The RESSCAN use of signature files differs from VirHUNT in the following ways:

1) RESSCAN cannot remove viruses. Because RESSCAN is a memory-resident program, an effort has been made to keep it small and fast, and this means limiting some features. If RESSCAN reports the presence of a virus, you can run VirHUNT to remove it.

2) RESSCAN can create signature files in Normal mode only, although it can scan a Fast mode signature file created by VirHUNT.

3) RESSCAN's signature checking can be made memory-resident along with normal known virus scanning. (This is the default unless changed with the -Rs parameter.) When the user attempts to run or open a monitored file, RESSCAN first checks it for known viruses. If no known viruses are found and resident signature checking is available, the appropriate signature file is opened, and the program's stored signature is located and compared against its current signature. If the signature has changed, a RESSCAN window displays the name of the possibly infected program along with a "signature changed" message. If the signature file has been corrupted, a message to that effect is displayed one time only, and resident signature checking is turned off. If the signature file cannot be opened, no message is displayed and RESSCAN tries again next time.

The signature file used is either the default VIRHUNT.SIG belonging to the first drive/directory on the list processed by RESSCAN, or the signature file specified by the SFfilename command line parameter. Thus, VirHUNT and RESSCAN can share the same signature file(s) and Exclude file list.

When a Newfiles scan is requested, it occurs during the file scan for viruses. Thus requesting a Newfiles scan when the files scan is not used (SWn or some other use of the SW parameter without the f {files} option) means that the Newfiles scan is skipped as well.
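The create, scan and new-files behaviour described above, as an added Python model. This is not RESSCAN's or VirHUNT's own code: the real VIRHUNT.SIG layout and signature algorithm are not documented on the page, so the executable extension set, the MAGIC header line and the use of SHA-256 as the "signature" are assumptions. The corrupt-file check reproduces the page's rule that a damaged signature file is reported and not trusted.

```python
"""Added example: a signature-file model in the spirit of RESSCAN SIc / SIs / SIsn."""
from __future__ import annotations

import fnmatch
import hashlib
import json
from pathlib import Path

# Extensions treated as executable by this model (assumed default set). The FI
# parameter on the page adds extensions such as .PIF or .DLL to RESSCAN's own list.
EXEC_EXTS = {".COM", ".EXE", ".SYS", ".OVL"}
MAGIC = b"SIGFILE-EXAMPLE-1"  # hypothetical header; not the real VIRHUNT.SIG layout


def file_signature(data: bytes) -> str:
    """'Normal mode' signature over the whole file. RESSCAN's actual signature
    algorithm is not documented on the page; SHA-256 is a stand-in."""
    return hashlib.sha256(data).hexdigest()


def excluded(name: str, exclude: tuple[str, ...]) -> bool:
    """EX-style exclude list: DOS wildcard patterns, compared case-insensitively."""
    return any(fnmatch.fnmatchcase(name.upper(), pat.upper()) for pat in exclude)


def collect_executables(root: Path, extra_exts=(), exclude=()) -> dict[str, bytes]:
    """Gather what a file scan covers: DI (directory), FI (extra extensions), EX (excludes)."""
    exts = EXEC_EXTS | {e.upper() for e in extra_exts}
    found: dict[str, bytes] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.upper() in exts and not excluded(p.name, tuple(exclude)):
            found[str(p.relative_to(root)).upper()] = p.read_bytes()
    return found


def create_signature_file(files: dict[str, bytes], boot_record: bytes | None = None) -> dict:
    """SIc: one signature per scanned file, plus the boot record if it was scanned (SWb)."""
    sig: dict = {"files": {name: file_signature(data) for name, data in files.items()}}
    if boot_record is not None:
        sig["boot"] = file_signature(boot_record)
    return sig


def scan_signature_file(files: dict[str, bytes], sig: dict,
                        boot_record: bytes | None = None, report_new: bool = False) -> dict:
    """SIs / SIsn: report files whose stored signature no longer matches and,
    for SIsn only, files that have no stored signature at all ("new files")."""
    stored = sig["files"]
    changed = [n for n, d in files.items() if n in stored and file_signature(d) != stored[n]]
    new = [n for n in files if n not in stored] if report_new else []
    boot_changed = ("boot" in sig and boot_record is not None
                    and file_signature(boot_record) != sig["boot"])
    return {"changed": changed, "new": new, "boot_changed": bool(boot_changed)}


def serialize_signature_file(sig: dict) -> bytes:
    """Write the signature set with a trailing digest so corruption is detectable."""
    body = json.dumps(sig, sort_keys=True).encode()
    return MAGIC + b"\n" + body + b"\n" + hashlib.sha256(body).hexdigest().encode()


def parse_signature_file(raw: bytes) -> dict | None:
    """Returns None for a corrupt signature file. The page says RESSCAN reports that
    once and turns resident signature checking off rather than trusting the file."""
    parts = raw.split(b"\n")
    if len(parts) != 3 or parts[0] != MAGIC:
        return None
    body, digest = parts[1], parts[2]
    if hashlib.sha256(body).hexdigest().encode() != digest:
        return None
    return json.loads(body)
```

create_signature_file corresponds to SIc, scan_signature_file without report_new to SIs and with it to SIsn. The exclude list is applied when the file set is collected, which is why an excluded file appears in neither the created signature file nor the scan, matching the EXfiles.lst example earlier.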
4.6.A RESSCAN Signature Options

Be aware that there is an interaction between the RESSCAN SIc (Create signature file) option and the SW (Scan What), FI (FIle All or added extensions), and DI (DIrectory to scan) options described earlier in "RESSCAN Options". The contents of a newly created signature file depend on what files were scanned, and whether the boot record was scanned. Depending on whether default signature files are used, the DI (directory to scan) option may or may not be significant during both signature creation and scan (see the section "Signature File Names").

4.6.A.1 Signature Mode

The signature mode is controlled by the SI command line parameter. The legal combinations are:

    SIs  = Scan signature file
    SIsf = Scan signature file Fast
    SIc  = Create signature file
    SIsn = Scan signature file and report any New files found

A full description of the "Create", "Scan", and "Fast" signature file options is given in the VirHUNT section of this document.

4.6.A.2 Signature File Names

There are 2 naming schemes available for the signature file: the default "VIRHUNT.SIG", or a name specified by the SFfilename command line parameter (see the section "RESSCAN Options"). When a name (and optionally drive and/or path) is specified with SF, RESSCAN creates or scans the specified signature file.

Even if multiple paths are specified with the DI parameter during a signature file Create, all boot record and/or file signatures are placed in the single signature file. Similarly, if multiple paths are given for a scan, the signature file is scanned only once.

4.6.A.3 RESSCAN Examples

Following are some typical examples of using signature files with RESSCAN from the DOS command line, along with their explanation.

RESSCAN -R SIs
    Scan memory, and the boot record(s) and files of the current disk, and scan the signatures in VIRHUNT.SIG in the root directory of the current disk.
RESSCAN SIs DIC: DID:
    Scan memory, the boot record(s), and files on the C: drive, then scan signatures using C:\VIRHUNT.SIG. Next, scan the boot record(s) and files on the D: drive, and scan signatures using D:\VIRHUNT.SIG. Remain resident after the scan.

RESSCAN SIc
    Scan memory, the boot record(s), and files on the current disk. The file VIRHUNT.SIG is created in the root directory of the current disk, and contains information on the boot record(s) and files scanned. Remain resident after the scan.

RESSCAN SIsn
    Scan memory, the boot record(s), and files on the current disk for known viruses and new files. The file VIRHUNT.SIG in the root directory of the current disk is used for both the new files check and the signature scan. Remain resident after the scan.

RESSCAN -R SWn SIs
    Do a signature scan only, using the VIRHUNT.SIG file in the root directory of the current drive.

RESSCAN SIsf DIC: DID:
    Scan memory, boot, and all executable files on the C: and D: drives for known viruses. Also scan signatures using the files C:\VIRHUNT.SIG and D:\VIRHUNT.SIG for changes using FAST mode. Remain resident when done. Such a command would be useful in an AUTOEXEC.BAT file, where you want to take the minimum time for booting your system. NOTE: The signature files should be created in NORMAL mode, so that if unknown viruses are found VirHUNT has a chance to remove them cleanly.

Other RESSCAN examples that use signature file options include:

RESSCAN -R SWf DI\utils SIsn SFmystuff.sig
    Scans the files in the \UTILS directory on the current disk for viruses and new files (using the signature file MYSTUFF.SIG), and does a signature scan using MYSTUFF.SIG in the current directory.

RESSCAN -R SWf SIc DIC: DID: SFd:\abc\virhunt.sig
    Scans only the files on the C: and D: drives, and creates the file D:\ABC\VIRHUNT.SIG containing information on the files scanned from both disks.
RESSCAN DIC: DID: SIc SFc:\files.sig
    Does a full virus scan on the C: and D: drives, creating a signature file C:\FILES.SIG in the process.

RESSCAN -R DI\bin FIA SWf
    Scan all files in the \BIN directory, executable or not. Do not scan memory or boot records, do not attempt to remain resident.

RESSCAN DIC: DID: LIc:\infect.lst
    Do a virus scan for the C: and D: drives, sending a copy of the scan results to the file INFECT.LST in the root directory of the C: drive.

4.7 Teaching RESSCAN About New Viruses

Like VirHUNT, RESSCAN allows the user to "teach" it about new viruses. Information about these new viruses is written in the built-in Custom Intercept Language, called CIL. Writing virus information in CIL can be technically demanding, and is best suited to persons with a high level of debugging skill. If you feel up to the task, consult the CIL.DOC documentation file that is provided on the distribution diskette.

Luckily, you have an easier alternative to writing in CIL. You can send any new viruses that you find to DDI and we will quickly update our utilities to detect and remove them, and provide you with the upgrade to Data Physician PLUS!.

5. RS-NET
___________________________________________________________________________

5.1 The RS-NET Program

RS-NET is a "helper" program that can optionally be used when running RESSCAN as a memory-resident program on a local-area network (LAN). If you need to load RESSCAN before you load your network software (such as from your AUTOEXEC.BAT file), the network software may not allow RESSCAN to see the DOS requests it needs in order to do virus scanning operations. To overcome this problem, there are two alternatives you can use, depending on which works best for your site:

1) Load RESSCAN after your network software is loaded. (If this approach works, RS-NET is not needed at all.)

2) Run RS-NET after RESSCAN and your network software are loaded.
This sets up a link between RESSCAN and the network software that allows proper operation.

There are no parameters needed when running RS-NET. RS-NET checks to be sure that the correct version of RESSCAN is installed in memory, and whether it is necessary to install the network link. Running RS-NET more than once will not hurt anything, since it recognizes when it is not needed. Note that RS-NET is not a resident program itself; it simply makes sure that RESSCAN is linked properly.

As a workstation user, be sure to run RS-NET before you log into the network server, to protect yourself from any viruses that may be on the server.

6. VirALERT
___________________________________________________________________________

6.1 What Is VirALERT?

VirALERT is a program (actually a device driver) that runs continually in the background to intercept changes to executable and operating system files (.EXE, .COM & .SYS files). VirALERT also watches for changes to the boot record, disk formatting attempts, and TSR (terminate and stay resident) program installations.

There are programs that have a valid need to access, modify, or create executable and system files, or install TSRs. For example, you might use compilers, linkers, certain DOS commands (such as COPY or DEL on an executable file), or the ANTIGEN program from within the Data Physician PLUS! package. You will usually know when an operation intercepted by VirALERT is appropriate, at which time you can allow it to occur. However, unexplained modifications to programs or system memory should be considered highly suspect, as those are the primary means by which computer viruses spread.

VirALERT intercepts virus-like activity before it happens, but cannot remove viruses. This is similar to RESSCAN, our scanner that looks for specific viruses (or any file alteration when using signature files) in real time while you work.
VirHUNT and ANTIGEN, on the other hand, do have the ability to remove viruses that have installed themselves earlier.

6.2 VirALERT Installation

As a device driver, VirALERT is loaded by the presence of a DEVICE command in your CONFIG.SYS file. The format of this command is as follows:

    DEVICE=[pathname\]VIRALERT.SYS [d: W Q V T F I X=list Y=list Z=list]

All parameters within brackets are optional. The pathname parameter tells DOS where to find the VIRALERT.SYS device driver file. The trailing parameters within brackets can be given in any order and are explained below.

d: = The letter of the first hard Disk in your system, with the d replaced by the appropriate letter (i.e. C: or D:, etc.). VirALERT uses this parameter in its warning messages, and to determine which DOS calls affect which drives. If not given, this parameter defaults to C:.

W = Warns you about a Write attempt to executable or system files using FCBs. FCBs can access files without letting DOS know they are open. This is an infrequently used programming technique, so adding the W parameter allows you to consider the activity suspicious and monitor for it. You may find, however, that a number of valid programs on your system use FCBs, in which case you may decide not to use the W parameter.

Q = Warns you about a Questionable write attempt to disk. Questionable writes are direct disk accesses (INT 13H, INT 21H IOCTL, INT 26H, INT 40H) that are being attempted from within an application program instead of by DOS or BIOS. It is possible, but unusual, for a valid application to attempt these types of disk accesses. By including the Q parameter, you will increase your security level at the possible cost of additional false alarms. You may decide to use this option only after deciding something suspicious is occurring in your system.

V = Reminds you that VirALERT has been temporarily turned off via the Alt-V hotkey. (See the Alt-V Hotkey section below.)
Since you might find it easy to forget to turn protection back on, the V parameter can be used to remind you. When VirALERT is Off, a green, blinking V will appear in the upper-right corner of the display to tell you that you are not currently protected.

T = Warns you about a TSR (RAM-resident program) installation. Many viruses install themselves into memory as a TSR, although so do many legitimate programs. Using the T parameter, you are warned in either case. Based on the known characteristics of the programs you are running, you are then usually able to determine which TSR installations are valid and which are not.

F = Warns you about Format calls to floppy disks. Format calls to hard drives are always intercepted, regardless of the F parameter. Incidentally, the DOS FORMAT command does not actually perform a format function on hard drives, so VirALERT intercepts FORMAT C: as a questionable write to disk (see Q parameter). VirALERT is designed to protect against actual low-level formats that a virus may generate, not an accidental use of the DOS FORMAT command.

I = Skips the initial check for disconnected memory blocks. Although disconnected memory blocks are normally signs of a virus, some microcomputers reserve blocks of memory for use by BIOS, and this can confuse VirALERT. If disconnected memory block warnings appear immediately upon installation of VirALERT, use the I parameter to turn this check off. To explain further, VirALERT by default looks for blocks of "non-existent" RAM (RAM not included in the memory size variable used by DOS and BIOS) that have interrupts pointed to them. This is a common technique used by viruses, including the BRAIN virus.

X=list = EXcludes the associated list of files from being watched. For example:

    X=MYFILE.EXE,*.SYS,AB?.COM

will make VirALERT ignore any files named MYFILE.EXE, any file with a .SYS extension, and .COM files with 2 or 3 character names starting with AB.
NOTE: You cannot provide an associated pathname, so any file with a matching name will be excluded. There is a maximum of 9 files in a list, which must be given without spaces.

Y=list = Protects the associated list of files. For example:

    Y=*.OVL,MYFILE.TXT

will make VirALERT watch all files with a .OVL extension, and the file MYFILE.TXT. No pathnames can be given, and there is a maximum of 9 files in the list. NOTE: A file can be specified in BOTH the include and exclude lists. When a file is specified in both the include and exclude lists, the exclude list takes precedence. Therefore, a command line like:

    X=AUTOEXEC.BAT Y=*.BAT

will include all .BAT files EXCEPT for AUTOEXEC.BAT.

Z=list = Excludes the associated list of files from a TSR watch. For example:

    Z=SK.COM,CED.COM,MYTSR*.EXE,MYTSR*.COM

will allow the programs SK and CED, and any programs starting with MYTSR, to go RAM-resident as a TSR without generating a warning to the user. No pathnames can be given, and there is a maximum of 9 files in the list. NOTE: The T parameter must be specified before Z becomes useful.

As mentioned, the parameters listed above may be in any order on the command line. You may optionally add spaces between them for legibility. For example, the following VirALERT command lines are all equivalent:

    DEVICE=VIRALERT.SYS FQ C:
    DEVICE=VIRALERT.SYS F Q C:
    DEVICE=VIRALERT.SYS C: F Q
    DEVICE=VIRALERT.SYS FC:Q

6.3 VirALERT Operation

In operation, VirALERT monitors DOS and BIOS operations and warns you when something (possibly a virus) is attempting to edit or delete an executable file, edit the boot sector, format a disk, install a RAM-resident program, or perform other suspicious tricks in system memory. When a suspect disk operation is attempted, VirALERT opens a window on your screen, displays one of the following messages (where the x's are replaced with the relevant drive or file names):

    "Attempt to format floppy drive x!"
    "Attempt to format hard disk x!"
    "Attempt to access the file xxxxx!"
    "Attempt to delete the file xxxxx!"
    "Attempt to write to the file xxxxx!"
    "Attempt to create the file xxxxx!"
    "Attempt to rename the file xxxxx!"
    "Attempt to rename a file as xxxxx!"
    "Attempt to format drive xxxxx using IOCTL!"
    "Attempt to write to boot record on drive x!"
    "Illegal attempt to access drive x!"
    "Disk write from DOS, but normal DOS call has been bypassed!"
    "The VirALERT program appears to have been tampered with!"

and then waits for you to press one of the following keys:

C = Continue the current operation.
F = Fail (don't perform) the suspicious operation and pass a DOS error code indicating the failure back to the current program.
A = Abort the current program and return to the DOS command line. Since no cleanup is done, it is possible that this could later crash DOS.
I = Inactivate VirALERT for the duration of the current program.
R = Reboot the system to ensure the program is gone from memory.

When a suspect memory operation is attempted, VirALERT opens a window on your screen and displays the following message:

    "The current program is going Resident!"

and then waits for you to press one of the following keys:

C = Continue the current operation.
D = Delete the TSR from the system by unhooking any interrupt vectors pointing to it, and making sure that DOS reclaims the memory.
R = Reboot the system to ensure the program is gone from memory.

When a legal response is given, VirALERT removes the window and takes the appropriate action. Aborting the program clears the screen and cleans up interrupt vectors that were taken over by the aborted program in order to minimize system crashes.
6.4 VirALERT Alt-V Hotkey

If you use the Alt-V hotkey combination (press the Alt and V keys simultaneously), VirALERT allows you to change its status between the following states:

* Active - VirALERT is on normal duty
* Inactive - VirALERT will be quiet until the current program is finished or another program is run
* Off - VirALERT will be quiet until Alt-V is used to change its status again.

NOTE: The active/inactive toggle display may not be brought up when a VirALERT message is on the screen.

7. SAFEBOOT
___________________________________________________________________________

7.1 What Is SAFEBOOT?

SAFEBOOT provides the following critical functions:

1) SAFEBOOT is an intelligent replacement for the normal DOS boot record. The boot record is the first code to be executed upon booting up your microcomputer. If a virus takes control in the boot record (as several well-publicized viruses have) it has a powerful vantage point from which to operate. For example, some viruses direct the operating system to be loaded from altered files that the virus has hidden within sectors falsely marked as "bad" on the disk.

2) SAFEBOOT protects the PC-DOS operating system files IBMBIO.COM, IBMDOS.COM (or their MS-DOS equivalents), and COMMAND.COM. Even if a virus does its own replacement of the boot record (and destroys the SAFEBOOT boot record in the process), enough intelligence is left in the remaining security code to protect and inform you of the security breach.

3) SAFEBOOT can be provided with a list of additional files (non-operating system) that you want to check during bootup for signs of tampering. This list is held in a file called SAFEBOOT.DAT.

4) SAFEBOOT checks for interrupt vectors hooked to "non-existent" memory blocks, and generates the following warning message if found:

    WARNING! System interrupt XX is pointing to a "non-existent" block of memory, a common virus signature.
    If you are aware of this, press any key to continue.
    If this is a problem, the suggested action is to turn off the machine, leave it off for a minute, then re-boot with a trusted floppy. Clean up action may then be taken.

The "XX" in the message above is replaced with the interrupt number in question. (Some clones set aside memory blocks for exclusive use by BIOS, which will generate this warning invalidly.)

You have three major options when executing SAFEBOOT:

1. Installation of SAFEBOOT on the drive of your choice
2. Removal of SAFEBOOT
3. Updating of the optional list of files that you want SAFEBOOT to check upon bootup.

These options are explained more fully in the remaining sections of this document.

7.2 SAFEBOOT Installation

To install SAFEBOOT on a bootable disk:

a. From the main menu, select the "Set DOS Version" option and find the correct DOS version in the list for your machine.
b. From the main menu, select the Install option.
c. Enter the letter of the drive on which you wish to install SAFEBOOT.
d. Decide whether you wish to use SAFEBOOT to protect files in addition to the default operating system files. If you answer "N", just the operating system files are protected. If you answer "Y", you are brought to a file protection display that allows you to build a list of additional files to protect. Leave the protection display via the Quit option to store the file list you have created. If you leave the protection display via the Abort option, you return to the main menu without SAFEBOOT being installed.
e. SAFEBOOT now installs itself automatically onto the selected drive and is active each time you boot from that disk.

NOTE: SAFEBOOT always creates a file called SAFEBOOT.SYS during installation. If you created an optional file list, a file called SAFEBOOT.DAT is also created. Both of these files must remain in the root directory on the protected drive.

7.3 SAFEBOOT Removal

To remove SAFEBOOT from a bootable disk:

a. Select the Remove option from the main menu.
b.
   Enter the letter of the drive from which you wish to remove SAFEBOOT.
c. SAFEBOOT now removes itself automatically from the selected drive, and is no longer active when you boot from that disk.

If you accidentally delete SAFEBOOT.SYS from your disk before going through the removal steps outlined above, your system will not be bootable. If this happens, boot from a floppy with the SAME version of DOS and use the SYS command to restore the system files.

7.4 SAFEBOOT Update

In this context, Updating means adding, deleting, or updating the files in the SAFEBOOT optional file list. Without a file list, SAFEBOOT will check only the operating system files on the boot disk. By providing a file list, however, you can cause SAFEBOOT to check any other files that are present on your system at boot time for changes. You are allowed the option of creating a file list when first installing SAFEBOOT on a drive, or you can use the Update option to add, edit, or delete the file list at any time.

When you select the Update option from the main menu, you are brought to a display that allows the selection of any files on the system. When you leave the protection display via the Quit option, your changes are written to disk. If you choose the Abort option, your changes are ignored.

7.5 Formatting Disks with SAFEBOOT Installed

Simple formatting of hard drives and floppy diskettes can be done while SAFEBOOT is installed. However, if you want to transfer the operating system to the formatted drive, you need to use the "Transfer DOS" option within the SAFEBOOT installation program. The FORMAT command (using the /S parameter) and the SYS command will not transfer a SAFEBOOT'ed system properly on their own. Thus, if you have trouble creating a bootable drive or floppy diskette via FORMAT or SYS, remember to run SAFEBOOT and select the "Transfer DOS" option.

7.6 SAFEBOOT Compatibility

* SAFEBOOT is compatible with DOS 2.0 and above ONLY.
* SAFEBOOT supports DOS 4.0+ hard disk partitions of all sizes, including those greater than 32 MB.
* Extended boot records are supported. Extended boot records exist under DOS 3.3 and above where you have used DOS to set up multiple partitions on a single drive.
* SAFEBOOT is not able to locate files on drives that are accessed through the use of device drivers (such as Bernoulli drives or multiple partitions through means other than DOS) because SAFEBOOT executes before these device drivers are installed.
* SAFEBOOT can handle many versions of MS-DOS that have been customized by hardware manufacturers for their systems. The "Set DOS Version" option on the main SAFEBOOT menu shows the various custom SAFEBOOT versions that can be generated. If SAFEBOOT fails to work, you can remove it using the Remove option and then try re-installing a different version.

8. ANTIGEN
___________________________________________________________________________

8.1 What Is ANTIGEN?

ANTIGEN represents a unique approach to the problems of virus detection and removal for PC-DOS and MS-DOS computer systems. Rather than placing the emphasis on external programs to detect and remove viruses, ANTIGEN allows the protected program itself to perform its own virus detection each time it is executed. If any problems are found, the ANTIGEN logic held within the program is capable of removing most viruses from the infected file.

ANTIGEN also allows you to password protect programs so that only valid users can run them. In addition, ANTIGEN can be used to install a custom message in programs that is displayed each time the programs are run.

8.2 How Does ANTIGEN Work?

ANTIGEN provides virus detection and removal by placing a security prefix in place of the normal DOS file header. When a program executes, the security prefix takes control first and checks both itself and the application program for signs of tampering or virus contamination.
If any problems are detected, the user is given the option of removing (if possible) the contamination, and later, of returning to DOS rather than continuing the altered application.

8.3 DOS Version

Due to the internal workings of DOS, the ANTIGEN security prefix is much more effective using DOS 3.0 or higher. While the security prefix will function using DOS 2.x, it is less efficient in detecting viruses and cannot remove them.

8.4 ANTIGEN Installation Procedures

The ANTIGEN security prefix is installed on your existing application programs by means of the ANTIGEN.EXE program. The ANTIGEN program itself is used only for installation or removal of the prefix. The actual virus detection and removal functions are handled by the extra security prefix code that ANTIGEN adds to your protected programs.

The ANTIGEN program is started by entering "ANTIGEN" at the DOS command line, with the ANTIGEN.EXE program available either in the current directory, or along the DOS search path. The first display briefly describes the security prefix, and awaits a keypress to proceed. You then arrive at the main menu.

8.5 The Main Menu

The main menu of the ANTIGEN security program allows you to select whether to Attach or Remove ANTIGEN from a file or group of files. The desired option is selected by typing the highlighted letter.

8.6 Security Attachment Menu

To attach an ANTIGEN security prefix, you first select what programs you wish to protect. As shown below, you may protect programs One at a time, protect files selected from a directory Listing, or protect All of the programs in a directory (only .COM and .EXE files are affected). The desired option is selected by typing the highlighted letter.
    Anti-Virus Protection V2.0      (c) DDI 1991      (800) 221-8091
    ANTIGEN - Security prefix control program

    Do you wish to add a prefix to:
        One program
        A List of programs
        All executable programs in a directory

    Press Esc to return to the main menu

Regardless of which option you choose from the menu above, ANTIGEN next asks you if you wish to place a password on the security prefix. Doing so will require this password to be entered before the protected program can be run. Setting a password also restricts removal of the security prefix to those who know the password.

You are next given the option of building a custom message that appears along with the normal security analysis messages each time a protected program is run.

If you had decided to attach the ANTIGEN prefix to only one file from the security attachment menu, you are now asked for the name (and pathname, if necessary) of the program to be protected. ANTIGEN then proceeds to install security on that program. The other two security attachment option routes are described below.

8.7 The Directory List

If at the security attachment menu you chose to protect selected files from a list, you are now asked for the directory path to display. Pressing Return selects the present directory, or you may enter a directory path. ANTIGEN then displays the executable files in that directory.

    Anti-Virus Protection V2.0      (c) DDI 1991      (800) 221-8091
    ANTIGEN - Security prefix control program

    Directory: C:\PROGRAMS

        PROG1.COM  >
        PROG2.COM  >
        PROG1.EXE
        PROG2.EXE

    Move highlight bar to file via arrows, PgUp, PgDn, Home, End
    Mark file for prefix attachment.  Help, Quit, Abort also available

The files may be marked for security prefix installation by moving the highlight bar to the desired file, and pressing M to Mark the file (Return will also mark the file). The Mark is a toggle, and re-marking a file will remove the original mark.
When you exit the directory list by the Quit command, the marked files will have the ANTIGEN security prefix installed (plus the optional password and custom message) before returning to the main menu. If the Abort command is used, the list is discarded, and control returns to the main menu.

8.8 Protecting All Files in a Directory

The third main menu option is used to protect all executable files in a single directory. After setting the optional password and custom message, ANTIGEN prompts you for the directory name. Pressing Return selects the present directory, or you may enter a directory path. ANTIGEN then automatically attaches the security prefix (plus optional password and/or custom message) to all executable .COM and .EXE files in that directory.

8.9 Security Removal Menu

To remove an ANTIGEN security prefix, you first select what programs are to be unprotected. As shown below, the file selection options are similar to those available during security prefix attachment.

    Anti-Virus Protection V2.0      (c) DDI 1991      (800) 221-8091
    ANTIGEN - Security prefix control program

    Do you wish to remove a prefix from:
        One program
        A List of programs
        All executable programs in a directory

    Press Esc to return to the main menu

    Enter file name for prefix removal. (include pathname.)
    >> C:\PROGRAMS\PROG1.COM <<
    To cancel removing protection, press Esc key or enter blank file name.

Once a file or group of files has been selected, ANTIGEN begins the removal process. Several outcomes may result:

* If a selected file has a security prefix and NO password, ANTIGEN performs the removal without pausing.
* If a selected file has a security prefix AND a password, ANTIGEN prompts you for the password before continuing.
* If a selected file has no security prefix, ANTIGEN informs you of this and allows you to press any key to continue.

After all selected programs have been processed, ANTIGEN returns you to the main menu.
8.10 User Interaction with the ANTIGEN Prefix

When you run a program that has been protected with the ANTIGEN security prefix, a message similar to the following appears:

Security prefix Copyright 1991 by DDI
FILENAME.EXE protected on 01-20-91
A custom message may appear here.
Security analysis in progress...

These messages inform you that ANTIGEN is checking the protected program for signs of tampering.

NOTE: The date of ANTIGEN installation on this program is shown, as well as any optional custom message. Also, if a password was installed in the security prefix, you are prompted to enter it before being allowed to continue. Entering a wrong password returns you to the DOS command line.

If no tampering is detected, the application program begins normal execution. Otherwise, the ANTIGEN prefix is able to report three different types of tampering:

* A removable virus is detected.
* A non-removable change is detected.
* The ANTIGEN prefix has been altered.

Each of these tamperings evokes a different response from ANTIGEN, described in subsequent sections of this document.

8.11 A Removable Virus Is Detected

If a removable virus is detected, the ANTIGEN prefix will notify you with the message:

Virus detected: do you wish to attempt removal (Y/N)?

If you respond with a 'Y', the ANTIGEN prefix will clean up the program, and respond with a message of:

Virus removed.

Regardless of whether the virus is removed, the ANTIGEN prefix then asks:

Do you want to execute the program (Y/N)?

This allows you to return to the DOS command line rather than risk executing a possibly altered program. At this time, the preferred course of action is to return to DOS, and use other programs within the Data Physician PLUS! package to investigate your system further. Follow the recommendations given earlier in this manual to clean up your system.
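To make the sequence of checks in this chapter concrete, here is an added Python model of a self-checking security prefix. It is an illustration written for this page, not DDI's code: the real ANTIGEN prefix is machine code prepended to a .COM or .EXE file, whereas the model uses a one-line JSON header, SHA-256 digests and a placeholder checker string, all of which are assumptions. The model performs the checks in the order the manual describes: the prefix verifies itself first and attempts no program check when it has been altered; otherwise it compares the program against the digest recorded at protection time; and removal of the prefix is refused unless the password set at attachment time is supplied. Only the non-removable-change outcome is modelled, since recognising a removable virus needs virus-specific knowledge the model does not have. Note also that a digest stored beside the data it covers is tamper evidence, not a signature: anyone who can rewrite the whole file can recompute it, which is why the manual still sends you back to DOS to investigate with the other tools.

```python
"""Model of an ANTIGEN-style self-checking security prefix (added example)."""
import hashlib
import json
from typing import Optional, Tuple

# Stand-in for the prefix's own checking code. The real ANTIGEN prefix is
# 8086 code prepended to a .COM/.EXE file; this constant is a constructed
# placeholder so that tampering with "the prefix" can be simulated.
CHECKER_CODE = b"MODEL-ANTIGEN-CHECKER-V1"


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _prefix_digest(checker: bytes, header: dict) -> str:
    # Covers the checker code and every header field except the digest itself,
    # so rewriting the stored program digest is caught as a prefix alteration.
    covered = {k: v for k, v in header.items() if k != "prefix_digest"}
    return _digest(checker + json.dumps(covered, sort_keys=True).encode())


def _assemble(header: dict, checker: bytes, program: bytes) -> bytes:
    # Layout (an assumption): one-line JSON header, newline, checker, program.
    return json.dumps(header, sort_keys=True).encode() + b"\n" + checker + program


def protect(program: bytes, protected_on: str, custom_message: str = "",
            password: Optional[str] = None) -> bytes:
    """Attach the model prefix to PROGRAM; mirrors ANTIGEN's attach step."""
    header = {
        "protected_on": protected_on,          # shown when the program runs
        "custom_message": custom_message,      # optional operator text
        "password_hash": _digest(password.encode()) if password else None,
        "program_digest": _digest(program),    # what the program must still match
    }
    header["prefix_digest"] = _prefix_digest(CHECKER_CODE, header)
    return _assemble(header, CHECKER_CODE, program)


def split(image: bytes) -> Tuple[dict, bytes, bytes]:
    """Separate a protected image into (header, checker code, program)."""
    head, _, body = image.partition(b"\n")
    n = len(CHECKER_CODE)
    return json.loads(head), body[:n], body[n:]


def analyze(image: bytes) -> str:
    """Run the checks in the order the prefix does: itself first, then the program."""
    header, checker, program = split(image)
    if header.get("prefix_digest") != _prefix_digest(checker, header):
        # The checker cannot be trusted, so no program check is attempted.
        return "prefix altered"
    if _digest(program) != header["program_digest"]:
        return "non-removable change"
    return "clean"


def password_ok(image: bytes, password: Optional[str]) -> bool:
    """True if no password was set, or the supplied one matches."""
    header, _, _ = split(image)
    if header["password_hash"] is None:
        return True
    return password is not None and _digest(password.encode()) == header["password_hash"]


def remove_prefix(image: bytes, password: Optional[str] = None) -> bytes:
    """Strip the prefix, refusing when a password is set and not matched."""
    if not password_ok(image, password):
        raise PermissionError("password required to remove the security prefix")
    return split(image)[2]


if __name__ == "__main__":
    # Constructed sample "program": a few bytes standing in for PROG1.COM.
    prog = b"\xb4\x09\xba\x00\x01\xcd\x21\xc3Hello from PROG1$"
    image = protect(prog, "01-20-91", "Payroll build 3", password="letmein")
    print(analyze(image))                        # clean
    print(analyze(image[:-1] + b"\x90"))         # non-removable change
    print(remove_prefix(image, "letmein") == prog)
```

The order in analyze is the point: when the checker itself fails its digest, the function returns before touching the program digest, matching the manual's statement that an altered prefix does no checking on the application.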
8.12 A Non-Removable Change Is Detected

There are two classes of non-removable virus, although they normally appear together: a non-removable change to the program on disk, or a change in the program's memory image (the copy being run). In either case, the ANTIGEN prefix displays a double warning message:

WARNING: The program appears to have been altered!
WARNING: A non-removable change has occurred to the program stored on disk!

ANTIGEN then asks:

Do you want to execute the program (Y/N)?

thus allowing you to return to the DOS command line rather than execute the altered program. The preferred course of action is to return to DOS, and use the other programs within the Data Physician PLUS! package to investigate your system further. Follow the recommendations given in the Data Physician PLUS! manual to clean up your system.

8.13 The ANTIGEN Prefix Has Been Altered

The ANTIGEN security prefix is capable of checking its own integrity, and does so before investigating the integrity of the application program. If any change is found in the ANTIGEN prefix, the user is given the message:

WARNING: The security analysis program appears to have been altered!

When this occurs, the ANTIGEN security prefix does NO checking on the application program, as the unauthorized change may have rendered the ANTIGEN prefix itself dangerous. Instead, the user is given the message:

Do you want to execute the program (Y/N)?

and given the choice of continuing the application or returning to DOS. Once again, the preferred course of action is to return to DOS, and use the other programs within the Data Physician PLUS! package to investigate your system further. Follow the recommendations given earlier in this manual to clean up your system.

8.14 ANTIGEN Compatibility

Where the protected program uses itself as an overlay, or writes to itself during normal operation, the ANTIGEN header may be incompatible.
If a problem occurs, run ANTIGEN again to remove the security prefix from that program, which should then work correctly.

8.15 When Should I Use ANTIGEN?

ANTIGEN can be used to add virus detection and removal logic to programs that you want to be absolutely sure do not become infected or altered. These may be frequently-run utilities, or programs that you sell commercially or distribute to other sites. Other advantages include:

* An ANTIGEN-protected program carries its own ability to remove the virus that has attacked it.
* Since every protected program checks its own integrity each time it is run, a virus has a difficult time gaining a foothold in the executable files.
* When a large number of programs are being protected, ANTIGEN can make the time given to security analysis less noticeable than with some other techniques.

NOTE: ANTIGEN increases the size of each protected program by approximately 4.5K bytes. On systems where virus attacks cannot be tolerated, this disk space represents inexpensive insurance.

9. FILEPEEK
___________________________________________________________________________

9.1 What Is FILEPEEK?

FILEPEEK allows you to inspect programs for suspicious-looking messages. Many viruses and other villainous programs contain messages that are used to taunt the hapless victim after it is too late to prevent damage. Using FILEPEEK, it is possible to examine a program for these suspicious-looking messages. If FILEPEEK displays a message that doesn't seem appropriate for the type of program being inspected, it may be wise to question the safety of running that program. A virus perpetrator could possibly encrypt his text messages so an inspection program would not display them. Given that clues usually exist in the program, however, FILEPEEK can provide you that little extra security edge that might prove to be the difference between safety and disaster.

NOTE: FILEPEEK will not change or affect the contents of any of your files.
9.2 Using FILEPEEK to Inspect Files

FILEPEEK operates like many of the other programs within Data Physician PLUS!. You can use the built-in menus or tell FILEPEEK what you want to do directly at the DOS command line. The DOS command line options are as follows:

FILEPEEK [[-L]filename [user search string]]
or
FILEPEEK [[-L]filename [-L]listname]

where filename is the name of the file to look at (include wildcards and pathname if necessary), "-L" is a flag telling FILEPEEK that what follows is the name of a list, user search string is a specific string of characters you want to search for, and listname is the name of a file containing a list of specific strings to search for. For example:

FILEPEEK QUACK.EXE

searches the file QUACK.EXE for ANY text, which is then displayed to you as it is found.

FILEPEEK \UTIL\*.COM COPYRIGHT

searches all .COM files in the \UTIL directory for any text containing the string "COPYRIGHT", without the quotes.

NOTE: FILEPEEK searches are not case-sensitive. A character will match whether it is uppercase or lowercase. For example, "COPYRIGHT" will match any of the following: "COPYRIGHT", "Copyright", "copyright", "CopyRight", or any other combination. The search string itself can also be given in any capitalization form.

FILEPEEK -LFILES.LST

looks into the file FILES.LST for a list of files to be searched for any text. This list of files must be a plain ASCII text file with one filename per line. Wildcards and pathnames may be used.

FILEPEEK -LFILES.LST WHATEVER TEXT YOU WANT

searches the files in the list FILES.LST for the string "WHATEVER TEXT YOU WANT". FILEPEEK can only handle single spaces between words in the search string.

A list of strings to search for may also be used on the DOS command line. This list of strings must be a plain ASCII text file with one string per line. There may be up to 100 strings of a maximum length of 80 characters. Excess strings or excess characters will be ignored.
NOTE: A list of strings and a list of files can be used together.

FILEPEEK \DOS\*.SYS -LTEXT.LST

will search all the .SYS files in the DOS directory for any string contained in the file TEXT.LST.

FILEPEEK -LFILES.LST -LSTRINGS.TXT

searches the files specified in FILES.LST for the strings specified in STRINGS.TXT.

If you prefer to use menus, just enter "FILEPEEK" at the DOS command line. The following list of options appears, each of which is selected by pressing the capitalized letter within its description:

F = search File for text
L = search List of files for text
D = select files from Directory list
M = set Mode: search for any string
Q = Quit the program.

The first three options allow different methods of selecting the files you wish to inspect: entering a specific filename, telling FILEPEEK what file contains the list of files you wish to inspect, or selecting files from a directory listing.

The fourth option, "set Mode", is used to define what to search for within the selected files. It defaults to "All strings", which means that FILEPEEK will show you every printable string that is four or more contiguous characters in length. You can change the search mode to "User specified string", which allows you to enter a specific text string to search for, or "List of strings in a file", where you tell FILEPEEK what file contains the list of strings to search for (described earlier in this section).

Once the desired search Mode is set and you select what file(s) to search through, FILEPEEK inspects the selected file(s) for the selected printable text strings and displays them to you, one page at a time. You can page up and down through the messages, or abort the search at any time. If you are searching multiple files and are at the end of the current file, the ESC key aborts the entire search; otherwise it aborts the search of the current file and continues on to the next file.
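The inspection FILEPEEK performs, reduced to its essentials as an added Python example (this is not DDI's code): "All strings" mode reports every run of four or more printable characters, the search modes match case-insensitively, and a list-of-strings file is cut off at the documented 100 strings of 80 characters. Instead of filenames and wildcards, peek() takes a dictionary of name to file contents so the example runs offline; the SAMPLE image is constructed for the demonstration and contains a legitimate copyright string, an ordinary error message and one message of the kind the manual says to watch for.

```python
"""FILEPEEK-style printable-string inspection (added example, not DDI's code)."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

MIN_RUN = 4          # "All strings" mode: runs of four or more printable characters
MAX_STRINGS = 100    # limits the manual gives for a list-of-strings file
MAX_STRING_LEN = 80

# Constructed sample executable image: a fake header, a legitimate copyright
# string, a run too short to report ("ab"), a normal error message and a
# message that is out of keeping with a utility program.
SAMPLE = (b"MZ\x90\x00\x03\x00Copyright (c) 1991 Acme Utilities\x00\x00ab\x01"
          b"out of memory\x00\xffYour files are MINE now\x00\x1a")


def printable_strings(data: bytes, min_len: int = MIN_RUN) -> List[str]:
    """Every run of printable ASCII (0x20-0x7E) at least min_len long, in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def load_string_list(text: str) -> List[str]:
    """Parse a list-of-strings file: one string per line, blank lines skipped;
    strings past the 100th and characters past the 80th are ignored."""
    strings = [line[:MAX_STRING_LEN] for line in text.splitlines() if line.strip()]
    return strings[:MAX_STRINGS]


def search(data: bytes, patterns: Iterable[str]) -> List[Tuple[str, int]]:
    """Case-insensitive search for each pattern; (pattern, offset) pairs by offset."""
    hay = data.lower()                       # ASCII-only lowering, like the tool
    hits = []
    for pat in patterns:
        needle = pat.lower().encode("ascii", "replace")
        start = 0
        while True:
            i = hay.find(needle, start)
            if i < 0:
                break
            hits.append((pat, i))
            start = i + 1
    return sorted(hits, key=lambda h: (h[1], h[0]))


def context(data: bytes, offset: int) -> str:
    """The whole printable run around a hit, so the reviewer sees the full message."""
    lo = offset
    while lo > 0 and 0x20 <= data[lo - 1] <= 0x7e:
        lo -= 1
    hi = offset
    while hi < len(data) and 0x20 <= data[hi] <= 0x7e:
        hi += 1
    return data[lo:hi].decode("ascii")


def peek(files: Dict[str, bytes],
         patterns: Optional[List[str]] = None) -> Dict[str, list]:
    """Inspect several files (name -> bytes): all strings when PATTERNS is None,
    otherwise the search hits for each file."""
    return {name: (printable_strings(data) if patterns is None else search(data, patterns))
            for name, data in files.items()}


if __name__ == "__main__":
    for s in printable_strings(SAMPLE):
        print(s)
    for pat, off in search(SAMPLE, ["copyright", "mine"]):
        print(pat, off, context(SAMPLE, off))
```

Reading the "All strings" output of SAMPLE shows why the manual recommends that mode for an unfamiliar program: the copyright line and "out of memory" are exactly what a utility should contain, while "Your files are MINE now" is the kind of message that should make you question running it.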
If you are searching for All strings, you are likely to see a number of short nonsense words, copyright messages, and words that are used legitimately within the program. There may even be error messages shown, such as "out of memory", "out of disk space", or "disk error". These are normally of no concern. Watch out, however, for profanity, street slang, or messages that are worded suspiciously or seem totally out of keeping with the nature of the inspected program. Good hunting!

10. UNKILL
___________________________________________________________________________

10.1 What Is UNKILL?

UNKILL helps you to recover from a Disk Killer virus attack.

10.2 What Is the DISK KILLER Virus?

The Disk Killer virus does just what its name implies. After a certain amount of time beyond the initial infection, the disk (floppy or hard) is rendered unreadable.

The Disk Killer virus is a "boot virus." That is, it infects the boot records of both floppy and hard disks. When the disk is booted, the virus places itself in memory, and performs two functions there:

1) The virus infects new disks as floppies are introduced to the system.
2) The virus keeps track of the time it has been active.

While the first function is expected of a virus, the second is used by the virus for its internal countdown timer. When 48 hours of use since the initial infection have elapsed (such as six 8-hour days), the "killer" phase of the virus is activated, and the virus scrambles the data on the disk. The virus will "kill" a hard disk if one is present, otherwise it will scramble a floppy disk.

Your data, however, is NOT necessarily lost! The Disk Killer virus was designed to leave your data in a recoverable state, apparently as a challenge to the computer users of the world. When the Disk Killer virus displays the following message, you should allow it to finish.

Disk Killer - Version 1.00 by COMPUTER OGRE 04/01/1989
PROCESSING
Warning !!
Don't turn off the power or remove the diskette while Disk Killer is processing!

There are two reasons for allowing Disk Killer to finish its processing:

1) Turning off power or removing the diskette during a write can damage a track beyond recovery.
2) The DDI UNKILL is much more reliable at unkilling a fully killed disk than a partially killed disk. A partial kill could exist if Disk Killer was interrupted while processing, or if the disk partition is larger than 32 Mbytes. The virus does not understand large drives and will probably error out with a "divide by 0" warning.

WARNING: Do not be fooled into attempting to save or "rescue" a disk. By the time you can react, critical information like the FAT is long gone.

10.3 Using the UNKILL Program

After the DISK KILLER virus completes running, you need to reboot from a floppy in order to run UNKILL. The program first presents a screen that explains the dangers of "unkilling" your disk, and also informs you that DDI is NOT responsible for any damage that may occur to your system as a result of using UNKILL. A response of 'Y' (Yes) must be entered before UNKILL continues.

When the entire drive was killed, the only question normally asked by UNKILL is which disk to "unkill." Be warned that this may NOT be the letter you are used to associating with that drive. See section 10.5 below for more information and examples on how to specify drives to UNKILL. Once UNKILL knows which drive to process, it examines the disk to determine if the disk can be successfully "unkilled," and then automatically restores the disk.

If a partial kill had occurred, UNKILL asks you what tracks to unkill. This can take some experimentation and detective work with a disk editor that allows you to inspect individual sectors and tracks. Only attempt a partial unkill if you are an expert with such an editor. Two helpful facts:

1) The Disk Killer starts at track 0 and proceeds upwards.
Therefore, unkilling should normally start at track 0 and go through the same range of tracks. Determining at what track Disk Killer stopped killing the disk is the hard part.
2) Unkilling a previously good track will cause it to appear killed. Unkilling it again will restore it. This allows multiple passes at recovering tracks while trying to find where Disk Killer left off. Ascertaining whether a track is good or bad involves inspecting its ASCII contents or running programs in the afflicted area.

In rare circumstances, UNKILL may ask an additional question, whether or not you want UNKILL to take its "best shot" at restoring your disk. This occurs when UNKILL finds a different "bad track" map than the one used by the Disk Killer virus. If you want to go ahead, answer with a 'Y' (Yes), and let UNKILL run. Please note that quitting UNKILL and running it again may produce a different "bad track" map, one that WILL agree with the one used by the virus.

BE WARNED: Once the disk has been "unkilled," the disk will STILL be infected with the Disk Killer virus. You need to use a virus removal program, such as DDI's VirHUNT, to finish cleaning up the disk. Also, be sure to scan ALL your floppy and hard disks, to make sure that there are no more copies of the virus hiding around.

10.4 Restoring the Boot Sector

Once UNKILL is finished, there is still the problem of restoring the bootability of the disk. While the "kill" algorithm of the Disk Killer virus leaves all the data on the disk recoverable, the first 2 bytes of the boot sector (the MBR of a hard disk, the boot record of a floppy) are gone forever. In the case of a hard disk, UNKILL can replace the damaged MBR (Master Boot Record) with one that is functionally the same, and there is no need to do any further work. For a floppy disk, UNKILL cannot repair the boot record, and each version of DOS has different requirements for its boot record.
Therefore, UNKILL will not try to repair the boot record of a floppy disk. In order to make the disk bootable again, you need to boot (either from floppy or hard disk) the SAME version of DOS, and use the SYS command on that floppy disk. Note that using SYS on a floppy disk will also remove the Disk Killer virus.

10.5 Disk Names Used by UNKILL

The Disk Killer virus DOES NOT care about DOS disk names -- it goes after the physical drive. Thus, beware of the drive name that you give to the UNKILL utility.

For example, consider a system with two hard disks, C: and D:. If the C: drive is "killed," and then the system is rebooted, the drives available to DOS will be A:, B:, and C:. However, the C: drive reported by DOS is NOT the 1st hard disk, but instead is the 2nd (formerly the D: drive)! When you tell UNKILL to recover the disk, choose drive C. UNKILL will pick the 1st hard disk, where C: is supposed to be.

Another example: a system with 2 hard disks and several extended partitions ("drives"): C: and D: on the 1st hard disk, and E:, F:, and G: on the 2nd. In this case, when you reboot, DOS will report 3 hard disks, C:, D:, and E:. These are the E:, F:, and G: drives from before the kill. When you UNKILL the disk, you will be told that only hard disks C: and D: exist. Choose C: to UNKILL -- this corresponds to the 1st hard disk, which contains logical volumes C: and D:.

10.6 Unrecoverable Hard Disk Instructions

If UNKILL is unsuccessful, you may find that DOS will not allow you to access the disk. There are steps you can take to use the disk again, although the data on the disk will be gone.

If it is a floppy disk, simply use the FORMAT command to erase and reinitialize the disk. The virus (and, unfortunately, your data) will be gone, and the disk will be usable again.

For a hard disk, you need to use a bootable floppy disk to bring your system up. (Remember: your boot floppy should be write-protected, so that more infections do not occur.)
Then, use the FDISK program to partition your hard disk. After FDISK, DOS will force you to reboot your system, and again use the boot floppy. Next, use the FORMAT command to prepare the disk for use by DOS. Use your latest backup to restore your files, and be sure to use VirHUNT to find and remove any viruses that might be hiding in your backups.

APPENDIX A  BATCH FILE ERRORLEVEL CHECKING
___________________________________________________________________________

When VirHUNT or RESSCAN exit to DOS, they return information in the ERRORLEVEL variable that can be checked within DOS batch files or at boot time in AUTOEXEC.BAT to take special action if there is a problem. The ERRORLEVEL returns are:

0 = Clean scan
1 = Signature(s) change(s) found
2 = Virus(es) found
3 = Virus(es) found and signature(s) change(s) found
4 = Program quit during self-check (useful on networks)
5 =
6 = Program unable to repair itself during self-check

Remember, the IF ERRORLEVEL statement in a batch file tests for greater-than-or-equal ( >= ), not equality. To test for multiple error conditions, the IF ERRORLEVEL statements should be in descending order. For example:

:NETWORK_RETRY
VIRHUNT SIS
IF ERRORLEVEL 6 GOTO BAD_PROGRAM
IF ERRORLEVEL 4 GOTO NETWORK_RETRY
IF ERRORLEVEL 3 GOTO REALLY_DIRTY_SYSTEM
IF ERRORLEVEL 2 GOTO VIRUS_INFECTED_SYSTEM
IF ERRORLEVEL 1 GOTO CHANGING_SYSTEM
GOTO EXIT
:BAD_PROGRAM
ECHO Program unable to self-repair--please replace this copy
GOTO EXIT
:REALLY_DIRTY_SYSTEM
ECHO Viruses and file signature changes found.
ECHO (Possibly unknown virus!)
GOTO EXIT
:VIRUS_INFECTED_SYSTEM
ECHO Viruses found!
GOTO EXIT
:CHANGING_SYSTEM
ECHO Changed files (possibly unknown virus!)
:EXIT

Errorlevel 4, "Program quit during self-check," is useful when running in a network environment. If two users attempt to load one of the utilities in non-shared mode, an ERRORLEVEL of 4 is passed to the second user that allows the batch file to loop and retry access again, as shown above.
APPENDIX B  CONFIG.SYS FILE CREATION
___________________________________________________________________________

The command that installs VirALERT must appear in your CONFIG.SYS file, which in turn must reside in the root directory on your boot disk. If you do not have a CONFIG.SYS file, you can create one with any editor that can generate plain ASCII text files. As an alternative, you can type in the following commands at the DOS command line while logged into the root directory. (Single function key presses are shown between < > brackets.)

COPY CON CONFIG.SYS
DEVICE=VIRALERT.SYS
<F6>

DOS then responds with the message "1 File(s) copied", at which time the CONFIG.SYS file should exist in your root directory. You can then TYPE the contents of it to verify that it contains the DEVICE command line.

NOTE: When typing the DEVICE command line, you need to include any necessary pathname or options (see the section on "VirALERT Installation").

APPENDIX C  HISTORY & FUTURE OF DATA PHYSICIAN PLUS!
___________________________________________________________________________

DDI began researching computer virus protection techniques in 1984. Within a year we had developed Data Physician, the first commercially available virus protection package. In 1990, the product was substantially enhanced and renamed Data Physician PLUS!

DDI performs the in-depth disassembly and analysis of newly discovered viruses for a number of professional computer security researchers worldwide. We also donate research resources to COMPUTERS & SECURITY, an international journal devoted to the study of technical and financial aspects of computer security. These activities assist DDI in keeping the Data Physician PLUS! product ahead of the virus threat.

The focus at DDI has remained on careful research and the dissemination of undistorted information and high quality products. We have a commitment to supporting our software and customers through reasonably-priced upgrades.
If you desire upgrade pricing, encounter a computer virus on your system, find a problem in our software, or have suggestions on a feature that should be added or modified, we would like to hear from you.

APPENDIX D  OTHER DDI PRODUCTS AND SERVICES
___________________________________________________________________________

Digital Dispatch, Inc. (DDI) is a software development and computer consulting organization. Incorporated in 1982, DDI has earned a reputation for providing quality, cost-effective solutions to organizations around the world. In addition to DDI's own products, our efforts and algorithms are represented in a large number of software products marketed by other firms. (References are supplied upon request.) The products and services available through DDI are listed below.

Security Products
* Data Physician PLUS! - computer virus protection
* VM-DEBUG - crashproof interpretive debugger that simulates Intel microprocessors

Multimedia Computer-Based Training (CBT)
* Thousands of hours of custom CBT courseware, demos, and simulations.
* Interactive videodisc courseware
* Custom training management systems
* Custom test drivers
* Software conversion utilities
* Training and multitasking simulation authoring systems for DOS and OS/2

Hypertext Development
* Development of computerized documentation, manuals, catalogs, and other reference works with hypertext links and full-word indexing.

CAD/CAM & MAPPING
* Conversion of paper-based technical documents such as blueprints and maps into CAD, Geographic Information Systems (GIS), and Facility Management Systems (FMS).
* Device drivers for AutoCAD applications

Business & Manufacturing
* DDI Business Systems - UNIX business, manufacturing, and financial systems

Please call or write for product or consulting information.

DIGITAL DISPATCH, INC. (DDI)
55 Lakeland Shores Road
Lakeland, MN 55043
1(800)221-8091
(612)436-1000