DATA PHYSICIAN PLUS!
Computer Virus Protection System

DIGITAL DISPATCH, INC. (DDI)
55 Lakeland Shores Road
Lakeland, MN 55043
1(800) 221-8091
(612) 436-1000

Copyright
Copyright 1985, 1991 by Digital Dispatch, Inc.

Notice
All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored on a retrieval system, or translated into any language or computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without the prior written permission of Digital Dispatch, Inc.

Digital Dispatch, Inc. makes no representations or warranties with respect to the contents hereof, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. The contents of this publication are subject to change without notice.

Data Physician PLUS!, VirHUNT, RESSCAN, VIRALERT, SAFEBOOT, ANTIGEN, UNKILL, RS-NET, WIN-RS, and WIN-VA are trademarks of Digital Dispatch, Inc.

Program License Agreement
The programs in this package are licensed for use on a single machine. The programs may be copied, but only for the purpose of backup in the support of their use on a single machine. We have used our best efforts in the research, development, and testing of the software, but make no warranty of any kind, expressed or implied, with regard to fitness for a specific purpose, including, but not limited to, warranties of merchantability. Digital Dispatch, Inc., shall not be liable in any way, for incidental or consequential damages in connection with, or arising out of, the furnishing, performance, reliance upon, or use of these programs.

Comments and suggestions on this product may be sent to:
DIGITAL DISPATCH, INC.
55 Lakeland Shores Road
Lakeland, MN 55043

IBM is a registered trademark of International Business Machines, Inc.

TABLE OF CONTENTS

1 INTRODUCING DATA PHYSICIAN PLUS! ... 1
1.1 The Data Physician PLUS! Programs ... 1
1.2 How Does Virus Protection Work? ... 3
1.3 Configuration Files ... 4
1.3.1 Date Scheduled Scanning ... 5
1.3.2 NOAB (No Abort) Option ... 6
1.4 Local-Area Network Usage ... 7
1.5 Microsoft Windows Usage ... 8
1.6 Loading Programs Into "High Memory" ... 9
1.7 If You Find a New Virus ... 10
2 GETTING STARTED ... 11
2.1 System Requirements ... 11
2.2 Distribution Files ... 11
2.3 Quick Start Instructions ... 11
2.4 Installation Procedures ... 12
2.5 Monochrome Display Usage ... 12
3 VirHUNT ... 13
3.1 The VirHUNT Program ... 13
3.1.A VirHUNT Pulldown Menus ... 13
3.1.B Example of VirHUNT Session ... 14
3.1.C Using VirHUNT from AUTOEXEC.BAT ... 15
3.2 Identifying and Removing Viruses ... 16
3.2.A Memory Scan ... 16
3.2.B Deactivating Viruses in Memory ... 17
3.2.C Viruses with Removal Problems ... 17
3.2.D VirHUNT Options ... 18
3.2.D.1 Directory to Scan ... 18
3.2.D.2 User Specified Search/Remove ... 19
3.2.D.3 Scan What ... 19
3.2.D.4 Files Scanned ... 19
3.2.D.5 Scan Subdirectories ... 20
3.2.D.6 Virus Action ... 20
3.2.D.7 Variations Action ... 21
3.2.D.8 Backup Upon Remove ... 21
3.2.D.9 Pause Full Screen ... 22
3.2.D.10 Print Scan Output ... 22
3.2.D.11 Save Scan Output to File ... 22
3.2.D.12 Signature Mode ... 23
3.2.E Using Options from the Command Line ... 23
3.2.E.1 BA (BAckup Upon Removal) Parameter ... 24
3.2.E.2 -D (Date Scheduled Scanning) Parameter ... 24
3.2.E.3 DE (DEscribe Virus) Parameter ... 24
3.2.E.4 DI (DIrectory to Scan) Parameter ... 25
3.2.E.5 FI (FIles Scanned) Parameter ... 26
3.2.E.6 -L (Left-Hand Mouse) Parameter ... 26
3.2.E.7 LI (Scan Output to LIst File) Parameter ... 26
3.2.E.8 PA (PAuse Full Screen) Parameter ... 27
3.2.E.9 PR (PRint Scan Output) Parameter ... 27
3.2.E.10 QU (QUit After Scan) Parameter ... 27
3.2.E.11 QZ (Quit After Scan-No Pause) Parameter ... 27
3.2.E.12 SC (SCan Subdirectories) Parameter ... 28
3.2.E.13 SW (Scan What) Parameter ... 28
3.2.E.14 US (USer Specified Search/Remove) Parameter ... 29
3.2.E.15 VA (Virus Action) Parameter ... 29
3.2.E.16 VO (Variations Option) Parameter ... 29
3.2.E.17 Obsolete Command Line Parameters ... 29
3.2.E.18 VirHUNT Examples ... 30
3.3 Using Signature Files ... 32
3.3.A What Is a Signature File? ... 32
3.3.B Signature Files for Detection and Removal ... 32
3.3.C Normal Versus Fast Mode ... 33
3.3.D Scanning for New Files ... 34
3.3.E Signature Options ... 34
3.3.E.1 Signature Mode Options ... 36
3.3.E.2 Signature File Names ... 36
3.3.E.3 Exclude List File ... 37
3.3.F Using Signature Files from the Command Line ... 37
3.3.F.1 SI (SIgnature Mode) Parameter ... 37
3.3.F.2 SF (Signature File) Parameter ... 38
3.3.F.3 EX (EXclude List File) Parameter ... 38
3.3.F.4 VirHUNT Signature Examples ... 39
3.4 Teaching VirHUNT about New Viruses ... 41
4 RESSCAN ... 42
4.1 The RESSCAN Program ... 42
4.1.A Example of RESSCAN Session ... 42
4.1.B Using RESSCAN from AUTOEXEC.BAT ... 43
4.2 RESSCAN Options ... 44
4.3 RESSCAN Examples ... 46
4.4 Memory Resident Operation ... 49
4.5 RESSCAN Resident Boot Checking ... 49
4.6 RESSCAN and Signature Files ... 50
4.6.A RESSCAN Signature Options ... 51
4.6.A.1 Signature Mode ... 51
4.6.A.2 Signature File Names ... 51
4.6.A.3 RESSCAN Signature Examples ... 52
4.7 Teaching RESSCAN about New Viruses ... 54
5 RS-NET ... 55
5.1 The RS-NET Program ... 55
6 VirALERT ... 56
6.1 What Is VirALERT? ... 56
6.2 VirALERT Installation ... 56
6.3 VirALERT Operation ... 59
6.4 VirALERT Alt-V Hotkey ... 60
7 SAFEBOOT ... 61
7.1 What Is SAFEBOOT? ... 61
7.2 SAFEBOOT Installation ... 62
7.3 SAFEBOOT Removal ... 62
7.4 SAFEBOOT Update ... 63
7.5 Formatting Disks with SAFEBOOT Installed ... 63
7.6 SAFEBOOT Compatibility ... 63
8 ANTIGEN ... 65
8.1 What Is ANTIGEN? ... 65
8.2 How Does ANTIGEN Work? ... 65
8.3 DOS Version ... 65
8.4 ANTIGEN Installation Procedures ... 65
8.5 The Main Menu ... 66
8.6 Security Attachment Menu ... 66
8.7 The Directory List ... 67
8.8 Protecting All Files in a Directory ... 67
8.9 Security Removal Menu ... 68
8.10 User Interaction with the ANTIGEN Prefix ... 68
8.11 A Removable Virus Is Detected ... 69
8.12 A Non-Removable Change Is Detected ... 70
8.13 The ANTIGEN Prefix Has Been Altered ... 70
8.14 ANTIGEN Compatibility ... 71
8.15 When Should I Use ANTIGEN? ... 71
9 FILEPEEK ... 72
9.1 What Is FILEPEEK? ... 72
9.2 Using FILEPEEK to Inspect Files ... 72
10 UNKILL ... 75
10.1 What Is UNKILL? ... 75
10.2 What Is the DISK KILLER Virus? ... 75
10.3 Using the UNKILL Program ... 76
10.4 Restoring the Boot Sector ... 77
10.5 Disk Names Used by UNKILL ... 77
10.6 Unrecoverable Hard Disk Instructions ... 78
Appendix A: BATCH FILE ERRORLEVEL CHECKING ... A
Appendix B: CONFIG.SYS FILE CREATION ... B
Appendix C: HISTORY & FUTURE OF DATA PHYSICIAN PLUS! ... C
Appendix D: OTHER DDI PRODUCTS AND SERVICES ... D

1. INTRODUCING DATA PHYSICIAN PLUS!
___________________________________________________________________________

1.1 The Data Physician PLUS! Programs

Data Physician PLUS! is a state-of-the-art set of programs designed to detect and remove both known and unknown computer viruses from your system. Marketed and under continuous development since 1985, Data Physician PLUS! is the most fully developed anti-virus package in the industry.

Most competing anti-virus packages use simple string searches to locate viruses, an approach which frequently causes false alerts and haphazard virus removal. DDI completely disassembles each new virus to understand its exact operation, and this intelligence is built into Data Physician. When Data Physician asks if you want to remove a virus, you can proceed with confidence.

Users can choose between menu-driven and command-line operation, giving unsurpassed flexibility in addressing complex computer security needs. Comprehensive ERRORLEVEL returns are generated to allow the seamless integration of Data Physician utilities with other applications.

Data Physician works on normal standalone PCs under DOS, Microsoft WINDOWS, and under LANs (Local-Area Networks). You can scan any workstation, drive, or directory to which your LAN login has access.

The Data Physician programs can be used alone or in concert with one another, thus allowing you to create a custom security approach that makes the most sense for your particular system configuration and security needs. An INSTALL program is included to help you get protected quickly and easily.
Configuration files allow the customization of virus alert messages (such as directing users to contact specific in-house support resources in the event of a virus infection), setting custom colors, setting up date-scheduled virus scanning (such as once per day, or once per week), and restricting users from aborting out of a scan. For site licenses, custom versions of the programs can be made to perform additional functions unique to that site.

Below is a list of the Data Physician PLUS! programs, along with a brief description. The installation and use of each program is covered in more detail in later sections of this document.

VirHUNT (VIRus HUNT) is a computer virus scanning utility that "knows" what about 400 of the most common viruses look like (about 800 including variants), and is able to search for and remove these viruses from your system. In most cases, VirHUNT can remove the virus without destroying the original program. Among its many options, VirHUNT allows you to search all or selected subdirectories, choose whether virus removal should occur, choose how files are backed up before virus removal, and generate a list of infected files to disk or printer. VirHUNT can store "signatures" of the boot record and files on your system, which allows even previously unknown viruses to be removed. VirHUNT contains a built-in programming language, CIL (Custom Intercept Language), that allows you to define the characteristics of new viruses to search for.

Using VirHUNT to scan for viruses on your system is very quick and convenient. Most users run it at boot time from their AUTOEXEC.BAT file, or use it after one of the other Data Physician PLUS! utilities has displayed a virus warning. When a virus is discovered, VirHUNT displays a description of it that assists in the cleanup process.

RESSCAN (memory-RESident SCANner) is a RAM-resident virus scanner that provides continual virus scanning as you work.
Tightly coded to use approximately 20K of memory, RESSCAN checks programs for viruses as you run them, or when they are copied or opened in any way. RESSCAN can also perform system-wide virus and file signature scans similar to VirHUNT. PC management can configure RESSCAN to halt system operation when a virus is detected and to display a message instructing the user to immediately contact computer security personnel. To handle Microsoft Windows and other VGA graphic environments, a special version of RESSCAN, called WIN-RS, is provided that uses an additional 8.4K of RAM in its resident form.

RS-NET (ResScan-NETwork) assists in the use of the RESSCAN resident protection features on a local-area network.

VirALERT (VIRus ALERT) is a 12K device driver that is installed as an extension of your operating system immediately upon bootup. It operates continually in the background to intercept attempts to manipulate executable and operating system files (.EXE, .COM and .SYS files). VirALERT also watches for changes to the boot record, disk formatting attempts, and TSR (terminate and stay resident) program installations. VirALERT catches changes in "real-time" and before they occur on your system, but can only remove viruses that install themselves in memory. The operation of VirALERT can be customized in many ways, including the ability to set varying levels of security, wild-card selected lists of files to watch or ignore, temporary or permanent message suppression, and a variety of actions to take if a security problem is detected. To handle Microsoft Windows and other VGA graphic environments, a special version of VirALERT, called WIN-VA, is provided that uses an additional 8.4K of RAM.

SAFEBOOT fully protects your operating system by installing a custom DOS boot record and adding security logic to the operating system files.
If a virus modifies any of the operating system files or replaces the boot record (as many do), a message is generated that informs you of the alteration. Many viruses infect the operating system because it provides such a powerful vantage point for further infection and destruction. SAFEBOOT provides a critical layer of protection that should be used whenever possible.

ANTIGEN allows virus protection to be installed directly on an executable program. Each time the protected program is run, it checks itself for tampering and is capable of removing most viruses on its own. ANTIGEN is useful where the protected program needs to be widely distributed and you want it to continue to be protected independent of other utilities. You can also password-protect programs so that only valid users can run them, or install a custom message on programs that is displayed each time the programs are run.

FILEPEEK allows you to inspect programs for suspicious-looking messages. Many viruses and other villainous programs contain messages that are used to taunt the hapless victim after it is too late for him or her to prevent damage (although many of these viruses are encrypted). With FILEPEEK, you can preview new programs for material that seems out of context with their purpose. Various options include wildcard selection of files to inspect, searching for all strings, a specific message, or a list of predefined messages.

UNKILL restores a disk that has been damaged by the Disk Killer virus.

1.2 How Does Virus Protection Work?

There are several major approaches taken by Data Physician PLUS! to detect or otherwise protect against viral activity:

1) Virus Scanning - VirHUNT and RESSCAN are virus "scanners" that search for viruses on drives and in memory. (See the list of known viruses in the README.DOC file on the distribution diskette.)

2) Virus Removal - VirHUNT and ANTIGEN can remove most viruses without harming the original program.
3) Signature Analysis - VirHUNT, RESSCAN, and ANTIGEN can save a "signature" on protected files that allows previously unknown viruses to be found and removed from the original program. The signatures of Data Physician PLUS! consist of a cryptographic checksum of a file plus additional profiling data that allows both the detection of a virus-like change and the removal of most viruses from infected files. Even intelligent viruses that use file compression and/or checksum adjustment to try to hide their activity can be detected by the Data Physician PLUS! algorithms. Data Physician PLUS! is also able to restore the original program in cases where multiple generations of a virus have infected the same file.

4) Real-Time Alert - VirALERT intercepts and warns you of attempts to manipulate files or system areas, before they are allowed to occur. You can control the conditions under which these warnings are generated, and also choose the subsequent action to take. RESSCAN checks programs for infection before they are run or opened in any way, thus avoiding further infection.

5) Operating System Protection - SAFEBOOT protects the operating system files and customizes the boot record. If any of these files are changed or replaced by a virus, the remaining protected files detect and report the change.

6) Visual File Inspection - FILEPEEK allows you to inspect programs for messages that viruses frequently contain.

1.3 Configuration Files

Configuration files can be used to create your own custom virus alert messages and custom color schemes, and to set any or all options available within Data Physician's primary virus scanning utilities, VirHUNT and RESSCAN. Configuration files are entirely optional, but can be very useful when implementing a professional computer security strategy. For example:

* PC management can create virus alert messages that direct users to contact specific internal security personnel when a virus attack occurs.
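The following is an added illustration of the idea behind item 3) of section 1.2 (a cryptographic checksum plus profiling data that can both flag a change and undo the common append-and-patch pattern). It is not DDI's code and says nothing about how Data Physician actually stores or uses its signatures; SHA-256, the 64-byte header profile, the recovery rule and the sample byte strings are this example's own assumptions.

```python
"""File-signature baseline: a cryptographic digest for detection plus
profiling data (length, original header bytes) for attempted recovery.
Added example; not DDI's code."""
import hashlib
from typing import Optional

HEADER_LEN = 64  # assumption: how much of the original header is profiled


def make_signature(data: bytes) -> dict:
    """Record what is needed to both detect a change and try to undo it."""
    return {
        "digest": hashlib.sha256(data).hexdigest(),  # detection
        "length": len(data),                          # profiling data
        "header": data[:HEADER_LEN].hex(),            # profiling data
    }


def check_signature(data: bytes, sig: dict) -> bool:
    """True when the file still matches its stored signature.  A cryptographic
    digest, unlike a simple additive checksum, cannot be "adjusted" by an
    intruder to compensate for appended bytes."""
    return hashlib.sha256(data).hexdigest() == sig["digest"]


def try_restore(data: bytes, sig: dict) -> Optional[bytes]:
    """Attempt to rebuild the original, assuming the common file-infector
    shape of a patched header plus appended code.  The candidate is accepted
    only if it reproduces the stored digest, so a file altered in any other
    way yields None rather than a wrong "repair"."""
    if check_signature(data, sig):
        return data                       # unchanged: nothing to do
    if len(data) < sig["length"]:
        return None                       # truncated/overwritten: no rebuild
    header = bytes.fromhex(sig["header"])
    candidate = header + data[len(header):sig["length"]]
    return candidate if check_signature(candidate, sig) else None


# Constructed sample "program": a 2-byte magic, a short table, a body.
ORIGINAL = b"MZ" + bytes(range(30)) + b"constructed original program body" + b"\x00" * 40
# Constructed changed copy: first bytes patched and extra bytes appended,
# the shape a signature check should both flag and be able to reverse.
ALTERED = b"MZ\xff\xfe\xfd" + ORIGINAL[5:] + b"constructed appended bytes"
# Constructed copy with its body overwritten in place: detectable, not repairable.
OVERWRITTEN = ORIGINAL[:40] + b"X" * (len(ORIGINAL) - 40)


def demo() -> dict:
    """Run the baseline against the three constructed files."""
    sig = make_signature(ORIGINAL)
    return {
        "original_ok": check_signature(ORIGINAL, sig),
        "altered_ok": check_signature(ALTERED, sig),
        "altered_restored": try_restore(ALTERED, sig) == ORIGINAL,
        "overwritten_restored": try_restore(OVERWRITTEN, sig),
    }


if __name__ == "__main__":
    print(demo())
```

The point of verifying the rebuilt candidate against the stored digest is that recovery can never silently produce a wrong file: either the original is reproduced bit for bit, or the tool reports that it cannot restore it, which is the case the manual describes for "DESTRUCTIVE" viruses.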
* Virus scans can be based on specific time spans, such as once per day, once per week, etc.

* Users can optionally be forced to complete a virus scan, and to not proceed if a virus is found.

The same VIRHUNT.CFG configuration files can be used by both VirHUNT and RESSCAN. Any parameters invalid for the program currently being run are ignored. When first run, both programs try to process two configuration files in the following order:

1) The VIRHUNT.CFG in the current directory.

2) The VIRHUNT.CFG in the home directory of the program being run, VIRHUNT.EXE or RESSCAN.COM. The home directory is the location where the program physically resides. This is located either via the DOS PATH command or by the inclusion of the program's pathname on the command line.

Parameters present in the home directory's VIRHUNT.CFG override those in the current directory. Parameters given on the command line override those present in either VIRHUNT.CFG file.

The use of two configuration files is of particular value in a networked environment where, for example, local parameters such as colors or left-hand mouse may be controlled by every user, while system-wide parameters such as messages, dated execution, and no-abort options may be controlled by the system administrator. If neither file is present, the programs use their default parameters or those given on the current command line.

An example configuration file called VIRHUNT.CF is provided with the Data Physician package. It contains a considerable amount of additional information, as well as a number of example commands that are "commented out" with a semicolon. To create an active configuration file, you have two alternative paths to take:

1) Make a copy of VIRHUNT.CF called VIRHUNT.CFG, and activate the commands of your choice by removing their semicolon. Edit or add lines as you wish; you may also want to remove much of the extraneous documentation within the file in order to speed processing.
2) You can run VirHUNT and use the Configure pulldown menu to create a configuration file or edit a previous one, and then save it to disk. Read the section "VirHUNT Pulldown Menus" for more information on the Configure menu.

All of the VirHUNT and RESSCAN options described in this document can be pre-configured in VIRHUNT.CFG. Important options held only in the configuration file are described below.

1.3.1 Date Scheduled Scanning

VirHUNT can be set to scan for viruses on or after a specific date which is continually kept updated by VirHUNT. (The DATE parameter is ignored by RESSCAN.) The date must be in the format MM/DD/YY, with 2 digits for each part, using leading 0's if necessary. Following the date is the increment, a number from 1 to 99, which specifies the days between dated scans. On or after this date, VirHUNT will automatically do a scan.

There are two formats for the date parameter: after and every.

In the after mode, VirHUNT resets the date every time it is run, so that the next scan will run at the earliest opportunity the increment number of days after the current scan. This is signaled to VirHUNT in the configuration file by separating the date increment from the date with a plus sign ('+'). For example:

DATE:08/30/91+07

Meaning: Dated scan command that tells VirHUNT to run at the earliest opportunity after 7 days have elapsed since the last scan.

In the every mode, VirHUNT uses the date parameter to perform a scan every increment number of days, regardless of when the last scan was performed. This would be useful for doing weekly scans (for example, every Monday or every Friday). The every mode is signaled to VirHUNT in the configuration file by separating the date increment from the date with a space:

DATE:08/30/91 07

Meaning: Dated scan command that tells VirHUNT to run every 7 days.

1.3.2 NOAB (No Abort) Option

Some users may be tempted to abort a virus scan before it finishes, thus hampering an organization's computer security procedures.
Using the NOAB (No Abort) parameter, system administrators can turn off users' ability to abort a scan. The NO ABort parameter is available in two versions:

NOAB
Meaning: No abort from a virus scan is allowed at any time. (Valid for both VirHUNT and RESSCAN.)

NOAB:05-10
Meaning: No abort from a virus scan is allowed between the hours of 5 and 10 (military time). (VirHUNT only.)

The format of this parameter is:

NOAB:SS-EE

where SS and EE are 2-digit numbers ranging from 00 to 23 that represent the starting and ending hours of the NO ABort times. Outside of this range, early aborts are allowed. This version could be used, for example, to set NO ABort hours between 5 and 10am, so that with VirHUNT in the AUTOEXEC.BAT file, the first scan of a normal work day would be forced to completion, while later scans could be halted by the user.

RESSCAN ignores hours given with the NOAB parameter, thus treating both forms as full-time No ABort. The NO ABort parameter is most useful in a corporate/network environment, where the system administrator controls global options through a centrally-accessed VIRHUNT.CFG file on the server.

1.4 Local-Area Network Usage

VirHUNT and RESSCAN have the ability to work with almost any local-area network (LAN). A workstation can scan for viruses on itself and any network drive to which it has access, including the fileserver. In a peer-to-peer network, you can even scan other workstations. The reason for this compatibility is that our utilities work with network resources at their simplest level: basic file manipulation. You can scan whatever drives and subdirectories your login's security level allows you to access. The utilities also recognize and make use of network file-sharing and file-locking. This allows you to scan shared files that other users are accessing.
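As an added example covering the DATE parameter of section 1.3.1 and the NOAB parameter of section 1.3.2, the scheduling rules described there are written out as a small parser. This is not DDI's code and does not describe how VirHUNT itself keeps its state; the 19YY year window, the fixed-cadence rule for "every" mode, the inclusive treatment of NOAB hours and the sample configuration fragment are this example's own assumptions.

```python
"""Parser for the DATE and NOAB lines of a VIRHUNT.CFG-style file.
Added example; not DDI's code."""
import re
from datetime import date, timedelta
from typing import Tuple

DATE_RE = re.compile(r"^DATE:(\d{2})/(\d{2})/(\d{2})([+ ])(\d{2})$")
NOAB_RE = re.compile(r"^NOAB(?::(\d{2})-(\d{2}))?$")


def parse_config(text: str) -> list:
    """Active lines of the file; lines commented out with ';' are skipped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith(";")]


def parse_date(line: str) -> Tuple[date, int, str]:
    """DATE:MM/DD/YY+NN is 'after' mode; DATE:MM/DD/YY NN is 'every' mode."""
    m = DATE_RE.match(line)
    if not m:
        raise ValueError(f"bad DATE parameter: {line!r}")
    mm, dd, yy, sep, inc = m.groups()
    if not 1 <= int(inc) <= 99:
        raise ValueError("increment must be 01..99")
    when = date(1900 + int(yy), int(mm), int(dd))  # assumption: 19YY
    return when, int(inc), "after" if sep == "+" else "every"


def scan_due(when: date, today: date) -> bool:
    """A dated scan runs on or after the scheduled date."""
    return today >= when


def next_scan_date(when: date, inc: int, mode: str, today: date) -> date:
    """Date to write back once a scan completes on `today`.
    after: earliest opportunity `inc` days after this scan.
    every: keep the cadence anchored on the configured date (assumption),
           so a weekly Monday scan stays on Mondays even if one ran late."""
    if mode == "after":
        return today + timedelta(days=inc)
    nxt = when
    while nxt <= today:
        nxt += timedelta(days=inc)
    return nxt


def format_date(when: date, inc: int, mode: str) -> str:
    """Inverse of parse_date, in the MM/DD/YY form the file uses."""
    sep = "+" if mode == "after" else " "
    return f"DATE:{when.month:02d}/{when.day:02d}/{when.year % 100:02d}{sep}{inc:02d}"


def abort_allowed(line: str, hour: int) -> bool:
    """NOAB alone forbids aborting at any time; NOAB:SS-EE forbids it from
    hour SS through hour EE (military time, assumed inclusive)."""
    m = NOAB_RE.match(line)
    if not m:
        raise ValueError(f"bad NOAB parameter: {line!r}")
    if m.group(1) is None:
        return False
    ss, ee = int(m.group(1)), int(m.group(2))
    if not (0 <= ss <= 23 and 0 <= ee <= 23):
        raise ValueError("hours must be 00..23")
    return not (ss <= hour <= ee)


# Constructed configuration fragment; the first DATE line is commented out.
SAMPLE_CFG = """; constructed VIRHUNT.CFG fragment
;DATE:08/30/91+07
DATE:08/30/91 07
NOAB:05-10
"""


def demo(today: date = date(1991, 9, 2)) -> dict:
    """Evaluate the sample file as of a given day."""
    lines = parse_config(SAMPLE_CFG)
    when, inc, mode = parse_date(lines[0])
    return {
        "due": scan_due(when, today),
        "next": format_date(next_scan_date(when, inc, mode, today), inc, mode),
        "abort_at_07": abort_allowed(lines[1], 7),
        "abort_at_14": abort_allowed(lines[1], 14),
    }


if __name__ == "__main__":
    print(demo())
```

The difference between the two modes shows up in next_scan_date: with "+07" a scan run three days late pushes the following one out by a further week, while with " 07" the next date is the next point on the original seven-day cadence.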
Also, if two users attempt to load one of the utilities in non-shared mode, an ERRORLEVEL return code is passed to the second user that allows a batch file to loop back and immediately try again. (Programs typically stay locked only for the short time that they are being loaded from disk.) See the Appendix titled "BATCH FILE ERRORLEVEL CHECKING" for further information.

Once a network connection has been established, the workstation "sees" the fileserver as another available drive. Thus, a workstation may have A: and B: floppies, with hard disk C: locally. After the network connection is established, the fileserver is available as additional drive(s), F: for example. Telling VirHUNT or RESSCAN to scan the network drive causes the fileserver drive to be scanned, to the limits of permission for the requesting login. Because of varying permission levels, fileserver scans should typically be performed by network administrators who have access to all areas and files on the fileserver.

A common configuration is one where RESSCAN or VirHUNT is run on the fileserver when it is first booted. A copy of RESSCAN or VirHUNT is also kept on each workstation and run locally via AUTOEXEC.BAT when the workstation is booted, after which the connection to the fileserver is established. The RS-NET (ResScan-NETwork) program may be necessary to hook RESSCAN actively into the network. If you are using a LAN, be sure to read the section "RS-NET" in this document. Since most network virus infections enter through a workstation floppy drive, it is best to have each workstation protected with RESSCAN or VirHUNT before it is logged into the network.
Where diskless workstations are used, the utilities can all be safely held on the fileserver and accessed by each workstation after it connects to the network.

It is worth noting that although you can scan remote drives and files on a network, the memory scanned will be that in your local computer. To scan a particular computer's random-access memory (RAM), the virus scanner must be run directly at that machine. An alternative would be to use a "remote-control" LAN utility that allows full remote usage of a workstation.

Other Data Physician utilities should be entirely compatible with your LAN, particularly when running on the workstations. However, if your fileserver uses a non-DOS operating system, the following restrictions may apply:

* It is unlikely that SAFEBOOT can be used to protect the fileserver's operating system files.
* VirALERT may not detect all system calls that occur on the fileserver.
* RESSCAN may have difficulty in intercepting viruses in real-time.

1.5 Microsoft Windows Usage

When running Microsoft Windows or another graphics-based program or environment on a VGA system, you may elect to use the special Windows versions of RESSCAN and VirALERT, called WIN-RS and WIN-VA, respectively. These programs are functionally identical to their counterparts except as follows:

* They run gracefully as a TSR under a graphical environment such as Windows, displaying error messages, receiving user input, and restoring the original Windows screen when done.
* They require an additional 8.4K of resident memory when a VGA card is used, and about 1K with lower resolution display cards. This is in addition to the memory usage of the normal programs.
Although exact memory size depends on the program options being used, here are some approximations:

RESSCAN:   20K    non-Windows version
WIN-RS:    28.4K  Windows version
VirALERT:  12K    non-Windows version
WIN-VA:    20.4K  Windows version

Rather than impose the additional 8.4K memory penalty on everyone, separate programs are provided for those who require real-time virus monitoring under Windows.

1.6 Loading Programs Into "High Memory"

When running on an 80386 or 80486-based computer, memory managers permit the use of high memory (blocks of memory above the normal DOS 640K limit) for loading device drivers or memory-resident programs. You can place RESSCAN and/or VirALERT into high memory to free up more conventional memory for other DOS applications. MS-DOS 5.X and many third-party memory manager providers use a program called LOADHIGH to load memory-resident programs and device drivers into high memory. Refer to the documentation for your memory manager for specific instructions on how to perform this task.

Loading VirALERT in its normal 12K version or its Microsoft Windows 20K version into high memory is relatively straightforward, in that the size of the physical program on disk is approximately the same as its size in memory. RESSCAN and Windows-RESSCAN are packed files that unpack themselves when they are run. Although about 35K on disk, they temporarily expand to 55K in memory to perform the initial scan and setup. After this is completed, the program leaves only the appropriate pieces resident, which reduces the memory size to approximately 20K or 28.4K, depending on whether the non-Windows or Windows version was loaded.

If you do not have at least 55K of contiguous high memory available when loading RESSCAN, there are a number of actions you can try:

* Since RESSCAN needs the full 55K of memory only temporarily, you can try loading most other memory-resident programs after RESSCAN so that the most memory is free when it tries to load.
* Many memory managers by default set up EMS (Expanded Memory Specification), which takes up a 64K page frame in high memory. If you do not need EMS for running the programs on your system, you can disable EMS and gain an additional 64K of high memory. Otherwise, most memory managers have a FRAME= parameter that allows moving the EMS page frame to another memory location. This can often be used to build larger blocks of contiguous memory.

* As a final resort, you can move smaller resident programs into conventional memory, thus allowing the larger RESSCAN or VirALERT programs to be loaded out of the way in high memory.

1.7 If You Find a New Virus

If you believe that you have a virus that the Data Physician PLUS! utilities cannot recognize, or if VirHUNT reports that it has found a variation on a known virus, please send a copy of the infected program to DDI. If it is a boot virus or operating system virus, please try to send an infected bootable disk. DDI will analyze the virus, find the proper identification and removal information, and update the Data Physician PLUS! utilities accordingly. In an emergency, the virus can be sent to us via modem and the update can often be returned to the customer within a few hours or overnight.

For the latest list of viruses "known" to Data Physician PLUS!, check the README.DOC file on the distribution diskette. Keep in mind that VirHUNT and RESSCAN can also find and remove new and previously unknown viruses through the use of file signatures and/or user-specified virus descriptions.

In the README.DOC list, a few viruses are listed as "DESTRUCTIVE". This means that the virus damages the original program to the extent that it is impossible for VirHUNT to restore a perfect original program after removing the virus. In these rare cases, VirHUNT must remove the virus by deleting the infected program entirely.
In order to swiftly analyze a virus, we load it into our proprietary VM DEBUG (Virtual Machine) debugging environment, where it "thinks" it is running in an unprotected computer with dozens of files to infect. In reality, the entire computer system is simulated in software by VM DEBUG, and every move the virus makes can be watched and analyzed. We also use our own utilities to perform a complete disassembly of the virus in order to know exactly what it is capable of doing. This allows for unsurpassed virus detection and removal ability in the Data Physician utilities.

2. GETTING STARTED
___________________________________________________________________________

2.1 System Requirements

The Data Physician PLUS! package requires the following:

* An IBM PC, XT, AT, or compatible microcomputer.
* At least one 5.25" or 3.50" floppy diskette drive.
* At least 320K of available RAM.
* DOS 2.0 or higher.

2.2 Distribution Files

The Data Physician PLUS! package is distributed on 5.25" or 3.50" diskettes that contain the following files:

* INSTALL.EXE
* VIRHUNT.EXE
* RESSCAN.COM
* RS-NET.COM
* UNKILL.EXE
* VIRALERT.SYS
* ANTIGEN.EXE
* SAFEBOOT.EXE
* FILEPEEK.EXE
* WIN-RS.COM
* WIN-VA.SYS

2.3 Quick Start Instructions

If you are too busy to read the remainder of this manual and need to quickly find and remove viruses from your system, here is a quick way to get started.

1) Insert the Data Physician PLUS! diskette containing VIRHUNT.EXE into a drive on your machine, and log onto that drive.
2) Type "INSTALL" and press Enter.
3) Type "I" to choose the Install option.
4) Using the cursor keys, highlight VIRHUNT and press Enter.
5) Enter the drive and path of the subdirectory in which you want the VirHUNT program to be stored.
6) When the install program asks if you want to run VirHUNT from your AUTOEXEC.BAT file, answer No. (You can change all options later by hand or by running the INSTALL program again.)
7) Quit the INSTALL program.
You are now ready to run VirHUNT. Assuming you installed it in a subdirectory that is in your DOS PATH, you can now run VirHUNT from anywhere on your system. Otherwise, you will have to log into that subdirectory or include the pathname when invoking the program.

If you simply enter "VIRHUNT" with no command line parameters, option and help screen pages become available. Typing "S" from the main option page performs a virus scan on the current drive.

Once you have put your mind at ease with a quick VirHUNT scan, you should take some time to look over the other VirHUNT options. Also read the documentation concerning the other Data Physician PLUS! programs.

2.4 Installation Procedures

To install various portions of the Data Physician PLUS! package, follow these steps:

1. Make a working copy of the Data Physician PLUS! diskette, and store the original diskettes in a safe place. The Data Physician PLUS! package is not copy protected, so the normal COPY or DISKCOPY commands may be used.

2. An INSTALL program is provided on each diskette to help you get the Data Physician PLUS! programs up and running quickly. Simply insert a Data Physician PLUS! diskette into your system's floppy drive, log onto that drive, type "INSTALL" (without the quotes) at the DOS command line, and press Enter.

3. Each INSTALL program shows a list of all Data Physician PLUS! programs present in the current drive and/or directory. Using the cursor keys, you can install or see information on each program individually. Before installing a program, however, we recommend that you read the section of this document corresponding to that particular program and its options.
2.5 Monochrome Display Usage

If you are using a monochrome display and have difficulty reading the text, add the following command line parameter when invoking the utility in order to change the colors to something more usable on your display:

    -C

This parameter may be used anywhere on the command line, and does not interfere with other parameters passed to the Data Physician PLUS! utility you are using.

3. VirHUNT VIRUS SCANNER UTILITY
___________________________________________________________________________

3.1 The VirHUNT Program

VirHUNT is a virus scanner designed for use in professional computer security environments where reliable virus removal and flexibility in usage are required. VirHUNT knows the characteristics of all common viruses, and can search for them through files, memory, and boot records. In most cases, VirHUNT can completely remove the virus, restoring the original program(s). VirHUNT can also find and remove previously unknown viruses through the use of file signatures.

A large number of options are available to tailor VirHUNT to your needs. These options can be set in three different ways, singly or in combination:

  1) Within VirHUNT's pulldown menu interface. (See "VirHUNT Pulldown Menus".)
  2) Directly at the DOS command line when you call up VirHUNT. (See "Using Options from the Command Line".)
  3) Through the use of VIRHUNT.CFG configuration files. (See "Configuration Files".)

Through its built-in programming language, you can even add to the VirHUNT list of known viruses. (See "Teaching VirHUNT about New Viruses".)

The minimum requirements for VirHUNT are a single 360K floppy disk, 256K of free memory, and DOS 2.0 or later.

3.1.A VirHUNT Pulldown Menus

Although VirHUNT's many options can be controlled directly from the command line or via configuration files, the program provides an easy-to-use menu-driven interface that allows you to browse through the options and view information on known viruses before performing a scan.
All menus can be operated via cursor keys, by mouse, or by hotkey (typing the highlighted character in the menu item you wish to choose). When cursor keys are used, all menus wrap or scroll appropriately when an edge is reached.

The main program menu is a "bar" across the top of the screen with pulldown menus titled Options, Configuration, About, Scan, and Quit. Select a pulldown menu using cursor keys, mouse, or hotkey. The items in each pulldown menu will display as you move through the main program menu. To "open" or activate a pulldown menu, press the Enter or Down-Arrow cursor key, or click on the menu title with the mouse. An active pulldown menu has highlighted hotkeys and the ability to scroll vertically through its items. Scrolling right or left moves you to the next logical pulldown menu. Exceptions are the Scan and Quit menus, which have only one item and so take immediate action when they are activated.

The About menu allows you to see information about DDI and information on known viruses. The latter has a scrolling list of viruses and an information window giving the basic characteristics of the currently highlighted virus. These virus descriptions are also available when a virus is discovered during a scan.

The Configure menu allows you to create or edit a VIRHUNT.CFG configuration file. Read the "Configuration Files" section for more information on the use of these files. If a VIRHUNT.CFG file is present in the current subdirectory, its contents are automatically read in for you to edit through this menu. Any non-default options provided on the command line when you ran VirHUNT, or entered through its Options menu, will also be written to the VIRHUNT.CFG file if you choose to Save Configuration to disk.

The Options menu is almost always displayed within VirHUNT. Even when it is not the active menu, it is displayed in "shadow mode" so that the major current scanning options are always visible.
MOUSE NOTES: A mouse is supported via a standard (non-manufacturer specific) interface, and can be used wherever input is expected. Two buttons are supported: Left (index finger), and Right (middle/ring finger). The Left button is treated as the Enter key, and the Right button is treated as the Escape key. For left-handed users, there is a special VirHUNT command line parameter, -L, as well as a menu option to reverse the button definitions so that the physical Right button becomes Enter, and the Left button becomes Escape. (See the section concerning the -L parameter.) In a pulldown menu, if the mouse cursor encounters the right or left edge of the menu box, it has the same effect as doing a Right-Arrow or Left-Arrow with the keyboard, moving you to the next logical menu.

3.1.B Example of a VirHUNT Session

To start VirHUNT, make sure that the VIRHUNT.EXE file is in the current directory, or is available through your PATH, and type VIRHUNT at the command prompt. (See your DOS manual for a description of the PATH command.) VirHUNT will quickly check itself for infection, and then place you at the main menu. The main menu contains 4 available options, which you select by typing the highlighted letter:

  * Start the scan with the default option values.
  * Change the values of the Options.
  * Get information on viruses found by this version of VirHUNT.
  * Quit and go back to DOS.

If you type "S", VirHUNT scans memory, the boot record of the current disk, and all COM and EXE files on the current disk for known viruses. This scan can be interrupted at any time by pressing the Esc key. An option exists for VirHUNT to remove viruses that it finds, but the default is to scan only. After the scan is over, you are returned to the main menu, where Options such as 'what drive to scan' can be changed and another scan started, or you can return to DOS.

The main menu can be skipped, and the scan started immediately, by using command line parameters.
See the next section for a quick example using AUTOEXEC.BAT, and the sections, "Using Options from the Command Line," and "Using Signature Files from the Command Line," for the details and all available options.

3.1.C Using VirHUNT from AUTOEXEC.BAT

VirHUNT can automatically scan your system every time you boot if you include a call to the program in your AUTOEXEC.BAT file. To scan memory and the boot disk (usually your hard disk, C:), place the following line in AUTOEXEC.BAT:

    VIRHUNT QU

This will run VirHUNT, and if nothing is found, quit back to DOS to continue your AUTOEXEC.BAT file. (All VirHUNT parameters are described more fully later.) If a virus is found, VirHUNT requires a user keypress before continuing. This ensures that you are made aware of any problems.

If you have several hard disks, or are booting from a floppy and want to scan a hard disk, you could use the following in your AUTOEXEC.BAT:

    VIRHUNT DIC: DID: QU

where the DI parameters tell VirHUNT what disks to scan, and can be repeated as often as needed to scan all disks in your system.

When VirHUNT exits to DOS, it always returns information in the ERRORLEVEL variable that can be checked within DOS batch files or at boot time in AUTOEXEC.BAT to take special action if there is a problem. The ERRORLEVEL returns are:

    0 = Clean scan
    1 = Signature(s) change(s) found
    2 = Virus(es) found
    3 = Virus(es) found and signature(s) change(s) found
    4 = Program quit during self-check (useful on networks)
    5 =
    6 = Program unable to repair itself during self-check

Read the Appendix "BATCH FILE ERRORLEVEL CHECKING" for the proper checking of ERRORLEVEL values.

Remember, DOS must be able to find the VIRHUNT.EXE file, so it must be in your current directory, or in your PATH (in which case the VirHUNT command must come after the PATH command in your AUTOEXEC.BAT).
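A fuller AUTOEXEC.BAT fragment that acts on each of the ERRORLEVEL values listed above, written here as an added illustration rather than taken from the DDI manual; the log file name C:\INFECT.LST and the label names are assumptions. DOS evaluates IF ERRORLEVEL n as "exit code n or higher", so the tests must be ordered from the largest value downward.

```batch
ECHO OFF
REM Added illustration, not from the DDI manual: run VirHUNT unattended at
REM boot and branch on every ERRORLEVEL value the manual documents.
REM Assumptions: VIRHUNT.EXE is on the PATH (set earlier in AUTOEXEC.BAT) and
REM C:\INFECT.LST (a constructed name) is a writable log file. The LI list file
REM is what lets QZ finish without a keypress even when a virus is found.
VIRHUNT DIC: DID: LIC:\INFECT.LST QZ

REM IF ERRORLEVEL n is true when the exit code is n OR HIGHER, so the checks
REM must run from the largest value down to the smallest.
IF ERRORLEVEL 6 GOTO NOREPAIR
IF ERRORLEVEL 4 GOTO SELFQUIT
IF ERRORLEVEL 3 GOTO BOTH
IF ERRORLEVEL 2 GOTO VIRUS
IF ERRORLEVEL 1 GOTO SIGCHG
ECHO VirHUNT: clean scan, continuing boot.
GOTO DONE

:NOREPAIR
ECHO VirHUNT could not repair itself during its self-check (ERRORLEVEL 6).
ECHO Do not trust this copy of VIRHUNT.EXE. Reboot from a write-protected
ECHO system diskette and restore VirHUNT from its distribution diskette.
GOTO STOP

:SELFQUIT
REM ERRORLEVEL 4 (program quit during self-check). Value 5 is not described
REM in this manual, so it is reported together with 4.
ECHO VirHUNT quit during its self-check (ERRORLEVEL 4 or 5).
GOTO STOP

:BOTH
ECHO VirHUNT found virus(es) AND signature change(s) (ERRORLEVEL 3).
ECHO See C:\INFECT.LST for the affected files.
GOTO STOP

:VIRUS
ECHO VirHUNT found virus(es) (ERRORLEVEL 2). See C:\INFECT.LST.
GOTO STOP

:SIGCHG
ECHO VirHUNT found signature change(s) (ERRORLEVEL 1). See C:\INFECT.LST.
GOTO STOP

:STOP
REM Wait for the operator so the message is not lost off the screen, then
REM continue with the rest of AUTOEXEC.BAT.
PAUSE

:DONE
```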
For more information on the command line parameters for VirHUNT, see the sections, "Using Options from the Command Line," and "Using Signature Files from the Command Line," for the details and all available options.

3.2 Identifying and Removing Viruses

Because VirHUNT is designed to allow the removal of viruses, its virus identification routine is very selective. Thus, if VirHUNT finds even a variation of a known virus, the identification is accurate enough to allow reliable removal of the virus without damage to the host program. VirHUNT also displays a brief description of each discovered virus.

3.2.A Memory Scan

Many viruses install themselves as memory-resident programs in order to infect more files faster. VirHUNT optionally scans your system's memory for these viruses. This can be a tricky process since many viruses try to hide from DOS and anti-virus programs, and do not install themselves as normal TSRs. Also, because viruses tend to come in "families" (the same person writes more than one, or the original is "hacked" by other people to create new viruses), trying to identify which virus is in memory can be challenging.

If the virus was recently executed, a copy of the virus code might still be in DOS buffers. Thus, even though only one virus is active in memory, VirHUNT will occasionally report that more than one is present. Do not be alarmed by this. The file scan and virus remove logic can be counted on to positively identify and remove all copies of the virus.

Certain viruses, when active in memory, watch for when a file opens and closes, and tag along with the process in order to infect more files. Therefore, a careless virus scanner could actually help a virus to spread. VirHUNT is aware of these types of viruses, and if one is found in memory the program will inform the user and halt the system.
This forces the user to reboot (hopefully from a "clean," write-protected floppy disk) and try again, but will prevent massive virus infection of files.

3.2.B Deactivating Viruses in Memory

When either option "remove virus" or "wipefile virus" is used (see the section "Virus Action"), VirHUNT will deactivate viruses in memory. This does NOT remove the virus from memory or clean up the space used, nor does it prevent a virus from becoming resident again. Its purpose is to "turn off" a virus so that it will not cause re-infection immediately after removing viruses from a boot record or file.

Certain viruses cannot be deactivated, and when such viruses are encountered VirHUNT will inform the user and halt the system. This forces the user to reboot (hopefully from a "clean," write-protected floppy disk) and try again, but will help prevent a freshly disinfected system from becoming infected again.

3.2.C Viruses with Removal Problems

Many viruses are poorly written and contain their own unintentional "bugs." Sometimes it is not possible to completely restore the original program after virus removal due to these bugs. For example, the Datacrime #2, the Datacrime #2B, and Virus 101 viruses destroy the stack information in the EXE header during infection. While some programs may tolerate an incorrect stack, it will cause others to behave erratically or crash. VirHUNT cannot reconstruct the missing stack information for EXE files infected with these viruses, and so leaves the stack as the virus left it. If the infected program crashed when the virus was attached, it probably would not be any better after VirHUNT removes the virus.

The 405 virus, which affects only COM files, over-writes the original file rather than attaching itself. As a result, the original program is destroyed. When VirHUNT removes this virus, the file is "wipefiled." (Zeros are written over the program, and then the file is deleted.)
The Leprosy virus presents the same problem as the 405, but affects both COM and EXE files.

Other viruses have less drastic consequences. The Israeli viruses, for example, destroy the checksum field in the header by overwriting it with their own information. Again, VirHUNT cannot reconstruct the missing information, but as it has no effect on the program (and some linkers do not even set it!) this is not a major consideration.

A fairly common removal problem is that the virus "pads" the infected file to a paragraph boundary (a multiple of 16 bytes) before attaching the virus. As a result, the original file length is gone, and cannot be completely restored by VirHUNT. However, the typical result is a maximum of 15 bytes of added "garbage" at the end of the file, which does no harm.

Another common unremovable change involves the time/date stamp of the file. Several viruses modify it to use it as a signature, and there is no way to find the original timestamp. Again, this has no effect on the program.

3.2.D VirHUNT Options

VirHUNT's many options provide a great deal of flexibility and power in the detection and removal of computer viruses. In most cases, the VirHUNT default scanning operation will be what you want. However, the default settings can be modified by indicating the desired options either from the options menu within VirHUNT, or from the DOS command line (see section "Using Options from the Command Line"), or from the VIRHUNT.CFG configuration file(s) (see section "Configuration Files"). The available options and their default settings are discussed in detail below.

3.2.D.1 Directory to Scan

This option tells VirHUNT where to find the files to be scanned. The default directory is the root directory of the current drive. Since VirHUNT, by default, also scans subdirectories under the chosen directory, this default will scan the entire current drive. (Also, see the section "Scan Subdirectories," for controlling the scanning of subdirectories.)
Any drive and/or directory can be specified, and multiple drives/directories can be specified by separating them with a space or a semi-colon when entering the drive to search.

    Default action: Scan Current Drive including subdirectories

3.2.D.2 User Specified Search/Remove

User specified search/remove "programs" allow for quick field upgrades of VirHUNT, and allow the user to find and remove "local" or newly discovered viruses. When enabled, the user specifies a filename containing search and removal parameters for up to 10 viruses, which are checked for along with the internally specified viruses. For details on the contents of this file, see the section "Teaching VirHUNT About New Viruses."

    Default action: No User Specified Viruses

3.2.D.3 Scan What

VirHUNT has the ability to scan four different areas for viruses:

  * Memory
  * Real DOS memory only (first 640K)
  * Boot records
  * Files

The default memory scan searches all of the real-mode memory space (first 1 Meg of memory) so that viruses resident in high memory will be found. However, this scan includes memory where neither RAM nor ROM are present, and some machines return parity or other errors when these areas are scanned. If these problems occur, using the R option (Real DOS memory--640K on most machines) will restrict the scan to lower memory.

When selected from the options menu, the Scan What option allows the user to choose what combination of areas to scan. It is also legal to select None, which is useful for doing signature scans. See the section "Using Signature Files."

    Default action: Scan Memory, Boot, Files

3.2.D.4 Files Scanned

By default, VirHUNT only checks executable files with extensions of .EXE, .COM, .BIN, .SYS, and .OV?. The user may choose to scan all files by changing the Files Scanned flag. In this way, VirHUNT can find viruses that may be hiding in renamed files (a rare occurrence).
Regardless of how a file is named, if an .EXE header is present within the file, VirHUNT treats it as an .EXE file when detecting and removing a virus within it.

When creating a signature file (see the section "Using Signature Files"), scanning all files causes VirHUNT to take the signature of all files. Be warned that this can take some time, and will produce a large signature file.

    Default action: Executable Files Only (.EXE, .COM, .BIN, .SYS, and .OV?)

When defaulting to Executable files only, you may also specify additional file extensions to search for. Periods are used to identify extensions in the list as follows:

    .ext[.ext][...]

For example, to search for all executable files plus all .PIF and .DLL files you enter the following for the Files Scanned option:

    .PIF.DLL

Note that these additional files would be included in a signature file list created by VirHUNT during the same scan pass. Wildcard characters are NOT supported in the extension list.

3.2.D.5 Scan Subdirectories

When VirHUNT searches a directory for infected files, it also checks the subdirectories of that directory for infected files. For example, the default directory is the root directory of the current disk, and the default is to scan subdirectories. This means that the root directory, and all files in its subdirectories, and all files in their subdirectories, etc., are scanned. This scans all files on the disk. If Scan Subdirectories is turned off, only the specified directory (the root in this example) would be scanned.

    Default action: Scan Subdirectories

3.2.D.6 Virus Action

When VirHUNT detects a virus it is always reported to the user. Then, there are several alternative actions that can be performed. The default is to do nothing but report the infection. The other alternatives are:

  * Remove the virus.
  * Wipefile (write zeros over the file, then delete it).
  * Halt the system after the virus scan if viruses are detected.
The Remove option returns the host infected program to its original state (or as close as possible--see the section "Viruses with Removal Problems"). Note that unless all copies of the virus are found and removed from your system, the file could become infected again.

The Wipefile option first over-writes the file with zeros, and then deletes the file. This way, even "undeleted" programs will not accidentally restore infected files. After a wipefile, programs should be restored from their WRITE-PROTECTED distribution floppies.

The Halt system option checks at the end of a scan, and if any infected files (or infected boot records or memory resident viruses) were found, a message is displayed and the system is halted. This is typically used in a corporate environment, when the handling of a computer virus is a matter for the security director.

    Default action: Report Only

3.2.D.7 Variations Action

VirHUNT can detect variations of known viruses and treat them differently than when an exact virus match is made. The default is to only report the presence of a virus variation and leave it alone regardless of the Remove virus and Wipefile options set for exact virus matches. (See the section "Virus Action.") The Halt system option is unaffected by the Variation Action setting; in other words, the system will halt for all virus matches if the Halt option is toggled on. The virus variation option toggles between leaving variations alone or treating them the same as exact virus matches (Remove or Wipefile).

    Default action: Do Not Remove Variations

3.2.D.8 Backup Upon Remove

When VirHUNT removes a virus, there is always a chance that the infected program will not be restored to a useable state. Or, perhaps, you want to keep a non-executing copy of infected programs around for later analysis. VirHUNT allows you to make a backup copy of the infected program before virus removal is attempted. The default is to not create backup copies of infected files.
There are two filename extensions associated with the backup option, the primary and secondary extensions. The primary extension is always non-blank, and the filename with the primary extension is checked for existence. If it DOES exist, and the secondary extension is non-blank, the backup name is changed to the filename plus the secondary extension. The filename with the secondary extension is assumed to be okay for over-writing, if it exists. By allowing two predefined filename extensions, VirHUNT reduces the user intervention required in making automated backups, especially on a heavily infected machine.

When backing up, there are two options:

  * Force backup upon removal (always make a backup).
  * Ask for backup upon removal (ask user if a backup is required).

If backup is Force backup or Ask for backup and no extensions are given, the primary extension defaults to VIR.

NOTE: There can be no backup when removing a boot virus. If the system is no longer bootable, boot instead from an uninfected system diskette and use the SYS command to reinstall the operating system.

    Default action: No Backup

3.2.D.9 Pause Full Screen

If the screen fills up while VirHUNT is performing a virus scan, the default is for the screen to begin scrolling upwards as additional information is generated. When Pause is selected, the user is asked for a keypress to continue. This ensures that no important information scrolls by unnoticed by the user.

    Default action: Scroll Screen

3.2.D.10 Print Scan Output

VirHUNT has the ability to echo the screen output from a scan to the first printer, usually called PRN or LPT1. The default is not to print the scan output. Note that printer support is at its lowest level, through BIOS calls, so that no special printer support is offered. When printing the output, the display screen is scrolled rather than paused, since nothing will be missed if the user is not watching the screen.
    Default action: Do Not Print

3.2.D.11 Save Scan Output to File

VirHUNT has the ability to echo the screen output from a scan to a disk file. The default is to not send the list to a file. If the list file already exists, the new scan is appended to the file so that all scans can be kept in the same file. When sending the list to a file, the display screen is scrolled rather than paused, since nothing will be missed if the user is not watching the screen.

    Default action: No List File

3.2.D.12 Signature Mode

In addition to detecting and removing all known common viruses, VirHUNT and RESSCAN also allow you to detect and in most cases remove even previously unknown viruses. This is accomplished through the creation and use of intelligent "signatures" for the files and boot record on your system. More information on the use of file signatures is in the section "Using Signature Files" in this document.

3.2.E Using Options from the Command Line

All available options are available from the command line. In addition, the user can tell VirHUNT to quit back to DOS after the scan. These options allow VirHUNT to be used as a self-running check, which automatically logs its output to disk. When valid command line parameters are present, the main menu is skipped and VirHUNT proceeds directly to the virus scan.

VirHUNT always returns information in the ERRORLEVEL variable that can be checked within DOS batch files. The ERRORLEVEL returns are:

    0 = Clean scan
    1 = Signature(s) change(s) found
    2 = Virus(es) found
    3 = Virus(es) found and signature(s) change(s) found
    4 = Program quit during self-check (useful on networks)
    5 =
    6 = Program unable to repair itself during self-check

Read the Appendix titled "BATCH FILE ERRORLEVEL CHECKING" for the proper checking of ERRORLEVEL values.

Any VirHUNT option can be used more than once, and the last occurrence, the "rightmost" copy on the command line, takes precedence. The only exception to this is the directory to scan.
If this command is specified more than once, all specified drives and/or directories are scanned, in the order given on the command line. Upper or lower case is not important.

The VirHUNT command line uses the format:

    VIRHUNT [DIpathname] [USfilename] [SWmbfn] [VArwh] [VOyn] [FIae]
            [FI.ext[.ext...]] [SCyn] [BAfa[.ext[.ext]]] [PAyn] [PRyn]
            [SFfilename] [SIscrfn] [LIfilename] [EXfilename] [QU] [QZ]

Where square brackets show optional parameters, uppercase characters indicate parameter names, and non-italicized lowercase characters indicate parameter settings. The entire command line is processed before the scan occurs, so the order of options is not important.

VirHUNT command line options are discussed in detail below.

3.2.E.1 BA (BAckup Upon Removal) Parameter

The BA parameter controls the BAckup option of VirHUNT. The format is:

    BAx.ex1.ex2

where x is one of the following backup action characters:

    F - Force backup
    A - Ask for backup
    N - No backup

If the action is F or A, one or two extensions may be specified, starting with periods. For example:

    BAf.abc.vir

forces a backup, with a primary extension of ABC, and a secondary extension of VIR. Again, if backup mode is Force backup or Ask for backup and no extensions are given, the primary extension defaults to VIR.

    Default BA value: N (No Backup)

3.2.E.2 -D (Date Scheduled Scanning) Parameter

This parameter tells VirHUNT to check the date held within the VIRHUNT.CFG configuration file. If a valid date exists VirHUNT checks to see if a scan is scheduled to run. Two outcomes can then occur:

  1) If a scan is due to be run, it is performed and the current date is stored back into VIRHUNT.CFG to set the schedule for the next scan.
  2) If a scan is not due to be run, no scan occurs.

With the -D parameter active, VirHUNT will automatically quit without showing the main menu, regardless of whether a scan was performed or not.
This allows VirHUNT to perform date-scheduled scanning from the AUTOEXEC.BAT file without interrupting the normal boot sequence until a scan is scheduled to run.

3.2.E.3 DE (DEscribe Virus) Parameter

This parameter specifies the manner in which virus descriptions are displayed if one is detected during a scan. The format is:

    DEx

where x is the single character W or T indicating one of the following virus description modes:

    W = Window mode. If a virus is discovered during a scan, a pop-up window displays a description of that particular virus. This mode requires user input to continue if a virus is found.

    T = Text mode. Virus descriptions are included in the normal scrolling output of the virus scan. This mode is useful when virus scan output is being printed or directed into a file for later perusal, since it doesn't require user input to continue in the event a virus is discovered. (See the VirHUNT PR and LI parameters.)

    Default DE value: Window mode description

NOTE: Virus descriptions may also be toggled during a virus scan by the F1 key to turn on/off text mode description, and the F2 key to turn on/off window descriptions.

3.2.E.4 DI (DIrectory to Scan) Parameter

This optional parameter specifies the directory to scan. Its format is:

    DI\path   or   DIx:   or   DIx:\path

where x: is any legal disk, and \path is any legal path. If no path is specified (a disk name only), the root directory of the disk is used. For example:

    DIC: DI\utils DId:\scribble

scans the C: drive, the \UTILS directory (and subdirs) on the current drive, and the \SCRIBBLE directory (and subdirs) on the D: drive. This parameter may be specified more than once, to scan multiple disks or multiple directories.

    Default DI value: Scan Current Drive starting at the root and including subdirectories

NOTE: if normal DOS and UNIX drive and pathnames are used on the command line, the DI parameter is assumed (and thus optional).
The format is:

    [d:[\path]] [\path] [/path]

Drive names are identified by a ':' as the second character. Pathnames must begin with a '\' or '/' (for UNIX folks). Multiple drives/pathnames may be given on a single command line.

    Default if omitted: scan entire current disk starting at the root and including subdirectories.

3.2.E.5 FI (FIles Scanned) Parameter

The FI parameter tells VirHUNT what files to scan. The general format is:

    FIA   or   FIE

for (A)ll files or (E)xecutable files only (.EXE, .COM, .BIN, .SYS, and .OV? files).

    Default FI value: E (Executable Only)

When defaulting to Executable files only, you may also specify additional file extensions to search for. Periods are used to identify extensions in the list as follows:

    FI.ext[.ext][...]

For example, to search for all executable files plus all .PIF and .DLL files you use the following:

    FI.PIF.DLL

Note that these additional files would be included in a signature file list created by VirHUNT during the same scan pass. Wildcard characters are NOT supported in the extension list.

3.2.E.6 -L (Left-Hand Mouse) Parameter

This parameter specifies Left-Hand mouse operation within the VirHUNT pulldown menu interface. It reverses normal mouse button operation so that the physical Right button acts as the Enter key, and the Left button acts as the Escape key. See the section "VirHUNT Pulldown Menus" for more mouse usage information.

3.2.E.7 LI (Scan Output to LIst File) Parameter

The LI parameter controls the LIst option of VirHUNT. The format is:

    LIfilename.ext

where filename.ext is any legal filename, and may include both a drive specifier (such as C:) and a path. For example:

    LIinfect.lst   or   LI\viruses.lst

    Default LI value: No List File

3.2.E.8 PA (PAuse Full Screen) Parameter

The PA parameter controls the PAuse option. The format is:

    PAx

where x is Y for pause at full screen, or N for scroll full screen.

    Default PA value: N (Scroll Screen)

3.2.E.9 PR (PRint Scan Output) Parameter

The PR parameter controls the PRint option. The format is:

    PRx

where x is Y for print scan output, or N for do not print.

    Default PR value: N (Do Not Print)

3.2.E.10 QU (QUit After Scan) Parameter

The QU parameter is unique to the command line, and tells VirHUNT to QUit to DOS after the scan, rather than remaining in VirHUNT. This is useful for putting VirHUNT into an automatic scan, such as from within a batch file. Note that when QU is used, if no viruses are found, VirHUNT will return to DOS without pausing, so that files like AUTOEXEC.BAT can proceed without an operator. If any viruses are found, VirHUNT will require a keypress before continuing (to avoid this, use the QZ parameter described later).

    Default QU value (if both it and QZ omitted): Remain in VirHUNT After Scan

3.2.E.11 QZ (Quit After Scan-No Pause) Parameter

The QZ parameter is similar to QU described above, except that it is intended for unattended batch operation with an output list file, and when used as such does not require any user keypresses to acknowledge viruses found. A list output file MUST be specified, or QZ will function the same as the QU option. For example, the following batch file sequence will run by itself without requiring user intervention, even if a virus is detected:

    ...
    VIRHUNT DIC: DID: LIC:\INFECT.LST QZ
    IF ERRORLEVEL 2 GOTO VIRUSES_DETECTED
    ...

See the Appendix titled "BATCH FILE ERRORLEVEL CHECKING" for the available ERRORLEVEL settings and how to check them properly.

    Default QZ value (if both it and QU omitted): Remain in VirHUNT After Scan

3.2.E.12 SC (SCan Subdirectories) Parameter

The SC parameter tells VirHUNT whether to scan subdirectories of the specified directories. The format is:

    SCY   or   SCN

where Y says YES, scan subdirectories, and N says NO, do not scan subdirectories.

    Default SC value: Y (Scan Subdirectories)

3.2.E.13 SW (Scan What) Parameter

The SW parameter tells VirHUNT what areas to scan (see the Scan What menu option described earlier). The format is SW plus either N (for None) or some combination of M or R, B, and F (for Memory or Real DOS memory, Boot, and Files).

The default memory scan searches all of the real-mode memory space (first 1 Meg of memory) so that viruses resident in high memory will be found. However, this scan includes memory where neither RAM nor ROM are present, and some machines return parity or other errors when these areas are scanned. If these problems occur, using the R option (Real DOS memory--640K on most machines) will restrict the scan to lower memory.

Examples of the SW option:

    SWn      (perform no scan at all)
    SWf      (scan files only)
    SWbf     (scan boot records & files)
    SWrbf    (scan real memory, boot recs & files)

    Default SW value: MBF (Memory, Boot, Files)

3.2.E.14 US (USer Specified Search/Remove) Parameter

The US parameter tells VirHUNT to use a file of custom virus search/remove parameters. This allows you to "teach" VirHUNT about new viruses. The format is:

    USfilename.ext

where filename.ext is any legal filename, and may include both a drive specifier (such as C:) and a path. For example:

    USmyvirs.prg   or   US\localvir.prg

For more information, see the section entitled, "Teaching VirHUNT About New Viruses."

    Default US value: No User Specified Viruses

3.2.E.15 VA (Virus Action) Parameter

The VA parameter controls the Virus Action option. The format is:

    VAx

where x is R (Remove viruses), W (Wipefile infected files), H (Halt system after scan if viruses detected), or N (ignore file, report only). Only one letter can be specified.

    Default VA value: N (Report Only)

3.2.E.16 VO (Variations Option) Parameter

The VO parameter controls the Variations Option. The format is:

    VOx

where x is Y for take action (same action as Virus Action option) or N for take no action.

    Default VO value: N (Do Not Remove Variations)

3.2.E.17 Obsolete Command Line Parameters

During various upgrades of VirHUNT, new features have been added, and some options have been merged or had their names changed.
This is reflected in the command line processing, where the parameter names and values have changed. However, to support batch files that include commands from older versions of VirHUNT, some obsolete command line parameters are still available.

The RE parameter (REmove) has been replaced by the Virus Action option. The format is:

    REx

where x is Y or N, or W (Wipefile).

The RV parameter (Remove Variations) has been replaced with the Variations Option. The format is:

    RVx

where x is Y to set the Variations Option to the state of Virus Action, or N to reset the Variations Option.

The BO parameter (BOot check) has been replaced by the Scan What option. The format is:

    BOx

where x is Y for scan the boot record, or N to skip the boot record.

3.2.E.18 VirHUNT Examples

The VirHUNT parameters provide a great deal of power and flexibility. Some typical VirHUNT command lines follow, along with their explanation.

Command:

    VirHUNT VAH QU

Explanation: Scan memory, boot, and all executable files on the default drive. If any viruses are found, halt the system with a warning message to the user. Otherwise, quit back to DOS when done. Such a command might be useful in an AUTOEXEC.BAT file.

Command:

    VirHUNT DIC: DID: QU

Explanation: Scan memory, boot, and all executable files on the C: drive and D: drive, and quit to DOS when done. If no viruses were found, VirHUNT will perform the scan and exit without any intervention from the user.

Command:

    VirHUNT FIA DI\SCRIBBLE

Explanation: Scan memory, the boot record of the current disk, and all files in the \SCRIBBLE directory of the current disk. Remain in VirHUNT when done. This would be useful if a virus was suspected in this particular directory.

Command:

    VIRHUNT SWBF DIB: QU

Explanation: Scan the boot record and executable files on the B: drive, and quit to DOS when done. Such a command would be useful when introducing a new floppy to your system, and could be tied to a function key via the ANSI.SYS driver. (See your DOS manual for details on ANSI.SYS.)
Command:

    VIRHUNT VAR LIINFECT.LST

Explanation: Scan memory, boot, and all executable files on the default drive, removing any viruses found from the boot or files. The scan output is also sent to the INFECT.LST file in the current directory.

3.3 Using Signature Files

Most virus search and removal programs have one shortcoming: the author of the program must be able to analyze each new virus, or closely-related family of viruses, before appropriate search and removal algorithms can be added. Most of the time, this is not a critical limitation, since the vast majority of virus infections are caused by the most common and well-known viruses. One of several ways that VirHUNT and its companion program, RESSCAN, overcome typical virus search and removal limitations is through the use of signature files.

3.3.A What Is a Signature File?

A signature file contains information about the boot record and files on the disks that you scan. When a later signature scan takes place, any difference between the stored state of the file (its signature) and the current state of the file is reported. In many cases, such as the attack of a virus, this information can also be used to remove the changes and restore the original file.

The files on your system must be assumed to be virus-free when the signature file is created. If VirHUNT does not report any viruses while creating the signature file, you can proceed with confidence. Even in the unlikely event that an unknown virus is present, subsequent signature checks will soon make its presence known. Remember, if a virus that VirHUNT does not otherwise know is caught via a signature file, please send a copy to DDI so that the new virus can be included in an updated version of VirHUNT. See the section "Virus Identification" for details.

3.3.B Using Signature Files for Detection and Removal

The normal use of a signature file is as follows:

1). A signature file is created during a VirHUNT scan.

2). The same signature file is used during subsequent VirHUNT scans until new files are added, deleted, or changed on your system. At this time, you should create a new signature file to reflect the new status of your disk.

When creating a signature file, VirHUNT assumes it has permission to write over any existing signature file or any file with the same name (see the section "Signature File Names" for naming information). However, if the file is read-only, VirHUNT will not write over it, and will give an error instead.

The files you tell VirHUNT to scan while creating a signature file are the only files whose signatures are stored. Also, if the Scan What option does not include the boot record, it will not be represented in the resulting signature file. If all files are scanned (not just the executable files), the signature file will take more time to create and be correspondingly larger.

If VirHUNT should find any viruses during signature file creation, and if the virus Remove option is activated, these viruses are removed before the signature is created. If the virus Remove option is not activated and a virus is detected, VirHUNT will generate a warning message but create a signature on the infected file as-is.

If you perform both a signature check and a file scan simultaneously, it is best if both processes are set up to check exactly the same files, such as the entire drive. The reason is as follows: when both types of checks are used simultaneously and VirHUNT finds a "known" virus in a file during signature analysis, it assumes that the normal virus scanning logic has already reported the virus. In other words, it tries to avoid generating a duplicate warning message. Therefore, it is usually safer to turn the file scan off when checking signatures, since the latter offers the greatest level of protection all by itself. The same rules apply to boot records, as well.
During a signature scan, if a file is missing or not accessible, this is reported along with the changed files. Remember, a signature file MUST have been previously created before a valid signature scan can take place.

3.3.C Normal Versus Fast Mode

When doing signature file creation or scan, there are two modes available: normal and fast. In normal mode, the signature reflects information on the entire contents of the file. In fast mode, this part of the signature is skipped. There is no difference in the size of the resulting signature file, but there is a time and feature trade-off between the two modes:

* In normal mode, the scan is slower, but there is an increase in the confidence of file integrity.

* In fast mode, the scan is faster, but there are changes that could be missed. Fast mode signature files also do not support the removal of unknown viruses from the files listed in the signature file.

NOTE: Signature files allow the removal of previously unknown viruses only when the normal mode was used in both the signature file creation and the subsequent virus scan. In fast mode, not enough information is kept to guarantee the integrity of the repaired file. The exception is when viruses are held in the boot record, for which full information is always kept.

Normal and fast mode can be mixed and matched as needed. For example, a signature file could be created in normal mode, and later scanned in fast mode. If changes are detected, the signature scan can be repeated in normal mode to verify the changes and attempt cleanup. If a normal scan is attempted on a signature file that was created in fast mode, VirHUNT notes this and does a fast scan anyway, as the additional information would not be used.

3.3.D Scanning for New Files

The presence of a signature file also allows VirHUNT to do a check for new files during a file scan.
Although this slows down the file scan, it allows the user to confirm the integrity of their file system, spot any files created by a virus, and determine when it is necessary to create a new signature file.

The Newfiles option is valid only if done in conjunction with a virus scan, since it relies on the scanning parameters to know what directories and file types to look for. The Newfiles scan does not update the given signature file; it uses it only to determine what files found on disk are not listed in the signature file, and therefore are reported as new.

You want to be sure that the signature file used during the Newfiles scan corresponds to the directories being scanned. If the signature file is for a different directory or drive, or if the signature file contains only executable files and you are scanning all files for Newfiles, VirHUNT will report a large number of "new files," which will consist mainly of false alerts.

You can use either the default or a specified signature file. See the section "Signature File Names" for details on default versus specified signature files.

3.3.E Signature Options

Signature file creation and scan have their own options, along with some minor overlap with the virus scan options. In particular, the backup file option, the pause screen, the print scan output, the scan output to list file, and the QUit command line options are all significant during signature file creation or scan. The Scan What and DIrectories to scan options can be of significant use during signature file creation and a Newfiles scan. Depending on the value of the Signature File option (see the section "Signature File Names"), the value of the directory to scan may be significant during both signature creation and scan.

The signature file options are explained in more detail below.

3.3.E.1 Signature Mode Options

The signature mode option on the VirHUNT main menu controls what signature file options are to be in effect, if any.
The available combinations and their meaning are as follows:

    File Option             Meaning

    CREATE                  Create signature file.
    CREATE FAST             Create Fast format signature file.
    SCAN                    Scan previous signature file.
    SCAN FAST               Scan previous signature file in Fast format.
    SCAN REMOVE             Scan previous signatures and remove viruses.
    SCAN NEWFILES           Scan previous signatures and report if any new
                            files are present.
    SCAN FAST NEWFILES      Scan in Fast format and report on new files.
    SCAN REMOVE NEWFILES    Scan and remove viruses and report on new files.

Default: Signatures not active

3.3.E.2 Signature File Names

There are two naming schemes for signature files: 1.) the default, and 2.) a specified name.

When a name and optional drive and/or path is specified, VirHUNT creates or scans the specified signature file. If multiple paths are specified and the file is created, all boot record and/or file signatures are placed in the single signature file. If there are multiple paths and a scan, the signature file is scanned only once.

The default signature file is always named VirHUNT.SIG, and is located in the starting directory of the current scan. If multiple directories are scanned, only one VirHUNT.SIG file will be used. For example, suppose disk C has the following tree structure:

    C:\
    |___FILE_1.COM
    |___FILE_2.COM
    |___SUBDIR_1
    |   |___FILE_3.COM
    |   |___FILE_4.COM
    |___SUBDIR_2
    |   |___FILE_5.COM
    |   |___FILE_6.COM
    |___SUBDIR_3
        |___FILE_7.COM
        |___FILE_8.COM
        |___SUBDIR_4
            |___FILE_9.COM

A signature file creation using the default signature file on the 2 paths C:\ and C:\SUBDIR_3 will create one VirHUNT.SIG file, located in the root directory, containing information for all files in all directories on the disk (i.e., for files FILE_1.COM through FILE_9.COM).

The signature file option is selected from the same sub-menu as the signature mode (see above).
Default (signatures active): VIRHUNT.SIG
Default (signatures not active): no Signature File

3.3.E.3 Exclude List File

An Exclude file can be used that contains a list of files that are to be excluded from a signature check. In naming the Exclude file, be sure to include a drive specifier and path, if necessary.

The Exclude file must be previously created as an ASCII text file. It should contain a list of filenames, one per line. The filenames in the list may be given in two forms:

    DRIVE:\PATH\FILENAME.EXT
or
    FILENAME.EXT

In the first form, only the specified file will be excluded from the signature check. In the second, all files with the same name and extension will be excluded, regardless of their location.

The Exclude list file option is selected from the same sub-menu as the signature mode (see above).

Default: No Exclude List File

3.3.F Using Signature Files from the Command Line

Like all other VirHUNT options, signature files can be specified on the DOS command line. VirHUNT will then skip the main menu and proceed directly to the file scan or signature scan, as appropriate. See the section "Using Options from the Command Line" for more details. Below are listed the valid signature file command line options, followed by some examples of their use.

3.3.F.1 SI (SIgnature Mode) Parameter

The SI parameter informs VirHUNT that a signature file operation is desired. The format is:

    SIxxx

where xxx is a 1 to 3 letter code specifying the operation to perform. The legal combinations are:

    C    = Create signature file.
    CF   = Create signature file in Fast format.
    S    = Scan signature file.
    SF   = Scan signature file in Fast format.
    SR   = Scan signature file and Remove viruses, if possible.
    SN   = Scan signature file, check for Newfiles.
    SFN  = Scan signature file in Fast format, check for Newfiles.
    SRN  = Scan signature file and remove viruses, if possible, and check
           for Newfiles.

Default SI value: Signature Create/Scan Not Done

Note that the combination SFR (Scan Fast format, Remove virus) is not valid because a Fast format scan does not provide enough information to remove viruses reliably. The meaning of "Create," "Scan," "Fast," "Remove," and "Newfiles" in this context is discussed in previous sections of this document.

3.3.F.2 SF (Signature File) Parameter

The SF parameter controls the Signature File mode. The format is as follows:

    SFfilename.ext

where filename.ext is any valid filename, and may include a drive and/or path. Specifying a signature file turns default mode off. Remember that only one signature file may be specified, no matter how many drives and/or paths are to be scanned.

Default SF value: VIRHUNT.SIG in 1st Dir Scanned

3.3.F.3 EX (EXclude List) Parameter

The EX parameter allows specific files to be excluded from a signature check. The format is:

    EXfilename.ext

where filename.ext is any legal filename, and may include both a drive specifier (such as C:) and a path.

The file named by the EX parameter must be previously created as an ASCII text file. It should contain a list of filenames (one per line) that are to be excluded (ignored) during signature checking. The filenames in the list may be given in two forms:

    DRIVE:\PATH\FILENAME.EXT
or
    FILENAME.EXT

In the first form, only the specified file will be excluded from the signature check. In the second, all files with the same name and extension will be excluded, regardless of their location.

Default EX value: No Exclude List File

3.3.F.4 VirHUNT Signature Examples

Following are some typical examples of using signature files with VirHUNT from the DOS command line, along with their explanation.

Command:

    VIRHUNT SIC DIC: DID:

Explanation: Scan memory, boot, and all executable files on the C: drive and D: drive. During the scan of the C: drive, create the file C:\VIRHUNT.SIG, which contains the boot record and file information for the C: and D: drives.

Command:

    VIRHUNT SIC SF\MYFILES.SIG DIC: DID:

Explanation: Scan memory, boot, and all executable files on the C: drive and D: drive. During the scan of the C: drive, create the file C:\MYFILES.SIG, which contains the boot record and file information for the C: drive. During the scan of the D: drive, update the file C:\MYFILES.SIG to add the boot and file information for the D: drive.

Command:

    VIRHUNT SIS DIC: SWN

Explanation: Do a signature scan only, using the file C:\VIRHUNT.SIG. Since files (and boot) are not being scanned for known viruses, changes in signatures will be reported even if the file (or boot) is infected with a known virus.

Command:

    VIRHUNT SISN SFB:\SAVE.SIG DIC:

Explanation: Scan memory, boot, and all executable files on the C: drive for known viruses and new files. (Use the signature file B:\SAVE.SIG for the Newfiles scan.) Then, use the signature file B:\SAVE.SIG to scan for any changes. Note that the signatures scanned are NOT limited to the C: drive!

Command:

    VIRHUNT SISFN DIC: DID: QU

Explanation: Scan memory, boot, and all executable files on the C: and D: drives for known viruses and new files. The default signature file C:\VIRHUNT.SIG is used for the Newfiles scan. Also, scan signatures using the file C:\VIRHUNT.SIG for changes using Fast mode. Quit to DOS when done. Such a command would be useful in an AUTOEXEC.BAT file, where you want to take the minimum time for booting your system.

NOTE: The signature file should be created in NORMAL mode, so that if problems are found, VirHUNT has a chance to clean up the files.

3.4 Teaching VirHUNT about New Viruses

VirHUNT allows the user to "teach" VirHUNT about new viruses. Information about these new viruses is written in the VirHUNT built-in Custom Intercept Language (CIL). Writing virus information in CIL can be technically demanding, and is best suited to persons with a high level of debugging skill.
If you feel up to the task, consult the CIL.DOC documentation file that is provided on the distribution diskette. Also, refer to the section entitled "US Parameter" in this document.

Luckily, you have an easier alternative to writing in CIL. You can send any new viruses that you run into to DDI and we will quickly update our utilities to detect and remove them.

4. RESSCAN VIRUS SCANNING TSR
___________________________________________________________________________

4.1 The RESSCAN Program

RESSCAN is a RAM-resident virus scanner that provides continuous virus scanning as you work. Like VirHUNT, RESSCAN can scan for viruses in memory, in boot records, and in files. RESSCAN can also be run from the DOS command line to perform system-wide virus and file signature scans similar to VirHUNT. However, there are three major differences between the programs:

1. RESSCAN can be loaded as a TSR (Terminate and Stay Resident) program that checks programs for viruses as you run them, or when they are copied or opened in any way.

2. RESSCAN does not have the same ability as VirHUNT to remove viruses. This limitation allows RESSCAN to occupy a very small amount of memory--about 20K--when loaded as a TSR. (The MS Windows version of RESSCAN, WIN-RS, takes up about 28.4K of memory.)

3. RESSCAN does not have a menu page. All options must be specified on the DOS command line when you run the RESSCAN program, or be present in VIRHUNT.CFG configuration file(s). (See the section "Configuration Files" for more information.)

PC management can configure RESSCAN to "force" users to complete a virus scan, and to report a discovered virus before proceeding with their work.

If you are running RESSCAN on a local-area network (LAN), be sure to read the sections "Local-Area Network Usage" and "RS-NET" in this document.
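Before turning to a RESSCAN session, here is an added example (not DDI's code) that models the signature-file scheme of sections 3.3.A to 3.3.E.3, which RESSCAN shares with VirHUNT: a baseline is created from files assumed virus-free, a later scan reports changed and missing files, a Newfiles pass reports files absent from the baseline, and an Exclude list in both of its forms is honoured. The (size, SHA-256) representation, the use of size alone for Fast mode, and all function names are assumptions of this example, not the product's actual file format.

```python
# Added example (not DDI's code): a Python model of the VirHUNT/RESSCAN
# signature-file scheme. A signature file is modelled as a dict mapping a
# canonical path to (size, digest). The assumed detail is that "fast" mode
# stores no content digest, matching the manual's statement that fast mode
# skips the part of the signature covering the file's contents.
import hashlib
import os
from typing import Dict, Iterable, List, Optional, Set, Tuple

Signature = Tuple[int, Optional[str]]          # (size, sha256 hex or None)
SigFile = Dict[str, Signature]
Exclude = Tuple[Set[str], Set[str]]            # (full paths, bare names)


def _key(path: str) -> str:
    """Canonical form of a path, used as the signature-file key."""
    return os.path.normcase(os.path.abspath(path))


def file_signature(path: str, fast: bool = False) -> Signature:
    """Normal mode hashes the whole file; fast mode records only its size."""
    size = os.path.getsize(path)
    if fast:
        return (size, None)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return (size, h.hexdigest())


def create_signature_file(paths: Iterable[str], fast: bool = False) -> SigFile:
    """Equivalent of SIC / SICF over the given files (assumed virus-free)."""
    return {_key(p): file_signature(p, fast) for p in paths}


def parse_exclude_list(text: str) -> Exclude:
    """Parse an EX list: an entry carrying a path part excludes that one file;
    a bare NAME.EXT excludes every file of that name regardless of location."""
    full, bare = set(), set()
    for line in text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        if os.sep in entry or "\\" in entry or ":" in entry:
            full.add(_key(entry))
        else:
            bare.add(entry.lower())
    return full, bare


def scan_signature_file(sig: SigFile, fast: bool = False,
                        exclude: Exclude = (set(), set())) -> Dict[str, list]:
    """Equivalent of SIS / SISF: report changed and missing files.
    A signature created in fast mode forces a fast scan, as the manual notes."""
    full_ex, bare_ex = exclude
    report: Dict[str, list] = {"changed": [], "missing": []}
    for path, (size, digest) in sig.items():
        if path in full_ex or os.path.basename(path).lower() in bare_ex:
            continue                               # ignored per the Exclude file
        use_fast = fast or digest is None
        try:
            cur_size, cur_digest = file_signature(path, use_fast)
        except OSError:                            # missing or not accessible
            report["missing"].append(path)
            continue
        if cur_size != size or (not use_fast and cur_digest != digest):
            report["changed"].append(path)
    return report


def newfiles_scan(sig: SigFile, scanned: Iterable[str]) -> List[str]:
    """Equivalent of the N (Newfiles) flag: files on disk not in the signature."""
    return [p for p in scanned if _key(p) not in sig]
```

Running a fast scan against a same-size content change shows exactly the trade-off section 3.3.C warns about: the change is missed in fast mode and caught in normal mode.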
4.1.A Example of RESSCAN Session

To start RESSCAN, make sure that the RESSCAN.COM file is in the current directory or is available in your PATH (see your DOS manual for a description of PATH), and type RESSCAN at the command prompt. RESSCAN first checks itself for corruption, and then starts scanning memory, plus the boot of the default disk, plus the executable files on the default disk for known viruses. Any viruses found are reported for further action. This scan can be interrupted at any time by pressing Ctrl-C or Ctrl-Break.

After the disk scan, RESSCAN will install itself as a TSR (Terminate and Stay Resident program), and will watch any file being executed or opened in any other way, such as in a COPY process, for known viruses. It will also monitor disk boot records and warn you of any attempt to boot from an infected disk or diskette.

The RESSCAN initial virus scan, or installation as a memory-resident TSR, may be turned off by using command line parameters. See the section "RESSCAN Options" for details.

4.1.B Using RESSCAN from AUTOEXEC.BAT

RESSCAN can automatically scan your system every time you boot by including RESSCAN in your AUTOEXEC.BAT file. Including the following command:

    RESSCAN

as part of your AUTOEXEC will scan memory and the boot disk, then leave RESSCAN as a resident program to watch for viruses in the programs you execute. If you have several hard disks, or are booting from a floppy and want to scan a hard disk, use the following in your AUTOEXEC.BAT:

    RESSCAN DIC: DID:

where the DIx parameters tell RESSCAN what disks to scan, and can be repeated as often as needed to scan all disks in your system.

When RESSCAN exits to DOS, it always returns information in the ERRORLEVEL variable that can be checked within DOS batch files or at boot time in AUTOEXEC.BAT to take special action if there is a problem. The ERRORLE