June, 1988
Preventive Computer Medicine to help keep your system virus free.
***********************
*** ***
*** CHECKUP ver 1.0 ***
*** ***
***********************
(C)Copyright 1988, Gilmore Systems
Gilmore Systems
P.O. Box 3831
Beverly Hills, CA 90212-0831
U.S.A.
Phone: (213) 275-8006
Program written by Chuck Gilmore
CHECKUP Page 1
Introduction
Computer viruses have now become an international concern. They've
infected places such as NASA, EDS (subsidiary of GM), universities (such
as Lehigh University and Miami University), and countless other firms as
well as individuals. Major software houses are not immune either. If
they admit being struck by a virus, nobody would buy their software.
You know things are getting bad when you buy a name brand software
package at a computer store and find that it's infected by a virus!
Just what IS a computer Virus?
A computer virus is a small piece of code contained within a seemingly
innocent program. What's unique about the code is that when the program
is run, it attaches itself to other programs. When those other programs
are run, the virus inside them seeks out and attaches itself to yet more
programs on your disks. These other programs (the targets) can be ANY
program including your operating system (ie: command.com). Depending on
what instructions are present within the viral code, the results can be
quite severe - anything from wiping out your entire fixed disk to
ruining your data to altering video I/O functions so that your CRT
explodes! These catastrophic results are usually not carried out right
away - the people writing these viruses usually set "time bombs" in the
viral code. These "time bombs" can be anything - when a certain date is
reached, or a certain memory location is written to with a certain
value, or the number of files on your disk reaches a certain number, or
you run a program a certain number of times - these are just a few
examples of "triggers" that viruses set and look for. When the
"trigger" happens, then the viral code does its catastrophic dirty work.
Bulletin Board Systems
In addition to spreading computer viruses by infected software houses,
Bulletin Board Systems are a major target for the people who derive
pleasure out of writing viral code. ANY program on a BBS can be
downloaded by ANYONE. The person downloading a program from a BBS may
be a "virus implanter" and implant the downloaded program with a virus,
then upload it to other BBS's where perhaps thousands of people will
download the infected version of the program. The problem is reaching
epidemic proportions and as a result, some companies have banned the
downloading of programs from BBS's. This is indeed a shame, since BBS's
are there for the sharing of knowledge, information, and the opportunity
to get talented programmers' works known.
How Can I Tell If MY Computer Has Infected Programs?
Simply put, YOU CANNOT! That's the scariest part of it all. Viruses
may lie dormant for months or years on an infected system before they
show their symptoms. Programs will continue to run normally until one
day when the "trigger" is reached.
What Can I Do to Stop a Potential Virus?
Checkup User Guide - (C)Copyright 1988, Gilmore Systems
There are some viral-fighting programs available such as FLU-SHOT, and
versions of VACCINE. These programs attempt to block viruses from doing
things that viruses typically do. They attempt to block any altering of
COMMAND.COM or your other operating system's system files. They try to
alert you of low-level disk writing. These programs look for other
things as well but may slow your system down as a result. Some require
you to make lists of approved programs and TSR's. The problem with
these programs is that they are running on your system which may
contain a virus that looks for these particular programs and renders
them inactive or makes them think that everything's ok (sounds like
AIDS, doesn't it?) while they do their dirty work. The original version
of FLU-SHOT was found to contain a virus itself, although newer versions
have been corrected.
Introducing CHECKUP
CHECKUP is a program which differs from vaccine-type programs and other
programs that attempt to find, block, or alert you to viruses. CHECKUP
does none of these things. As a matter of fact, CHECKUP can't even be
run from your fixed disk! CHECKUP is a preventive medicine program
which sort of takes a snapshot (x-ray) of your entire fixed disk(s) and
logs it to a file. The things checkup logs are the date, time, size,
attribute, and CRC (Cyclic Redundancy Check) of every file on your fixed
disk(s). It looks for differences in all of these things whenever you
decide to run it again and alerts you to any changes. Any changes
potentially mean a virus is at work - Viruses have to alter files in
some way in order to spread themselves.
Using CHECKUP
CHECKUP should NOT be placed on your fixed disk - it will ONLY RUN FROM
A FLOPPY, and furthermore, it won't even run from a floppy unless you
BOOT DOS FROM FLOPPY!
Why all the hassle of booting from and running from a floppy? Simple.
If you boot from a fixed disk, you may be booting from an infected copy
of your operating system, starting an infected TSR, have an infected
device driver, or may have run an infected program. If you boot from
floppy, you don't give the viruses on your fixed disk a chance to become
active. Therefore, the first thing you should do in order to prepare
for using the CHECKUP program is:
1) Boot DOS from your ORIGINAL distribution disk.
2) Format a bootable floppy. (use the command "FORMAT A:/S")
3) Copy CHECKUP.EXE to the newly formatted disk.
4) Diskcopy this new disk for as many fixed disk drives or logical
drives as you have on your system and label each one for a specific
drive (ie: CHECKUP for drive C:, CHECKUP for drive D:, etc).
Anytime you want to run CHECKUP, you should first turn your computer
OFF, then back on with the bootable CHECKUP diskette in drive A:
(Hitting Ctrl-Alt-Del may not get rid of actively running viruses).
You can run CHECKUP in either of 2 ways: interactively, or by command
line arguments.
Running CHECKUP Interactively
Simply type and enter "CHECKUP" on the command line (without quotes).
You'll be presented with a screen containing 3 sets of fields to fill
in:
1) The Drive Letter of the fixed disk you wish to check.
2) The Processing Option you wish CHECKUP to perform.
3) The filename extensions of the files you wish to check.
The first field simply asks for the drive letter of the fixed disk drive
you wish to check.
The second field has one of three answers: N, C, or P which stand for
New, Check, and Print, respectively. The first time you run CHECKUP you
should choose N which will scan your fixed disk and log a "snapshot" of
your files. CHECKUP will create a log on floppy drive A named
DRIVEx.CKP, where the "x" is the drive letter of the drive that's being
logged. You should run CHECKUP with the N option after every BACKUP or
immediately before running a new program, or whenever appropriate.
Using the N option logs all files which may have been added since the
last time you used the N option.
Choosing C or P requires that your printer be turned on (writes to LPT1
or PRN). After running N, you should re-run the program choosing P for
a readable hardcopy of the log.
Run CHECKUP with the C option any time after you've run a new program
such as one that may have been downloaded from a BBS (or even purchased
from a store). Besides running it after a new program, it would be very
beneficial to give your disk a weekly checkup by running CHECKUP with
the C option. CHECKUP will print any discrepancies in checks of the
actual files on your fixed disk against the log entries, as well as
report on deleted files, removed directories, and changed volume names.
This report should alert you to possible infection by viruses present on
your system and which files or programs may have become infected. Some
discrepancies are normal:
- If you're a programmer, the only EXE or COM files that should
change are the ones YOU create or modify.
- If you've edited an existing text file this will be reported
by CHECKUP if you've used "*" or supplied its extension.
- Many programs modify data files (ie: database programs modify
database files, games may modify their own data files, etc). This
is normal but will be reported by CHECKUP nonetheless.
The third field lets you enter anywhere from 0 to 10 different
extensions (filename extensions) which can be anywhere from one to three
characters including the wildcards (? and *). If you're not familiar
with wildcards, please consult your DOS manual. Whenever you specify
extensions, CHECKUP only looks for and checks filenames on your fixed
disk that match the extensions you supply. For instance, if you supply
EXE, COM, SYS, and BAT (which we recommend as a minimum), CHECKUP will
only check or look for files matching those extensions (ie: *.EXE,
*.COM, *.SYS, and *.BAT). Some programs use overlays, usually matching
the OV? extension. For maximum protection, use "*" by itself (without
quotes) to check and look for EVERY file on your fixed disk (including
those without any extensions). If you use "*" (without quotes) by
itself, ALL files on your fixed disk will be specified, whereas if you
use "*" as in "XX*", all files matching "XX*" will be specified along
with any other extensions you specify (if any). If you don't enter any
extensions, "*" will default (ALL files).
Once all three fields have been filled in by you, press the F2 key on
your keyboard to start processing. Anytime before pressing F2, you can
press F1 for brief help with the field you're on, or F10 to quit the
program.
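The snapshot-and-compare cycle described above (the N and C options with the extension filter), as an added Python example; it is not CHECKUP's own code, whose log format and CRC variant this guide does not give. It assumes CRC-32 from zlib, keeps the log as an in-memory dictionary rather than a DRIVEx.CKP file, and also reports files that are missing from the log:

```python
import fnmatch
import os
import zlib

def crc32_of(path, chunk=65536):
    """CRC-32 of a file's contents, read in chunks."""
    crc = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            crc = zlib.crc32(block, crc)
    return crc & 0xFFFFFFFF

def wanted(name, exts):
    """Extension filter; no patterns or a bare '*' selects every file."""
    if not exts or "*" in exts:
        return True
    ext = os.path.splitext(name)[1].lstrip(".").upper()
    return any(fnmatch.fnmatchcase(ext, e.upper()) for e in exts)

def snapshot(root, exts=()):
    """N option: map relative path -> (size, mtime, mode, crc)."""
    log = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if wanted(name, exts):
                path = os.path.join(folder, name)
                st = os.stat(path)
                log[os.path.relpath(path, root)] = (
                    st.st_size, int(st.st_mtime), st.st_mode, crc32_of(path))
    return log

def check(root, baseline, exts=()):
    """C option: compare the disk with the log, return the discrepancies."""
    fields = ("size", "time", "attribute", "crc")
    now = snapshot(root, exts)
    report = []
    for rel, old in sorted(baseline.items()):
        if not wanted(os.path.basename(rel), exts):
            continue              # logged, but outside this run's filter
        if rel not in now:
            report.append((rel, "deleted"))
            continue
        changed = [f for f, a, b in zip(fields, old, now[rel]) if a != b]
        if changed:
            report.append((rel, "changed: " + ",".join(changed)))
    # Assumption: files absent from the log are reported too.
    report += [(rel, "not in log") for rel in sorted(set(now) - set(baseline))]
    return report
```

As with CHECKUP itself, the comparison is only trustworthy when the script and the saved log are kept on clean boot media rather than on the disk being checked.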
Running CHECKUP With Command Line Arguments
You can run CHECKUP with command line arguments as follows:
CHECKUP d: /n=EXT | /c=EXT | /p=EXT [/o=OUTFILE]
The arguments are not case sensitive so feel free to use lower and/or
uppercase characters. Spacing is not important either, use spaces
wherever you want or none at all. The argument definitions are:
    d:            - The drive letter of the fixed disk drive to check.
    /n=           - Identical to N of field 2 of interactive usage.
    /c=           - Identical to C of field 2 of interactive usage.
    /p=           - Identical to P of field 2 of interactive usage.
    EXT           - Identical to field 3 of interactive usage. Extensions
                    must be separated by commas.
    [/o=OUTFILE]  - The brackets surrounding this argument mean it's
                    optional - don't use the brackets. /o=OUTFILE if
                    present, will print output to the filespec specified
                    by OUTFILE instead of your printer. OUTFILE should
                    contain a complete path including drive. Note that
                    printed output (which would be routed to OUTFILE)
                    takes place when the C or P options are used.
Note that ONLY ONE of /n=, /c=, or /p= is to be used (just as in the
interactive mode).
Examples:
    CHECKUP c: /n=*
        creates new log of files on drive C:
    CHECKUP c: /n=exe,com,sys,bat
        creates new log of files on drive C: matching *.exe, *.com,
        *.sys, *.bat
    CHECKUP e:/p=*
        makes a readable hardcopy of everything in the DRIVEE.CKP log.
    CHECKUP e:/p=* /o=c:\log_e
        same as above but creates file C:\LOG_E and prints to this file
        instead of your printer.
    CHECKUP f:/c=*
        checks drive F against the log DRIVEF.CKP and prints any
        discrepancies on your printer.
    CHECKUP f: /c=* /o=c:\report
        same as above but creates file C:\REPORT and prints to this file
        instead of your printer.
    CHECKUP d: /c=exe,com,sys,bat
        checks drive D against log DRIVED.CKP and prints any
        discrepancies on your printer. Note that only *.exe, *.com,
        *.sys, and *.bat will be checked.
***********************************
*** IMPORTANT FINAL REMARKS ***
***********************************
Running CHECKUP with the N option will only log the current state of
your files on your fixed disk(s), which may already contain infected
files. Subsequent runs using the C option alert you to any changes
which may have occurred. Any of the changes reported is an alert of a
potential virus. If a file has changed that shouldn't have, remove it
from your system immediately and replace it with the same file from your
original distribution diskette. If COMMAND.COM, IBMBIO.COM, or
IBMDOS.COM have changed on your drive C, turn off your computer
immediately. Insert your original DOS diskette in Drive A and restart
your computer. Once restarted, do a "SYS C:" to overwrite these files
to the way they should be. If COMMAND.COM was the only file that
changed, turn off your computer immediately. Insert your original DOS
Diskette in Drive A and restart your computer. Once restarted, do a
"COPY COMMAND.COM C:" or to the appropriate disk drive.
CHECKUP searches all file attributes - system, hidden, etc. Once
processing has started, checkup starts a timer and when processing
finishes, checkup prints how long it ran. On computers running at 4.77
MHz such as the original IBM XT's, CHECKUP may take a while to complete
its job. On computers such as the IBM PS/2 Model 80 running at 20 MHz,
CHECKUP flies through in minutes. We've incorporated fast algorithms so
that CHECKUP will run through your system as fast as possible.
It's pretty difficult to evade a CRC (cyclic redundancy check) of your
files, not to mention changing file size by adding a couple of bytes or
so.
Clever viruses install themselves over unused portions of program files,
and manage to keep the same size, date, time, and attribute of the file.
But even with these protective checks, a CRC is no guarantee that some
clever deviant won't code a virus to match the original CRC of
a file it altered. There are no reports of this yet, but as more CRC
checking programs such as this are in use, virus-writing programmers
will have to incorporate code (mutations) to match the CRC of the
original file when they alter it. It's not a small task for them;
however, CRC checking is a well-known method. If you can test a file for
CRC, you can alter a file such that its CRC stays the same. Because of
this, we offer another version of CHECKUP (MCHECKUP or Modified CHECKUP)
which uses a unique, modified CRC check which is not known to the
virus-writing programmers (and we won't make the method public in order
to protect you). Since the modification we made to the CRC algorithm is
unknown to anyone but us, a virus-writing programmer will not know how
to defeat the check.
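Why matching a CRC is feasible, as an added Python example (not from this guide, and not MCHECKUP's undisclosed method): CRC-32 obeys a fixed XOR relation that anyone can compute, so the effect of an edit on the checksum is predictable, whereas a keyed hash shows no such relation. The HMAC-SHA-256 tagger and its key are assumptions, standing in for a check whose secret is a key rather than the algorithm:

```python
import hashlib
import hmac
import random
import zlib

def xor_bytes(*blocks):
    """Bytewise XOR of equal-length byte strings."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)

def crc_tag(data):
    """Public, unkeyed checksum: CRC-32 as 4 bytes."""
    return zlib.crc32(data).to_bytes(4, "big")

def keyed_tag(key):
    """Return an HMAC-SHA-256 tagger bound to a secret key.

    Assumption: the key is stored with the log on the clean boot floppy.
    """
    return lambda data: hmac.new(key, data, hashlib.sha256).digest()

def affine_hits(tag, trials=200, size=64, seed=1988):
    """Count trials where tag(a^b^c) == tag(a)^tag(b)^tag(c).

    a, b, c are constructed random blocks of equal length. A checksum
    that always satisfies this is affine over GF(2): the change an edit
    makes to the tag depends only on the edit, not on any secret.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        a, b, c = (bytes(rng.getrandbits(8) for _ in range(size))
                   for _ in range(3))
        if tag(xor_bytes(a, b, c)) == xor_bytes(tag(a), tag(b), tag(c)):
            hits += 1
    return hits
```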
***************************
*** Register Today! ***
***************************
If you've obtained this copy of CHECKUP from a friend or BBS (shared
programs), there is NO guarantee that your copy of CHECKUP hasn't become
infected by a virus. We cannot guarantee that somebody didn't download
this program, infect it (purposely or accidentally), and pass it on by
uploading it to other BBS's or giving it to friends.
Since this is shareware we would normally encourage you to try it, then
register if you like it. Recall that FLU-SHOT became infected. You may
use this program at your own risk.
We can only guarantee that the copy of CHECKUP we send you on floppy via
U.S. mail is free of viruses. When you get your copy of CHECKUP through
the mail, please boot DOS from the original DOS distribution diskette
and then do a DOS compare (COMP) on our CHECKUP versus the one you
downloaded or got from a friend. Report any differences to us
immediately, along with the name and telephone number of the BBS you
obtained it from.
Registration is $15 (U.S. currency, check, or use your VISA/MC when
registering by phone).
When you register, we'll send you not only a copy of CHECKUP, but a copy
of MCHECKUP as well. We recommend the use of MCHECKUP over CHECKUP
since virus-writing programmers don't know what we're looking for.
Unless you specifically request a 3-1/2" micro-floppy disk, we will send
you a 5-1/4" disk. CHECKUP will run on all true IBM compatible
computers running the IBM PC-DOS or MS-DOS operating systems versions
2.0 and above. Some fixed disks require drivers which should be placed
on your boot diskettes from the original driver distribution diskette.
CHECKUP runs on the entire family of IBM (and compatible) computers
ranging from the XT to the PS/2 model 80. Fixed disks containing the
OS/2 operating system and associated files can also be checked with
CHECKUP since they maintain the same file structure as DOS - you must
still format DOS bootable diskettes to use CHECKUP.
To register, send $15 to:
Gilmore Systems
P.O. Box 3831
Beverly Hills, CA 90212-0831
- or call us with your VISA/MC number -
(213) 275-8006
Many companies such as ours use BBS systems to exchange and share
information, ideas, new technologies, programs, tools, and multitudes of
other things. How can we continue to use these invaluable offerings in
fear of destruction of your most valuable programs, data, or even
hardware? We hope that CHECKUP will offer you security against these
fears and at the same time inspire other programmers to create other
anti-viral or preventive computer medicine type programs.
- Chuck Gilmore, President