Shareware Grab Bag

home *** CD-ROM | disk | FTP | other *** search

/ Shareware Grab Bag / Shareware Grab Bag.iso / 090 / fichk.arc / CHECKUP.DOC next >

Wrap

Text File | 1988-06-23 | 22KB | 488 lines

June, 1988 Preventive Computer Medicine to help keep your system virus free. *********************** *** *** *** CHECKUP ver 1.0 *** *** *** *********************** (C)Copyright 1988, Gilmore Systems Gilmore Systems P.O. Box 3831 Beverly Hills, CA 90212-0831 U.S.A. Phone: (213) 275-8006 Program written by Chuck Gilmore CHECKUP Page 1 Introduction Computer viruses have now become an international concern. They've infected places such as NASA, EDS (subsidiary of GM), universities such as Lehigh university, and Miami university) and countless other firms as well as individuals. Major software houses are not immune either. If they admit being struck by a virus, nobody would buy their software. You know things are getting bad when you buy a name brand software package at a computer store and find that it's infected by a virus! Just what IS a computer Virus? A computer virus is a small piece of code contained within a seemingly innocent program. What's unique about the code is that when the program is run, it attaches itself to other programs. When those other programs are run, the virus inside them seeks out and attaches itself to yet more programs on your disks. These other programs (the targets) can be ANY program including your operating system (ie: command.com). Depending on what instructions are present within the viral code, the results can be quite severe - anything from wiping out your entire fixed disk to ruining your data to altering video I/O functions so that your CRT explodes! These catastrophic results are usually not carried out right away - the people writing these viruses usually set "time bombs" in the viral code. These "time bombs" can be anything - when a certain date is reached, or a certain memory location is written to with a certain value, or the number of files on your disk reaches a certain number, or you run a program a certain number of times - these are just a few examples of "triggers" that viruses set and look for. When the "trigger" happens, then the viral code does its catastrophic dirty work. Bulletin Board Systems In addition to spreading computer viruses by infected software houses, Bulletin Board Systems are a major target for the people who derive pleasure out of writing viral code. ANY program on a BBS can be downloaded by ANYONE. The person downloading a program from a BBS may be a "virus implanter" and implant the downloaded program with a virus, then upload it to other BBS's where perhaps thousands of people will download the infected version of the program. The problem is reaching epidemic proportions and as a result, some companies have banned the downloading of programs from BBS's. This is indeed a shame, since BBS's are there for the sharing of knowledge, information, and the opportunity to get talented programmer's works known. How Can I Tell If MY Computer Has Infected Programs? Simply put, YOU CANNOT! That's the scariest part of it all. Viruses may lie dormant for months or years on an infected system before they show their symptoms. Programs will continue to run normally until one day when the "trigger" is reached. What Can I Do to Stop a Potential Virus? Checkup User Guide - (C)Copyright 1988, Gilmore Systems CHECKUP Page 2 There are some viral-fighting programs available such as FLU-SHOT, and versions of VACCINE. These programs attempt to block viruses from doing things that viruses typically do. They attempt to block any altering of COMMAND.COM or your other operating system's system files. They try to alert you of low-level disk writing. These programs look for other things as well but may slow your system down as a result. Some require you to make lists of approved programs and TSR's. The problem with these programs are that they are running on your system which may contain a virus that looks for these particular programs and renders them inactive or makes them think that everything's ok (sounds like AIDs, doesn't it?) while they do their dirty work. The original version of FLU-SHOT was found to contain a virus itself, although newer versions have been corrected. Introducing CHECKUP CHECKUP is a program which differs from vaccine-type programs and other programs that attempt to find, block, or alert you to viruses. CHECKUP does none of these things. As a matter of fact, CHECKUP can't even be run from your fixed disk! CHECKUP is a preventive medicine program which sort of takes a snapshot (x-ray) of your entire fixed disk(s) and logs it to a file. The things checkup logs are the date, time, size, attribute, and CRC (Cyclic Redundancy Check) of every file on your fixed disk(s). It looks for differences in all of these things whenever you decide to run it again and alerts you to any changes. Any changes potentially mean a virus is at work - Viruses have to alter files in some way in order to spread themselves. Using CHECKUP CHECKUP should NOT be placed on your fixed disk - it will ONLY RUN FROM A FLOPPY, and furthermore, it won't even run from a floppy unless you BOOT DOS FROM FLOPPY! Why all the hassle of booting from and running from a floppy? Simple. If you boot from a fixed disk, you may be booting from an infected copy of your operating system, starting an infected TSR, have an infected device driver, or may have run an infected program. If you boot from floppy, you don't give the viruses on your fixed disk a chance to become active. Therefore, the first thing you should do in order to prepare for using the CHECKUP program is: 1) Boot DOS from your ORIGINAL distribution disk. 2) Format a bootable floppy. (use the command "FORMAT A:/S") 3) Copy CHECKUP.EXE to the newly formatted disk. 4) Diskcopy this new disk for as many fixed disk drives or logical drives you have on your system and label each one for a specific drive (ie: CHECKUP for drive C:, CHECKUP for drive D:, etc). Anytime you want to run CHECKUP, you should first turn your computer OFF, then back on with the bootable CHECKUP diskette in drive A: (Hitting Ctrl-Alt-Del may not get rid of actively running viruses). You can run CHECKUP in either of 2 ways: interactively, or by command Checkup User Guide - (C)Copyright 1988, Gilmore Systems CHECKUP Page 3 line arguments. Running CHECKUP Interactively Simply type and enter "CHECKUP" on the command line (without quotes). You'll be presented with a screen containing 3 sets of fields to fill in: 1) The Drive Letter of the fixed disk you wish to check. 2) The Processing Option you wish CHECKUP to perform. 3) The filename extensions of the files you wish to check. The first field simply asks for the drive letter of the fixed disk drive you wish to check. The second field has one of three answers: N, C, or P which stand for New, Check, and Print, respectively. The first time you run CHECKUP you should choose N which will scan your fixed disk and log a "snapshot" of your files. CHECKUP will create a log on floppy drive A named DRIVEx.CKP, where the "x" is the drive letter of the drive that's being logged. You should run CHECKUP with the N option after every BACKUP or immediately before running a new program, or whenever appropriate. Using the N option logs all files which may have been added since the last time you used the N option. Choosing C or P requires that your printer be turned on (writes to LPT1 or PRN). After running N, you should re-run the program choosing P for a readable hardcopy of the log. Run CHECKUP with the C option after anytime you've run a new program such as one that may have been downloaded from a BBS (or even purchased from a store). Besides after running a new program, it would be very beneficial to give your disk a weekly checkup by running CHECKUP with the C option. CHECKUP will print any discrepencies in checks of the actual files on your fixed disk against the log entries, as well as report on deleted files, removed directories, and changed volume names. This report should alert you to possible infection by viruses present on your system and which files or programs may have become infected. Some discrepencies are normal: - If you're a programmer, the only EXE or COM files that should change are the ones YOU create or modify. - If you've edited an existing text file this will be reported by CHECKUP if you've used "*" or supplied its extension. - Many programs modify data files (ie: database programs modify database files, games may modify their own data files, etc). This is normal but will be reported by CHECKUP nonetheless. The third field lets you enter anywhere from 0 to 10 different extensions (filename extensions) which can be anywhere from one to three characters including the wildcards (? and *). If you're not familiar with wildcards, please consult your DOS manual. Whenever you specify extensions, CHECKUP only looks for and checks filenames on your fixed disk that match the extensions you supply. For instance, if you supply Checkup User Guide - (C)Copyright 1988, Gilmore Systems CHECKUP Page 4 EXE, COM, SYS, and BAT (which we recommend as a minimum), CHECKUP will only check or look for files matching those extensions (ie: *.EXE, *.COM, *.SYS, and *.BAT). Some programs use overlays, usually matching the OV? extension. For maximum protection, use "*" by itself (without quotes) to check and look for EVERY file on your fixed disk (including those without any extensions). If you use "*" (without quotes) by itself, ALL files on your fixed disk will be specified, whereas if you use "*" as in "XX*", all files matching "XX*" will be specified along with any other exensions you specify (if any). If you don't enter any extensions, "*" will default (ALL files). Once all three fields have been filled in by you, press the F2 key on your keyboard to start processing. Anytime before pressing F2, you can press F1 for brief help with the field you're on, or F10 to quit the program. Running CHECKUP With Command Line Arguments You can run CHECKUP with command line arguments as follows: CHECKUP d: /n=EXT | /c=EXT | /p=EXT [/o=OUTFILE] The arguments are not case sensitive so feel free to use lower and/or uppercase characters. Spacing is not important either, use spaces wherever you want or none at all. The argument definitions are: d: - The drive letter of the fixed disk drive to check. /n= - Identical to N of field 2 of interactive usage. /c= - Identical to C of field 2 of interactive usage. /p= - Identical to P of field 2 of interactive usage. EXT - Identical to field 3 of interactive usage. Extensions must be separated by commas. [/o=OUTFILE] - The brackets surrounding this argument mean it's optional - don't use the brackets. /o=OUTFILE if present, will print output to the filespec specified by OUTFILE instead of your printer. OUTFILE should contain a complete path including drive. Note that printed output (which would be routed to OUTFILE) takes place when the C or P options are used. Note that ONLY ONE of /n=, /c=, or /p= is to be used (just as in the interactive mode). Examples: CHECKUP c: /n=* creates new log of files on drive C: CHECKUP c: /n=exe,com,sys,bat creates new log of files on drive C: matching *.exe, *.com, *.sys, *.bat Checkup User Guide - (C)Copyright 1988, Gilmore Systems CHECKUP Page 5 CHECKUP e:/p=* makes a readable hardcopy of everything in the DRIVEE.CKP log. CHECKUP e:/p=* /o=c:\log_e same as above but creates file C:\LOG_E and prints to this file instead of your printer. CHECKUP f:/c=* checks drive F against the log DRIVEF.CKP and prints any discrepencies on your printer. CHECKUP f: /c=* /o=c:\report same as above but creates file C:\REPORT and prints to this file instead of your printer. CHECKUP d: /c=exe,com,sys,bat checks drive D against log DRIVED.CKP and prints any discrepencies on your printer. Note that only *.exe, *.com, *.sys, and *.bat will be checked. *********************************** *** IMPORTANT FINAL REMARKS *** *********************************** Running CHECKUP with the N option will only log the current state of your files on your fixed disk(s), which may already contain infected files. Subsequent runs using the C option alert you to any changes which may have occurred. Any of the changes reported is an alert of a potential virus. If a file has changed that shouldn't have, remove it from your system immediately and replace it with the same file from your original distribution diskette. If COMMAND.COM, IBMBIO.COM, or IBMDOS.COM have changed on your drive C, turn off your computer immediately. Insert your original DOS diskette in Drive A and restart your computer. Once restarted, do a "SYS C:" to overwrite these files to the way they should be. If COMMAND.COM was the only file that changed, turn off your computer immediately. Insert your original DOS Diskette in Drive A and restart your computer. Once restarted, do a "COPY COMMAND.COM C:" or to the appropriate disk drive. CHECKUP searches all file attributes - system, hidden, etc. Once processing has started, checkup starts a timer and when processing finishes, checkup prints how long it ran. On computer running at 4.77 Mhz such as the original IBM XT's, CHECKUP may take a while to complete its job. On computers such as the IBM PS/2 Model 80 running at 20 Mhz, CHECKUP flies through in minutes. We've incorporated fast algorithms so that CHECKUP will run through your system as fast as possible. It's pretty difficult to evade a CRC (cyclic redunancy check) of your files, not to mention changing file size by adding a couple of bytes or so. Checkup User Guide - (C)Copyright 1988, Gilmore Systems CHECKUP Page 6 Clever viruses install themselves over unused portions of program files, and manage to keep the same size, date, time, and attribute of the file. But even with these protective checks, CRC does not guarantee that some clever deviant may code a virus to attempt to match the original CRC of a file it altered. There are no reports of this yet, but as more CRC checking programs such as this are in use, virus-writing programmers will have to incorporate code (mutations) to match the CRC of the original file when they alter it. It's not a small task for them, however CRC checking is a well known method. If you can test a file for CRC, you can alter a file such that its CRC stays the same. Because of this, we offer another version of CHECKUP (MCHECKUP or Modified CHECKUP) which uses a unique, modified CRC check which is not known to the virus-writing programmers (and we won't make the method public in order to protect you). Since the modification we made to the CRC algorithm is unknown to anyone but us, a virus-writing programmer will not know how to defeat the check. *************************** *** Register Today! *** *************************** If you've obtained this copy of CHECKUP from a friend or BBS (shared programs), there is NO guarantee that your copy of CHECKUP hasn't become infected by a virus. We cannot guarantee that somebody didn't download this program, infect it (purposely or accidentally), and pass it on by uploading it to other BBS's or giving it to friends. Since this is shareware we would normally encourage you to try it, then register if you like it. Recall that FLU-SHOT became infected. You may use this program at your own risk. We can only guarantee that the copy of CHECKUP we send you on floppy via U.S. mail is free of viruses. When you get your copy of CHECKUP through the mail, please boot DOS from the original DOS distribution diskette and then do a DOS compare (COMP) on our CHECKUP versus the one you downloaded or got from a friend. Report any differences to us immediately, along with the name and telephone number of the BBS you obtained it from. Registration is $15 (U.S. currency, check, or use your VISA/MC when registering by phone). When you register, we'll send you not only a copy of CHECKUP, but a copy of MCHECKUP as well. We recommend the use of MCHECKUP over CHECKUP since virus-writing programmers don't know what we're looking for. Unless you specifically request a 3-1/2" micro-floppy disk, we will send you a 5-1/4" disk. CHECKUP will run on all true IBM compatible computers running the IBM PC-DOS or MS-DOS operating systems versions 2.0 and above. Some fixed disks require drivers which should be placed on your boot diskettes from the original driver distribution diskette. CHECKUP runs on the entire family of IBM (and compatible) computers ranging from the XT to the PS/2 model 80. Fixed disks containing the Checkup User Guide - (C)Copyright 1988, Gilmore Systems CHECKUP Page 7 OS/2 operating system and associated files can also be checked with CHECKUP since they maintain the same file structure as DOS - you must still format DOS bootable diskettes to use CHECKUP. To register, send $15 to: Gilmore Systems P.O. Box 3831 Beverly Hills, CA 90212-0831 - or call us with your VISA/MC number - (213) 275-8006 Many companies such as us use BBS systems to exchange and share information, ideas, new technologies, programs, tools, and multitudes of other things. How can we continue to use these invaluable offerings in fear of destruction of your most valuable programs, data, or even hardware? We hope that CHECKUP will offer you security against these fears and at the same time inspire other programmers to create other anti-viral or preventive computer medicine type programs. - Chuck Gilmore, President Checkup User Guide - (C)Copyright 1988, Gilmore Systems