home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Amiga Computing 61
/
ac061.adf
/
VirusChecker
/
Virus_Checker.doc
/
Virus_Checker.doc
Wrap
Text File
|
1993-04-05
|
22KB
|
509 lines
************************************************************************
Virus_Checker Documentation
by John Veldthuis
Member of SHI Anti Virus Group
************************************************************************
DISTRIBUTION:
Virus_Checker is a freely distributable, copyrighted piece of
software. You do not have to pay money to use it, and may upload it
wherever you choose, but you are not allowed to sell Virus_Checker
for profit, or include Virus_Checker on a disk which is sold for
profit, without the author's (John Veldthuis) permission. Commodore
have this permission already.
Money is not solicited but would be welcome. I can be contacted at
the address below.
Please send me any more new viruses so I can update Virus_Checker,
but please don't send a letter asking for a copy without sending me
money to cover postage and disks. I cannot afford to send everyone a disk
out of my own pocket. If you send just a disk then don't be surprised if
you never see it again.
John Veldthuis
21 Ngatai Street
Manaia, Taranaki
New Zealand
Phone +64-6-274-8409
Email addresses:
FIDO 3:771/440.0
USENET johnv@tower.actrix.gen.nz
ABOUT SAFE HEX INTERNATIONAL
If you know a virus programmer you can get a reward of $ 1000 for
supplying his name and address. The fact is that the law punishes data
crime very severely. (5 years in jail in most countries).
We are an international group with more than 250 members who have started
trying to stop the spread of virus. Let me give you some example:
1. Our motto is: "Safe Hex", who dares do anything else today?".
2. A virus bank containing all well known virus killer programmes.
3. We help people to get money back lost by virus infection.
4. We write articles about virus problems for 8 magazines.
5. We release the newest and the best virus killers around.
6. We have more than 20 "Virus Centers" worldwide where you
can get free virus help by phoning our "Hotline", and the
newest killers translated n your own language at very little
cost.
For more information contact:
SAFE HEX INTERNATIONAL (Please send a "Coupon-Response
Erik Loevendahl Soerensen International" and a self addres-
Snaphanevej 10 sed envelope, if you want infor-
DK-4720 Praestoe mation about SHI by letter).
Denmark
Phone: + 45 55 99 25 12
Fax : + 45 55 99 34 98
INSTALLATION:
To run Virus_Checker once, either type it's name into a CLI window (while
the program is in the current directory), or double-click on it's icon
from the Workbench. The program will be active until you quit it or
reset your computer.
Installing Virus_Checker so that it will be active all the while your
computer is running is a good idea. This is because viruses can be on
any disk you insert into any disk drive. With Virus_Checker always
active, you will be protected.
Under 1.3, to install Virus_Checker so that it will be run whenever
you reset your computer, edit your startup-sequence to include simply
"Virus_Checker". The program will have to be either in the root
directory of the disk you are booting off of, or in the C: directory,
for this to work.
Under the 2.0 operating system, installation is much easier. All you
have to do is drag the icon for Virus_Checker into the WBStartup
drawer on your Workbench disk (or your boot partition if you use a
hard disk), and Virus_Checker will automatically be loaded when the
Workbench is loaded.
If you don't load or use WorkBench then edit the user-startup file in the
s: directory and simply include "Virus_Checker" somewhere in it.
NOTICE FOR USERS OF FILE PACKERS AND CRUNCHERS:
If you use a program such as PowerPacker to make your files smaller
then be aware that you must check these files before you crunch them.
If the file is infected and you crunch them then VC will not find the
virus in the file and each time you use that file it will infect your
machine. VC will still detect the virus in memory and remove it okay.
So if you get VC telling you your memory is infected but you cannot
find it on any disks then start unpacking any of these files and
check them UNPACKED.
ENFORCER USERS
Just a quick note for people who use the program called enforcer.
Virus_Checker will cause Enforcer hits when it does it's memory scan. There
is no way around this as it is the only way to detect a couple of viruses.
For each low memory read Virus_Checker will cause 2 enforcer hits. One for
the read and one for the zero that was returned. This will happen only when
Virus_Checker starts up and when you cause it to do a full memory scan via
the menu or 'm' key.
There should be 4 enforcer hits. The reads are from location $20 and
location $6c. The other 2 will depend on your setup.
WORKBENCH 2.0 USERS BEWARE
Workbench 2.0 now looks at and acts on the protection flags on each file.
If you have a file that is read protected then Virus_Checker will not be
able to check this file. WB1.3 ignores most of these flags and will happily
read a read protected file.
I got a disk with the BSG9 virus on it and wondered why VC would not pick
it up. I finally did a list on it and saw it only had the delete flag on.
After un-read protecting it VC picked the file up okay.
UPDATE
From version 6.05 VC will warn you if it finds a file that is read
protected. This will allow you to use the Shell command protect to
unprotect the file. Just use
protect filename +r
and then use Virus_Checker to Scan the file again.
FRENCH USERS
Someone has gone to the trouble of translating the Virus_Checker docs into
French. If you wish to get them then please read the following
You can get the French doc from AUGL or order it for 20 French Francs at:
BUGSS
4, Place de L'Aube
33170 GRADIGNAN
FRANCE
Direct any questions to berger@geocub.greco-prog.fr
or berger@platon.greco-prog.fr
COMMAND LINE OPTIONS:
The syntax is:
Virus_Checker [-l###] [-t###] [-w###] [-b] [-q] [-i] [-n] [-m] [dirname]
-l### tells Virus_Checker how far from the left edge of the
screen to open the Virus_Checker window.
-t### tells Virus_Checker how far down from the top edge of
the screen to open the Virus_Checker window.
-w### tells Virus_Checker how wide you want the window. It has
a maximum size of 386 pixels and a minimum of 200. Any
numbers out of this range are ignored.
This is ignored by Workbench 2.0 as there is really no need
for it due to being able to 'pop' the window up when you
want it and hide it when you don't want it.
-b tells Virus_Checker to send its window to the back of all the
other open windows.
-n tells Virus_Checker not to open a window. It will check memory
and disks inserted but you will have to use the ARexx port
or the commodities 'Exchange' program (or the hotkey) to
get it to scan the whole disk for Link/File viruses or to
view the user interface. To stop VC, run VC again, use
the ARexx port, or send it a Kill command from the
commodities 'Exchange' program.
-q tells Virus_Checker to check all memory, files, and disks for
viruses, then exit. To check the dh0: partition and exit,
do the following: "Virus_Checker -q dh0:". This will check
memory, disks, files, and dh0:, then exit.
-i tells Virus_Checker not to put up a requester when it can't read
the bootblock of a disk.
-m tells Virus_Checker to watch the file s:startup-sequence for any
changes. Some viruses will change this file and VC will
catch it. (Only works under WB2.0 and above)
Bug report
There seems to be a bug that if the file is changed VC will
pick it up okay. but if another file is changed in the S:
directory then AmigaDOS tells VC the startup-sequence has been
changed. It is okay again after that. You have been warned
dirname is the directory/file you want checked for File Viruses on
startup. An example to open the window at x/y position of
200/100 and check DH0: is: "Virus_Checker -l200 -t100 dh0:".
For WB2.0 users the command line is
L=LEFT T=TOP B=BACKDROPWINDOW N=NOWINDOW Q=QUIT I=IGNOREBB W=WATCHSS DIR
L=LEFT is the same as -l
T=TOP is the same as -t
B=BACKDROPWINDOW sets the Virus_Checker window as a Backdrop window
N=NOWINDOW is the same as -n
I=IGNOREBB is the same as -i
W=WATCHSS is the same as -m
DIR is the name of a dir/file to check for viruses on startup
an example is
Virus_Checker l 10 top 20 b i dh0:test
This will set the VC window at x/y position of 10,20, make it into a
backdrop window, ignore errors from the BootBlock reads and check the file
dh0:test when it starts up.
For the window coordinates, any values outside the size of the WB
screen are ignored and any non numerical values are ignored. There
must be no spaces between the options and the numbers. Options may be
given in any order.
If Virus_Checker is already running, and you invoke it again from the
command line, you will be asked if you want to kill it. If you answer
yes, the already-running copy will be removed from memory, and you will
have no Virus_Checker running. This will work not if you RUN Virus_Checker,
as you have you be able to answer it's question.
THE WORKBENCH STARTUP:
SPECIAL NOTE:
If Virus_Checker is not run from Workbench it will look for the file
S:VIRUS_CHECKER.INFO This is just a standard workbench info file and can
be used as described in the next section. This is to allow 1.3 users who
run VC from their startup-sequence to config VC easily. It will work for
2.0 users as well. I have done it this way because it is too hard to find
where a program ran from under 1.3. This way I only have to look for 1 file
in one directory.
To use it add the stuff you want under Workbench and save it. Then copy the
Virus_Checker.info file to the S: directory.
Support for the icon stuff has now been put in. These will override the
default settings and also the settings in the S:Virus_Checker.config file.
It will only affect those things that are given in the ICON. The rest will
be left as default or as the config file sets them.
The things that you can put in via the Information menu on Workbench are as
follows. These will be used if VC is started by Workbench
HOTKEY is only used by WB2.0
HOTKEY=string /* HOTKEY=lcommand shift del */
LEFT=num /* LEFT=150 */
TOP=num /* TOP=25 */
WINDOW=ON/OFF /* WINDOW=ON or WINDOW=OFF */
RESIDENT=ON/OFF /* RESIDENT=ON or RESIDENT=OFF */
IGNOREBBERROR=ON/OFF /* Ignore BootBlock Read Error */
/* use IGNOREBBERROR=OFF to turn requester off */
WATCHSS=ON/OFF /* WATCHSS=ON or WATCHSS=OFF */
DF0=ON/OFF /* DF0=ON or DF0=OFF */
|
V ;If Off VC will not check BootBlock or startup-sequence
DF3=ON/OFF
FULLCHECKDF0=ON/OFF /* FULLCHECKDF0=ON or FULLCHECKDF0=OFF */
|
V ;If ON VC will scan all files on the inserted disk.
FULLCHECKDF3=ON/OFF
IN ALL CASES DO NOT USE THE QUOTE MARKS " or ' in any place. VC can see the
spaces between strings without them.
THE AREXX INTERFACE:
VC has an ARexx port, which means you can send VC commands using the
REXX language, available from your Amiga dealer, or as part of the 2.0
Operating System. The port name is "Virus_Checker". Be aware that
case is important and ARexx will not find it if the name is not spelled
right. Here is an example ARexx program that talks to VC:
/* ARexx programs must start with a comment */
address 'Virus_Checker' /* Talk to Virus_Checker */
'checkdrive\df0:' /* Make virus_Checker check df0: */
/* for viruses */
'scanforsaddam\df0:' /* Make VC check df0: for Saddam */
/* virus damage */
'quit' /* Make Virus_Checker shut down. */
'drive\df1: off' /* Turn off df1: from being scanned */
Notice the '\' between the command and the drive name in the middle
examples. This must be put between all commands and their options. 'quit'
does not take an option so does not need the '\' character there.
Virus_Checker will take the following commands:
checkdrive\drivename Check drive 'drivename' for file viruses.
scanforsaddam\drivename Check drive (DF0:-DF3) for Saddam damage.
quit Make Virus_Checker shut down.
saveconfig Save the s:Virus_Checker.file file
window\option Open or Close window (Option = on or off)
drive\df?: option Turn on/off Drive scan (Option = on or off)
resident\option Turn on/off Resident flag "" "" ""
checkfile\device:dir/filename
checkbootblock\df?: Check the Bootblock in df? for viruses
Special note for 'checkfile' command.
This one turns off any requesters while doing it's work. If the command
OPTIONS RESULTS is used it will return RESULT if no virus found or if a
virus is found then the string VIRUSNAME Virus was/is present in the file.
This does not mean the virus is gone as there may have been errors trying
to remove the virus.
This is really for BBS users who want to check files as they come in.
You could write an arexx script to search files and log any that come up
with viruses. Later after findong which ones where infected you would run
VC over them again via the main menu thus making sure they where clear.
CheckBootBlock command
This one also needs the options results and returns messages.
If the disk is clear or you give it a number outside the range of df0: to
df3: it will return 'Okay', if VC had trouble reading the disk the message
returned is 'ERROR reading BOOTBLOCK', if the bootblock is Not the normal
one then 'NON-STANDARD BOOT CODE' is returned. If the Bootblock is
infected then the virus name will be returned. At present there is no way
to clear the virus from Arexx but I am working on it. Requesters are
disabled while this is done.
VIRUS_CHECKER OPERATION:
Upon running Virus_Checker, it will first check your memory for
viruses and tell you if any were detected. They will either be
removed or disabled. Next all disks in the floppy drives will be
checked. Any disk put in any drive (df0: to df3:) will be checked.
If Virus_Checker finds and disables the LAMER virus in memory, the
machine may guru. Once the machine is reset, however, the virus
should be gone.
THE 2.0 USER INTERFACE:
Many Thanks goes to Steve Tibbett for designing and most of the C code for
this section. All I did was translate it into assembly and intergrate it
into Virus_Checker.
This section describes the user interface that Virus_Checker uses
when Kickstart 2.0 is detected in your computer. This section does
not apply for users with Kickstart 1.3.
Kickstart 1.3 users can see the special note for using the Config file
below.
Virus_Checker can be used either with a window open, or with no window
open. When used with the window closed, Virus_Checker will only show
itself when it has something to tell you about. If you insert a disk
containing a virus, Virus_Checker will pop up a requester telling you
about it, and give you some options to deal with it.
The normal Virus_Checker user interface can present itself in two
forms. One is the 'TitleBar Window', where only the close gadget,
the depth gadget, the Zoom gadget, and the program name are visible.
If you click the Zoom gadget, Virus_Checker's window will change into
a window occupying nearly half a normal 640x200 Workbench screen.
This window is broken up into three sections: The Preferences
section, the Files section, and the Drives seection.
In the Preferences section, you can tell Virus_Checker whether it
should open a window or not, whether the window should be a Backdrop
window, and whether Virus_Checker should quit immediately when run,
or whether it should stay resident. You can also set the window
position, and the hotkey that will call Virus_Checker when you want
to open it's window or pop it to the front. (The hotkey format is
described in the AmigaDOS 2.0 manual, in the section on the
commodities exchange). As from 6.05 you can also tell Virus_Checker to
ignore errors when reading the BootBlock. It will be saved in the config
file.
THE DEFAULT HOTKEY is Left-Amiga Shift del
The Files section is where you list the drives or directories that
Virus_Checker will check when you click the Check button. If you
'Add' DF0: and DF1: to the list, then choose Check, then
Virus_Checker will check all the files on both DF0: and DF1: for file
viruses.
The Drives section lets you specify which of your floppy disk drives
will automatically be checked for bootblock and file viruses when you
insert a disk. If you have a program like CrossDOS and you don't want
Virus_Checker looking at the msdos disks then simply disable it and
Virus_Checker will never look at that drive again. Unless you enable it
again.
The Second row of Drive gadgets turn on and off the automatic scanning of
the entire disk. These are disabled by default. If you turn them on, then
Virus_Checker will scan the entire disk every time you insert one.
Checking for file viruses takes some time, so you may not want this on for
a drive that you are constantly moving disks in and out of.
The state of these gadgets is also saved in the Config file.
Any of the Gadgets that have text with an UnderScore beneath then can be
accessed by simply pressing the that key on the keyboard.
For example. If you wished to change the Hotkey you will notice that the H
in HotKey is Underlined. This means simply by pressing the 'h' key that
gadget will become active.
The options that you set in the user interface can be saved to disk
using the Save button. The options are saved to the file
"S:Virus_Checker.Config", and are read from there whenever the
program is loaded.
KEYSTROKES:
The Following keys will activate the following functions, when typed
into the Virus_Checker window:
s - Will activate the Scan mode
m - Will immediately do a complete memory scan (same as startup)
f - Will activate the Saddam Disk Scan (used to fix Saddam virus damage)
0 - 3 Will check the First File in startup-sequence and bootblock on disk
in drive which matches number
There are also some options on the menu (hold the right mouse button
to get to the menus) which have keyboard-equivalent shortcuts. These
are next to the inverse A on the menu.
LINK/FILE VIRUS CHECK:
If you want to check a disk for Link/File viruses then put the disk in
any drive. Make sure the Virus_Checker window is active and use the right
mouse button to bring up the Project Menu. Select the "Link/File Scan"
and release the mouse button. An alternative way is to just press
the 's' key on the keyboard.
This will bring up a requester asking you which drive to check. Enter
the drive name in the box, eg. DF0:, DH1:,RAD: etc. Under WB2.0 you
can also use the "Use Requester" option. It will then check all the
files on that drive. You can also enter directories if you want to
eg, c: df0:c, df0:libs etc.
When Virus_Checker is scanning the disk and you know that a directory
is clear and don't want to check it press control-d in the window
with the filenames and Virus_Checker will ignore that directory and
go back up one level.
If you want to stop the check completely press control-c in the
window with the filenames and Virus_Checker will print a break
message then stop scanning the disk and go back to normal scanning.
If Virus_Checker brings a requester up that says a program just run
has infected your memory with the Xeno Virus, it has already disabled
it. You should immediately check all files on the disks that are in
the drives at that time. This means that a program that you just ran
or a program some other program just ran is infected with the virus
and all files should be checked to find out which one it was.
With viruses which use a RomTag I have decided to clear out all
RomTags to make sure I remove the Viruses from the list. In doing
this you will lose things like Recoverable ram disks such as RAD:,
VD0: etc. If you have a virus make sure that you save anything in the
ram disks that you want before rebooting. The ramdisks and others
will disappear on a reboot. My policy is better safe than sorry.
BRAINFILE ADDITION:
When VC finds a Non-Standard bootblock it will bring up 4 gadgets.
One of these gadgets is Learn. Pressing this will allow VC to
remember this BootBlock and not bother you again with it. To do this
VC writes a file called VCBrainFile to the S: directory. If you have
a single drive this will invoke a requester asking that Volume
something be put in the drive. This will then save to the file. On
Startup VC will check for the file in the S: directory and read it if
it is there. If not it will carry on without it. If you get an error
then VC will tell you about it and will happily write over the file
next time.
NON-STANDARD BOOT CODE:
When Virus_Checker brings up a Requester that says the disk has
non-standard boot code, this means that the code in the boot block is
not what should be there. This does not mean that it is a virus as
many games use copy protection in their boot blocks, and there are many
bootblocks that do interesting things, that are not viruses. You
should however be cautious if it is not a game. Do not replace the
boot block if you are not sure. If something strange happens then
please send a copy of the disk to me so that I can check it out. To
determine if an unknown bootblock is likely a virus:
1. Format a blank disk so you know it is clear.
2. Make sure all disks except the one just formatted are write protected.
3. Boot from the disk that you suspect.
4. Place formatted disk in drive zero and then reboot.
5. Take disk out of drive zero and turn off computer for about 30 secs.
6. Run the Virus_Checker program. If the Virus_Checker finds
non-standard boot code on the newly formatted disk, you have found a
new virus. Please send it to me.