----------------------------------------------------------------------------
HTScan Version 1.17 Date 16-04-92
(C) 1990-1992 by Harry Thijssen
----------------------------------------------------------------------------
CONTENTS
1. INTRODUCTION
1.1. Purpose of HTSCAN
1.2. A quick start
1.3. Benefits
1.3.1. Flexibility
1.3.2. Reliability
1.3.3. Future use and speed
1.3.4. DOS 5.x and Upper-Memory-Blocks
1.3.5. Security
2. USAGE
2.1. Syntax
2.1.1. Drive and path
2.1.2. Options
2.1.3. Advanced options
2.1.4. Explanation of some options
2.2. Exit Codes
2.3. Configuration file
2.4. Message file
2.5. Residence of HTSCAN.EXE
2.6. Residence of the signature lists
3. SIGNATURE FILES
3.1. VIRSCAN format
3.2. HTSCAN format
3.3. VIRUSBUL format
3.4. MCAFEE format
3.5. Switches in the signature files
3.6. VIRSCAN.DAT file
3.6.1. Signature format
3.6.2. Recommended usage
3.6.3. Checksum
3.6.4. Where to find VIRSCAN.DAT
3.7. ADDNSIGS.DAT file
3.7.1. Signature format
3.7.2. Recommended usage
3.7.3. Where to find ADDNSIGS.DAT
3.8. AVR modules
3.8.1. AVR format
3.8.2. Recommended usage
3.8.3. Where to find AVR modules
3.9. COMPRSCA.DAT
3.9.1. Signature format
3.9.2. Recommended usage
3.9.3. Where to find COMPRSCA.DAT
3.10. HTSCAN.DAT file
3.10.1. Signature format
3.10.2. Recommended usage
3.11. HTTROJAN.DAT file
3.11.1. Signature format
3.11.2. Recommended usage
3.11.3. Where to find HTTROJAN.DAT
3.12. VIRUSBUL.DAT file
3.12.1. Signature format
3.12.2. Recommended usage
3.13. MCAFEE.DAT file
3.13.1. Signature format
3.13.2. Recommended usage
4. MESSAGES
4.1. Virus in memory
4.2. Compressed files
4.3. Invalid date/time
4.4. EXE/COM extension exchanged
4.5. Unusual values in boot-sector
5. TIPS
5.1. Running HTSCAN
5.2. Routine scanning and /A
5.3. Scanning when probably infected
5.4. Compressed files and scanning from a .BAT file
5.5. Backups
6. WHAT TO DO IF YOU FIND A VIRUS?
6.1. Recommended approach
6.2. If you don't have a backup and it is a known virus
6.3. If you don't have a backup and it is an unknown virus
7. HOW TO PREVENT A VIRUS INFECTION?
8. LICENSES
9. DISCLAIMER
10. MISCELLANEOUS INFORMATION
10.1. Requirements
10.2. Copyrights and trademarks
10.3. New versions
10.4. Questions, suggestions or problems
10.5. Translations
10.6. Thanks
APPENDICES
I. APPENDIX A. Examples of invoking HTSCAN
II. APPENDIX B. Examples of HTSCAN style signatures
III. APPENDIX C. Addresses for experienced help
C.1. If you have access to a modem
C.2. If you don't have access to a modem
IV. APPENDIX D. Example batch file
1. INTRODUCTION
1.1. Purpose of HTSCAN
HTSCAN is a user programmable virus-scanner. It is designed to
detect and identify known viruses within files, boot-sectors,
main-boot-record(s) (partition-tables) and memory. You can use HTSCAN for
scanning all your floppy-disks, hard-disks and network-drives.
1.2. A quick start
First of all, the master rules when dealing with viruses:
- Cold-boot the machine to be scanned from a clean write-protected
floppy-disk. Control-Alt-Del is not enough!
- Run HTSCAN from a write-protected floppy-disk after cold-booting
your PC, before starting any other program!
For a quick start, place HTSCAN.EXE, HTSCAN.OVR, HTSCAN.LNG, VIRSCAN.DAT
and/or HTSCAN.DAT and/or VIRUSBUL.DAT on a clean bootable floppy-disk.
Make the floppy-disk write-protected. Now you can boot the PC you want
to scan from this floppy-disk and start HTSCAN with:
HTSCAN A:\
if the floppy with HTSCAN is in drive A: or:
HTSCAN B:\
if the floppy with HTSCAN is in drive B:.
If HTSCAN doesn't report any infections, you may scan your disk(s)
with:
HTSCAN C:\
or
HTSCAN C:\ D:\
etc.
1.3. Benefits
1.3.1. Flexibility
HTSCAN is a flexible, programmable virus-scanner. It uses the text files
VIRSCAN.DAT, HTSCAN.DAT, HTTROJAN.DAT, VIRUSBUL.DAT and MCAFEE.DAT as
signature lists. If a new virus is discovered, all you have to do is add
its signature to one of the signature lists. Several types of wildcards
in the scan-strings of the signatures are supported.
1.3.2. Reliability
Reliability was, and still is, a major goal for HTSCAN. For this reason
HTSCAN scans the whole file starting with the first byte, ending with the
last. No trick is used to reduce the number of bytes to scan.
1.3.3. Future use and speed
HTSCAN is designed to scan for a large number of virus signatures in the
future. The only limit is the amount of free memory, which is reached at
about 4000 virus-signatures. Because of its design, HTSCAN does not slow
down significantly when scanning for such a large number of viruses. In
fact it doesn't matter whether you scan an item, e.g. *.COM, for 1 or for
100 viruses.
1.3.4. DOS 5.x and Upper-Memory-Blocks
Since DOS 5.x was released, the Upper-Memory-Blocks and the High-Memory-Area
(HMA) can be addressed with standard software. One of the negative
side-effects is that a resident virus may now install itself in these
memory areas. Of course HTSCAN fully supports scanning these areas.
1.3.5. Security
HTSCAN performs a self-test at every startup to make sure HTSCAN.EXE has
not been altered. If it has been altered, it prints a message and aborts.
Although this is a benefit, realize that once HTSCAN itself has been
infected you can no longer use it to find out which virus is causing the
trouble. So be sure to keep at least one copy on a write-protected
floppy-disk.
2. USAGE
2.1. Syntax
The call is:
HTSCAN [@]<path>... [option]...
or
HTSCAN [&]<drive>[..<drive>] [option]...
2.1.1. Drive and path
Path:
disk
or
disk and path
or
disk, path and filename
or
@filename
When the filename is preceded with a "@", it is a listfile with the
names of files, directories or drives to scan.
When the drive name is preceded with a "&", this means scan all
drives starting with the named drive and, when specified, ending with
the drive specified after the "..". When no ending drive is specified,
HTSCAN will scan all drives starting with the specified one.
(On some networks "&" will do nothing.)
See appendix A for examples.
2.1.2. Options
/A ; scan all files for all file-viruses
/B- ; don't beep when an infection is found
/B+ ; beep when an infection is found (default)
/D ; delete/rename infected files
; (HTSCAN will prompt before deleting/renaming)
/I ; license info
/R ; rename infected files
; (HTSCAN will prompt you before renaming)
/M ; scan all memory for all viruses
/M- ; don't scan memory for viruses
/M+ ; scan all memory for all viruses (same as /M)
/N ; do not include sub-directories
/O[=]<log-file> ; place logging in the specified file
/P- ; don't prompt before scrolling the screen
/P+ ; prompt before scrolling the screen
; (default when /O is not used)
/Q ; quiet mode, don't display filenames
/Q+ ; semi quiet mode, display only directory names
/S ; skip boot-record(s)
/U- ; don't scan upper memory blocks for viruses
/U+ ; scan upper memory blocks for all resident viruses
; (default when DOS 5.x or QEMM is used)
/V[=]<sig. list>; use the specified virus-signature list or directory
/W- ; don't warn when compressed/self-extracting files are found
/X ; scan multiple floppies
2.1.3. Advanced options
Miscellaneous
/$M=<directory> ; specifies where infected files should be moved to
/$U ; run unattended.
; Don't prompt for renaming, deleting and moving files
/$USlow ; slow down upper-memory scan to avoid hardware errors
/$W+ ; use new errorlevel when ending the program (default)
/$W- ; use old errorlevel when ending the program
/$? ; for help about the advanced options
Screen related
/$T=<n> ; preserve the top n lines for a shell program
/$B=<n> ; preserve the bottom n lines for a shell program
Network related
/$NOE ; suppress open-error messages
Research related
/$A ; display all scanned files, whether infected or not
; (in log-file only)
/$G ; scan COM and EXE files for all boot-record viruses.
; If /A is also used, all files are scanned for
; boot-record viruses.
/$O ; display the offset where the scan-string is found
; (in log-file only)
2.1.4. Explanation of some options
/$USlow
On some computers HTSCAN scans the upper-memory-blocks too fast for the
hardware, which may result in hardware errors. With /$USLOW you can slow
down the scanning of the upper-memory-blocks.
/$NOE
A common problem on networks is that not all files can be opened,
resulting in a large number of error messages. For this HTSCAN has the
switch /$NOE (which means -- No Open Error --).
/$NOE suppresses the error message generated by an attempt to open an
execute-only file, a busy file etc.
2.2. Exit Codes
By default, or when /$W+ is used, HTSCAN exits with the following
exit codes:
0 : Normal termination, no viruses found.
1..49 : One or more warnings issued.
50..74 : Program interrupted by user.
75..99 : A program error occurred.
100..149 : Operator error.
150..174 : Error in signature-file.
175..199 : One or more trojans/jokes found.
200..255 : One or more viruses found.
When /$W- is used, HTSCAN will exit with the following exit codes:
0 : Normal termination, no viruses found
1 : One or more viruses found
> 1 : Abnormal termination (Error)
Note: The default in this release is /$W+.
In earlier versions the default was /$W-.
2.3. Configuration file
HTSCAN should be run frequently. Although the default switch settings
are right for routine scanning, some people always use certain
command-line switches, and entering them over and over again is tedious.
This is not necessary at all: you can place your own command-line
switches in the file HTSCAN.CFG in the current directory or in the same
directory as HTSCAN.EXE. The configuration file may contain all
command-line options on one line, separated by spaces, or one option per
line. A switch given on the command line overrules the same switch in the
configuration file. Have a look at HTSCAN.CFG in EXAMPLES.ZIP for an
example.
2.4. Message file
In a company environment it is often useful if a scanner can give users
clear instructions in their native language. With HTSCAN you can put such
messages/instructions in the file HTSCAN.MSG, with different messages for
different errorlevels. Place HTSCAN.MSG in the current directory or in
the same directory as HTSCAN.EXE. The message corresponding to HTSCAN's
errorlevel is displayed when HTSCAN ends. Have a look at HTSCAN.MSG in
EXAMPLES.ZIP for an example.
2.5. Residence of HTSCAN.EXE
Like every other virus-fighter, this program should be placed on a clean
write-protected floppy before it is used. Boot from a clean
write-protected floppy-disk and start HTSCAN from there. If you think it
is awkward to run a program from a floppy-disk like this, I agree.
Unfortunately it is the only way to catch all viruses.
2.6. Residence of the signature lists
If /V is not used to give the name of the virus-signature file, or the
directory where HTSCAN.DAT and/or VIRSCAN.DAT and/or VIRUSBUL.DAT can be
found, HTSCAN first looks in the current directory for a file named
HTSCAN.DAT, VIRSCAN.DAT or VIRUSBUL.DAT. If none is found, HTSCAN looks
for these files in the directory where HTSCAN.EXE resides. HTSCAN uses
all signature-files found in that directory; e.g. if HTSCAN.DAT and
VIRSCAN.DAT are both in the current directory, both files are used.
3. SIGNATURE FILES
3.1. VIRSCAN format
Format of a virus signature entry
<Virus name>
<Affected items>
<Virus signature>
Lines starting with ';' are treated as comment.
Virus name
Any name of 1 to 30 characters.
Affected items
BOOT/COM/EXE/LOW/HIGH separated by blanks
item scanning
LOW : Memory beneath HTSCAN (beneath PSP)
HIGH : Conventional memory above HTSCAN
BOOT : Boot-Sectors and Main-Boot-Records (Partition-Sectors)
COM : *.COM files and, if at least 1 signature contains a
EXE item, .EXE files without EXE header
EXE : *.EXE files and, if at least 1 signature contains a
COM item, .COM files with EXE header
Virus signature
Any hex string. The hex string should have a min. length of 8
and a max. length of 80 characters.
? means: everything in this nibble (half byte) is ok.
%x means: ignore up to x bytes of garbage.
%x after %x is allowed.
For example:
%F%F means ignore up to 30 bytes.
*x means: ignore x bytes of garbage.
x can be 1 to F.
After a "*x" byte, the next byte may contain again "*x" but
not "?".
** means: ignore up to 255 bytes of garbage.
HTSCAN is only reliable if the complete virus-string is found within
1024 bytes or less.
3.2. HTSCAN format
The HTSCAN format is a superset of the VIRSCAN format.
Format of a virus signature entry
<Virus name>
<Affected items>
<Virus signature>
Lines starting with ';' are treated as comment by HTSCAN.
Lines starting with ';%' are displayed on the screen.
Virus name
Any name of 1 to 80 characters.
If the second character is a space, the first character describes the
kind of "infection" found.
C -> Compressed
D -> Dropper
F -> Found
I -> Infected
J -> Joke
O -> Overwritten
S -> Self-Extracting
T -> Trojanized
If the first character is not one of the characters above or not a
capital, the signature will be treated as a virus-signature.
Affected items
PART/BOOT/SYS/COM/EXE/OVL/BIN/PIF/LOW/HIGH/UMB separated by blanks
item scanning
LOW : Memory beneath HTSCAN (beneath PSP)
HIGH : Conventional memory above HTSCAN
UMB : Upper memory blocks. Usually 640 Kb up to 1 Mb.
If available, HMA will be treated as UMB.
MAIN : Main-Boot-Records (Hard-Disk only)
(alias PART) (The Main-Boot-Record is also called Partition-Table)
BOOT : Boot-Sectors and Main-Boot-Records
SYS : *.SYS files
COM : *.COM files and, if at least 1 signature contains a
EXE item, .EXE files without EXE header
EXE : *.EXE files and, if at least 1 signature contains a
COM item, .COM files with EXE header
OVL : *.OV* files
(alias OV*)
BIN : *.BIN files
PIF : *.PIF files
Virus signature
Any hex string. A space as separator is allowed. The hex string
should have a min. length of 8 and a max. length of 100 characters.
? means: everything in this nibble (half byte) is ok.
*x means: ignore x bytes of garbage.
x can be 1 to F.
After a "*x" byte, the next byte may contain again "*x" but
not "?".
*(x) : same as above. However x can be 1 to 254.
** means: ignore up to 255 bytes of garbage.
%x means: ignore up to x bytes of garbage.
%x after %x is allowed.
%(x) : same as above. However x can be 1 to 254.
For example:
%(30) means ignore up to 30 bytes and is the same as %F%F
{ means: start of an XORred part of the signature.
} means: end of an XORred part of the signature.
XX points to the place in the file where XOR value can be found.
If XX is not specified in the scan-string, HTSCAN tries the XOR values
0..255.
Spaces within the virus-signatures are ignored.
If you like, you can also specify normal text as a virus signature by
putting the text between double quotation marks. When this syntax is
used, a question mark and an asterisk are treated as normal text.
HTSCAN is only 100% reliable if the complete virus-string is found
within 1024 bytes or less.
See appendix B for examples of HTSCAN style signatures.
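The following Python program is an added example for sections 3.1 and 3.2; it is not part of HTSCAN or its distribution. It parses a signature list written in the HTSCAN format (which contains the VIRSCAN format as a subset), compiles each scan-string, including the ?, *x, *(x), **, %x, %(x) and "text" wildcards, into a regular expression over bytes, and searches constructed byte buffers with it, honouring the affected-items line. The XOR syntax ({, } and XX) is deliberately left unsupported. The sample entries and the bytes they are run against are made up for this example and are not real virus signatures.

```python
import re
from dataclasses import dataclass, field

# Keywords allowed on the "affected items" line (section 3.2).
ITEMS = {"PART", "MAIN", "BOOT", "SYS", "COM", "EXE", "OVL", "OV*",
         "BIN", "PIF", "LOW", "HIGH", "UMB"}
# Infection kinds signalled by a capital first letter followed by a space.
KINDS = {"C": "Compressed", "D": "Dropper", "F": "Found", "I": "Infected",
         "J": "Joke", "O": "Overwritten", "S": "Self-Extracting",
         "T": "Trojanized"}
HEXQ = set("0123456789ABCDEF?")


@dataclass
class Signature:
    name: str
    kind: str                 # "Virus" or one of the KINDS values
    items: list
    regex: re.Pattern = field(repr=False)


def _byte_class(hi, lo):
    """Regex for one byte from two hex digits; '?' means any nibble."""
    his = range(16) if hi == "?" else [int(hi, 16)]
    los = range(16) if lo == "?" else [int(lo, 16)]
    vals = [h << 4 | l for h in his for l in los]
    if len(vals) == 256:
        return b"."
    if len(vals) == 1:
        return re.escape(bytes(vals))
    return b"[" + b"".join(b"\\x%02X" % v for v in vals) + b"]"


def compile_scan_string(sig):
    """Translate one scan-string into a compiled bytes regex.

    Handles hex pairs, the '?' nibble wildcard, *x and *(x) exact skips,
    ** and %x / %(x) bounded skips, and "text" literals.  The XOR syntax
    ({ ... } and XX) of section 3.2 is not implemented in this example.
    """
    if not 8 <= len(sig.replace(" ", "")) <= 100:
        raise ValueError("scan-string must be 8..100 characters: %r" % sig)
    parts, i = [], 0
    while i < len(sig):
        c, peek = sig[i].upper(), sig[i + 1:i + 2].upper()
        if c == " ":                              # separators are ignored
            i += 1
        elif c == '"':                            # literal text
            j = sig.index('"', i + 1)
            parts.append(re.escape(sig[i + 1:j].encode("latin-1")))
            i = j + 1
        elif c == "*" and peek == "*":            # **: up to 255 bytes
            parts.append(b".{0,255}")
            i += 2
        elif c in "*%":                           # *x/*(x) exact, %x/%(x) up to
            if peek == "(":
                j = sig.index(")", i)
                n, i = int(sig[i + 2:j]), j + 1
            else:
                n, i = int(peek, 16), i + 2
            if not 1 <= n <= 254:
                raise ValueError("skip count out of range in %r" % sig)
            parts.append(b".{%d}" % n if c == "*" else b".{0,%d}" % n)
        elif c in HEXQ and peek in HEXQ:
            parts.append(_byte_class(c, peek))
            i += 2
        else:                                     # includes the { } XOR markers
            raise ValueError("unsupported token %r in %r" % (sig[i], sig))
    return re.compile(b"".join(parts), re.DOTALL)


def parse_signature_file(text):
    """Parse three-line entries: name, affected items, scan-string.
    Lines starting with ';' (including the ;$ switches) are comments."""
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith(";")]
    if len(lines) % 3:
        raise ValueError("entry count is not a multiple of three lines")
    sigs = []
    for name, items, scan in zip(lines[0::3], lines[1::3], lines[2::3]):
        if not 1 <= len(name) <= 80:
            raise ValueError("virus name must be 1..80 characters")
        kind = "Virus"
        if len(name) > 2 and name[1] == " " and name[0] in KINDS:
            kind, name = KINDS[name[0]], name[2:]
        item_list = items.upper().split()
        unknown = set(item_list) - ITEMS
        if unknown:
            raise ValueError("unknown affected items: %s" % sorted(unknown))
        sigs.append(Signature(name, kind, item_list, compile_scan_string(scan)))
    return sigs


def scan_buffer(sigs, data, item):
    """Return (kind, name, offset) for every signature whose affected items
    include 'item' and whose scan-string matches somewhere in data."""
    hits = []
    for sig in sigs:
        if item.upper() in sig.items:
            m = sig.regex.search(data)
            if m:
                hits.append((sig.kind, sig.name, m.start()))
    return hits


# Constructed demo list in HTSCAN format; the bytes are NOT real virus
# signatures, they only exercise the wildcard syntax.
SAMPLE_LIST = """\
;$HS+
; constructed entries for this example
Demo-A
COM EXE
E9 ?? ?? B4 4A %(6) CD 21
T Demo-Trojan
COM
"PAY ME" *2 B8 00 4C
Demo-Boot
BOOT
FA 33 C0 8E D0 BC 00 7C *(3) FB
"""
```

Call parse_signature_file on the list once, then scan_buffer on the bytes of each object with its item type ("COM", "EXE", "BOOT", ...); a full scanner would additionally map .COM files with an EXE header to the EXE item as 3.2 describes, and enforce the 1024-byte span limit stated above.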
3.3. VIRUSBUL format
Format of a virus signature entry in VIRUSBUL style:
<Virus name>
<Affected items>
<Virus signature>
Lines starting with ';' are treated as comment by HTSCAN.
Lines starting with ';%' are displayed on the screen.
Virus name
Any name of 1 to 80 characters.
Affected items
C/E/N/P/D/M/R/?
? Means CEDMR.
Virus signature
Any hex string. A space as separator is allowed. The hex string
should have a min. length of 8 and a max. length of 100 characters.
Wildcards are supported like in HTSCAN style.
Look at the file VIRUSBUL.DAT in EXAMPLES.ZIP for examples of this
format.
Refer to Virus-Bulletin for further information and scan-strings.
3.4. MCAFEE format
Format of a virus signature entry in MCAFEE style:
"<Virus signature>"<Virus name>
Lines starting with '#' are treated as comment by HTSCAN.
Lines starting with '#%' are displayed on the screen.
Virus signature
Any hex string. A space as separator is allowed. The hex string
should have a min. length of 8 and a max. length of 100 characters.
Virus name
Any name of 1 to 25 characters.
HTSCAN will scan all memory, boot-sectors, .COM and .EXE files for all
signatures in MCAFEE style.
Look at the file MCAFEE.DAT in EXAMPLES.ZIP for examples of this
format.
3.5. Switches in the signature files
You can switch the HTSCAN format on with ";$HS+".
You can switch the Virus-Bulletin format on with ";$VB+" and off with
";$VB-", on a separate line in the signature-files.
You can switch the McAfee format on with ";$MA+" and off with ";$MA-",
on a separate line in the signature-files.
You can switch the entry-point + 512 bytes mode on with ";$IP+" and off
with ";$IP-", on a separate line in the signature-files.
3.6. VIRSCAN.DAT file
3.6.1. Signature format
VIRSCAN.DAT uses by default the VIRSCAN format described in 3.1.
3.6.2. Recommended usage
I recommend to use the signature file VIRSCAN.DAT unmodified.
Collect your own signatures in the file HTSCAN.DAT.
3.6.3. Checksum
HTScan checks the checksum in VIRSCAN.DAT to detect unauthorized changes
in VIRSCAN.DAT.
3.6.4. Where to find VIRSCAN.DAT
VIRSCAN.DAT contains a VERIFIED list of virus signatures. Several
Bulletin Boards over the world have a copy of this file available for
download or file-request under the name:
VSIGyyxx.ZIP - latest VERIFIED version of VIRSCAN.DAT
where yy is the year and xx a sequence number.
The MASTER copy of this file is maintained and available on:
Bamestra RBBS, The Netherlands (FIDO 2:512/10.0)
phone: ++31 2998 3602 or ++31 2998 3603 (HST/CM)
The signatures in VIRSCAN.DAT are collected by Jan R. Terpstra.
(SysOp Bamestra BBS)
See also 10.3
3.7. ADDNSIGS.DAT file
3.7.1. Signature format
ADDNSIGS.DAT uses by default the VIRSCAN format described in 3.1.
3.7.2. Recommended usage
To use ADDNSIGS.DAT, you have to place it in the same directory as
VIRSCAN.DAT/HTSCAN.DAT/VIRUSBUL.DAT. ADDNSIGS.DAT is an addition to other
virus-signature files. It is not possible to use HTSCAN with ADDNSIGS.DAT
only.
3.7.3. Where to find ADDNSIGS.DAT
ADDNSIGS.DAT contains emergency additions to VIRSCAN.DAT. It is
distributed when a rapidly spreading virus is discovered.
ADDNSIGS.DAT is distributed in ASIGyynn.ZIP, where yy is the year and nn
a sequence number. This file has a rather short life, as all emergency
updates are moved over to VIRSCAN.DAT in the next release.
The MASTER copy of this file is maintained and, if existent,
available on:
Bamestra RBBS, The Netherlands (FIDO 2:512/10.0)
phone: ++31 2998 3602 or ++31 2998 3603 (HST/CM)
The signatures in ADDNSIGS.DAT are collected by Jan R. Terpstra.
(SysOp Bamestra BBS)
See also 10.3
3.8. AVR modules
3.8.1. AVR format
AVR's are algorithmic virus recognition modules. The format is not
public.
3.8.2. Recommended usage
To use an AVR module, you have to place it in the same directory as
VIRSCAN.DAT/HTSCAN.DAT/VIRUSBUL.DAT. An AVR is an addition to other
virus-signature files. It is not possible to use HTSCAN with an AVR file
only.
3.8.3. Where to find the AVR modules
The AVR modules are available in VSIGyynn.ZIP. For further information
about VSIGyynn.ZIP see 3.6.4.
3.9. COMPRSCA.DAT
3.9.1. Signature format
COMPRSCA.DAT uses by default the VIRSCAN format described in 3.1.
3.9.2. Recommended usage
COMPRSCA.DAT contains signatures to detect compressed files. It is not
necessary for the virus-scanner, but could give you some info about the
possible source of an infection. See also 4.2. for more information.
To use COMPRSCA.DAT, you have to place it in the same directory as
VIRSCAN.DAT/HTSCAN.DAT/VIRUSBUL.DAT. COMPRSCA.DAT is an addition to other
virus-signature files. It is not possible to use HTSCAN with COMPRSCA.DAT
only.
3.9.3. Where to find this COMPRSCA.DAT
COMPRSCA.DAT is available in VSIGyynn.ZIP. For further information
about VSIGyynn.ZIP see 3.6.4.
3.10. HTSCAN.DAT file
3.10.1. Signature format
HTSCAN.DAT uses by default the HTSCAN format described in 3.2.
3.10.2. Recommended usage
I recommend collecting your own signatures in the file HTSCAN.DAT in
the same directory as VIRSCAN.DAT. That way a new update of VIRSCAN.DAT
can be copied over the old version without losing your own collection of
signatures.
3.11. HTTROJAN.DAT file
3.11.1. Signature format
HTTROJAN.DAT uses by default the HTSCAN format described in 3.2.
3.11.2. Recommended usage
HTTROJAN contains signatures of trojans and jokes. To use it, you have to
place HTTROJAN.DAT in the same directory as VIRSCAN.DAT/HTSCAN.DAT/
VIRUSBUL.DAT. HTTROJAN.DAT is an addition to other virus-signature files.
It is not possible to use HTSCAN with HTTROJAN.DAT only.
3.11.3. Where to find this HTTROJAN.DAT
The latest update of HTTROJAN.DAT is always available within the
HTTROJxx.ZIP archive at INFOdesk the Hague. Magic-file name HTTROJAN.
3.12. VIRUSBUL.DAT file
The fourth signature-file is VIRUSBUL.DAT. In this file you can type in
the signatures published by Virus-Bulletin, in a format almost identical
to the one used in Virus-Bulletin.
3.12.1. Signature format
VIRUSBUL.DAT uses by default the VIRUSBUL format described in 3.3.
3.12.2. Recommended usage
Collect the signatures published in Virus-Bulletin in the file
VIRUSBUL.DAT. If you use VIRUSBUL.DAT and VIRSCAN.DAT, place them in the
same directory.
3.13. MCAFEE.DAT file
The fifth signature-file is MCAFEE.DAT. In this file you can type in
signatures published in McAfee style.
3.13.1. Signature format
MCAFEE.DAT uses by default the MCAFEE format described in 3.4.
3.13.2. Recommended usage
Collect the signatures published in a McAfee style in the file
MCAFEE.DAT. To use it, you have to place MCAFEE.DAT in the same directory
as VIRSCAN.DAT/HTSCAN.DAT/VIRUSBUL.DAT. MCAFEE.DAT is only an addition to
other virus-signature files. It is not possible to use HTSCAN with
MCAFEE.DAT only.
4. MESSAGES
4.1. Virus in memory
If a virus is found in memory, HTSCAN stops, issues a warning and asks
whether it should continue. Don't continue unless you are absolutely
sure the virus will not harm your files and/or disks.
If you are not sure, follow the instructions:
- turn your computer off using the power-switch
- wait at least 30 seconds
- boot from a write-protected clean floppy-disk
- start HTSCAN again from clean write-protected floppy-disk
4.2. Compressed files.
HTSCAN gives a warning when a compressed executable file is found. The
name(s) of the compressed file(s) and the compression utility are listed
in the message window on the screen and in the log-file. In the final
report, the message "x Compressed executable file(s) found." appears on
the screen.
HTSCAN will NOT decompress these files.
HTSCAN will look for executable files compressed with:
DIET version 1.00d
EXEPACK several versions
LZexe version 0.91
PKLite version 1.03/1.05
and self-extracting files compressed with:
ARJ version 1.00/1.10/2.00/2.10
LHA version 2.10
LHarc version 1.13
PAK version 2.50
PKZip version 1.10
If a compressed file is found, HTSCAN can't scan inside it. If it is a
new file, decompress it and scan its contents with HTSCAN. If the
warning was triggered by an old file which hasn't changed, and no
infection was found in other files, don't bother about the compressed
files. When a compressed file is found, the errorlevel will be > 0.
4.3. Invalid date/time.
HTSCAN gives a warning when it finds a file with an invalid date/time.
(A year > 2000 is treated as illegal!)
The name(s) of the file(s) are listed in the message window on the
screen and in the log-file. In the final report, the message "x File(s)
with an illegal date/time found." appears on the screen.
Many viruses use an invalid date/time for self-recognition. When a file
with an invalid date/time is found, the errorlevel will be > 0.
4.4. EXE/COM extension exchanged.
HTSCAN gives a warning when it finds an EXE file without an EXE header
or a COM file with an EXE header. The name(s) of the file(s) are listed
in the message window on the screen and in the log-file. In the final
report, the message "x File(s) with an exchanged COM/EXE header found."
appears on the screen. When a file with an exchanged EXE/COM extension
is found, the errorlevel will be > 0.
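As an added example for sections 4.3 and 4.4 (this is not code from HTSCAN), the following Python decodes the two 16-bit words a FAT directory entry uses for date and time and applies the two checks behind these warnings: a field out of range, and an EXE header under the wrong extension. The seconds field of a FAT timestamp counts 2-second units, so a stored value of 30 or 31 decodes to 60 or 62 seconds, an impossible stamp of the kind viruses use as an infection marker. The sample directory entries are constructed. The year-2000 cutoff is the manual's 1992 rule and is kept as a parameter; whether HTSCAN accepts the alternative "ZM" header mark is not stated in the manual, so the example follows the MS-DOS loader, which accepts both "MZ" and "ZM".

```python
def encode_dos_timestamp(year, month, day, hour, minute, second):
    """Pack a date/time into the two 16-bit words of a FAT directory entry."""
    date_word = ((year - 1980) << 9) | (month << 5) | day
    time_word = (hour << 11) | (minute << 5) | (second // 2)
    return date_word, time_word


def decode_dos_timestamp(date_word, time_word):
    """Unpack the FAT words: date = yyyyyyym mmmddddd, time = hhhhhmmm mmmsssss.
    The seconds field holds 2-second units, so 30 and 31 decode to 60 and 62."""
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    return year, month, day, hour, minute, second


def timestamp_is_valid(date_word, time_word, max_year=2000):
    """True when every field is in range.  max_year=2000 mirrors the manual's
    1992 rule that a year above 2000 is illegal; raise it for today's files."""
    year, month, day, hour, minute, second = decode_dos_timestamp(date_word, time_word)
    return (1 <= month <= 12 and 1 <= day <= 31 and hour <= 23
            and minute <= 59 and second <= 59 and year <= max_year)


def header_matches_extension(filename, data):
    """False for a .EXE without an EXE header or a .COM that carries one.
    The MS-DOS loader accepts both "MZ" and "ZM" as the EXE header mark."""
    has_exe_header = data[:2] in (b"MZ", b"ZM")
    ext = filename.rsplit(".", 1)[-1].upper() if "." in filename else ""
    if ext == "EXE":
        return has_exe_header
    if ext == "COM":
        return not has_exe_header
    return True            # other extensions are not checked here


def check_entries(entries, max_year=2000):
    """Return (filename, reason) for every entry that would draw a warning."""
    warnings = []
    for name, date_word, time_word, head in entries:
        if not timestamp_is_valid(date_word, time_word, max_year):
            warnings.append((name, "illegal date/time"))
        if not header_matches_extension(name, head):
            warnings.append((name, "exchanged COM/EXE header"))
    return warnings


# Constructed directory entries: (filename, date word, time word, first bytes).
_D, _T = encode_dos_timestamp(1992, 4, 16, 12, 30, 0)
SAMPLE_ENTRIES = [
    ("GOOD.COM",    _D, _T, b"\xE9\x10\x00"),
    ("GOOD.EXE",    _D, _T, b"MZ\x90\x00"),
    ("MARKED.COM",  _D, (_T & ~0x1F) | 31, b"\xE9\x10\x00"),  # 62-second stamp
    ("LATE.EXE",    *encode_dos_timestamp(2001, 1, 1, 0, 0, 0), b"MZ\x90\x00"),
    ("SWAPPED.COM", _D, _T, b"MZ\x90\x00"),    # EXE header under a .COM name
    ("SWAPPED.EXE", _D, _T, b"\xB8\x00\x4C"),  # .EXE file without EXE header
]

if __name__ == "__main__":
    for name, reason in check_entries(SAMPLE_ENTRIES):
        print("%-12s %s" % (name, reason))
```

On a real disk the date and time words come straight from the 32-byte directory entries (offsets 22 and 24 for time and date in a FAT entry), and the first two bytes of each file from its data; both checks are cheap enough to run on every file in a routine scan.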
4.5. Unusual values in boot-sector
HTSCAN will give a warning when it finds unusual values in a boot-
sector. Unusual values are reported in the message window on the screen
and in the log-file. Some boot-sector viruses will trigger this
warning. Unfortunately, a floppy used by PcBackup will trigger this
warning too.
5. TIPS
5.1. Running HTSCAN
It is necessary to cold-boot from a clean write-protected DOS floppy-disk
before running HTSCAN from a clean write-protected floppy. If you don't
have such a floppy-disk, create it NOW. Believe me, going to a shop to
buy a clean DOS version after you get an infection costs more time and
money. You can create a bootable DOS floppy with "FORMAT A: /S".
See appendix D for an example of a batch file which can be placed on
this floppy and used for routine scanning.
5.2. Routine scanning and /A
Unfortunately many users think option /A is best for routine scanning.
It is NOT. Option /A is very time consuming and only makes sense if you
scan an unknown floppy or if you know you have been struck by a virus.
Don't use it in routine scanning.
5.3. Scanning when probably infected
When your system is probably infected you should absolutely run HTSCAN
from a write-protected floppy after cold-booting with the reset button
or the power switch. Again, Ctrl-Alt-Del is NOT enough.
If you are one of those persons who insist on not creating a clean
bootable DOS floppy, you can save yourself a lot of trouble by using the
/M option. However, this is NOT recommended: the option increases the
chance of false alarms and it is NOT safe.
5.4. Compressed files and scanning from a .BAT file
When HTSCAN is used from a .BAT file to scan a hard-disk in a routine
scan, check only for errorlevel 50 or greater. Don't bother about the
compressed files when no infections were found in other files.
When HTSCAN is used from a .BAT file to scan an incoming floppy, check
for errorlevel 1 or greater. If a compressed file is found, decompress
it and scan its contents with HTSCAN.
5.5. Backups
Backups are the most important precaution that can be taken against
computer viruses. Unduplicated data stored on a disk will be
irretrievably lost in the event of an attack by a destructive virus.
In plain English: BACKUP your data periodically!
6. WHAT TO DO IF YOU FIND A VIRUS?
STAY COOL. It is my opinion that most harm is done by users who panic
and try to disinfect their disk. If a virus-scanner finds a virus, the
virus has either done its job already or is waiting for some event. In
both cases there is no reason to hurry. You have plenty of time.
DON'T INSERT ANY OF YOUR BACKUP DISKETTES IN YOUR PC BEFORE YOU ARE
100% SURE YOUR PC IS CLEAN!
6.1. Recommended approach
This will only work if you have a clean current backup.
- Power down your system. Power up and boot from a clean
write-protected floppy-disk.
- Low-level-format your hard-disk
(check your hard-disk documentation on how to do that,
or consult your supplier)
- Restore your system from the last known clean-backup
6.2. If you don't have a backup and it is a known virus
If the virus is in the boot-sector or a system-file:
- get a virus killer for this virus and use it to clean-up your disk
if you can't find a killer for this virus:
- Power down your system. Power up and boot from a clean
write-protected floppy-disk.
- Use the DOS command SYS to overwrite the infected spots.
If the virus is in the main-boot-record (partition-table):
- get a virus killer for this virus and use it to clean-up your disk
if you can't find a killer for this virus:
- Power down your system. Power up and boot from a clean
write-protected floppy-disk.
if you have DOS 5.0 or higher:
- you may try FDISK /MBR to fix the main-boot-record, although
this will destroy your data in certain unusual circumstances
if you don't have DOS 5.0:
- Backup your system
- Low-level-format your hard-disk
- Restore your files.
If the virus is in your software:
- Power down your system. Power up and boot from a clean
write-protected floppy-disk.
- Use "HTSCAN <path> /R" from a clean write-protected floppy-disk.
HTSCAN will ask you for every infected file if it should be renamed.
- Reinstall your software from the original floppy-disks.
- Delete the renamed infected files with "HTSCAN <path> /D /A".
If you can't find the original software:
- get a virus killer for this virus and use it to clean up your
infected (renamed) files.
Be extremely careful when cleaning your software with a virus
killer. A lot of killers are unreliable and may totally destroy your
programs. In the worst case, such a destroyed program could act
like a trojan and destroy your data the next time it is executed.
Run "HTSCAN <path> /A" to be absolutely sure your disk is clean.
I strongly recommend that you get experienced help in dealing with
viruses. You can find addresses of experienced help in the appendices.
At least get information on the virus. I only gave a description of how
to get rid of the virus. Maybe the virus has corrupted your data. In such
a case you should use a clean backup to restore your data.
6.3. If you don't have a backup and it is an unknown virus
If HTSCAN can't find a virus, first try the latest available version of
the data-file you use. If nothing is reported and you still believe
you have a virus, because EXE/COM files are growing and/or programs don't
work anymore etc., send a sample of a possibly infected file to a well-
known virus researcher. Look at "Addresses for experienced help" for an
address.
- 22 -
7. HOW TO PREVENT A VIRUS INFECTION?
In my opinion this is impossible. The only thing you can do is find it
before it can cause great damage. For this purpose you could run an
alteration-searcher or checksummer with every system boot-up.
8. LICENSES
You are free to use, copy and distribute HTSCAN for NONcommercial
purposes if:
1) No fee is charged for such copying and distribution,
2) It is distributed ONLY in its original, unmodified state.
If you share HTSCAN with others, please share the original HTSCAN17.ZIP
file instead of sharing HTSCAN.EXE.
If you find HTSCAN fast, easy, and convenient to use, a donation of
Fl. 2,50 or more would be appreciated.
Type "HTSCAN /I" for more information.
Note, a donation for HTSCAN is not a donation for VIRSCAN.DAT.
Site licenses and commercial licenses for HTSCAN are available.
Type "HTSCAN /I" for more information.
9. DISCLAIMER
In providing this software I disclaim all warranties, expressed or
implied, including but not limited to the warranties of merchantability,
fitness for a particular purpose, and noninfringement, and shall not be
liable for any direct, special, incidental or consequential damages
related to the performance or non-performance of this software and/or
documentation.
- 23 -
10. MISCELLANEOUS INFORMATION
10.1. Requirements
Memory: at least 320 Kb of available RAM
Operating System: DOS version 3.0 or later
10.2. Copyrights and trademarks
ARJ is a trademark of Robert K. Jung
DIET is a trademark of Teddy Matsumoto
LHA and LHarc are trademarks of Haruyasu Yoshizaki
McAfee is a trademark of McAfee Associates
PAK is a trademark of NoGate Consulting
PKZip and PKLite are trademarks of PKWare Inc.
QEMM is a trademark of Quarterdeck
Virus-Bulletin is a trademark of Virus Bulletin Ltd.
10.3. New versions
The newest versions of HTSCANxx.ZIP, HTTROJxx.ZIP, VSIGyyxx.ZIP
and ASIGyyxx.ZIP are available at:
INFOdesk BBS The Hague, 2:512/2
+31-70-3898822, up to 14.4K HST
File-Requests allowed from 8.00 am - 3.00 am (GMT+1). All file-requests
are allowed, including request of 4-D inbounds.
Magic-file names:
HTSCAN,
VSIG,
ASIG and
HTTROJAN
New versions of HTSCANxx.ZIP, VSIGyyxx.ZIP and ASIGyyxx.ZIP are also
distributed through the VIRUSINF File-Echo. VIRUSINF is available all
over the world.
10.4. Questions, suggestions or problems
If you have questions, suggestions or even problems, feel free to contact
me at one of the addresses below.
Mail address: Netmail address:
Harry Thijssen Harry Thijssen
P.O. Box 662 INFOdesk The Hague
6400 AR Heerlen FIDO 2:512/2.7
The Netherlands +31-70-3898822
Please state the version of HTSCAN.EXE you are presently using.
- 24 -
10.5. Translations
Several language packets are available. The original distribution file
HTSCAN17.ZIP includes the English language packet. Other languages are
available in a file like:
HTSC17<languages>.ZIP
For Dutch this file is:
HTSC17NL.ZIP
For English this file is:
HTSC17EN.ZIP
Both files are available at INFOdesk the Hague.
HTScan will at least be available in English and Dutch.
If you are willing to translate HTScan into a currently unsupported
language, please contact me at the address mentioned above.
10.6. Thanks
I wish to thank all the Beta-testers of HTScan for their time and help.
A special word of thanks goes to Erwin Lanting and Righard Zwienenberg
([RiZwi] of INFOdesk) for their comments on and help with HTSCAN.
- 25 -
I. APPENDIX A. Examples of invoking HTSCAN
Examples:
Scan drive C:
HTSCAN C:\
Scan directory C:\USR without the subdirectories:
HTSCAN C:\USR /N /O=LOG-FILE.TXT /V=C:\USR\VIRUS\HTSCAN.DAT /S
Scan the file C:\USR\VIRUS\HTSCAN.EXE and delete it if infected:
HTSCAN C:\USR\VIRUS\HTSCAN.EXE /D
Scan all *.OV? and *.BIN files for all file viruses:
HTSCAN *.OV? *.BIN /A
Scan drive C:, D: and E:
HTSCAN C:\ D:\ E:\ or
HTSCAN &C..E or if drive E: is the last drive
HTSCAN &C
Scan a list of files:
HTSCAN @TO-SCAN.TXT
TO-SCAN.TXT is a list file which could contain, for example:
C:\COMMAND.COM
D:\UTIL\
..\
\*.COM
Scan all drives. Don't warn for compressed and/or self-extracting files.
Use the signature lists in directory C:\SIGN and place the log-file in
directory D:\TEMP in HTSCAN.LOG:
HTSCAN &A /V=C:\SIGN /O=D:\TEMP\HTSCAN.LOG /W-
- 26 -
II. APPENDIX B. Examples of HTSCAN style signatures
Examples:
(None of the example viruses really exist)
Fantasy-Virus (Boot version)
PART BOOT
FF00 FF00 FF00 FF00 FF00 FF00 FF00
;
Hello World (OV* version)
OVL
"Hello World"
;
Mean-Virus
PART BOOT SYS COM EXE OVL
1F0A 2F0B ??0C 4F0D ?F0E 6?0F 7F00
The Mean-Virus would be recognized in the following string:
1F0A2F0BFF0C4F0DFF0E6F0F7F00
For the real hackers among you:
Suicide-Virus
LOW HIGH UMB BOOT SYS COM EXE OVL
1F0A 2F0B 3?** 6F0F 7F*3 9F0? AF03 ???4 CF%2 05
The Suicide-Virus signature scans for 1F,0A,2F,0B followed by a byte
of which the left nibble is 3 and the right nibble is unknown. Next
there can be a string of garbage 0 to 255 bytes in length followed by
6F,0F. After this there is a string of garbage 3 bytes long followed
by 9F. Next there is a byte of which the left nibble is 0 and the
right nibble unknown. Thereafter comes AF,03 followed by three
unknown nibbles. The right part of the last byte of the two bytes
containing these three nibbles is 4. The trailing part of this virus
is CF followed by 0, 1 or 2 garbage bytes ending with 05. The Suicide-
Virus would be recognized in the following string:
1F0A2F0B3F0C4F0D5F0E6F0F7F008F019F02AF03BF04CF05
And again, for readability, the scan-string and the string in the file
below each other.
1F0A 2F0B 3?** 6F0F 7F*3 9F0? AF03 ???4 CF %2 05
1F0A 2F0B 3F0C 4F0D 5F0E 6F0F 7F00 8F01 9F02 AF03 BF04 CF 05
(examples continue on next page)
- 27 -
Examples: (Continued)
Last, and worst, the XORed scan-strings.
Assume the file contains:
4861 7272 7920 5468 696a 7373 656e 2020
this would be found with the scan-strings:
in the next example the XOR value is 0
(the scan-string is equal to the string in the file)
4861 7272 {7920 5468 696a 7373 656e} 2020
in the next 3 examples the XOR value is 1
4861 7272 {7821 5569 686b 7272 646f} 2020
4861 7272 {78?? 55?? 68?? 72?? ?46?} 2020
4861 7272 {78*2 ?9 ** 72 6?6f}
and finally an XOR-red part with a pointer to the XOR-value
the file contains: 4861 7272 7920 5468 696a 7373 656e 2020
^^
||
and the sign. is: 4861 7272 XX20 {261a 1b18 0101 171c}
XX points to the place in the file where the XOR value resides.
In this example the XOR value is hex 79. The part of the scan
string between { and } is XOR-red with this hex-value 79.
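The wildcard and XOR rules of the example pages above, worked out as a small matcher that checks the Mean-Virus, Suicide-Virus and XOR examples. This is an added example, not HTSCAN's own scanning code; it assumes the N in '*N' and '%N' is a single decimal digit, and the XX input used with it is constructed here, not taken from the page.

```python
# Matcher for HTSCAN-style scan-strings (added example, not HTSCAN's own code).
# Wildcards as described in the appendix: '?' unknown nibble, '**' 0..255 garbage
# bytes, '*N' exactly N, '%N' 0..N garbage bytes, '{..}' XORed part, 'XX' the
# file byte holding the XOR value. Assumption (not on the page): the N in
# '*N' and '%N' is a single decimal digit.

def parse_signature(sig):
    """Tokenize a scan-string; the spaces between hex groups are cosmetic."""
    s, tokens, xored, i = "".join(sig.split()), [], False, 0
    while i < len(s):
        c = s[i]
        if c in "{}":                      # enter/leave the XORed part
            xored, i = c == "{", i + 1
        elif c in "*%":                    # garbage bytes: '**', '*N' or '%N'
            n = 255 if s[i + 1] == "*" else int(s[i + 1])
            lo = n if c == "*" and s[i + 1] != "*" else 0   # '*N' means exactly N
            tokens.append(("gap", lo, n))
            i += 2
        elif s[i:i + 2] == "XX":           # pointer to the XOR value in the file
            tokens.append(("key",))
            i += 2
        else:                              # a byte; '?' nibbles are masked out
            hi, lo = s[i], s[i + 1]
            val = (int(hi, 16) << 4 if hi != "?" else 0) | (int(lo, 16) if lo != "?" else 0)
            mask = (0xF0 if hi != "?" else 0) | (0x0F if lo != "?" else 0)
            tokens.append(("byte", val, mask, xored))
            i += 2
    return tokens

def _match(tokens, data, pos, key):
    """Match tokens at data[pos:], backtracking over garbage gaps."""
    if not tokens:
        return True
    t, rest = tokens[0], tokens[1:]
    if t[0] == "gap":
        return any(_match(rest, data, pos + n, key)
                   for n in range(t[1], t[2] + 1) if pos + n <= len(data))
    if pos >= len(data):
        return False
    if t[0] == "key":                      # XX: read the XOR value from the file
        return _match(rest, data, pos + 1, data[pos])
    b = data[pos] ^ key if t[3] else data[pos]
    return (b & t[2]) == (t[1] & t[2]) and _match(rest, data, pos + 1, key)

def scan(data, sig, xor_value=0):
    """Offset of the first match of sig in data, or -1. xor_value is the
    fixed XOR value for a {..} part when the signature has no XX pointer."""
    tokens = parse_signature(sig)
    return next((p for p in range(len(data)) if _match(tokens, data, p, xor_value)), -1)
```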
- 28 -
III. APPENDIX C. Addresses for experienced help
C.1. If you have access to a modem
A good way to get experienced help is to post a message in a
dedicated FidoNet echomail conference, e.g. VIRUS or VIRUS_INFO.
You can also ask the sysop of your home BBS. Most sysops
know where to ask for experienced help.
Below are the addresses of several well-known virus-busters.
INFOdesk
The Hague (The Netherlands)
FIDO 2:512/2
+31-70-3898822
Martin Roesler at
Farmers Node
Puchheim (Germany)
FIDO 2:246/18.4
+49-89-807408
Paul Ferguson at
SENTRY NET
Centreville (USA)
FIDO 1:109/229
+1-703-815-3244
C.2. If you don't have access to a modem
You may send a letter to me or to:
INFOdesk The Hague
P.O. BOX 32395
2503 AB The Hague
The Netherlands
Don't forget to include a reply-paid envelope.
- 29 -
IV. APPENDIX D. Example batch file
The next batch file could be placed on a bootable write-protected floppy
together with HTSCAN. When this file is named AUTOEXEC.BAT, it will start
a routine scan whenever your computer is booted from this floppy.
The signature-files placed in the directory C:\SIGN are used. The log
file will be written to C:\TEMP\HTSCAN.LOG.
echo off
rem *****************************************************************
rem * Before running this batch file, the directories *
rem * C:\SIGN and C:\TEMP should exist. *
rem * *
rem * The signature files (VIRSCAN.DAT etc.) should be placed *
rem * in C:\SIGN. *
rem *****************************************************************
HTSCAN &C /V=C:\SIGN /O=C:\TEMP\HTSCAN.LOG /W-
rem "if errorlevel N" is true for every exit code of N or higher, so
rem the tests must run from the highest exit code down to the lowest.
if errorlevel == 200 goto virus
if errorlevel == 175 goto trojan
if errorlevel == 150 goto signerror
if errorlevel == 100 goto opererror
if errorlevel == 75 goto progerror
:ok
erase C:\TEMP\HTSCAN.LOG
goto end
:virus
echo Virus found by HTScan. Reported in C:\TEMP\HTSCAN.LOG
pause
goto end
:trojan
echo Trojan found by HTScan. Reported in C:\TEMP\HTSCAN.LOG
pause
goto end
:signerror
echo HTScan detected some problem with a signature file.
pause
goto end
:opererror
echo HTScan detected an operator error.
pause
goto end
:progerror
echo HTScan aborted.
pause
goto end
:end