Text File | 1992-11-17 | 40KB | 1,079 lines
NETSCAN Version B99
Copyright (C) 1989 - 1992 by McAfee Associates
All rights reserved.
Documentation by Aryeh Goretsky.
McAfee Associates (408) 988-3832 office
3350 Scott Blvd, Bldg. 14 (408) 970-9727 fax
Santa Clara, CA 95054 (408) 988-4004 BBS (25 lines)
U.S.A. USR HST/v.32/v.42bis/MNP1-5
CompuServe GO MCAFEE
InterNet support@mcafee.COM
TABLE OF CONTENTS:
WHAT'S NEW
- New features and viruses in this release
- System Requirements
OVERVIEW
- Detection of known viruses
- Detection of new and unknown viruses
SYNOPSIS
- technical description of known virus detection
- technical description of new/unknown virus detection
AUTHENTICITY
- How to verify the NETSCAN.EXE program file
COMMAND SUMMARY
- One-line description of switches
OPTIONS
- Detailed explanation of switches
EXAMPLES
- Samples of frequently-used options
EXIT CODES
- For running NETSCAN from batch files
VIRUS REMOVAL
- How to manually remove a virus
LICENSE
- How to license NETSCAN
TECHNICAL SUPPORT INFORMATION
- Information you should have ready when calling
OBTAINING THE LATEST VERSION OF NETSCAN
- BBS, CompuServe, and Internet access to NETSCAN
APPENDIX A
- Creating a virus string file with the /EXT option
WHAT'S NEW
NETSCAN Version 99 adds detection of all new viruses
detected by VIRUSCAN that are capable of spreading over a
network.
For a complete list of known viruses, refer to the
enclosed VIRLIST.TXT file. For a description of known viruses
please refer to Patricia Hoffman's Hypertext VSUM.
Two new features were added in this release:
When NETSCAN is run against a drive that does not exist, it
will no longer give an error message. Instead, it will
go to the next drive and start scanning or quit if no
other drives are listed.
A new Dark Avenger Mutation Engine [DAME] virus detection
routine is being used. This new algorithm will greatly
speed up detection of DAME-based viruses and at the same
time reduce or entirely prevent false alarms.
SYSTEM REQUIREMENTS
NETSCAN requires 320Kb of RAM and DOS 2.0 or above (some
features require DOS 3.1 or above). NETSCAN works with 3COM
3/Share and 3/Open, Artisoft LANTastic, AT&T StarLAN, Banyan
VINES, DEC Pathworks, Microsoft LAN Manager, Novell NetWare, and
any other IBMNET or NETBIOS compatible network operating
systems. Contact McAfee Associates if you do not see your
network listed.
NETSCAN is designed to check network file servers for
viruses. For stand-alone and networked PC's please use VIRUSCAN
instead.
NETSCAN displays messages in English, French, or Spanish.
NOTE: WRITE-PROTECT THE FLOPPY DISK CONTAINING THE NETSCAN
(NETSCAN.EXE) PROGRAM BEFORE SCANNING TO PREVENT NETSCAN
FROM BECOMING INFECTED BY A COMPUTER VIRUS.
NOTE: FOR NETSCAN TO CHECK ALL AREAS OF THE FILE SERVER, IT
MUST BE RUN FROM AN ACCOUNT WITH GLOBAL READ AND FILESCAN
RIGHTS.
OVERVIEW (Known Virus Detection)
NETSCAN Version B99 fixes a bug in release V99 (unable
to scan network drive). This version (filename NETSCAN.EXE)
identifies all known computer viruses and their variants
identified by the current version of VIRUSCAN which can be
transferred over a network.
NETSCAN can check files, subdirectories, a volume, or a
network drive for pre-existing computer virus infections. It
will identify the virus infecting the system and the area where
it was found, giving the name of the virus as well as the I.D.
code used with CLEAN-UP to remove it.
Infected files can be removed with the /D switch in NETSCAN
to erase the file, or with the CLEAN-UP universal virus removal
(disinfection) program. CLEAN-UP is recommended because in most
cases it will eliminate the virus and fully restore infected
programs or system areas to normal operation.
The accompanying VIRLIST.TXT file lists all
viruses identified by NETSCAN and their associated I.D. codes
for removal by CLEAN-UP.
OVERVIEW (Unknown and New Virus Detection)
NETSCAN has three separate methods of detecting unknown and
new viruses:
Validation codes which can be periodically checked against
to look for the changes made by a virus to files or system
areas.
Generic and Family virus detectors to look for new viruses
which are derivatives of older viruses.
External virus signatures to insert new virus signature
strings on a temporary basis to NETSCAN.
SYNOPSIS (technical description of known virus detection)
NETSCAN detects known viruses by searching the system for
strings (sequences of bytes) unique to each computer virus and
reporting their presence if found. For viruses which encrypt or
cipher their code so that every infection of the virus is
different, NETSCAN uses detection algorithms (programs) that
work by statistical analysis, heuristics, or code disassembly.
SYNOPSIS (technical description of new/unknown virus detection)
NETSCAN checks for new or unknown viruses by comparing
files against previously-recorded validation (checksum) data
stored in a discrete log file.
NETSCAN also checks for new or unknown viruses by searching
for Generic or Family virus strings. These are strings that
have been found repeatedly in different viruses. Since virus
writers may use the older pieces of code for new viruses, this
allows NETSCAN to detect viruses which have not been written yet.
NETSCAN can be updated to search for new viruses by an
External Virus Data File, which allows the user to input new
search strings for viruses. (/EXT switch)
AUTHENTICITY
Before using NETSCAN for the first time, verify that it has
not been tampered with or infected by a virus by using the
enclosed VALIDATE program. For instructions on using
VALIDATE, please read the VALIDATE.DOC file.
The validation results for Version B99 should be:
FILE NAME: NETSCAN.EXE
SIZE: 84,181
DATE: 11-17-1992
FILE AUTHENTICATION
Check Method 1: 9701
Check Method 2: 07AB
If your copy of NETSCAN differs, it may have been damaged or
have options stored in it with the /SAVE switch. Run NETSCAN
with only the /SAVE option to remove any stored options and then
re-run VALIDATE. Always obtain your copy of NETSCAN from a
known source. The latest version of NETSCAN and validation data
for NETSCAN.EXE can be obtained from McAfee Associates' bulletin
board system at (408) 988-4004 or from the McAfee Virus Help
Forum on CompuServe (GO MCAFEE), or the mcafee.COM anonymous ftp
site on the Internet.
NETSCAN performs a self-check when run. If NETSCAN has
been modified in any way, a warning will be displayed and the
user prompted to either continue or quit. NETSCAN can still
check for viruses, however, if NETSCAN reports that it has been
damaged, it is recommended that a clean copy be obtained.
Beginning with Version 72, all of McAfee Associates'
NETSCAN series are archived with PKWare's PKZIP Authentic File
Verification. If you do not see an "-AV" after every file is
unzipped and receive the "Authentic Files Verified! # NWN405
Zip Source: McAFEE ASSOCIATES" message when you unzip the files
then do not use them. If your version of PKUNZIP does not have
verification ability, then this message may not be displayed.
Please contact us if you believe tampering has occurred to the
.ZIP file.
COMMAND SUMMARY
IMPORTANT NOTE: WRITE PROTECT YOUR FLOPPY DISK BEFORE SCANNING
TO PREVENT INFECTION OF THE NETSCAN PROGRAM.
NETSCAN checks files and other areas of the system that
can contain a computer virus. When a virus is found, NETSCAN
identifies the virus and the file or system area where it was
found.
NETSCAN examines files based on their extension. The default
extensions supported by NETSCAN are .APP, .BIN, .COM, .EXE, .OV?,
.PGM, .PIF, .PRG, .SWP, .SYS, and .XTP. Additional extensions
can be added with the /EXT option, or use the /A to check all
files.
Valid options for NETSCAN are:
NETSCAN {drive(s)} {options}
{drive(s)} - Indicates a drive or drives to be scanned
Options are:
/? /H or /HELP - Displays help screen
/A - Scan all files, including data, for viruses
/AD - Scan all available hard drives
/AF {filename} - Store recovery & validation data to {filename}
/BELL - Beep whenever a virus is found
/CERTIFY - List files that do not have a validation code
/CF {filename} - Check for viruses using recovery & validation
data stored in {filename}
/CHKHI - Check workstation memory from 0Kb to 1,088Kb
/D - Overwrite and delete infected files
/E .xxx .yyy - Scan overlay extensions .XXX and .YYY
/EXT {filename} - Scan using external virus data from {filename}
/FAST - Speed up NETSCAN's output
(see below for specifics)
/FR - Display all messages in French
/HISTORY {fname} - Create infection log {fname} appending to old log
/M - Scan workstation memory for all viruses
(see below for specifics)
/NLZ - Skip internal scan of LZEXE-compressed files
/NOBREAK - Disable Ctrl-C and Ctrl-Brk during scanning
/NOEXPIRE - Do not display expiration notice
/NOMEM - Disable workstation memory check
/NOPAUSE - Disable screen pause when scanning
/NPKL - Skip internal scan of PKLITE-compressed files
/REPORT {fname} - Create infection log {fname} deleting the old log
/RF {filename} - Remove recovery & validation data from {filename}
/SAVE - Save specified options as new default options
/SP - Display all messages in Spanish
/SUB - Scan all subdirectories inside a subdirectory
/UNATTEND - Scan using DOS critical error handler
(required for Novell NetWare)
@{filename} - Scan using options from {filename}
OPTIONS
Following is a detailed description of NETSCAN's options.
Please note the /SAVE switch modifies the NETSCAN.EXE file.
This may cause other anti-viral programs to generate a warning.
/A - This option checks all files on the drive scanned. This
substantially increases the time required to scan disks, so
it is recommended this switch only be used when installing new
software or if a file-infecting virus has been found. This
option takes priority over the /E option.
/AF {filename} - This option logs recovery and validation
data for .COM and .EXE files, boot sector, and partition table
of a disk to a user-specified file. The log file size is about
20Kb per 1,000 files validated. Recovery from a virus using the
/AF information requires the CLEAN-UP (CLEAN.EXE) program.
NOTE: Files which are immunized against viruses or contain
self-modifying code should not have validation codes
added to them. To prevent NETSCAN from adding validation
codes to these files, a validation exception list must be
created with the path and filename of each file NOT to be
validated listed on each line (only one filename for each
line). To put a comment in, start the line with an "*"
character. This sample file contains a list of programs
NOT to validate:
*LIST OF FILES NOT TO USE /AV OR /AG OPTIONS WITH
*
*This is Nantucket Corp's database program, Clipper
C:\CLIPPER\BIN\CLIPPER.EXE
*This is Lotus Development Corp's spreadsheet program, 1-2-3
C:\123\123.COM
*This is MS-DOS 5.00's self-modifying program, SETVER
C:\DOS\SETVER.EXE
*PKWare's data compression programs already perform a self-check
C:\PKWARE\PKLITE.EXE
C:\PKWARE\PKZIP.EXE
C:\PKWARE\PKUNZIP.EXE
*Stac Technologies hard disk swapping program
C:\SWAPVOL.COM
*Symantec's Norton Utilities V6.01 disk caching program
C:\NORTON\NCACHE.EXE
*WordStar Corp's word processor is self-modifying
C:\WORDSTAR\WS.EXE
The validation exception list should be an ASCII or DOS
text file. If a word processor is used to create the list, be
sure to save the file as ASCII or DOS Text.
/BELL - This option causes NETSCAN to beep when a virus is found.
/CF {filename} - This option checks recovery and validation data
stored by the /AF option in {filename}. If a file or system
area has changed, NETSCAN reports that a viral infection may have
occurred. Using the /CG option adds about 25% more time to
scanning.
/CHKHI - This option checks memory on the workstation NETSCAN is
being run on from 640Kb to 1,088Kb. Server memory is not
checked. This option cannot be used with the /NOMEM option.
/D - This option tells NETSCAN to prompt the user to overwrite
and delete infected files. Files erased by the /D option
can not be recovered. If the CLEAN-UP program is available,
it can be used to disinfect the file. Partition table and boot
sector viruses can not be removed by the /D option and require
the CLEAN-UP virus removal program.
/E .xxx .yyy - This option allows an additional extension or set
of extensions to be scanned. Extensions should include a period "."
character and be separated by a space after the /E. Up to three
extensions may be added with the /E. For more extensions, use
the /A option instead.
/EXT {filename} - This option tells NETSCAN to search for viruses
using virus search strings from ASCII text file {filename}, in
addition to the viruses that NETSCAN looks for. For instructions
on creating an external virus data file, refer to Appendix A.
NOTE: The /EXT option provides users with the ability to add
strings for detection of viruses on an interim or
emergency basis. When used with the /D option, it will
overwrite-and-delete infected files. This option is not
for general use and should be used with caution.
/FAST - This option speeds NETSCAN up by displaying less on the
screen, skipping checking inside of LZEXE- and PKLITE-
compressed files, and examining a smaller portion of files
during scanning. This may reduce the accuracy of NETSCAN.
/FR - This option tells NETSCAN to display all messages in French
instead of English. This option cannot be used with the /SP
(Spanish) option.
/HISTORY {filename} - This option saves the output of NETSCAN
to {filename} in ASCII text file format. If {filename} exists,
NETSCAN will add the results of the current scan to the end.
/M - This option tells NETSCAN to check memory on the workstation
it is being run from, not the network file server's memory, for
all known computer viruses that can inhabit memory. NETSCAN by
default only checks memory for critical and "stealth" viruses,
which are viruses which can cause catastrophic damage or spread
during the scanning process. By default, NETSCAN will check
memory for the following viruses:
1024 1253 1530 15xx variant
1963 1971 2153 2560
3040 337 3445-Stealth 4096
500 512 557 702
ABC Agena Anthrax Antitelefonica
Aragon arcv B3 Blood Rage
Brain Budo Caz CD
Chang Coffee Shop Copyr-ug Cracky
Crusher Dark Avenger Davis Dir-2
DM-330 Doom II EEL Empire
End-of Evil Genius ExeBug Fam
Feist Fish Flu FORM
Frodo Soft Fune Futhark Geek
Greemlin Green HA HBT
Hellween 1182 Hi Highland Horror
Ice9 Iernim IOU Jeru Variant
Joanna Joshi Jump4Joy Kersplat
L1 Larry Leech LixoNuke
Lozinsky Lycee Magnum Malaga
Malaise Microbes Mirror Mocha
Monkey Mugshot Mummy Murphy
NCU Li Ninja Nomemklatura NOP
No-Int Nygus Nygus-KL Ontario-3
Otto P1R PCBB11 Penza
Phantom Piazzola Plastique Pogue
Pojer Problem Radyum Rattle
Reaper Reklama Rocko Sandwich
SBC Scr-2 Scroll Scythe
Sentinel Sergant Silence Sk
Sk1 Sma-108a Soyun Stealthb
Sticky Stoned (Vari) Sunday-2 SVC
Tabulero Taiwan3 Ten Bytes Tequila
Thursday 12th Turbo Turkey Twin-351
V2100 V2P6 V600 Vietnamese
Walker Whale Windmill Yan2050a
Youth Zaragoza
If any of the above viruses is found in memory, NETSCAN will stop,
tell the user to power down and reboot the system from a virus-
free system-bootable disk. This option can not be used with the
/NOMEM option.
NOTE: Using the /M option with another anti-viral software
package may result in false alarms if the other package
does not remove or cipher (hide or otherwise encrypt) its
virus search strings in memory.
/NLZ - This option tells NETSCAN not to look inside files
compressed with LZEXE, a file compression program. NETSCAN will
still check LZEXE-compressed files for viruses that may have
become infected after LZEXE compression.
/NOBREAK - This option prevents Ctrl-C or Ctrl-Brk from aborting
the scanning process.
/NOMEM - This option turns off all memory checks for viruses
in order to speed up the scanning process. It should only be
used when a system is known to be virus-free. This option can
not be used with the /CHKHI or /M options.
/NOEXPIRE - This option prevents NETSCAN from displaying the
message shown after 7 months warning that it may no longer be current
with respect to known computer viruses.
/NOPAUSE - This option disables the "More? (H = Help )" prompt
displayed when NETSCAN fills up a screen with 24 lines of text.
This allows NETSCAN to run on LAN's with severe infections
without requiring operator assistance.
/NPKL - This option tells NETSCAN not to look inside files
compressed with PKLITE, a file compression program. NETSCAN
will still check PKLITE-compressed files for viruses that may
have become infected after PKLITE compression.
/REPORT {filename} - This option saves the output of NETSCAN
to {filename} in ASCII text file format. If {filename} exists,
NETSCAN will erase it and replace it with the current scan results.
/RF {filename} - This option removes recovery and validation
data from log file {filename} created by the /AF option.
/SAVE - This option stores any listed options for subsequent
executions of NETSCAN. The options are stored by modifying the
NETSCAN.EXE executable file itself. For example:
NETSCAN /NOMEM /REPORT C:\NETSCAN.LOG /NOPAUSE /SAVE
saves the default options to /NOMEM, /REPORT C:\NETSCAN.LOG and
/NOPAUSE and will cause NETSCAN to use these options the next time
it is run. If NETSCAN is run with only the /SAVE switch, all saved
options are removed and the NETSCAN.EXE is returned to normal. If
you do not wish to modify the NETSCAN.EXE file, use the @{filename}
option instead.
NOTE: VALIDATE 0.4 must be used to validate NETSCAN V89 or above
if the /SAVE option is used. /SAVE directly modifies
NETSCAN.EXE in such a manner that validate codes will not
match if an older version of VALIDATE is used. VALIDATE
0.4 generates correct validation results if the /SAVE
option is used.
/SP - This option tells NETSCAN to display all messages in Spanish
instead of English. This option cannot be used with the /FR
(French) option.
/SUB - This option scans all subdirectories inside a
subdirectory. Previously, NETSCAN would only recursively check
subdirectories if a drive was scanned at the root level (e.g.,
C:). Do not use the /SUB switch if you are scanning a drive
from the root level.
/UNATTEND - This option tells NETSCAN to use the DOS critical
error handler when accessing files. This allows NETSCAN to skip
files in use by another program instead of stopping and
displaying an error message. This option requires DOS 3.10 or
above.
NOTE: The /UNATTEND switch is required if you are running
NETSCAN on a Novell NetWare file server.
@{filename} - This option allows the user to store a list of
options and drives to be scanned in a configuration file.
Options need to be separated by a space, while drives (disks,
subdirectories, or files) need to be listed on separate lines.
A sample file might look like this:
/A /BELL /NOMEM /REPORT C:\NETSCAN\NETSCAN.LOG
F:\PUBLIC
G:
The first line contains the NETSCAN options while other lines list
the names of disks, subdirectories, or files to scan. The file
should be an ASCII text file. If a word processor is used to
create the list, be sure to save it as ASCII or DOS text.
EXAMPLES
The following examples show different option settings:
NETSCAN F: /UNATTEND
To scan drive F: on a Novell NetWare LAN for viruses
NETSCAN F: /CF C:\NETSCAN.CRC
To scan drive F: for viruses and check for unknown
viruses by comparing against recovery/validation data
from file NETSCAN.CRC
NETSCAN X: Y: Z: /D /A
Scans all files on drives X: Y: and Z: for viruses and
prompts for erasure of any infected files, if found.
NETSCAN L: M: /E .WPM .COD
Scans drives L: and M: for viruses, including files
with .WPM and .COD extensions
NETSCAN G: /EXT A:SAMPLE.ASC /BELL
To scan drive G: for known viruses and for new viruses
added with the external virus data file option, and beep
whenever a virus is found.
EXIT CODES
After NETSCAN has finished running, it sets the DOS
ERRORLEVEL. The ERRORLEVEL's returned by NETSCAN are:
ERRORLEVEL │ DESCRIPTION
═══════════╪══════════════════════════════════════════════
0 │ No viruses found
1 │ One or more viruses found
2 │ Abnormal termination (program error)
3 │ One or more uncertified files found
4 │ Ctrl-C or Ctrl-Break aborted scan
If a user stops the scanning process, NETSCAN will set the
ERRORLEVEL to 4. If you wish to prevent users from stopping the
scanning process, then run NETSCAN with the /NOBREAK option.
VIRUS REMOVAL
What do you do if a virus is found? You can contact McAfee
Associates or their authorized agents for help, or use the CLEAN-UP
program.
McAfee Associates can be reached by BBS, CompuServe, FAX,
Internet, or Telephone and there is no charge for support calls
to McAfee Associates (Authorized agents may charge normal McAfee
Associates consulting rates.).
The CLEAN-UP universal virus disinfection program can
disinfect virtually all reported computer viruses. It is
updated with each release of the NETSCAN program to remove new
viruses. CLEAN-UP can be downloaded from McAfee Associates'
BBS, the McAfee Virus Help Forum on CompuServe, and the
mcafee.COM and WSMR-SIMTEL20.Army.Mil sites on the Internet, or
from any of the agents' BBSes listed in the enclosed AGENTS.TXT
text file.
It is strongly recommended that you get experienced help in
dealing with viruses if you are unfamiliar with anti-virus
software and methods. This is especially true for 'critical'
viruses and partition table/boot sector infecting viruses as
improper removal of these viruses can result in the loss of
all data and the use of the infected disk(s). [For a listing of
critical viruses, see the /M switch listed under OPTIONS above.]
Before removing a boot sector or partition table-infecting
virus, it is recommended that you cold boot the infected PC from
a clean DOS disk and backup any critical data.
For qualified assistance in removing a virus, contact
McAfee Associates directly or any of the Authorized Agents in
your area. Agents may charge McAfee Associates' normal consult
rates for their services.
If you wish to remove a file-infecting virus manually, cold
boot the PC from a clean (virus-free) DOS system disk and run
NETSCAN with the /A and /D switches to erase all infected files.
Any files removed in this manner can not be recovered.
LICENSE
NETSCAN may be copied and distributed for testing and
evaluation purposes on a trial period of five (5) days. If you
wish to use NETSCAN after the trial period, a license is
required. Licenses are available for internal use within
businesses, organizations, government agencies, and for external
use by repair centers and other service organizations. License
fees are based on the size of the network or number of copies
required. Information on licensing can be obtained from McAfee
Associates or any authorized agent listed in the AGENTS.TXT
file.
TECHNICAL SUPPORT
For fast and accurate help, please have the following
information ready when you contact McAfee Associates:
- Program name and version number.
- Type and brand of computer, hard disk, plus any
peripherals.
- Version of DOS plus any TSRs or device drivers in use.
- Printouts of your AUTOEXEC.BAT and CONFIG.SYS files.
- A printout of what is in memory from the MEM command
(DOS 4 and above users only) or a similar utility.
- The exact problem you are having. Please be as
specific as possible. Having a printout of the
screen and/or being at your computer will be helpful.
McAfee Associates can be contacted by BBS, CompuServe, FAX, or
InterNet 24 hours a day, or by telephone at (408) 988-3832,
Monday through Friday, 7:00AM to 5:30PM Pacific Time.
If you are overseas, there may be an Authorized McAfee
Associates Agent in your area. Please refer to the AGENTS.TXT
file for a list of McAfee Associates Agents.
OBTAINING THE LATEST VERSION OF McAFEE ASSOCIATES PROGRAMS
McAfee Associates regularly updates the VIRUSCAN series
of programs every 4 to 6 weeks to add new virus detectors,
new options, and fix the occasional, if infrequent, bug. To
distribute these new versions, we run a multi-line BBS,
CompuServe Forum, and Internet node:
BBS ACCESS
Our 25-line BBS is accessible 24 hours a day, 365 days a
year, except for scheduled downtime and maintenance. All lines
run US Robotics Courier HST Dual Standard ASL modems operating
from 1,200bps to 14,400bps with line settings of 8 data bits, no
parity, and one stop bit.
THE McAFEE VIRUS HELP FORUM ON COMPUSERVE
We are now sponsoring the McAfee Virus Help Forum on
CompuServe. To reach the McAfee Virus Help Forum type GO MCAFEE
at any CompuServe prompt. A free introductory membership is
available. For more information, please read the enclosed
COMPUSER.NOT file.
INTERNET ACCESS TO McAFEE ASSOCIATES SOFTWARE
The latest versions of McAfee Associates' anti-viral
software are now available by anonymous ftp (file transfer
protocol) over the Internet from the site mcafee.COM. If
your domain resolver does not support names, use the IP#
192.187.128.1. Enter "anonymous" for your user I.D. and
your own email address for the password. Programs are
located in the pub/antivirus directory. If you have any
questions, please send email to support@mcafee.COM.
McAfee Associates' anti-viral software may also be
found at the Simtel20 archive site WSMR-SIMTEL20.Army.MIL
in the PD1:<MSDOS.TROJAN-PRO> directory and its associated
mirror sites WUARCHIVE.WUSTL.EDU (US), NIC.SWITCH.CH (Swiss),
NIC.FUNET.FI (Finland), SRC.DOC.IC.AC (UK), and
RANA.CC.DEAK.OZ.AU (Australia).
APPENDIX A: Creating a Virus String File with the /EXT Option
NOTE: The /EXT option is intended for emergency and research
use only. It is a temporary method for identifying new
viruses prior to the subsequent release of NETSCAN. A
thorough understanding of viruses and string-search
techniques is advised for using this option. A string
length of 10 to 15 bytes is recommended.
The External Virus Data file should be created with an
editor or a word processor and saved as an ASCII text file. Be
sure each line ends with a Carriage Return/Line Feed pair.
The virus string file uses the following format:
#Comment about Virus_1
"aabbccddeeff..." Virus_1_Name
#Comment about Virus_2
"gghhiijjkkll..." Virus_2_Name
.
.
"uuvvwwxxyyzz..." Virus_n_Name
Where aa, bb, cc, etc. are the hexadecimal bytes that you wish
to scan for. Each line in the file represents one virus. The
Virus Name for each virus is mandatory, and may be up to 25
characters in length. The double quotes (") are required at the
beginning and end of each hexadecimal string.
NETSCAN will use the string file to search memory, the
Partition Table, Boot Sector, System files, all .COM and .EXE
files, and overlay files with the extension .APP, .BIN, .COM,
.EXE, .OV?, .PGM, .PIF, .PRG, .SWP, .SYS, and .XTP.
Virus strings may contain wild cards. The two wildcard
options are:
FIXED POSITION WILDCARD
The question mark "?" may be used to represent a wildcard
in a fixed position within the string. For example, the string:
"E9 7C 00 10 ? 37 CB"
would match "E9 7C 00 10 27 37 CB", "E9 7C 00 10 9C 37 CB", or
any other similar string, regardless of the fifth byte.
RANGE WILDCARD
The asterisk "*", followed by a range number in parentheses
"(" and ")" is used to represent a variable number of adjoining
random bytes. For example, the string:
"E9 7C *(4) 37 CB"
would match "E9 7C 00 37 CB", "E9 7C 00 11 37 CB", and
"E9 7C 00 11 22 37 CB". The string "E9 7C 00 11 22 33 44 37 CB"
would not match since the distance between 7C and 37 is greater
than four bytes. You may specify a range of up to 99 bytes.
Up to 10 different wildcards of either kind may be used in one
virus string.
COMMENTS
A pound sign "#" at the beginning of a line will denote a
comment. Use this for adding notes to the external virus data
file. For example:
#New .COM virus found in file FRITZ.EXE from
#Schneiderland on 01-22-91
"53 48 45 45 50" Fritz-1 [F-1]
gives a description of the virus, name of the infected file,
where and when it was found, etc.
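The string-file format and both wildcards described in this appendix, as an added Python example (not part of the original documentation and not NETSCAN's own matcher): it parses an external virus data file and translates each string into a byte regular expression. The function names and the Fixed-Demo and Range-Demo entries are made up here, and it assumes "*(n)" matches from 0 to n bytes, since the text only shows one to three bytes matching.

```python
import re
from typing import List, NamedTuple, Tuple

MAX_NAME = 25       # documented: virus name may be up to 25 characters
MAX_WILDCARDS = 10  # documented: up to 10 wildcards in one virus string
MAX_RANGE = 99      # documented: a range of up to 99 bytes

# One token: a hex byte, a "?" wildcard, or a "*(n)" range wildcard.
_TOKEN = re.compile(
    r"\s*(?:(?P<hex>[0-9A-Fa-f]{2})|(?P<any>\?)|\*\((?P<rng>\d+)\))")
# One entry: the quoted string, then the mandatory virus name.
_ENTRY = re.compile(r'^"(?P<body>[^"]*)"\s*(?P<name>.+)$')


class Signature(NamedTuple):
    name: str
    pattern: re.Pattern


def compile_string(body: str) -> re.Pattern:
    """Translate one quoted virus string into a compiled bytes regex."""
    body = body.rstrip()
    pos, parts, wildcards = 0, [], 0
    while pos < len(body):
        tok = _TOKEN.match(body, pos)
        if tok is None:
            raise ValueError(f"bad token at column {pos + 1}: {body[pos:pos + 8]!r}")
        if tok.group("hex"):
            parts.append(re.escape(bytes([int(tok.group("hex"), 16)])))
        elif tok.group("any"):
            parts.append(b".")  # exactly one byte of any value
            wildcards += 1
        else:
            span = int(tok.group("rng"))
            if not 1 <= span <= MAX_RANGE:
                raise ValueError(f"range must be 1..{MAX_RANGE}, got {span}")
            # Assumption: 0..n bytes (the page shows 1, 2 and 3 matching for n=4).
            parts.append(b".{0,%d}" % span)
            wildcards += 1
        pos = tok.end()
    if not parts:
        raise ValueError("empty virus string")
    if wildcards > MAX_WILDCARDS:
        raise ValueError(f"more than {MAX_WILDCARDS} wildcards in one string")
    # DOTALL so that "." also matches the byte 0x0A.
    return re.compile(b"".join(parts), re.DOTALL)


def parse_signatures(text: str) -> List[Signature]:
    """Parse an external virus data file; '#' lines are comments."""
    sigs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = _ENTRY.match(line)
        if entry is None:
            raise ValueError(f'line {lineno}: expected "hex string" Virus_Name')
        name = entry.group("name").strip()
        if len(name) > MAX_NAME:
            raise ValueError(f"line {lineno}: name longer than {MAX_NAME} characters")
        sigs.append(Signature(name, compile_string(entry.group("body"))))
    return sigs


def scan(data: bytes, sigs: List[Signature]) -> List[Tuple[str, int]]:
    """Return (virus name, offset of first match) for every string found."""
    hits = []
    for sig in sigs:
        found = sig.pattern.search(data)
        if found:
            hits.append((sig.name, found.start()))
    return hits


# Constructed sample file: the Fritz-1 entry and both wildcard strings come
# from the appendix; the two wildcard entry names are invented for the demo.
SAMPLE_FILE = (
    "#New .COM virus found in file FRITZ.EXE from\r\n"
    "#Schneiderland on 01-22-91\r\n"
    '"53 48 45 45 50" Fritz-1 [F-1]\r\n'
    "#Wildcard strings from the appendix\r\n"
    '"E9 7C 00 10 ? 37 CB" Fixed-Demo\r\n'
    '"E9 7C *(4) 37 CB" Range-Demo\r\n'
)

if __name__ == "__main__":
    signatures = parse_signatures(SAMPLE_FILE)
    print(scan(b"xxSHEEPyy", signatures))
    print(scan(bytes.fromhex("E97C00112237CB"), signatures))
```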
IMPORTANT NOTICE - PLEASE READ!
Due to the nature of anti-virus software, the slight chance
exists that a virus may be reported in a file that is not
infected by that virus.
If you receive a report of a virus which you believe may be in
error, please contact McAfee Associates by telephone at (408)
988-3832, by fax at (408) 970-9727, or upload the file to our
BBS at (408) 988-4004 along with your name, address, daytime
telephone number, and electronic mail address, if any.