home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Shareware 1 2 the Maxx
/
sw_1.zip
/
sw_1
/
VIRUS
/
TBSCAN33.ZIP
/
TBSCAN.DOC
< prev
next >
Wrap
Text File
|
1992-03-10
|
134KB
|
3,448 lines
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
Table of Contents
1. COPYRIGHT, LICENCES AND DISCLAIMER................ 2
1.1. Copyright................................... 2
1.2. Distribution and usage...................... 2
1.3. Disclaimer.................................. 3
1.4. Trademarks.................................. 3
1.5. Registration................................ 3
1.6. The registration key........................ 3
2. INTRODUCTION...................................... 5
2.1. Purpose of TbScan........................... 5
2.2. A Quick start............................... 5
2.3. Historical overview......................... 5
2.4. Benefits.................................... 6
2.4.1. Speed................................. 6
2.4.2. Reliability........................... 7
2.4.3. Flexibility........................... 8
2.4.4. Smart scanning........................ 9
2.5. Limitations of scanners..................... 9
2.6. Who are we?................................ 10
3. USAGE OF THE PROGRAM............................. 11
3.1. System requirements........................ 11
3.2. Program invokation......................... 11
3.3. While scanning............................. 12
3.4. Detecting viruses.......................... 13
3.5. The warning marks.......................... 13
3.5.1. R - Suspicious relocator............. 14
3.5.2. T - Invalid timestamp................ 15
3.5.3. ! - Branch out of code............... 15
3.5.4. # - Decryptor code found............. 15
3.5.5. D - Direct disk access............... 15
3.5.6. N - Wrong name extension............. 15
3.5.7. M - Memory resident code............. 16
3.5.8. F - Suspicious file access........... 16
3.5.9. ? - Inconsistent header.............. 16
3.5.10. E - Read or open error.............. 16
3.5.11. J - Multiple jumps.................. 16
3.5.12. p - Packed or compressed file....... 17
3.5.13. w - Windows or OS/2 header.......... 17
3.5.14. h - Hidden or System file........... 17
3.5.15. i - Internal overlay................ 17
3.5.16. s - Unusual stack................... 17
3.6. Command line options....................... 18
3.6.1. -help................................ 18
3.6.2. -info................................ 18
3.6.3. -quick............................... 19
3.6.4. -more................................ 19
3.6.5. -mutant.............................. 19
3.6.6. -direct.............................. 19
3.6.7. -analyze............................. 20
Page i
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
3.6.8. -extract............................. 21
3.6.9. -valid............................... 21
3.6.10. -once............................... 21
3.6.11. -compat............................. 21
3.6.12. -nosnow............................. 21
3.6.13. -noboot............................. 22
3.6.14. -sector............................. 22
3.6.15. -nomem.............................. 22
3.6.16. -allmem............................. 22
3.6.17. -hma................................ 22
3.6.18. -nohmem............................. 22
3.6.19. -nosub.............................. 23
3.6.20. -sub................................ 23
3.6.21. -noavr.............................. 23
3.6.22. -delete or -del..................... 23
3.6.23. -rename or -ren..................... 23
3.6.24. -batch.............................. 23
3.6.25. -repeat............................. 23
3.6.26. -log................................ 24
3.6.27. -session............................ 24
3.6.28. -loginfo............................ 24
3.6.29. -logall............................. 24
3.6.30. -data............................... 24
3.7. Examples:.................................. 25
3.8. Environment variable....................... 25
3.9. The configuration file..................... 26
3.10. The TbScan.Msg file....................... 27
3.11. Residence of the signature files.......... 27
3.12. Residence of the AVR modules.............. 27
3.13. Error messages............................ 27
4. FORMAT OF THE DATA FILE.......................... 29
4.1. Format of a signature entry................ 29
4.2. Wildcards.................................. 29
4.3. Restrictions............................... 30
4.4. Defining new signatures.................... 30
5. A VIRUS, NOW WHAT?............................... 33
5.2. Confirmation............................... 33
5.3. Identification............................. 34
5.4. No Panic!.................................. 34
5.5. Recovering................................. 34
6. CONSIDERATIONS AND RECOMMENDATIONS............... 36
6.1. What should be scanned?.................... 36
6.2. The internals of TbScan.................... 37
6.2.1. How is that blazingly speed achieved? 37
6.2.2. The code interpreter................. 38
6.2.3. The algorithms....................... 39
6.2.3.1. Checking....................... 39
6.2.3.2. Tracing........................ 39
Page ii
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
6.2.3.3. Analyzing...................... 40
6.2.3.4. Browsing....................... 40
6.2.3.5. Skipping....................... 40
6.2.4. The -compat option................... 40
6.2.5. Recursing through directories........ 41
6.3. The Sanity check........................... 42
6.4. How many viruses does it detect?........... 42
6.5. Testing the scanner........................ 42
6.6. Scan scheduling............................ 43
6.7. Extensions to the format of the data file.. 43
6.8. Compressed files........................... 44
6.9. Other products............................. 45
7. MISCELLANOUS INFORMATION......................... 47
7.1. Distribution of the signature file......... 47
7.2. Notes...................................... 47
7.3. The TbScan.Sys driver...................... 47
7.4. Exit codes................................. 47
7.5. Updates.................................... 48
7.6. Thanks..................................... 48
8. OUR OTHER PRODUCTS............................... 49
8.1. TbScanX.................................... 49
8.2. TbRescue................................... 49
8.3. Thunderbyte................................ 50
9. NAMES AND ADDRESSES.............................. 53
9.1. Contacting the author...................... 53
9.2. ESaSS...................................... 53
9.3. Thunderbyte support BBS's.................. 53
9.4. Recommended magazines and organisations.... 53
Page iii
Page 1
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
1. COPYRIGHT, LICENCES AND DISCLAIMER
1.1. Copyright
TbScan is copyright 1989-1992 ESaSS B.V.. All rights reserved. The
diskettes provided with TbScan are not copy protected. This does not
mean that you can make unlimited copies of them. TbScan is protected
by the the copyright laws which pertain to computer software.
No part of the printed manual accompanying TbScan may be reproduced,
transmitted, transcribed, stored in a retrieval system or translated
into any language, in any form or by any means, without the prior
written permission of ESaSS B.V..
1.2. Distribution and usage
Both TbScan and the accompanying documentation are SHARE-WARE.
You are hereby granted a license by ESaSS to distribute the
evaluation copy of TbScan and its documentation, subject to the
following conditions:
1. The evaluation package of TbScan may be distributed freely
without charge in evaluation form only.
2. The evaluation package of TbScan may not be sold, licensed, or
a fee charged for its use. If a fee is charged in connection
with TbScan, it must cover the cost of copying or dissemination
only. Such charges must be clearly identified as such by the
originating party. Under no circumstances may the purchaser be
given the impression that he is buying TbScan itself.
3. The evaluation package of TbScan must be presented as a
complete unit. It is not allowed to distribute the program or
the documentation separately.
4. Neither TbScan nor its documentation may be amended or altered
in any way.
5. By granting you the right to distribute the evaluation form of
TbScan, you do not become the owner of TbScan in any form.
6. ESaSS accepts no responsibility in case the program
malfunctions or does not function at all.
7. ESaSS can never be held responsible for damage, directly or
indirectly resulting from the use of TbScan.
8. Using TbScan means that you agree on these regulations.
Any other use, distribution or representation of TbScan is
Page 2
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
expressly forbidden without the written consent of ESaSS.
1.3. Disclaimer
Neither ESaSS B.V. nor anyone else who has been involved in the
creation, production or delivery of TbScan or this manual makes any
warranties with respect to the contents of the software or this
manual and each specifically disclaims any implied warranties of
merchantability or fitness for any purpose. ESaSS B.V. reserves the
right to revise the software and the manual and to make changes from
time to time in the contents without obligation to notify any
person.
1.4. Trademarks.
TbScan, TbScanX and Thunderbyte PC Immunizer are registered
trademarks of ESaSS B.V.. All other product names mentioned are
ackowledged to be the marks of their producing companies.
1.5. Registration.
THIS IS NOT FREE SOFTWARE! If you paid a "public domain" vendor for
this program, you paid for the service of copying the program, and
not for the program itself. Rest assured that nothing ever gets to
the originators of this product from such a sale. You may evaluate
this product, but if you make use of it, you must register your
copy.
To register: fill in the file REGISTER.DOC and return it to us.
We offer several inducements to you for registering. First of all,
you receive the most up-to-date copy of the program that we have
(we do update the product on a regular basis). You also receive
support for TbScan, which can be quite valuable at times. You also
receive complete printed documentation for the product. A
"do-it-yourself" update service is offered to registered users
through our own support BBS. And finally, we include an evaluation
package of some of our other software products. This version of
TbScan is fully functional, except for option -extract, which can
be used to define your own signatures for yet unknown viruses.
This advanced option is available for registered users only.
Once you registered TbScan all future upgrades are for free.
Thunderbyte users are automatically licensed to use TbScan on the
machine where the Thunderbyte add-on card is installed.
1.6. The registration key
Page 3
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
Registered users receive a key file named TbScan.KEY. The key file
contains some information like the license number and name of the
license holder.
It is NOT allowed to sell or give away the key file TbScan.KEY.
TbScan searches for the key file in the current directory. If it
does not find it it searches in the same directory as the program
file TBSCAN.EXE itself is located (only DOS 3+).
If the key file is corrupted or invalid, TbScan continues without
error message, but in that case you are running a SHARE-WARE version
instead of the registered version. If your key is only valid for
TbScanX.Exe (the memory resident version), TbScan ignores it.
Page 4
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
2. INTRODUCTION
2.1. Purpose of TbScan
TbScan is a program that was developed to trace viruses, Trojan
Horses and other threats to your valuable data. It is a so-called
virus scanner.
A virus scanner is a program that is able to search a virus
signature that has been determined beforehand. Most viruses
consist of a unique sequence of instructions, called a signature,
so by means of checking for the appearance of this signature in a
file we can see whether or not a program has been infected.
By searching all your program files for the signatures of all
viruses already identified you can easily find whether your system
has been infected and, if that is the case, with which virus.
Every PC owner should use a virus scanner frequently. It is the least
he or she can do to avoid possible damage caused by a virus.
2.2. A Quick start
Although we recommend to read this complete manual carefully, here are
already some directions how to use TbScan:
Type "TbScan C:\". This will be sufficient for a standard scan session.
It is allowed to specify more drives: "TbScan C:\ D:\".
The invokation syntaxis is:
TBSCAN [@][<path>][<filename>]... [<options>]...
If you experience any problems using TbScan, specify the -compat
option: TbScan C:\ -compat
For fast online help type "TbScan -?" or "TbScan -help". The latter
will provide a more detailed description of the command line
options.
2.3. Historical overview
Some years ago the community was confrontated with a new
phenomenon: Computer viruses. In the early days of computer viruses
people had to look into an infected file to determine whether it
has been infected by looking for a virus specific code pattern. It
doesn't take long before programmers created little programs that
were able to tell whether a specific program was infected or not.
Enhanced versions of these programs were able to search
automatically for all files. In a short time there were
Page 5
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
dedicated scanner programs for every known virus. When the number
of viruses increases, programmers started to combine several scan
programs into one, the multi-string scanner was born.
These scanners worked fine, but the amount of viruses was growing,
and the need for frequent updates increased. The number of scanning
programs also increased, and scanning programs detected the
internal search patterns (signatures) of each other thinking they
had found a virus, and a lot of people get confused by these false
alarms.
A solution to both of these problems was to separate the search
engine and the signatures. Signatures can be distributed more
quickly and via text media, and by separating the search patterns
from the executable file, other scanners were no longer triggered
by these search patterns.
TbScan uses a file with the name Virscan.Dat, originally created
for a program called Virscan.Exe. When Virscan.Exe was developed,
the number of viruses was still little compared with the current
situation. When the number of viruses increased, Virscan slows down
for every signature added.
At that time we developed the Thunderbyte add-on card, an universal
anti-virus device. Since Thunderbyte recognizes virus activities
rather than signatures, it can only tell whether a system is
infected, but it will never be able to tell you the name of the
virus. To overcome this, we decided to supply a virus scanner with
our product, and we developed TbScan.
We introduced many very sophisticated idea's in the first version
of TbScan, and today, many competitive products have adapted some
of these new idea's. Some of these idea's are: the use of wildcards
in the signature, scanning the memory of the PC, scanning only
specific parts of a file rather than the complete file, etc.
2.4. Benefits
By now already lots of virus scanners have been developed. However
TbScan has a number of important and unique characteristics. These
are:
2.4.1. Speed
Most virus scanners do not operate very fast. This is
nevertheless very important because you are surely one of those
people who do not like to stare at their display for a quarter
of an hour. When a program works slowly it is used less often,
that is a fact. And even the best virus scanner is worthless
when it is not used. Our goal was to create a scanner even fast
enough to be invoked from within the autoexec.bat file every
morning.
Page 6
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
The high speed is achived by many smart measures. For instance,
it is not required to scan a complete file to find a virus, and
TbScan will disassemble the file to locate the viral code. The
search routine itself is highly optimized, TbScan has an
internal scan-specific disk cacher, etc. For more information
about the internals of TbScan read chapter 6.2.
The speed depends on many system characteristics, so we will
not tell you how many times faster TbScan performs, but you can
easily test it by yourself. The speed of our program has been
increased with almost every new release, and the current
version is faster than every other scanner known to us. Try it
yourself!
TbScan is designed to scan for a large amount of virus
signatures. The current version of TbScan is able to scan for
over 2500 signatures (without additional memory requirements).
Because of its design, TbScan will not slow down if the number
of signatures increases. It doesn't matter whether you scan an
item for 10 or 1000 signatures.
TbScan carries some special routines to check a stack of
diskettes at a high speed. You don't have to signal TbScan
via the keyboard that a diskette has been changed: It
determines this completely automatically.
2.4.2. Reliability
TbScan checks itself immediately after invokation. If it
detects that it is infected it aborts with an error. This
reduces the chance that TbScan transfers a virus to another
machine after being infected.
TbScan can bypass viruses that are already active in memory.
This is possible through a built-in interrupt debugger!
TbScan detects even unknown viruses, because the built-in
disassembler is able to detect suspicious instruction sequences
and abnormal program lay-outs.
A lot of viruses are memory resident, which means they lodge
themselves in the memory of your computer. From there they can
easily influence all active programs you use. There are already
viruses that "desinfect" a program file, as soon an attempt is
made to read it. When such a virus is active, a virus scanner,
reading a program file in order to check it, finds that the
file is not infected (which is true at that moment). But after
the program file has been read the file is immediately infected
again. So the virus scanner reports that no virus has been
found, but in reality it is actually there.
Page 7
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
TbScan offers a unique solution for this problem: it contains
an automatic debugger that works its way through the chain of
interrupts "single stepping" until it reaches the DOS program
code. It saves the address which is then found and uses it for
the communication with DOS. In this way most viruses will not
see anything of the operations of TbScan.
TbScan is able to scan Upper Memory and the HMA. Most of the
other scanners (still) don't recognize this memory.
TbScan scans the video memory of your PC. Most anti-virus
products are not aware of the fact that it is possible to
install TSR's (and also viruses) in the unused video memory.
TbScanX (the resident version of TbScan) for instance even has
a special mode to store the signatures in unused video memory.
TbScan scans all memory, including the video memory, just to be
sure.
TbScan is able to search a complete disk at sector level. This
way no virus can remain undetected. Even already killed viruses
can be detected this way.
TbScan is able to detect mutants of a virus. A mutant is a virus
that has been modified slightly and therefore does not match the
signature anymore. TbScan is able to detect such a mutant, even
if no wildcards are used in the virus signature.
TbScan is able to detect droppers of bootsector viruses. A
dropper is a program that is not infected, but that is intended
to install the bootsector virus on your system.
2.4.3. Flexibility
TbScan is fully programmable by means of a data file.
Most of the time viruses spread quickly. After a new virus has
been found there is often no time to adapt your virus checker
in order to make it capable of recognizing this new virus. That
is why TbScan uses a data file in which the signatures of the
viruses occur. This file can quickly be adapted, possibly by
yourself, for example when you are informed of a new virus
through the media. TbScan supports among other things the
format which is used in the file "Virscan.Dat". This file is
regularly updated and can be obtained at a lot of data banks.
TbScan supports wildcards in the signature. Many viruses are
adapted and converted to other viruses by the public. Such a
modified virus -a mutant- looks the same as the original virus,
but the part that contains the signature is often changed.
Scanners don't recognize the mutant anymore, and a new
signature must be extracted. TbScan is designed to approach
this problem different: by replacing the modified parts of the
Page 8
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
signature by wildcards TbScan can still recognize all instances
of a virus. That implies that all mutants of for instance the
Jerusalem/Plo virus are covered by just one signature rather
than 25 as some other scanners require. This also explains why
TbScan has "only" 300 signatures but still detects all 800
viruses.
There are viruses that are so completely encrypted that it is
no longer possible to define any signature for them, even if
using wildcards. The "washburn" related viruses (like 1260 and
Casper) are such viruses. The only way to detect these viruses
is by doing an algorithmic recognition. TbScan is the first
scanner that implemented the use of so called AVR (Algorithmic
Virus Recognition) modules, which contain a dedicated routine
to detect a specific virus. An AVR-module is extremely
flexible, it can perform almost any operation necessary to
detect a specific virus.
TbScan offers registered users to define their own signatures
by using the -extract option. You don't have to be an assembler
programmer to define a signature in an emergency situation!
2.4.4. Smart scanning
TbScan is not just a scanner, it is a disassembling scanner.
This means that TbScan not only scans the file but also
interpretes the contents and adjust the scanning algorithm to
gain the highest reliability and speed. With reliability we
not only mean a low "false negative" ratio, but also a low
"false positive" ratio. The best scanner is not a scanner that
yells "virus!" for every file, but a scanner that only yells
"virus!" if there IS really a virus in the file.
Besides the adjustment of the scanning algorithm, TbScan also
displays additional information about the file. It can detect
instruction sequences that are intended to write to disk
directly, to make code resident, to decrypt code, etc. TbScan
even flags files as being infected with an unknown virus if the
disassembly shows that the file contains a virus but a matching
signature can not be found. All this information is displayed
while scanning, and all in the same scan pass!
2.5. Limitations of scanners
Although TbScan is a very sophisticated scanner, it is a scanner,
and all scanners have some disadvantages in common:
+ They cannot prevent infection.
Virus scanners can only tell you whether or not your system has
been infected and if so, whether any damage has already been
done. By then only a good (non-infected) backup can still save
you.
Page 9
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
+ They can only recognize viruses that have already been
identified. When a new virus has been launched it will take a
while before someone discovers it. After that it will take some
time before a reliable signature is distilled from the virus
and it will also take a while for you to get hold of the newest
Virscan.Dat. All this means that there is a real chance that
your system is infected at a moment virus scanners have not yet
recognized "your" virus!
+ You will have to do an active operation in order to protect
your system: namely executing the virus scanner. At least once
a week one should boot from a trusted and write-protected
diskette and execute the scanner, since some viruses can
perfectly hide themselves once resident in memory. It is an
illusion that employees perform this task correctly. For
company use we recommend additional protection, like a
permanently active immunizer such as the Thunderbyte add-on
card.
2.6. Who are we?
TbScan is developed by Frans Veldman, chief executive of the
ESaSS company. ESaSS is the company that developed the well known
Thunderbyte card, the first hardware PC immunizer, and has
therefore a lot of experience and knowledge of viruses and
assembler written system software. Of course we also have a large
collection of viruses to test our products.
Page 10
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
3. USAGE OF THE PROGRAM
3.1. System requirements
TbScan runs perfectly on standard machines. "The limits are
limited".
+ TbScan requires 184 Kb of free memory. If you use a log file
TbScan needs an additional 16 Kb of memory for the log file
buffer. TbScan also allocates memory to keep all AVR modules
in memory. If there is still memory left it will be used for
cache buffers to increase the scan speed. Note that the memory
requirements are independend from the amount of signatures. The
current memory requirements already incorporate memory to
manage at least 2500 signatures.
+ DOS version 2.11 or later is sufficient to run TbScan. However,
Dos 3.3 or higher is recommended, since TbScan is optimized
and primary designed for use with these DOS versions.
+ Directories may be nested up to 20 levels.
+ The summed size of all AVR-modules should not exceed 64Kb.
3.2. Program invokation
TbScan is easy to use. The syntaxis is as follows:
TBSCAN [@][<path>][<filename>]... [<options>]...
Drive and path show from where should be searched. To search the
disk C:\ and disk D:\ you have to enter:
TBSCAN C:\ D:\
When no filename has been specified but only a drive and/or path,
then the specified path will be used as top-level path. All its
subdirectories will be processed too.
When a filename has been specified then only the specified path
will be searched. Subdirectories will not be processed.
Wildcards in the filename are allowed. It is allowed to specify
"*.*". All executable files will be processed. If you want the
non-executables to be processed too, then you have to specify the
"-analyze" parameter in combination with the filename.
"TBSCAN TEST.DAT" will always cause that no file will be processed:
TEST.DAT is not an executable file. In this case you have to
specify the -analyze parameter. (Since a .DAT file is not executable
TbScan should be prevented from disassembling such a file because the
results would not be reliable. The -analyze option prevents TbScan
Page 11
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
from disassembling the file).
You can also specify a list file to TbScan. A list file is
a file that contains a list of paths/filenames to be scanned.
Preceed the file with the character '@' on the TbScan command line:
TBSCAN @TBSCAN.LST
3.3. While scanning
TbScan divides the screen in two windows: an information window and
a scanning window. The upper window is the information window and
it initially displays the comments of the data file.
If TbScan detects infected files the names of the file and the
virus will be displayed in the upper window. The information
will stack up and scroll off the screen if it doesn't fit anymore.
The divider line between the two windows displays the directory
containing the file being processed, the number of signatures
scanning for, and the disk cacher hit-rate.
The divider bar looks like this:
C:\TEST\SUBDIR\ Virus families: 356^ Cache hit 73%
The caret (^) after the number of virus families indicates that
TbScan has linked in some AVR (Algorithmic Virus Recognition) modules.
The amount of AVR modules are added to the virus family counter.
The cache hit indicator displayes the percentage of fat- or
directory information that has been retrieved from the cache
buffers, or with other words, the percentage of disk access saved.
Note that the cache hit only applies for the fat- and directory
sectors, the contents of files will never be cached and will not
be reflected in the cache hit indicator.
The line directly below the dividor line is reserved for TbScan
comments. It contains the rotating "I am still alive" indicator,
and should normally display license information.
The lower window displays the file being processed, the algorithm
in use, info- and warning characters, the progress, and finally an
OK-statement or the name of the virus detected.
You will see one of the next five terms behind every file name:
"Checking", "Tracing", "Browsing", "Analyzing" and "Skipping". This
indicates the algorithm used to scan the file.
Behind these terms TbScan can display some warning characters.
Consult chapter "Warnings" for individual meanings of these
characters.
Page 12
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
Behind these terms you will see that, dependent on size, structure
and kind of file, a number of plus signs appear. These indicate the
amount of code chunks that have been processed. The current version
of TbScan processes data in chunks of 32 Kb.
The process can be aborted by pressing Ctrl-Break.
3.4. Detecting viruses
As soon as an infected program is found, the name of the virus will
be displayed. If you did not specify one of the options -batch,
-rename or -delete, TbScan will prompt you to delete or rename the
infected file, or to continue. If you choose to rename the file,
the first character of the extension will be replaced by the
character "V". This prevents the file from being executed
accidentially until further investigation.
When TbScan detects a file it will display:
Infected by [name of virus]
It is however possible that TbScan detects a bootsector virus
dropper. A dropper is a program that is not infected, but contains
a bootsector virus and is able to install it on your bootsector.
If TbScan detects a bootsector virus is some type of files it
displays:
Dropper of [name of virus]
If the -mutant option has been specified, and TbScan detects a
non-100% signature match it displays:
Possibly infected by [name of virus]
If the -mutant option has been specified and TbScan detects a
combination of suspicious facts it displays:
Possibly infected by an unknown virus
TbScan needs to access the data file to get the name of a virus. If
it can not access the data file it displays [Can not read datafile]
instead of the virus name.
3.5. The warning marks
TbScan is not just a scanner. It also disassembles the file being
processed. This serves three purposes, by disassembling the file
the scanner can restrict itself to the area of the file where the
virus might reside, it makes it possible to use algorithmic
detection on viruses that don't have a signature, and it makes it
possible to detect suspicious instruction sequences. If TbScan
detects suspicious instruction sequences it prints a warning mark
or message.
Page 13
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
Warning marks consist of a single character that might be printed
behind the name of the file being processed. There are two levels
of warnings: the informative ones are printed in a lowercase
character, and the more serious warnings are printed in an uppercase
character. The "lowercase warnings" are intended to attent special
characteristics of the file being processed, and the "uppercase
warnings" may indicate a virus. If the -info option has been
specified the important warnings will not only appear as a warning
character, but there will also be a description printed in the
upper window.
How should you treat the warnings? The less important warnings can
be considered as "information only". They indicate nothing special
but provide you information you might be interested in. The warning
marks printed in uppercase indicate more interesting information
that MIGHT indicate a virus. It is quiet normal that you have some
files on your system which trigger an uppercase warning. In fact,
DOS 5.0 comes with at least two files that trigger a serious
warning: FORMAT.COM and SORT.EXE. TbScan detects a "suspicious
relocator" in FORMAT.COM and an "inconsistent header" in SORT.EXE.
Both warnings are complete rightly. More about that later. Note
that viruses infect other programs; it is highly unlikely to find
only one of a very few infected files on a hard disk used
frequently. You should ignore the warnings if only a few programs
trigger the same warning. But, if your system behaves "strange" and
many recently used programs cause TbScan to issue the same serious
warning (or even combinations of serious warnings), your system
might be infected by a (yet unknown) virus. Almost all viruses in
our collection cause one or more serious warnings to be displayed.
So, don't get upset if TbScan warns you about a few files on your
system. But get suspicious if many files cause the same serious
warning or combinations of serious warnings.
3.5.1. R - Suspicious relocator.
The character 'R' warns for a suspicious relocator. A relocator is
a sequence of instructions that change the proportion of CS:IP. It
is often used by viruses, especially COM type infectors. Those
viruses have to relocate the CS:IP proportion because they are
compiled for a specific location in the executable file, and a
virus that infects another program can almost never use its
original location in the file (it is appended to the file). Normal
programs "know" their location in the executable file, so they
don't have to relocate themselves. On normal systems only a few
percent of the programs should cause this warning to be displayed.
Tests on a large collection of viruses shows that TbScan issues
this warning for about 65% of all viruses. The DOS FORMAT.COM
program causes this warning to be displayed too. This is rightly,
because Microsoft did some strange things with this program. It
appears that the file was originally a .EXE file which has been
converted into a .COM file by adding a sort of shell. (What is
actually the difference between infecting a file and converting it
Page 14
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
this way?) Anyway, you should ignore this warning for the DOS
FORMAT program. TbScan uses the "analyze" or "browse" algorithm on
programs which contain a suspicious relocator. Just for sure!
3.5.2. T - Invalid timestamp.
The timestamp of the program is invalid. The seconds of the
timestamp are illegal, or the date is illegal or later than the
year 2000. This is suspicious because many viruses set the
timestamp to an illegal value (like 62 seconds) to mark that they
already infected the file, preventing themselves to infect a file
for a second time. It is possible that the program being checked is
contaminated with a virus that is still unknown, especially if many
files on your system have an invalid timestamp. If only a very few
programs have an invalid timestamp you'd better correct it and scan
frequently to check that the timestamp of the files remain
correctly.
3.5.3. ! - Branch out of code.
The program has an entry point that is located outside the file's
body, or a chain of "jumps" traced to a location outside the
program file. The program being checked is probably damaged, and
can not be executed. Anyway, TbScan does not take any risk and uses
the analyze or browse method to scan the file.
3.5.4. # - Decryptor code found.
The file possibly contains a self-decryption routine. Some
copy-protected software is encrypted so this warning may appear
for some of your files. But if this warning appears a lot, or in
combination with by example the T-warning, there could be a virus
involved! Many viruses encrypt themself and cause this warning to
be displayed.
3.5.5. D - Direct disk access.
This warning is displayed if the program being processed has
instructions near the entry-point to write to a disk directly. It
is normal that some disk related utilities cause this warning to be
displayed (like Undelete.Exe). As usual, if many of your files
(which have nothing to do with the disk) cause this warning to be
displayed your system might be infected by an unknown virus.
Note that a program that accesses the disk directly should not
always be reported with the D-indicator. Only when the direct disk
instructions are near the program entry point it will be reported.
In case of a virus the offending instructions are always near the
entry point and so they will always be reported.
3.5.6. N - Wrong name extension.
Page 15
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
Name conflict. The program carries the extension .EXE but appears
to be an ordinary .COM file, or it has the extension .COM but the
internal layout of an .EXE file. TbScan does not take any risk in
this situation, but scans the file for both EXE and COM type
signatures.
3.5.7. M - Memory resident code.
TbScan has found instruction sequences which could make the program
to remain resident in memory or to hook into important interrupts.
Almost all TSR (Terminate and Stay Resident) programs will trigger
this warning, because hooking into interrupts or remaining
resident belong to their normal behaviour. However if a lot of
normal programs (not intended to be a TSR) have this warning mark
it is suspicious. It is possible that the files are infected by a
virus that remains resident in memory. Note that this warning does
not appear for all TSR-programs, nor does it always mean that when
this warning appears the program is a TSR program. With other
words, the TSR detection is not 100% proof.
3.5.8. F - Suspicious file access.
TbScan has found instruction sequences common to infection schemes
used by viruses. This warning will appear for a few programs that
are able to create or modify existing files. However, if this
warning appears a lot, the files might be infected, especially if
the warning is accompanied by other serious warnings.
3.5.9. ? - Inconsistent header.
The program being processed has an exe-header that does not reflect
the actual program layout. The DOS SORT.EXE program will cause this
warning to be displayed, because the actual size of the program
file is less than reported in the "size-of-load-module" field in
the exe-header! Many viruses do not update the exe-header of an EXE
file correctly after they have infected the file, so if this
warning appears a lot it seems you have a problem. You should
ignore this warning for the DOS SORT.EXE program. (Hopefully will
MicroSoft correct the problem before the next release of DOS).
3.5.10. E - Read or open error.
The file could not be opened or read. This can be the result of an
error on the disk(ette), but the file could also be in use by
another task (multitasking) or network user. The file has not been
scanned.
3.5.11. J - Multiple jumps.
The program did not start at the program entry point, but the code
has jumped at least two times before reaching the final startup
code, or the program jumped using a memory operand. This is rather
Page 16
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
strange for normal programs. If many files cause this warning to be
displayed you should investigate your system thorougly.
3.5.12. p - Packed or compressed file.
The program is packed or compressed. There are some utilities that
are able to compress a program file, like EXEPACK or PKLITE. If the
file is infected after the file has been compressed, TbScan will
be able to detect the virus. However, if the file has been infected
before it was compressed, the virus is also compressed, and a virus
scanner might not be able to recognize the virus anymore.
Fortunately, this does not happen a lot, but you are warned! A new
program might look clean, but can turn out to be the carrier of a
compressed virus. Other files on your system will be infected in
that case, but these infections will be normally visible for virus
scanners.
By the way, TbScan does not recognize specific compression
utilities, but uses an universal way to detect any compression
program. Probably TbScan does not require any modifications as soon
as a new compression program pops up.
3.5.13. w - Windows or OS/2 header.
The program can be or is intended to be used with Windows (or OS/2).
TbScan does nothing special with these files, but that might be
changed in the future as soon as Windows or OS/2 specific virusses
occur.
3.5.14. h - Hidden or System file.
The file has the "Hidden" or the "System" file attribute set. This
means that the file is not visible at a normal directory display
but will be scanned anyway. if you don't know the source and
purpose of this file it might be a Trojan or "joke" program. Copy
it on a diskette, remove it from your hard disk and check if some
program is missing the file. If no program is missing it, well, you
have freed some diskspace, and maybe your system saved for a
future disaster.
3.5.15. i - Internal overlay.
The program being processed has additional data or code behind the
load-module as specified in the exe-header of the file. The
program might have internal overlay(s) or configuration information
appended behind the load-module of the EXE file.
3.5.16. s - Unusual stack.
The EXE file being processed has an odd (instead of even) stack
offset or no stack at all. Many viruses do not setup a legal stack.
Page 17
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
3.6. Command line options
It is possible to specify so-called options on the command line.
Tbscan recognizes option-characters and option-words. The words are
more easy to remember, and they will be used in this manual for
convenience.
-help, -h =help (-? = short help)
-info, -i =display disassembly information
-quick, -q =quick scan
-more, -m =enable "More" prompt
-mutant, -y =enable fuzzy search
-direct, -d =direct calls into DOS/BIOS
-analyze, -a =force analyze/all files
-extract, +a =extract signature
-valid, -u =force authorization
-once, -o =only once a day
-compat, -c =maximum-compatibility mode
-nosnow, -t =avoid snow on CGA monitors
-noboot, -s =skip bootsector
-sector, +s =scan all disk sectors
-nomem, -r =don't scan memory
-allmem, +r =scan for all viruses in memory
-hma, +e =scan HMA too
-nohmem, -e =don't scan UMB/HMA
-nosub, -n =don't scan in sub directories
-sub, +n =process sub directories
-noavr, -j =do not search for AVR modules
-del[ete] -z =delete infected files
-batch, -b =don't ask keyboard input
-repeat, -x =scan multiple diskettes
-loginfo, -w =log files with a lowercase warning too
-logall, +w =log all files unconditionally
-log [<filename>], +l [<filename>] =append to log file
-session [<filename>], -l [<filename>] =create session log file
-data <filename> -f <filename> =data file to be used
-ren[ame] [<ext mask>], +z [<ext mask>] =rename infected files
3.6.1. -help
If you specify this option TbScan displays the contents of the of
the TbScan.HLP file if it is available in the home directory of
TbScan. If you specify the -? option you will get the option
summary as listed above.
3.6.2. -info
If you are an experienced user we recommend you to use this option.
If you do so, TbScan will display the most important warnings
with the complete pathname of the concerned file in the upper
window.
Page 18
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
3.6.3. -quick
This option enables you to quickly scan the system. It is intended
to be used in the "afternoon scan" of the system. It is recommended
to invoke TbScan once a day without this option because this option
does not offer you the highest security. .OVL, .BIN and .SYS files
are skipped entirely since it is not likely that these files are
infected, memory scan is skipped, the scan frame is reduced to
2Kb instead of 4Kb, and TbScan does not fall back to the analyze
routine as often as usual. However, TbScan still detects 95% of the
viruses if this option is specified.
3.6.4. -more
When you enter the parameter -more TbScan will stop after it has
checked the contents of one window. This gives you the
possibility to examine the results without using a log file.
3.6.5. -mutant
TbScan is able to detect mutants of viruses while performing a
normal (default) scan, since many of the signatures contain
wildcards. However, if you use the -mutant option TbScan does not
restrict itself to the wildcard specification, but allows up to two
extra changes anywhere in the signature. Needless to say, if you
use this option false alarms may occur. Therefore this option is
not recommended to be used in a normal scan session. However, you
can use this option if you expect the system is infected but TbScan
does not detect a virus. If you scan again and specify the -mutant
option, and TbScan now reports many files to be "possibly infected"
with one virus, it might be possible that the files are infected by
an unknown variant of the virus. It is recommended to supply one
such a possibly infected file to a virus expert before invoking a
clean up operation.
3.6.6. -direct
TbScan communicates with DOS through interrupt 21h. To prevent this
from being "monitored" by viruses, option -direct can be entered.
TbScan will use its built-in debugger to trace through the
chain of interrupts until it has reached the DOS entry point. This
address is shown on the display and after that moment it will be
used for the communication with DOS. The same applies to the
communications with the disk system: TbScan first searches for the
entry point of the BIOS, and performs direct calls into it.
Resident programs, such as viruses, are then excluded from taking
part in the virus scan process.
This implies however that the regular resident programs remain
ignorant too with regard to the file access by TbScan. That is why
it is not recommended to use this option when you use a multitasker
or when you are connected to a local area network.
Page 19
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
Also note that many protection software packages will be fooled by
TbScan when using the -direct option. Don't be surprised when
TbScan scans files you don't actually have any access to...
When you use this option do not popup resident programs while
TbScan is active! This is because resident programs do not know
that some foreground program performs file access and a machine
hang might occur.
When you have installed the Thunderbyte card in your PC, TbScan
will not search for the DOS entry point, but for the entry point of
Thunderbyte. Otherwise Thunderbyte should warn you (correctly)
that a program performs direct calls into DOS and the BIOS. So
only Thunderbyte remains between TbScan and DOS/BIOS. Since no
viruses can be inserted between Thunderbyte and DOS/BIOS, this is
completely safe.
3.6.7. -analyze
Normally TbScan only uses the analysis method when the program to
be checked is too complicated for the builtin interpreter. But
through option -analyze you can force TbScan to use the analysis
or browse method always. Keep in mind though that the program will
perform more slowly and that false alarms may occur. Therefore it
is recommended to refrain from this option while performing a
normal scan session. Since this option also disables the internal
disassembler of TbScan, most warning marks will not occur,
bootsector virus droppers will not be detected, and the AVR
modules will not be executed.
The -analyze option can not be used if the -mutant option has been
specified too. It would cause too many false alarms. If you expect
a virus and TbScan does not find a virus, you'd better use the
-mutant option rather than -analyze. The -analyze option does
not increase the hit rate like the -mutant option.
If you have the odd feeling that you have to increase the hit rate
of TbScan you'd better use the -mutant option rather than the
-analyze option. The -mutant option already detected some new
unknown viruses, while the -analyze option did not and caused only
false alarms.
Without this option TbScan processes only executable files, even if
a (wildcarded) filename has been specified. However, if you want to
scan non-executable files you have to use the -analyze option.
TbScan can only scan non-executable files if the -analyze option
has been specified because non-executable files can not be
disassembled. Since there are no specific signatures for
non-executable files TbScan scans for all signatures in all files
just to be able to find anything at all.
So, if you use the -analyze option in combination with an explicite
Page 20
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
filename specification, TbScan scans ALL matching files for ALL
signatures. Needless to say that this combination is NOT
recommended due to its low performance and exessive amount of
false alarms. It is only provided to gain some compatibility with
other scanners.
3.6.8. -extract
This option is available for registered users only. See chapter
"defining a signature" for usage of option -extract.
3.6.9. -valid
TbScan checks the signature file for modifications. If you change
the contents of that file TbScan will issue a warning. If you
don't want the warning to be displayed, use the -valid option.
3.6.10. -once
If you specify this option TbScan "remembers" that is has been used
that day, and it will not run anymore a next time on that day if
you specify this option again. This option is very powerfull if you
use it in your autoexec.bat file in combination with a list file
like:
TbScan @Everyday.Lst -once -rename
TbScan now scans every day the first time being invoked the list of
files and/or paths specified in the file "Everyday.Lst". All other
times the machine will boot that day, TbScan will return to DOS
immediately. This option does not interfere with the normal use of
TbScan: If you invoke TbScan without the -once option it will
always run, regardless of a previous invokation with the -once
option. The opposite is also true: if you use the option -once
after TbScan has been executed before that day without the -once
option, TbScan will still execute.
Note that if TbScan can not write to TbScan.Exe because it is
read-only or located on a write protected diskette, the -once option
will fail and start the scanner always.
3.6.11. -compat
If you specify this option, TbScan tries to behave somewhat more
compatible. Use this option if the program does not behave as
expected or hangs the machine. This option will slow down the scan
process so it should only be used when necessary. Note that option
-compat does not affect the results of a scan.
3.6.12. -nosnow
If you use TbScan on a machine with a CGA video system TbScan
Page 21
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
can cause "snow" on the screen. Option -nosnow can be used to
eliminate the snow. TbScan will perform a little slower in that
case.
3.6.13. -noboot
If you specify this option TbScan will not scan the bootsector.
3.6.14. -sector
This option is experimental. This option enables the feature to
scan a disk at sector level. This way you can trace viruses that
reside outside the files and bootsector and difficult stealth
viruses. This option might also tell you that a virus ever
resided on the machine in the past. If this option detects a
signature it does not mean that the virus should be still active.
Even if TbScan deleted the virus this option is still able to
detect the signature for a while. This option is NOT recommended
for a normal search. Note that TbScan is not able to detect
suspicious facts anymore; it can not disassemble files with this
mode. False alarms may occur frequently since everything is being
searched for, and search is even performed in unused disk space
containing garbage.
3.6.15. -nomem
If you specify this option TbScan will not scan the memory of the
PC for viruses.
3.6.16. -allmem
If you specify this option TbScan will search for all viruses of
the signature file in the memory of your PC, regardless of the
virus type. This option is not recommended since many viruses have
a different signature after they install themself in memory and a
scan for non-memory specific viruses in memory makes no sense at
all. It may cause a lot of false alarms. It is provided to maintain
some compatibility with other scanners.
3.6.17. -hma
TbScan detects the presence of a XMS-driver, and scans the HMA
automatically. If you have a HMA-driver not compatible with the
XMS standard you can use the -hma option to force TbScan to scan
the HMA.
3.6.18. -nohmem
By default TbScan searches for RAM above the DOS limit and scans
that too. This means that even video memory and the current EMS
pages are scanned. You can use the -nohmem option to disable the
scanning of memory above the DOS limit.
Page 22
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
3.6.19. -nosub
TbScan will default search in subdirectories for executable files,
except when a filename (or wildcards) are specified. If you use
this option TbScan will never search in subdirectories.
3.6.20. -sub
If you use this option TbScan will always search in subdirectories,
even when you specify a filename or wildcards. Only subdirectories
matching the filename mask will be scanned too.
3.6.21. -noavr
If you specify this option TbScan will not search for AVR modules
(Algorithmic Virus Recognition modules; .AVR files) at startup and
will not perform any algorithmic searches on files.
3.6.22. -delete or -del
If TbScan detects a virus in a file it prompts the user to delete
or rename the infected file, or to continue. If you specify the
-delete option, TbScan will not ask the user what to do but it just
deletes the infected file. Use this option only if you already
found out that your system is infected, and if you have a trusted
backup, and wants to get rid of all infected files at once.
3.6.23. -rename or -ren
If TbScan detects a file virus it prompts the user to delete
or rename the infected file, or to continue. If you specify the
-rename option, TbScan will not ask the user what to do but it just
renames the infected file. By default, the first character of the
file's extension will be replace by the character "V". A .EXE file
will be renamed to .VXE, and a .COM file to .VOM. This prevents the
infected programs from being executed, but the program can still be
examined or repaired at a later time. You can also add a parameter
to this option specifying the target extension. The parameter
should always contain 3 characters, question marks are allowed. The
default target extension is "V??".
3.6.24. -batch
If TbScan detects a file virus it prompts the user to delete or
rename the infected file, or to continue. If you specify the -batch
option TbScan will always continue. This option is intended to be
used in a batch file that would be executed unattended. It is
highly recommended to use a log file in this situation, otherwise
the scanning does not make very much sense.
3.6.25. -repeat
Page 23
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
The option is very powerfull if you want to check a large amount of
diskettes. TbScan does not return to DOS after checking a disk, but
it waits until you inserted another disk in the drive. You don't
have to press a key on the keyboard when ready, TbScan detects
automatically when the drive is ready to be accessed. This way you
can check a large amount of diskettes without touching the
keyboard. One thing you will notice however is that the motor of
the disk drive keeps spinning, and the light keeps burning. This
does not harm your drive in any way, you can safely open and close
the drive-door while the motor still runs. Many backup programs
handle the drives the same way as TbScan does.
3.6.26. -log
When you use this parameter, TbScan creates a LOG-file. The
default filename is TBSCAN.LOG and it will be created in the current
directory. You may optionally specify a path and filename. In the
LOG-file all infected program files are listed. The filenames are
specified including the complete path name. If the log file already
exists the information will not be overwritten but instead appended
to the file. If you use this option often it is recommended to
delete or truncate the log file every month to avoid unlimited
growth.
3.6.27. -session
This option is the same as the -log option, except that if there
already exists a log file the log information will be overwritten
instead of appended. A log file created by the -session option only
contains information of a single scanning session.
3.6.28. -loginfo
If you use a log file and wants to log files with lowercase
(informative) warnings too you should specify this option.
3.6.29. -logall
If you use a log file and wants to get all files listed in the log
file unconditionally you can use this option.
3.6.30. -data
You can override the default path en name of the signature file by
using this option.
TbScan normally tries to locate a data file by itself. See chapter
3.10 for information how TbScan searches for a data file.
If TbScan does not succeed in recognizing or locating the
appropriate data file by default, or you want to override the
default data search, you should use the -data option.
Page 24
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
3.7. Examples:
TbScan \ -data c:\TbScan.Dat -noboot
Process all executable files in the root directory and its
sub directories. Skip the bootsector scan. Use the
signature file "c:\TbScan.Dat".
TbScan \*.*
Process all executable files in the root directory. Don't
process sub directories.
TbScan Test.Dat -log c:\test.log
No file will be processed. TEST.DAT is not an executable. A
LOG file with the name c:\test.log will be created.
TbScan Test.Dat Test.Tmp -analyze
Search Test.Dat and testp for ALL viruses using the
analyze method.
TbScan c:\ -analyze -rename vi?
Process all executable files in the root directory and
its sub directories. Use the analysis method. Rename
infected files to a file by replacing the first two
characters of the extension by "VI". The last character
remains the same.
TbScan c:\*.* -analyze
Process ALL files in the root directory. Search for ALL
viruses in ALL files. The analysis-method will be used. Sub
directories will not be processed.
The last two examples shows the difference in behaviour of the
-analyze parameter when a filename and when no filename has been
specified.
3.8. Environment variable
If you want to use certain options always, it can be handy to use
the environment variable "TBSCAN" for this. For instance, if you
always use the option -noboot and always specifies the signature
file to be used, you can insert the following line into your
autoexec.bat file:
SET TBSCAN=-LOG -DATA C:\TBSCAN.DAT -NOBOOT
TbScan now always acts like you specified the -noboot and -log
option on the command line!
Another good item to include in the environment variable is the
Page 25
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
option -data, to specify which data file should be used by default.
3.9. The configuration file
For people that like the use of configuration files: TbScan can
be configured with a configuration file. The configuration file
should be in the same directory as the file TbScan.Exe, and the
name of the configuration file should be TBS.BAT (surprise,
surprise). The format of this configuration file is as follows:
tbscan %1 %2 %3 %4 %5 %6 %7 %8 %9 [<default options...>]
Example:
tbscan %1 %2 %3 %4 %5 %6 %7 %8 %9 -direct -data c:\virus\Virscan.Dat
To use this configuration file you have to type "TBS C:\" on the DOS
prompt. If you want to override the default options specified in
the TBS.BAT file just type "TBSCAN".
This configuration file is very powerfull. You can even define
mnemonics like "DAILY" and "WEEKLY" to invoke a predefined scan session.
However, it is still possible to specify additional options on the
command line. If TbScan detects a virus the file Virus.Txt will be
printed on the screen. The file should contain information like the
phone number of the company helpdesk and the phone number of the
security officer.
An example:
@echo off
if '%1'=='daily' goto daily
if '%1'=='weekly' goto weekly
:help
echo Type "TBS weekly" or "TBS daily" to start a scan event
goto end
:daily
tbscan c:\system d:\ -quick %2 %3 %4
if errorlevel 2 goto help
if errorlevel 1 goto virus
goto end
:weekly
tbscan c:\ d:\ e:\ -log c:\logs\tbscan.log %2 %3 %4
if errorlevel 2 goto help
if errorlevel 1 goto virus
goto end
:virus
type virus.txt
:end
For more information about this kind of powerfull "configuration"
files consult the DOS manual and search for the keyword "batch
Page 26
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
files".
Most people overlook the power of the DOS batch file features. But,
why learning yet another configuration file language if a DOS
batch file will suit your needs perfectly? You can predefine scan
sessions, define default options, and branch to a specific routine
if TbScan detects a virus.
On the TbScan diskette you will find an example BATCH file with the
name TBS.BAT. You can edit it to suit your needs.
3.10. The TbScan.Msg file
TbScan prints the TbScan.Msg file on the screen after 15 seconds
or when it finished scanning and it has not detected a virus. The
file TbScan.Msg as supplied by us contains our address and
registration information. However, you can edit this file as you
like, it is possible to define your company logo in this file.
3.11. Residence of the signature files
TbScan looks for the data file in this order:
1) If the -data option is used it will use the specified file.
2) It searches in the active directory for a file with the
name TBSCAN.DAT.
3) It searches for TBSCAN.DAT in the same directory as the
program file TBSCAN.EXE itself is located (only DOS 3+).
4) It searches in the active directory for a file with the
name VIRSCAN.DAT.
5) It searches for VIRSCAN.DAT in the same directory as the
program file TBSCAN.EXE itself is located (only DOS 3+).
TbScan also looks for a datafile containing emergency update
signatures. The file should be named ADDNSIGS.DAT. It should be
either in the current directory or in the TbScan home directory.
3.12. Residence of the AVR modules
The AVR modules are only searched in the directory where the
program TBSCAN.EXE itself resides.
3.13. Error messages
Errormessages that might be displayed:
+ Error in data file at line <number>.
There is an error in the specified line of the data file.
Page 27
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
+ Failed to locate DOS entry point.
TbScan has not been able to locate the DOS entry point, but
continues as if option -direct has not been specified.
+ Limit exceeded.
The total amount of internal signature information exceeded
64Kb. This message will be displayed if the number of
signatures reaches 2500. You can either reduce the number of
signatures or make them shorter.
+ Data file not found.
TbScan has not been able to locate the data file.
+ Command line error.
An invalid or illegal command line or environment option has
been specified.
+ Can not combine -mutant with -analyze.
It is not allowed to combine the options mentioned, it would
cause too many false alarms, and does not make sense at all.
+ No matching files found.
The path specified does not exist, is empty, or the specified
file does not exist.
+ No matching executable files found.
The path specified does not exist, is empty, or the specified
file does not exist or is not an executable file.
+ Can not create logfile.
The optional specified log file path is illegal, the disk is
full or write protected, or the file already exists and can not
be overwritten.
+ Sanity check failed!
TbScan detected that its internal checksum does not match
anymore. TbScan is possibly contaminated by a virus.
Obtain a clean copy of TbScan, put it on a WRITE PROTECTED
bootable diskette, boot from that diskette, and try again!
Page 28
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
4. FORMAT OF THE DATA FILE
4.1. Format of a signature entry
The data file (called TBSCAN.DAT or VIRSCAN.DAT) can be read and/or
modified with every DOS-text editor.
All lines starting with ";" are comment lines. TbScan ignores these
lines. When the ";" character is followed by a percent-sign the
remaining part of the line will be displayed on the screen. A
maximum of 8 lines can be printed on the screen.
In the first line the name of a virus is expected. The second line
contains one or more of the next words:
BOOT SYS EXE COM HIGH LOW
These words may be separated by spaces, tabs or commas.
BOOT means that the virus is a bootsector virus. SYS, EXE and COM
indicate the virus can occur in files with these extensions.
Overlay files (with the extension OV?) will be searched for EXE
viruses. BIN files will be searched for SYS viruses. HIGH means
that the virus can occur in the memory of your PC located above the
TbScan program itself. LOW means that the virus can occur in the
memory of your PC located below the TbScan program itself.
In the third line the signature is expected in ASCII-HEX. Every
virus character is described by means of two characters.
One entry in the signature file should look like:
;
Test virus
EXE COM
ABCD21436587ABCD
;
It is allowed to use spaces in the ASCII-HEX signature to increase
the readability.
The sequence of three lines should be repeated for every virus.
Between all lines comment lines may occur.
4.2. Wildcards
TbScan allows you to use wildcards in a signature. Wildcards can be
used to define one signature that recognizes a couple of related
viruses.
- The ? wildcard.
Page 29
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
The question mark specifies a wildcard nibble, which means that
the corresponding half of the byte may have any value.
Example:
A5E623CB??CD21?883FF3E
- The * wildcard.
You can use the asterisk followed by an ASCII-HEX character to
skip a fixed amount of bytes in the signature. The ASCII-HEX
character specifies the amount of bytes that should be skipped.
Example:
A5E623CB*3CD2155??83FF3E?BCD
This sequence of bytes will be recognised as a virus:
A5E623CB142434CD21554583FF3E3BCD
- The % wildcard.
A percent sign (%) followed by an ASCII-HEX character indicates
that the remaining part of the signature could be located a
number of bytes away. The ASCII-HEX character specifies the
maximum distance the remaining part should occur.
- The ** wildcard.
You can use the "**" -wildcard to skip an unlimited variable
amount of bytes in the signature.
4.3. Restrictions.
+ The name of a virus may contain up to 30 characters.
+ The ASCII-HEX signature may contain up to 132 characters.
+ A signature must contain at least one sequence of two
non-wildcard bytes. A sequence of four however is recommended.
+ The signature should start with one non-wildcard byte.
+ The %-wildcard should not be followed by any other wildcard.
Examine the VIRSCAN.DAT or TBSCAN.DAT file for a "live" example of
the format of the signature file.
4.4. Defining new signatures.
This chapter is intended for advanced users only. You need to be
registered (owning a TbScan.Key file or a Thunderbyte add-on card)
to be able to use the following guideline.
Page 30
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
Although the supplied data file is updated frequently it might
happen that your system is infected by a yet unknown virus. Next
chapter indicates how to determine this is the case. If you are
completely sure the system is infected by a virus, and TbScan does
not detect it, it fails even with the -mutant option, TbScan can be
used to define a temporary signature.
- Collect some infected files and copy them into a temporary
directory.
- Boot from a clean write-protected diskette. The next steps you
should NOT execute ANY program from the infected system, even
when you expect the program to be clean.
- Execute TbScan with the -extract option in the directory
containing the infected files. TbScan will NOT scan but instead
display the first instructions at the entry-point of the
infected programs. It is recommended to use the -session
option of TbScan.
- Compare the "signatures" produced by TbScan. You should see
something like this:
VIRUS1.COM 1234ABCD5678EFAB909090ABCD123478FF
VIRUS2.COM 1234ABCD5678EFAB901234ABCD123478FF
VIRUS3.COM 1234ABCD5678EFAB9A5678ABCD123478FF
If the "signatures" are completely different, the files are
possibly not infected, or they are infected by a virus that
requires an AVR module to detect it.
- Replace all differences in the "signatures" by question marks
("?"). A signature to detect the "virus" in the example above
could be: 1234ABCD5678EFAB9?????ABCD123478FF
- Add the signature to the data file of TbScan. Give the virus a
name and specify the EXE and COM keywords.
- Run TbScan again in the directory containing the infected
files. TbScan should now detect the virus.
- Send a couple of infected files to a recommended anti-virus
researcher, preferrable to us.
Congratulations! You have defined a "do-it-yourself" signature! Now
you can scan all your machines to search for the new virus.
However, keep in mind that the signature is a "quick-and-dirty"
solution. Some instances of the virus might not be recognised, and
some innocent programs might be suspected from a virus. A signature
that is guaranteed to detect all instances of the virus can be
achieved only after complete disassembly of the new virus. For
these reasons you should NOT distribute the "signature" to others.
The final signature assembled by experienced anti-virus researchers
will be completely different in most cases!
Page 31
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
Page 32
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
- The size of one or more programs has increased.
- The screen behaves strangely, or you will find unusual
information displayed here.
5.1. Prevention - ChkDsk detects many errors.
Prevention is always better than cure. You can prevent an infection
by using reliable software only, that is software of which the 5.2. Confirmation
origins are known.
Once you think your system may have a virus, try to get
MAKE SURE YOU HAVE AN UNINFECTED WRITE-PROTECTED BOOTABLE DOS DISK confirmation. You can get confirmation by using a virus scanner, or
STORED IN A SAFE PLACE. The disk will be needed in case of by booting from the uninfected write protected DOS diskette and
infection. Without an uninfected bootable disk you will never be comparing the files on the hard disk to the known uninfected
able to get rid of any virus! The disk should be write protected to original copies. DO NOT RUN ANY PROGRAM ON THE HARD DISK WHILE
make sure it will remain uninfected. This is very important. AND BEFORE PERFORMING THIS TEST TO PREVENT THE VIRUS GOING RESIDENT
IN MEMORY. If the files have not been changed there is no file
Only boot from your hard disk or from your original DOS diskette. virus. If they all get changed in the same way, it is very likely
NEVER use someone's else's disk for booting. Should you have a hard the files are infected by a virus. The bootsector is more difficult
disk make certain that you have opened your floppy drive before to test. Use the DOS SYS command to replace the bootsector in case
resetting or booting your PC. of doubt.
Use the DOS program ChkDsk frequently (without the /F switch).
Page 33
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
its cause. Some highly suspicious alterations are:
Note that file viruses infect other programs. It is very unlikely
- Programs do not operate as they used to, or cause the computer to find only one or a very few infected programs on a hard disk
to "hang" or reboot after some time. used frequently. If TbScan reports a virus in only 1% of the files
- Data disappears or gets damaged. on your hard disk, you should treat it as a false alarm.
If you did not expect to find a virus but used the -analyze option
of TbScan which detected a "virus", forget about it. The -analyze
option has never caused a virus to be detected that remains
undetected in normal scan sessions. It causes many false alarms
instead.
If you find a virus, do NOT use "your" TbScan to check other
machines, except when you have copied it to a write protected
diskette before the system became infected. Although TbScan
performs a sanity check immediately after the invokation, there are
some viruses that are able to fool every self-check, and TbScan
migh carry such a virus without detecting it.
5.3. Identification
Indentify the virus. Why is this so important? Because if you know
which virus caused you the trouble you know what the virus has
exactly done, and whether your data files are still reliable or
damaged. You can use a virus scanner to identify a virus. Once you
know the name of the virus you have to obtain additional
information about the virus. You can log on to our support BBS,
consult professional literature, or consult a virus expert. If the
virus only infects executable files you have only to replace the
executable files. But if the virus swaps some bytes on a random
location of your hard disk everytime you execute a program, you
have to replace your data files too, even when you didn't see any
changes in your data files.
5.4. No Panic!
The most important thing to do is NOT PANIC! Panicking doesn't help
you, as you need to be calm to deal with the situation properly.
In most cases of virus infections in the past, most of the damage
has been done by the operator of the system, not by the virus. Do
nothing at all except for identifying the virus and obtaining
information about the virus. Reformatting the hard disks
immediately is the worst you can do. Once after you know exactly
what the virus does, you can work out a strategy to recover.
DO NOT MAKE A NEW BACKUP OF YOUR SYSTEM UNLESS YOU DON'T OVERWRITE
AN ALREADY EXISTING BACKUP. In this case label the backup as being
infected and unreliable.
5.5. Recovering
Page 34
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
For all recovery activities it is important to boot from your
uninfected write-protected DOS diskette. Do NOT run any program
from your hard disk! The virus must stay out of your memory while
cleaning the system.
Restore the DOS system and bootsector by using the DOS SYS command.
In case of a file virus, restore all executables. A virus removal
utility is not recommended unless you don't have a backup of the
uninfected executable files. Depending on the virus it might also
be necessary to replace all data files.
If the system has been infected by a virus that modifies the
partition table it might be necessary to perform a low level
reformat of your hard disks. If you used an utility to backup the
partition table (like TbRescue) it isn't necessary to reformat the
disks, just restore the partition table.
Once the system has been cleaned, check all diskettes, backups,
etc. One infected diskette can cause you the same trouble again.
It is highly recommended to protect your system against
re-infections, since it is possible that you forgot to clean one
floppy. Use a virus scanner frequently, install a resident scanner
(like TbScanX), or better, install the Thunderbyte PC Immunizer.
Page 35
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
6. CONSIDERATIONS AND RECOMMENDATIONS
6.1. What should be scanned?
In the early days of viruses, virus scanners just scanned
everything. Today we know that this approach has serious
disadvantages: the number of false alarmes is very high, the scan
speed is very very slow, etc.
Before we proceed, let's first establish some facts about viruses.
A virus is just a program. Like any other program, if you don't
execute it it will not do anything except for occupying disk space.
This means that data files like text files can never spread a
virus. Of course, it is possible to copy a virus into a .TXT file,
but since the text file will never be executed, the virus will
never be able to do anything. It is just a stream of bytes, like
the text in the text file. A program and a boot sector however will
be executed, and if they contain a virus the virus will gain
control and perform its nasty operations.
We now know that it doesn't make sense to scan non-executable
files. Note that a batch file (.BAT) is just a text file, it can be
"executed" in some way, buy it is not possible to make a virus in
the batch file language. What we need to scan are files with the
extensions EXE COM OV? SYS and BIN.
What do these programs contain? Of course they contain program
code, but they also contain data. The texts that will be displayed
on the screen by that program are just data. They will never be
"executed". The exe-header of an exe file does not contain any
code, only data. The exe-header is only used by DOS to load the
program, and it is thrown away before DOS passes control to the
program. We don't have to scan it, that's easy enough. The same
applies to the bytes after the so called load-module of the file.
This area of a file will not be loaded in memory at first instance,
so we can skip it also.
Unfortunately, the remaining part of the executable file is most
of the time the largest. The code-data ratio differs for each
program, but on the avarage we can state that about one third of a
program consists of data. However, it is hardly possible to divide
a program into code and data. Even the operating system is not able
to do this, only the program itself. What happens when you execute
a program is that the operating system passes control to the file
at a fixed location. The location is the first byte in case of a
.COM file, or a location specified in the exe-header of a .EXE
file. This location is referred to as ENTRY-POINT in this manual.
This location is the only location in a file from which we can be
100% sure it contains code. For other locations we can only guess.
How does a virus work?
Page 36
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
A virus that wants to infect a file can not just throw its viral
code at a random location in that file, it won't work. The virus
has to be sure that its code will be executed before the host
program gains control. Why? Because if the contaminated program
finds itself altered it will behave unexpected. The program
accesses internal resources that are overwritten by the virus and
the program crashes. Besides, how does the virus know whether that
random location will be ever executed? There is only ONE location
that will always be executed, and that is the entry-point of the
program. To infect a file the virus has to link itself onto the
entry-point and store the original instructions of the program at
another place. The virus is now sure it will gain control instead
of the host program, and the virus has the possibility to restore
the original instructions before passing control to the host
program. There has never been any virus reported that does not link
itself to the entry-point of a program.
This brings us to a very important fact: if we scan the location
where we can find the first instructions of the program we are sure
we are scanning the area where the virus would reside. TbScan uses
this knowledge and normally scans a window of about 4Kb around the
program's entry point. This is called "Checking". If you want to
know more about this process consult chapter "The internals of
TbScan".
Note that it is not "unsafe" to restrict the area where we search
for viruses. If the signatures are assembled according to this
knowledge it is always possible to detect the virus in the scanning
area. This tackle has been adopted by many other competitive virus
scanners. If TbScan is not completely sure about the entry-point of
the file it just scans all the program code of the file using the
"browse" or "analyze" algorithm.
6.2. The internals of TbScan
6.2.1. How is that blazingly speed achieved?
The speed of TbScan is achieved by many measures.
To avoid false alarms, TbScan already scans restricted areas of
the file, and of course, this approach also affects the speed
in a positive way. Disk access is minimized, and not much data
has to be searched.
TbScan is entirely written in assembly language. High-level
languages like Pascal and Basic have an enormous overhead which
not only affects the size of the program but also reduces the
execution speed.
The search routine is highly optimized. Every byte to be
scanned is only accessed once, regardless of the number of
Page 37
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
signatures. Execution time will hardly increase when it has to
search for 3000 signatures instead of 300. The search algorithm
used can be described as "rotating semi-double 16-bits hashing".
The number of DOS function calls has been minimized. DOS is
relatively slow, and access should be avoided as much as
possible. For this reason TbScan walks just once through a
directory instead of first processing the files and secondly
the subdirectories or vice versa.
TbScan writes directly to the screen instead of using DOS or
the BIOS to do this. Although TbScan has a scrolling window,
screen access is minimized as much as possible without
affecting the visual appearance of the program.
TbScan has a built-in disk cacher. A disk cacher is
already installed on many machines, but a normal disk cacher
slows down the scan speed of a virus scanner instead of
increasing it! This slow down is caused by the disk cacher, that
tries to make assumptions on what the program will read next,
but fails doing so. The disk cacher fails because it doesn't
know that every file is accessed just once, and it also doesn't
know that the remaining part of a partial scanned file will not
be accessed at all. The cacher wastes many clock cycles by
reading ahead and maintaining megabytes of data which will not
be accessed anymore by the scanner. On the other hand, the
directories and the FAT are accessed a lot, and a disk cacher
could increase the performace a lot if it would restrict itself
to these areas. The solution is to disable the standard disk
cacher and installing one that "knows" which data will be
re-used and which not. TbScan disables any disk cacher and
installs its own one. Depending on the hardware specifications
of a machine, disabling the original cacher increases the
scanning speed with about 10% and installing its own one with
another 10%.
TbScan dynamically optimizes the lookahead buffers of DOS (the
Y parameter of the "BUFFERS=X,Y" command in the config.sys).
Temporary disabling the DOS lookahead buffers increases the
scanning speed for the same reasons as disabling a disk cacher
increases the speed.
6.2.2. The code interpreter
Viruses can infect program files only in certain ways. For a
virus there is only one single point in a program file of which
it is certain that it must be executed, namely the starting
point of the program. It cannot be sure of any other point and
that is why it will not try to put its first code on an
arbitrary spot of the program that it is planning to infect.
The virus will always have to put AT LEAST one instruction at
the entry point of the program.
Page 38
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
TbScan uses this knowledge to restrict the number of bytes that
have to be read in of a file as much as possible. Just as the
loader of DOS itself, it determines where the entry point of
the program is located. (At the beginning of a COM-file and on
an address, specified in the EXE-header of an EXE-file.)
This is however not enough; there can also be a jump or another
branch instruction on the located entry point of the program.
TbScan will follow this jump until it does not come across a
jump anymore. Then we have found the real starting point of the
program or, in case it has been infected, the virus.
There is a possibility however that on a certain moment TbScan
has reached the end of a chain of jumps and then finds that
there are new significant IP modifying instructions (calls,
rets, irets, jumps) not far from the found starting point.
Does this future jump point to the virus code, or are we
already on the right location? TbScan does not take any risk
and in such a case it will read in the whole file to search for
viruses. Only when it is 100% sure to have found the real
starting point of a file, where in addition at least 20 bytes
of continuous code are situated (the code is "stable" then),
TbScan will be satisfied with checking only the surrounding 4
Kb of the found code. (Almost all viruses use less than 4 Kb
and of viruses using more than 4 Kb the signature in the first
4 Kb of the virus is used as the signature.)
6.2.3. The algorithms
When TbScan processes a file it prints "Checking", "Tracing",
"Browsing", "Analyzing" or "Skipping".
6.2.3.1. Checking
"Checking" means that TbScan has successfully located the entry
point of the program, and is scanning a frame of about 4Kb
around the entry point. If the file is infected the signature
of the virus will be in this area. "Checking" is a very fast
and reliable scan algorithm.
Checking will be used on most files if you run TbScan in
default mode.
6.2.3.2. Tracing
"Tracing" means that TbScan has successfully traced a chain of
jumps or calls to locate the entry point of the program, and is
scanning a frame of about 4Kb around the entry point. If the
file is infected the signature of the virus will be in this
area. "Tracing" is a fast and reliable scan algorithm.
Tracing will be primary used for TSR-type COM files or Turbo
Page 39
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
Pascal compiled programs.
6.2.3.3. Analyzing
"Analyzing" means that TbScan is scanning the entire file
(except for the exe-header which can not contain any viral
code). This algorithm will be used if "Checking" or "Tracing"
can not be safely used. This is the case when the entry-point
of the program contains other jumps and calls to code located
outside the scanning frame. "Analyze" is a slow algorithm.
Because it processes almost the entire file (also data area's)
there is a greater chance of false alarms. In the past all
reported false alarms occured with this algorithm. This
algorithm can be forced on the command line with the -analyze
option. It is however not recommended for a routine scan due to
its tend to issue false alarms. "Analyze" or "Browse" will be
used while scanning memory, bootsectors, SYS and BIN files.
6.2.3.4. Browsing
"Browsing" is almost the same algorithm as "Analyzing", but it
performs a little better on files containing long sequences of
low ASCII, 00 or FF bytes. On other files (like compressed
files) it performs worse, so TbScan selects the best algorithm
for every file. "Browsing" is as reliable as "analyzing" but
also has the same tendency to cause false alarms. In fact,
every dumb scan algorithm (i.e. algorithm without
intelligence) will suffer from this kind of unreliability.
6.2.3.5. Skipping
"Skipping" will be performed on SYS and OVL files only.
"Skipping" simply means that the file will not be scanned. As a
matter of fact, there are many SYS files that contain no code
(like CONFIG.SYS). It makes absolutely no sense to scan these
files for viruses. The same applies to .OV? files. Only a few
of them contain an EXE-header and are suitable for a virus. If
a virus is reported to infect overlay files it means that the
virus monitors the DOS exec-call (function 4Bh) and infects
every program being invoked with this call. Overlay files
without EXE-header will never be invoked via DOS, so no virus
will be able to infect such an "overlay". If a file has the
extension OV? but isn't really an overlay file it will be
skipped. Surprisingly enough, most .OV? files are just named so
by their programmers, but they are absolutely not real overlay
files and a virus can infect them as much as it can do with a
.TXT file, with other words: not at all.
The -analyze switch forces TbScan to use "analyze" or "browse"
on these files.
6.2.4. The -compat option
Page 40
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
The -compat option is used to increase compatibility if the
default behaviour of TbScan causes problems. The differences
between default and compatibility mode are:
- TbScan tries to bypass disk cachers in default mode.
However, in compatibility mode TbScan does not
interfere with the disk interrupts and will not disable
any disk caching software.
- In default mode, TbScan installs a disk cacher if
enough memory is available. In the compatibility mode
TbScan never installs the internal disk cacher.
- In default mode, TbScan dynamically optimizes the DOS
disk buffers (the Y-parameter of the BUFFERS=X,Y
command) to achive the best performance while scanning.
When TbScan terminates it restores the original DOS
configuration. However, in the compatibility mode
TbScan does not alter any internal DOS configuration.
- While scanning memory, TbScan temporary disables the
interrupts for each 32 Kb-block being scanned. In
compatibility mode however TbScan performs a
non-destructive scan and does not disable interrupts
at all. It offers the highest compatibility, but memory
scanning may slow down considerably in some
circumstances.
- If the -compat switch has been specified TbScan does
not use AVR-modules to scan memory. Files are still
processed by the AVR-modules. Memory AVR-modules might
contain virus specific function requests that might
interfere with resident software.
6.2.5. Recursing through directories
Since you might be interested in a high scan speed rather than
a well-organized scan order, TbScan digs into a subdirectory as
soon as it detects one. This can result in a confusing screen
output, files of subdirectories can be printed on the screen in
a mixed order.
root
file.1
file.2 subdir1
subdir1 file.11
file.3 file.12
file.4 file.13
Files will be accessed in the following order:
file.1
file.2
Page 41
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
file.11
file.12
file.13
file.3
file.4
Although file.2 and file.3 reside in the same directory the
files of subdir1 will be inserted between them.
6.3. The Sanity check
TbScan performs a sanity check when it fires up. However, to be
honest, it is NOT possible for software to be sure for 100% it is
not infected. If this was the case the virus problem could be
solved by incorperating a self check in every program.
Unfortunately, self-checking works as long as the program is not
infected by a so called "stealth" type virus. A stealth virus is
able to hide itself completely for every self check. This is not a
TbScan bug, it applies to ALL software that performs a sanity
check. Therefore, we recommend to put a clean TbScan on a write
protected diskette. Use this diskette to check other machines once
you find a virus in your own machine.
6.4. How many viruses does it detect?
Some people think that TbScan recognizes only 300 viruses, based
upon the fact that the signature file contains only 300 signatures.
What they not realise is that the signatures are family
signatures, and that means that just one signature covers multiple
viruses. For instance, the Plo/Jerusalem signature detects over 25
viruses which are all based on the "original" Jerusalem virus! Only
one (wildcarded) signature is used to cover all these mutants.
Some competitive products count every virus mutant as a single
virus, and it will not be suprising that they claim to detect over
800 viruses. However, TbScan detects the same amount (and often
more!) of viruses with "only" 300 signatures.
6.5. Testing the scanner
Many people like to test the product they are using. While it is
very easy to test for instance a word processor, it is very
difficult to test a smart scanner like TbScan. You can not extract
25 bytes of an executable and put it in the data file just to see
whether TbScan finds the "signature". It is likely that TbScan does
NOT find it because it only scans the entry-area of the file and
the "signature" might be extracted from some other location within
the file. Even the -analyze option will not always cause the
"test-signature" to be detected.
Page 42
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
But, you might think, how can I test the scanner if defining a
"test-signature" does not work? I think you can't, unless you are
an experienced assembler programmer. Sorry, but testing a
disassembling scanner should be performed by virus experts only.
Fortunately, you don't have to rely on our tests solely. There are
some anti-virus magazines who regulary publice tests of all virus
scanners. At the end of this document you will find some addresses
of recommended magazines. Anyway, third parties tested our scanner
amongs others, and they found TbScan to have a very high hit rate.
It detects even more viruses than many populair scanners.
6.6. Scan scheduling
Is is recommended to "plan" how and when you scan your system.
Creation of a special TbScan boot-diskette is highly recommended.
Boot from your original DOS diskette. Use the diskcopy command to
copy the DOS diskette to a new diskette. Delete all files on this
diskette, except the two hidden system files and command.com.
Copy all TbScan files to the diskette. Make a new autoexec.bat file
which should contain the line "TbScan C:\". Write protect the
diskette with the write protect tab.
The following scan sessions (listed in order of importance) are
recommended:
- Run TbScan once a week without the -analyze and without the
-quick option from A WRITE PROTECTED BOOTABLE DISKETTE. Boot
from this diskette before invoking the scanner. We agree that
it is awfull to boot from a diskette, but it is the only way to
be sure that no stealth virus is resident in memory.
- It is recommended to invoke a daily scan without the -quick and
without the -analyze option. You can invoke TbScan with the
-once option from within the autoexec.bat file to perform the
daily scan session automatically. It is not necessary to boot
from the bootable TbScan diskette to perform the daily scan.
- You can optionally run TbScan with the -quick option after the
lunch.
- It is recommended to use the -analyze option once a month. Note
that this option disables disassembly and algorithmic search,
so it should not be used on every scan session.
The -sector and the -mutant option should never be used in a normal
scan session but only when you expect the system to have a virus.
6.7. Extensions to the format of the data file
Page 43
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
There are some other scanners which understand the data file format
of TbScan. Some of these scanners understand certain extensions
of the data file which can be considered really weird, and we will
not implement them. These extensions include special signatures for
upper memory, overlay files, and numerous specific confusing
filename extensions, different keywords for the same items, and
XOR-decryption directives. TbScan scans the upper memory for
LOW-type viruses (since any LOW-type TSR can be loaded in upper
memory with DOS 5.0), overlay files for EXE-type viruses (since
overlays are just a special kind of EXE file), and XOR decryptions
can be performed better from within AVR modules.
6.8. Compressed files
Many executable files are compressed or packed. They contain an
unpack routine which unpacks the executable in memory to the
original program image. The simplest compressor is the Microsoft
ExePack program. This compressor is even included in the link
program itself (use the /E option while linking to pack the
executable), so it isn't surprising that many files are compressed.
Many programs have been compressed afterwards. If the program
contained a virus the virus has been compressed too. The virus will
still be able to execute, but a scanner will no longer recognize
the virus because the signature is compressed too.
Note that if the file becomes infected after it has been compressed
the virus is not compressed and will be visible as usual. The
problem only exists when a file has been infected first and
compressed afterwards.
However, you can consider this as a minor problem, since files are
often compressed by the programmer of the product, and most
programmers are aware of the existence of viruses. If the
programmer did not compress the file, well, then the file is not
compressed and the problem does not exist at all. At least, if you
obtain the original version of a program. If you obtain a "copy
from a copy, i.e. an illegal copy", well, one of the previous
"owners" of the product might have compressed the file, and then
you are in trouble.
Anyway, if you have a virus inside a compressed file, the virus
itself might not be visible on that file, but the other files that
will be infected by this virus will carry the virus as usual, hence
the signature will be visible for all the newly infected files. So,
if you have a virus inside a compressed file, the scanner will
still detect the presence of the virus on all other programs,
except for the compressed file that brought the virus into your
system.
TbScan displays a "p" behind every file that might have been
Page 44
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
compressed with ExePack or any other compressor. TbScan does not
unpack files, since too many files are compressed, and
uncompressing every file would only be possible for a limited
number of compression schemes, would be very time consuming, and
last but not least not necessary. Once a compressed file has proved
itself to contain not a virus, it will not be possible for the file
to get infected internally afterwards. It makes no sense to unpack
these files every time. If there isn't a virus the first time,
there isn't one at subsequent times.
6.9. Other products
A virus scanner is just one of the tools that are available to
defend your system against viruses. Other products that might help
you in your battle against viruses are:
- Checksummers.
Calculating a cryptographic checksum (or CRC) of every file and
comparing it with previously recorded information may tell you
whether a file has been changed since the last checksum event.
Keep in mind however that checksum programs work only reliable
if the system is not infected while the initial checksum
calculation is performed. Note also that no checksum program is
able to detect stealth viruses, except if you boot from a clean
write protected diskette before performing the checksum
calculations. Note also that it is normal that some
executables change, they might store configuration information
inside the executable itself. It is up to the user to
interpret the information of the checksummer. Checksummers
should only be used as an indication, but you can never rely on
them. They have a high false positive rate, and also a high
false negative rate. They can however be a handy additional
tool.
- Memory resident scanners.
Scanning a system should be performed often. However, if you
extract a file from an archive, or download a file, or just
copy a file from a diskette, you should re-invoke your scanner
to check whether you brought a virus in your system. This is
tedious, and not many people have the discipline to do this
every time. A resident scanner that automatically scans every
file being created or modified on your system will be a
valuable additional tool. Most resident scanners however
consume much of your precious memory and slow down system
performance. A resident scanner you might consider is TbScanX.
It does not use much memory if you configure it to utilize
expanded or unused video memory, and it performs very fast.
- Virus removal utilities.
Virus removal utilities (also called cleaner software) can be
used after a file has been infected, to separate the virus from
Page 45
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
the file. Although the removal utilities are very populair we
don't recommend to use them. You better restore the original
files in case of infection. If you still don't have any backup,
make it NOW! There are many viruses that look like known
viruses but in fact they are a slightly different virus (a
mutant). The removal utility might not recognise the virus as
being a mutant, and the utility removes too many or too less
bytes, causing all executables to get damaged inreversible.
- Memory resident monitoring software.
It is possible to install software that monitors all DOS and
BIOS activity and traps attempts to modify exectuable files,
attempts to install TSR's, attempts to modify bootsectors, etc.
Although these systems can be very reliable, it is always
possible to bypass software with software. Keep also in mind
that the protection software has to be in memory before any
virus. This is possible for TSR type viruses, but bootsector
viruses install themself in memory before any protection
software can be loaded. And if the virus is in memory before
the protection software, the virus can reroute all interrupts
and the protection software will not be able to detect anything
suspicious. Another disadvantage is that resident monitoring
software consumes a lot of you precious memory.
- Hardware immunizers.
Hardware immunizers are the best possible solution. They don't
consume much memory, are guaranteed to be first in memory, they
are even active before the machine tries to boot and they can
not be bypassed. A disadvantage is that installing such a
device is more difficult compared to other anti-virus tools,
and requires a free expansion slot.
Page 46
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
7. MISCELLANOUS INFORMATION
7.1. Distribution of the signature file
The signature file (VIRSCAN.DAT) is updated every month. It will be
distributed in an archive named VSIGYY##.ZIP (YY = Year, ## =
release sequence number). Emergency updates are released in a file
named ADDNSIGS.DAT which will be distributed in an archive named
ASIGYY##.ZIP (YY = Year, ## = release sequence number).
Most Bulletin Board Systems get a fresh copy of these files within
48 hours after the Master Copy on Bamestra BBS is updated.
7.2. Notes
Some people use a shell or batch file to extract a file from an
archive and use TbScan to scan a file immediately. This works fine,
except when you have a non-write-through disk cacher. In this case
the just created file might not be written to the disk yet, and
TbScan will not find the file because it bypasses the disk cacher.
If this applies to you, write the files to a ramdisk, or use the
-compat switch or flush the cacher before invoking TbScan.
7.3. The TbScan.Sys driver
TbScan tries to bypass disk cachers and viruses, and it performs
direct calls into the BIOS code. In some circumstances however this
can cause problems. Although the -compat option always solves these
problems it also decreases the scan speed. Most of the
compatibility problems can be solved without the -compat option if
you install the device driver TbScan.Sys.
System configurations causing problems that can be solved by
TbScan.Sys are:
- Hard disks requiring a special device driver to operate.
- 80386 based systems running in V86 mode (Qemm, Windows),
equipped with a harddisk controller that requires a
transfer buffer in conventional memory. These systems
always have some kind of device driver that provides the
buffering service, or the Qemm DiskBuff option is used.
To solve the problem install TbScan.Sys into the Config.Sys file
AFTER the hard disk device driver and/or memory manager, but BEFORE
a disk cacher. TbScan.Sys uses only 64 bytes, and it can be loaded
high.
7.4. Exit codes
Page 47
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
TbScan terminates with one of the following exit codes:
Errorlevel 0: no viruses found, no error occured.
Errorlevel 1: some error occured.
Errorlevel 255: sanity check failed.
Errorlevel >1 and <128: one or more viruses detected.
When a virus is detected the errorlevel is used as a
bit field:
bit 1 (02) SYS file infected.
bit 2 (04) EXE file infected.
bit 3 (08) COM file infected.
bit 4 (16) virus found in LOW memory.
bit 5 (32) virus found in BOOTsector.
bit 6 (64) virus found in HIGH memory.
An errorlevel of 26 means that a SYS, COM and LOW virus is found
(26 = 02+08+16).
7.5. Updates
If you use TbScan you will need updates of the data file. Depending
on the appearance of new viruses, new signatures will be added. You
can obtain the most recent data file on the Thunderbyte support
Bulletin Board System and many other independent BBS's. The name of
the file you should look for is VIRUSSIG.ZIP or TBVIRSIG.ZIP. On
the same BBS systems you can also find the most recent update of
the TbScan program. For a list of Bulletin Board System phone
numbers you should consult chapter 9.
7.6. Thanks
TbScan would not have been evolved to its current state without
the contribution of numerous of peoples. Special thanks to:
Jan Terpstra, for maintaining the signature file.
Righard Zwienenberg, for testing TbScan on over 20Mb of viruses.
John Lots, for beta-testing and technical advices.
Alan Solomon, for testing and discovery of a FCB problem.
Harry Thijssen, for stimulating the speed competition.
Robin Bijland, for advisory of the user interface and manual.
Page 48
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
8. OUR OTHER PRODUCTS
8.1. TbScanX
There is also a (shareware) memory resident version of TbScan
available with the name TbScanX. This version remains resident in
memory and automatically scans every file immediately when it is
going to be executed, copied, unarchieved, downloaded, etc.
TbScanX performs even faster compared to TbScan, and uses not much
memory. It is even possible to reduce the memory requirements of
TbScanX to zero! TbScanX is by example able to make use of unused
video-memory.
TbScanX is available on many BBSses. It is of course also available
at any Thunderbyte support BBS. At the end of this document you can
find some phone numbers.
8.2. TbRescue
Some viruses copy themself on the partition table of the hard disk.
Unlike bootsector viruses, they are hard to remove. The only
solution is to low-level the hard disk and to make a new partition
table.
TbRescue makes a backup of the partition table and bootsector, and
this backup can be used to compare and restore the original
partition table and bootsector once they are infected. You don't
have to format your disk anymore. The program can also restore the
CMOS configuration.
If you don't have a backup of your partition table, TbRescue will
try to create a new partition table, avoiding the need of a
low-level format.
Another important feature is that you can use TbRescue to replace
the partition table code by code that is more resistant against
viruses. The TbRescue partition code will be executed before the
bootsector gains control, so it is able to check the bootsector in
a clean environment. Once the bootsector is executed it is
difficult to check it, because the virus is already resident in
memory and can fool every protection. Instead of booting from a
clean DOS diskette just to inspect the bootsector, the TbRescue
partition code performs a CRC calculation on the bootsector just
before control is passed to it. If the bootsector has been modified
the Tbrescue partition code will warn you about this. The Tbrescue
partition code also checks the RAM layout and informs you when it
is changed. It does this every time you boot from your hard disk.
Page 49
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
8.3. Thunderbyte
Thunderbyte was developed to protect Personal Computers against
computer viruses, Trojan Horses and other threats to valuable data.
It is a hardware protection, consisting of an adapter card, an
installation and configuration program and a clear manual. The
working of Thunderbyte is not based on knowledge of specific
viruses, so Thunderbyte also protects against future viruses.
A hardware protection offers much more protection than a software
protection. Thunderbyte is already active before the operating
system is loaded, so the computer will be totally protected right
after the starting of the PC.
Because of the many configuration possibilities and the intelligent
algorithms, the use of Thunderbyte will never become a burden: you
will hardly notice the presence of Thunderbyte in an environment
without any viruses.
Of course Thunderbyte is Windows compatible and can be used in
Local Area Networks.
Advantages of a hardware protection:
+ The protection uses very little (1Kb) RAM
+ The protection is already active before the first boot attempt
of the PC, and therefore protects also against bootsector
viruses. A software protection can not protect you against
bootsector viruses, since it has not been executed at boot
time.
+ The hard disks can not be accessed directly anymore, because
Thunderbyte is connected to the hard disk cable.
+ It is impossible to forget to start Thunderbyte, even if the
machine is booting with a diskette.
Thunderbyte offers you many kinds of protection:
+ Protection against loss of data.
Thunderbyte is connected between the cable of the hard disk and
the controller. It prevents the hard disk from being accessed
directly. The only way to access the drive from now on is by
using interrupt 13h.
In addition Thunderbyte detects all direct disk writes which
try to achieve a modification or damage of the data and it
checks which program orders the execution of such operations.
Only the operating system can preform these operations
without Thunderbyte interception.
Page 50
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
DOS already has the possibility of protecting files against
overwriting and modification by means of the read only
attribute. However, this protection can be very easily
eliminated by software. Thunderbyte prevents this protection
from being ruled out without this being noticed, so now it is
possible to protect your files effectively via a standard DOS
command.
+ Protection against infection.
Thunderbyte protects programs (files with the extension EXE,
COM or SYS) against infection by judging all modifications on
their intention. The functionality is not influenced by this.
Compiling, linking, etc., are not disturbed and neither are
programs that save their configuration internally.
Furthermore, software can be protected via the aforementioned
read only attribute.
Attempts to modify the bootsector of the disk are detected, so
the dreaded bootsector viruses are also eliminated. Keep in
mind that the bootsector can hardly be protected by software.
Only Thunderbyte already becomes active before the system tries
to boot!
+ Detection of viruses.
In addition to the abovementioned ways of detecting the
presence of viruses, Thunderbyte can also do so because viruses
carry out a number of special operations. For example, the
marking of already infected programs in order to recognize
them, is detected by Thunderbyte. So are the attempts of
viruses to reside in the memory in a suspicious way and the
abnormal manipulations with interrupt vectors.
+ Password protection.
Thunderbyte has the possibility of installing a password.
There are two kinds of passwords: one that is always asked for
or one that you only have to enter when attempts are made to
start from a diskette instead of the hard disk.
+ Safety.
A lot of attention has been paid to the safety of Thunderbyte
The program code of Thunderbyte is located in ROM and there is
no way it can be modified.
There is not one method of eliminating Thunderbyte through
software. All the important settings are realized with the help
of dipswitches on the adapter card. And despite all their
wasted intelligence, viruses will never be able to turn
switches or to influence their read outs.
Page 51
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
Viruses that approach the controller of the hard disk directly
will have a rude awakening: Thunderbyte will only pass disk
writes when the write or format command has followed the normal
(checked) course.
There are a lot of different versions of Thunderbyte
(functioning identically however) that are supplied randomly.
Therefore is knowledge of the internal working of only one
Thunderbyte system not sufficient to damage or destroy its
protective working.
Thunderbyte is constantly checking its own variables with a
checksum different for each version. The locations of the
memory where the variables are maintained are also different
for each version.
+ Extra possibilities.
Thunderbyte offers you some interesting bonuses, like booting
from drive B:.
Page 52
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
9. NAMES AND ADDRESSES
9.1. Contacting the author.
TbScan is written by Frans Veldman. You can leave messages on the
Dutch support BBS. Registered users can also phone ESaSS for
technical support. To register, see the file Register.Doc.
9.2. ESaSS
For more information about Thunderbyte you can contact:
ESaSS B.V. Tel: + 31 - 80 - 787 881
P.o. box 1380 Fax: + 31 - 80 - 789 186
6501 BJ Nijmegen Data: + 31 - 85 - 212 395
The Netherlands (2:280/200 @fidonet)
9.3. Thunderbyte support BBS's.
TbScan, TbScanX and the signature files (TbVirSig) are available on
Thunderbyte support BBS's:
Thunderbyte headquarters in the Netherlands: +31- 85- 212 395
(2:280/200 @fidonet)
Thunderbyte support Germany (Androtec): +49- 2381- 461565
(2:245/50 @fidonet)
Thunderbyte support Italy/S.Marino/Vaticano/Malta: +39- 766- 540 899
(2:335/5 @fidonet)
Thunderbyte support Australia (Calmer): +61- 2- 482- 1716
If you are running an electronic mail system, you can also
file-request TBSCAN to get the latest version of TBSCAN.EXE,
TBSCANX to get the resident automatic version of TBSCANX, and
VIRUSSIG to obtain a copy of the latest update of the signature
file.
9.4. Recommended magazines and organisations.
Virus Bulletin.
Virus Bulletin Ltd.
21 The Quadrant, Abingdon Science Park, Oxon, OX14 3YS, England.
Tel. +44-235-555139.
Page 53
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
National Computer Security Association.
227 West Main Street.
Mechanicsburg, PA 17055, United States.
Tel. +1-717-258-1816
Virus News International.
Berkley court, Millstreet, Berkhamsted, Hertfordshire, HP4 2HB,
England.
Tel. +44-442-877877.
Page 54
Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V.
Page 55
