VirusZ.doc (from viruz224.lha, Amiga Elysian Archive)
Text file, 1992-09-09
[ASCII-art logo: VirusZ Version 2.24]
SOME NOTES CONCERNING LAW AND ORDER
-----------------------------------
1. Copyright
------------
All parts of the VirusZ package are written and copyright © by Georg
Hörmann, with the exception of the reqtools.library versions, which are
written and copyright © by Nico François, who gave permission to use
the libraries and installation scripts in any freely distributable
software package.
2. Disclaimer
-------------
The executable and non-executable parts of this software package may
NOT be altered by any means (this includes editing, reprogramming,
crunching and resourcing, i.e. disassembling with ReSource), except for
archiving. The author is in NO way liable for any changes made to any
part of the package or their consequences, just as he is in NO way
liable for damages or loss of data directly or indirectly caused by
this software.
3. Distribution
---------------
No fees may be charged and no profits made by distributing this piece
of software; only a nominal fee covering the cost of the magnetic media
is acceptable. Outside a single-machine environment you are NOT allowed
to reproduce only some parts of the package; you have to copy it
completely. Verify your copy against this list of contents:
VirusZ (dir)
    Docs (dir)
        Brain.doc
        Brain.doc.info
        VirusZ.doc
        VirusZ.doc.info
        VirusZ.history
        VirusZ.history.info
    Libs (dir)
        decrunch.library
        reqtools.library.13
        reqtools.library.20
    Docs.info
    Install
    Install.info
    Install.script
    VirusZ
    VirusZ.info
VirusZ.info
Note that the original package was released as the 'VirusZ224.run'
archive. If any parts were already missing when you received this
package, get your software from another source in future.
4. Shareware
------------
VirusZ is no longer Freeware but Shareware. This means you are still
allowed to copy the software freely, but you have to pay a fee to the
author if you use VirusZ regularly. Not paying your fee is both immoral
and illegal. If you have already registered for any former release,
paying the fee again is optional. The suggested donation is DM 10 or an
equivalent amount in any other currency. Anything else will not be
accepted. So far I have had more expenses than profit from sending all
you folks your disks back etc. If you want me to continue my work,
don't try to cheat me.
Submissions of new material (viruses/crunchers) are welcome. If you
want your disks back, either enclose enough money for postage or stamps
(inside Germany). If you send me useful stuff, you will additionally
receive the latest update of VirusZ on your disk. Contact me at the
following address:
Georg Hörmann
Am Lahnewiesgraben 19
W-8100 Garmisch-Partenkirchen
Phone: +49-(0)8821-71978
Germany
!!! IMPORTANT NOTE FOR REGISTERED USERS !!!
-------------------------------------------
I will no longer offer the update service for registered users. I had
nothing but trouble in the past with sending dozens of disks around the
world. Some versions of VirusZ showed bugs right after their release.
If I release the latest versions on BBS boards and PD disks only, the
risk of losing a lot of money isn't as high as it is when I have to
send every bugged update twice. This has become too expensive. I know
that it's not your fault when I make mistakes, but there is a
difference between updating a text editor and a virus killer: the
editor will be updated once or twice a year, but new versions of a
virus killer have to be released at least every fourth week. Errare
humanum est.
INTRODUCTION
------------
1. VirusZ Philosophy
--------------------
VirusZ is another attempt at the perfect virus killer. Although there
are already hundreds of killers, none offered what are, in my opinion,
the most important features: being short and fast, and not keeping the
user from working by opening a big screen with hundreds of gadgets or
by locking the drives. If you like that type of killer, forget VirusZ.
2. Why Use VirusZ?
------------------
VirusZ has been tested on Kickstart 1.2/1.3 and on OS 2.0 and worked
just fine. It also works with Workbench and Kickstart 39.82. It offers
several OS 2.0 features even under Kick 1.2/1.3, such as gadget
activation via the keyboard. All windows use the full screen size, have
a built-in Topaz 8 font to prevent any trouble, bring themselves to the
front when started and set up a wait pointer for the other windows.
VirusZ recognizes 468 bootblocks (193 boot viruses). The file checker
is one of the fastest available and not only detects 69 file viruses
but also offers the unbelievable feature of decrunching files before
checking them. The totally new bootblock lab offers all important
bootblock operations on one screen. The whole program is written 100%
in assembly language for lightning speed. The memory checker removes
all known viruses from memory without a 'Guru Meditation' and checks
memory for viruses regularly. VirusZ has easy-to-use Intuition menus
with keyboard shortcuts for both beginners and experienced users. It
performs a self-test of its own hunk structure on every startup to
detect link virus infection of itself. VirusZ works in the background
and uses less than 0.5% of your processing time (use Xoper to verify).
Last but not least, VirusZ is updated regularly and hence offers
protection against the latest known viruses.
3. Some Notes About SHI
-----------------------
I have been a member of SHI (Safe Hex International) for a couple of
weeks now and I want to thank Erik Loevendahl Soerensen for his VirusZ
support. He asked me to include the following in my documentation:
ABOUT SAFE HEX INTERNATIONAL
If you know a virus programmer you can get a reward of $ 1000 for
supplying his name and address. The fact is that the law punishes data
crime very severely (5 years in jail in most countries).
We are an international group with more than 250 members who have
started trying to stop the spreading of viruses. Let me give you some
examples:
1. Our motto is: "Safe Hex, who dares do anything else today?".
2. A virus bank containing all well known virus killer programmes.
3. We help people to get money back lost by virus infection.
4. We write articles about virus problems for 8 magazines.
5. We release the newest and the best virus killers around.
6. We have more than 20 "Virus Centers" worldwide where you
can get free virus help by phoning our "Hotline", and the
newest killers translated in your own language at very little
cost.
For more information contact:
SAFE HEX INTERNATIONAL
Erik Loevendahl Soerensen
Snaphanevej 10
DK-4720 Praestoe
Denmark
Phone: + 45 55 99 25 12
Fax : + 45 55 99 34 98
(Please send a "Coupon-Response International" and a self-addressed
envelope if you want information about SHI by letter.)
GETTING STARTED
---------------
1. For The Very First Time
--------------------------
VirusZ requires the 'reqtools.library' in order to work correctly.
Included in this package are two versions of the 'reqtools.library',
one for Kick 1.3 ('reqtools.library.13') and one for OS 2.0
('reqtools.library.20'). Choose the one that fits your OS, copy it to
the 'libs:' drawer of your boot disk and remove the suffix (simply
rename it to 'reqtools.library'). If you don't want to do the copy work
yourself, click on the 'Install' icon from Workbench; this starts an
installation script. If you want to use the decrunch feature, you'll
additionally need the 'decrunch.library' in 'libs:'.
2. If You Already Have Used VirusZ
----------------------------------
Make sure that you only copy the latest library versions to your libs:
drawer. Also verify the settings in the prefs menu if you have saved
them with an old VirusZ version, because versions higher than 2.19 use
a new preferences file format.
3. The First Step To Glory
--------------------------
Starting VirusZ is nothing more than typing its name in any CLI/Shell
or double-clicking its icon from Workbench. Several alerts are built
into the startup module; if any of them appears, something is wrong.
These alerts are self-explanatory, so a detailed description is
skipped. If the 'VirusZ's hunk structure has been modified!' alert
comes up, your copy of VirusZ might be infected by a link virus or
might have been crunched with a bad cruncher (in fact most crunchers
are bad). Either way, do not use that copy; get a fresh one from
another source.
4. How To Use ReqTools Requesters
---------------------------------
VirusZ uses three types of ReqTools requesters: requests asking for a
decision, information requesters informing you about something, and
file requesters to select files/drawers. You can answer them not only
by clicking their gadgets but also via shortcuts. These are:
Positive Response: <RETURN>, <LAMIGA><V>
Negative Response: <ESC>, <LAMIGA><B>
The positive gadget is the leftmost one and is always printed in bold,
whereas the negative one is the rightmost.
AUTOMATIC FEATURES
------------------
1. General Information
----------------------
VirusZ does lots of things in the background which you will never
notice until there is something wrong. All the automatic features
described below will only work if no other VirusZ windows are currently
open. Read the preferences chapter below if you want to customize any
of the following functions.
2. The Bootblock Check
----------------------
Every disk inserted will be checked for bootblock viruses and
non-standard bootcode. This ensures that your bootblocks stay clean.
Every known virus causes a request asking you what to do: you can
either go to the bootblock lab or ignore it. Ignoring it is not
recommended. If your disk contains anything other than a virus or a
standard bootblock, it will be checked against the known custom
bootblocks. Whenever such a known bootblock appears, it's surely not a
virus and can be ignored. If the bootblock isn't a known custom one,
VirusZ first checks its checksum. If the checksum is wrong, VirusZ
simply ignores the bootblock because the ROM wouldn't execute it
anyway. But if all conditions are met, the bootblock will be reported
as unknown. This happens with most bootable games or demos, so do NOT
install a standard bootblock over anything you don't know: you would
trash the program that depends on its own boot code. But if you are
sure that it's a new virus, save the bootblock (you can use VirusZ for
this), install a clean standard bootblock and send me the copy for
inclusion in VirusZ.
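The triage described above (DOS id, standard code, known custom code, checksum, otherwise "unknown") written out in Python as an added example; this is not VirusZ's code. The end-around-carry checksum is the documented Amiga bootblock rule. The standard Kickstart 1.3 boot code is reproduced from public listings and is an assumption rather than something this document states, as are the checksum constants derived from it. Virus signature matching is deliberately not modelled and no virus patterns are invented. The same functions cover what the bootblock lab's 'Correct CheckSum' and 'FastFileSystem BB' settings do when installing.

```python
"""Amiga bootblock triage modelled on VirusZ's automatic bootblock check.

Added example, not part of the VirusZ package. The checksum rule (the
end-around-carry sum of all 256 longwords, checksum included, must be
0xFFFFFFFF) is the documented Amiga bootblock algorithm. STD_BOOTCODE is
the widely published Kickstart 1.3 boot code, reproduced from public
listings as an assumption; compare it with a real disk before relying on it.
"""
import struct

BOOTBLOCK_SIZE = 1024
DOS0 = 0x444F5300           # "DOS\0": OFS, what 'Install' writes by default
DOS1 = 0x444F5301           # "DOS\1": FFS, with 'FastFileSystem BB' enabled
ROOTBLOCK = 0x370           # root block 880 of a double-density floppy

# Standard Kickstart 1.3 boot code (assumption, see module docstring): opens
# dos.library and returns its resident segment list in a0 with d0 = 0.
STD_BOOTCODE = bytes.fromhex(
    "43FA0018 4EAEFFA0 4A80670A 20402068 00167000 4E7570FF"
    " 60FA646F 732E6C69 62726172 7900"
)


def carry_sum(block: bytes, skip_checksum: bool) -> int:
    """Sum the 256 longwords with end-around carry, like the ROM does."""
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        if skip_checksum and off == 4:
            continue
        total += struct.unpack_from(">I", block, off)[0]
        if total > 0xFFFFFFFF:          # carry out of bit 31 is added back in
            total = (total & 0xFFFFFFFF) + 1
    return total


def checksum(block: bytes) -> int:
    """The value the checksum field must hold for the ROM to accept the block."""
    return (~carry_sum(block, skip_checksum=True)) & 0xFFFFFFFF


def is_valid(block: bytes) -> bool:
    """True when the ROM would execute this bootblock's code."""
    return carry_sum(block, skip_checksum=False) == 0xFFFFFFFF


def fix_checksum(block: bytes) -> bytes:
    """What the lab's 'Correct CheckSum' setting does before writing."""
    fixed = bytearray(block)
    struct.pack_into(">I", fixed, 4, checksum(block))
    return bytes(fixed)


def build_standard(ffs: bool = False) -> bytes:
    """A standard bootblock as the lab's 'Install' produces (OFS or FFS)."""
    block = bytearray(BOOTBLOCK_SIZE)
    struct.pack_into(">III", block, 0, DOS1 if ffs else DOS0, 0, ROOTBLOCK)
    block[12:12 + len(STD_BOOTCODE)] = STD_BOOTCODE
    return fix_checksum(bytes(block))


def triage(block: bytes, known_custom=()) -> str:
    """Classify a bootblock the way the automatic check decides what to report.

    known_custom: boot code (bytes, trailing zeros stripped) of harmless
    custom bootblocks such as games and demos. The DOS id check is this
    example's own addition; virus signature matching is not modelled.
    """
    if len(block) != BOOTBLOCK_SIZE:
        return "not a bootblock"
    dos_id, = struct.unpack_from(">I", block, 0)
    if dos_id not in (DOS0, DOS1):
        return "non-DOS bootblock: not bootable"
    code = block[12:].rstrip(b"\0")
    if code == STD_BOOTCODE.rstrip(b"\0"):
        return "standard bootblock"
    if code in known_custom:
        return "known custom bootblock"
    if not is_valid(block):
        return "bad checksum: ignored, the ROM would not execute it"
    return "unknown bootblock: do not install over it unless you are sure"
```

Note the order: a wrong checksum is only checked after the known-custom list, exactly as the text describes, and a non-bootable block is never reported as unknown.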
3. The Disk-Validator Check
---------------------------
Currently there are two viruses that link themselves to this program.
You can find the Disk-Validator in the L: directory of most disks. It
was originally intended to correct small errors on a disk and is called
from the ROM when necessary. The viruses exploit this automatic
loading: they corrupt some data on the infected disk so that the ROM
loads the Disk-Validator from that disk, and instead of repairing the
disk, the infected Disk-Validator installs the virus in memory. VirusZ
finds both viruses in memory and on disk and offers to delete them.
Since the original Disk-Validator is copyright Commodore, I'm not
allowed to include it in my program; whenever a virus was deleted, you
must copy the Disk-Validator back to the cleaned disk from a healthy
one yourself. Note that this information is only valid for Kick
1.2/1.3, since under OS 2.0 the Disk-Validator is built into the ROM.
4. The Virus & Vector Check in Memory
-------------------------------------
This is the real memory check looking for known viruses. It's executed
once on startup, and whenever VirusZ finds a virus you will get a
request telling you which virus was removed. VirusZ removes them
automatically: viruses are not just patched or disabled, they are
removed from memory completely.
After looking around for known viruses, the reset vectors will be
checked. If any of them are set, you will get directly to the 'VirusZ
Vector Check'. See the detailed description in the vector check
chapter below.
In addition to the startup memory check, VirusZ repeats the memory
check regularly. The time between two checks can be changed by the
user; the default is 10 seconds. This is the safest way to find and
remove file and link viruses in memory. These viruses can appear in
memory any time an infected file is executed, so whenever VirusZ
reports a virus in memory, check the disks you are working with at the
moment for infection. Note that the time between two checks will be
shorter on NTSC machines: VirusZ is PAL oriented and counts 50 Hz
ticks, so on a 60 Hz NTSC machine the same number of ticks passes
about one-sixth faster (10 seconds become roughly 8.3 seconds).
NOTE: VirusZ will no longer delete all resident modules when it removes
a virus from memory. You will still find your recoverable RAM-Disk
after resetting as if nothing had happened. The only reason for a
lost RAM-Disk can be the virus that has been removed.
USING VIRUSZ'S MENU
-------------------
To use all other features offered by VirusZ, you have to use menu items
to call the corresponding functions. These can only be used if VirusZ's
window is active. Note that the background features won't work as long
as any other windows are opened (which is the case with all functions
called via menu).
1. Check Files
--------------
See the description of the file check in one of the next chapters.
2. Check Sectors
----------------
The sector checker makes it possible to scan a whole device for virus
corruption and sector/track errors. First you'll get a small selector
for the device to check. Ok and Cancel should be clear; Refresh tells
VirusZ to free the device list it built on startup and rebuild it.
This is needed if you mount a device while VirusZ is already running.
The selector gadget in the middle works exactly like a standard OS 2.0
gadget but is simulated with Kick 1.3 means. If you click on it, the
next device will be selected; if you press <SHIFT> while clicking, the
previous device is selected. You can also use the shortcuts by pressing
the keys that correspond to the underlined characters.
Once you have made your choice and clicked Ok, the main display
appears. It is divided in two parts. The small box at the top is a
progress indicator which fills from left to right while checking, thus
telling you what percentage of the device has already been checked.
The big box is the text display which contains all information about
the current status. Here you'll get all messages if VirusZ finds
anything that's not ok. Note that the sector checker repairs damage
without asking, i.e. you have to write-enable your disks before
checking if you want repairs. If you don't want any corrections, keep
the disk write-protected. The damage caused by the following viruses
will be recognized: Saddam, Lamer Exterminator (3 versions), Warsaw
Avenger, Fast Eddie, Little Sven, Glasnost, Sachsen 3 and Nuked007
(SHIT). The damage caused by Saddam and Little Sven will be repaired
(blocks will be decrypted); the others can only be detected. Checksum
errors will be repaired too. On FFS devices, data blocks will be
ignored, as FFS data blocks carry no header and no checksum to verify.
You can pause and exit checking at any time by pressing a mouse button.
NOTE: With OS 2.0, the recoverable RAM-Disk is not initialized when
mounted but when you access it the first time via DOS. If you check
RAD: before accessing it, VirusZ will report a Saddam infection on
sector 880. This happens because the rootblock is not initialized yet;
it is not really an infection.
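To make the checksum repair, the uninitialised RAD: root block and the Disk-Validator mechanism concrete, here is an added Python example (not VirusZ's code) that validates an OFS/FFS root block. Field offsets and the checksum rule (a plain wrapping 32-bit sum of all 128 longwords must be zero, which differs from the bootblock's end-around carry) follow the public AmigaDOS disk format description and are stated here as an assumption, as is the reading that the Disk-Validator section refers to the root block's bitmap-valid flag. The sample block is constructed; no virus marker is modelled.

```python
"""Root block validation modelled on VirusZ's sector checker.

Added example, not part of VirusZ. Field offsets follow the documented
AmigaDOS OFS/FFS root block layout for 512-byte blocks (assumption: taken
from the public ADF format description, not from this document).
"""
import struct

BLOCK_SIZE = 512
T_HEADER = 2                     # primary type of the root block
ST_ROOT = 1                      # secondary type of the root block
HT_SIZE = 72                     # hash table entries in a 512-byte block
CHKSUM_OFF = 20
BM_FLAG_OFF = BLOCK_SIZE - 200   # 0x138: bitmap-valid flag
BM_VALID = 0xFFFFFFFF            # anything else makes the ROM run the Disk-Validator
NAME_OFF = BLOCK_SIZE - 80       # BCPL string: length byte, then the volume name
SECTYPE_OFF = BLOCK_SIZE - 4


def block_checksum(block: bytes) -> int:
    """Value for the checksum field so that all 128 longwords sum to 0 mod 2**32.

    This is a plain wrapping sum, not the bootblock's end-around carry.
    """
    longs = struct.unpack(">128I", block)
    total = sum(longs) - longs[CHKSUM_OFF // 4]
    return (-total) & 0xFFFFFFFF


def fix_block_checksum(block: bytes) -> bytes:
    """The repair the sector checker applies to a checksum error."""
    fixed = bytearray(block)
    struct.pack_into(">I", fixed, CHKSUM_OFF, block_checksum(block))
    return bytes(fixed)


def make_rootblock(name: bytes = b"Workdisk", bitmap_valid: bool = True) -> bytes:
    """Constructed sample root block, as a freshly formatted floppy would carry."""
    block = bytearray(BLOCK_SIZE)
    struct.pack_into(">IIII", block, 0, T_HEADER, 0, 0, HT_SIZE)
    struct.pack_into(">I", block, BM_FLAG_OFF, BM_VALID if bitmap_valid else 0)
    block[NAME_OFF] = len(name)
    block[NAME_OFF + 1:NAME_OFF + 1 + len(name)] = name
    struct.pack_into(">I", block, SECTYPE_OFF, ST_ROOT)
    return fix_block_checksum(bytes(block))


def check_rootblock(block: bytes) -> str:
    """One line of finding, in the spirit of the sector checker's text display."""
    if block == bytes(BLOCK_SIZE):
        return "uninitialised block (e.g. RAD: never accessed): not an infection"
    ptype, = struct.unpack_from(">I", block, 0)
    stype, = struct.unpack_from(">I", block, SECTYPE_OFF)
    if ptype != T_HEADER or stype != ST_ROOT:
        return "not a root block"
    stored, = struct.unpack_from(">I", block, CHKSUM_OFF)
    if stored != block_checksum(block):
        return "checksum error: repairable with fix_block_checksum"
    bm_flag, = struct.unpack_from(">I", block, BM_FLAG_OFF)
    if bm_flag != BM_VALID:
        return "bitmap flagged invalid: ROM will load L:Disk-Validator from this disk"
    return "ok"
```

The all-zero case is tested first on purpose: a never-written block has no type or checksum to validate, and reporting it as damage (the RAD: situation the note describes) would mislead the user into "repairing" it.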
3. Check Vectors
----------------
See a description of the vector check in one of the next chapters.
4. Bootblock Lab
----------------
See a description of the bootblock lab in one of the next chapters.
5. Preferences
--------------
See a description of the preferences in one of the next chapters.
6. About
--------
This displays some information about VirusZ.
7. Quit VirusZ
--------------
Think twice and you'll figure out the function of this.
FILE CHECK
----------
1. Introduction
---------------
In the early days of Amiga viruses, nobody thought about file or even
link viruses. A good virus killer had to display the bootblock and
check some vectors. But nowadays the greatest danger doesn't come from
the bootblock but from files. Therefore this file check has been
created to check files for virus infection. See a list of all known
viruses in the file 'Brain.doc'. This file checker is quite unusual in
that it offers some possibilities which others lack: first, it can
decrunch files for checking; second, it can remove all virus links
from a file in one step, where others only remove one link after the
other. These features are made possible by a great file buffering
method and my own decrunch.library. If you have to choose a checker,
use mine for perfect checking :-)
2. How To Use It
----------------
First you have to select the path where files should be checked in the
file requester. The complete path must therefore be included in the
string gadget of the requester. Click 'Ok' and VirusZ starts checking
all files in the selected directory and its subdirectories. You can
skip checking subdirectories by enabling the 'Skip Subdirectories'
item in the prefs window.
The main window appears, divided in two parts. The small box at the
top contains the path currently being checked. The big box is the text
window where all filenames are listed with a short description.
VirusZ recognizes several types of data files (such as archives etc.)
and prints their type if possible. Crunched files are reported as
plain executables unless you have enabled the 'Check Crunched Files'
item in the prefs window; otherwise they are reported with the packer
name printed in bold. Viruses are reported by name (blue background,
white characters) and cause a requester that informs you about the
type of virus. You may or may not remove the virus from the infected
file.
You can abort/pause checking at any time by pressing any mouse button.
3. Important Notes
------------------
The link virus removal code is absolutely reliable as long as the file
isn't damaged in any way. If the hunk structure is corrupted or
anything else prevents removal, VirusZ will say 'Can't remove' and
then skip the file.
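Both the startup self-test ('VirusZ's hunk structure has been modified!' in "The First Step To Glory") and the 'Can't remove' case above rest on walking an executable's hunk structure. The following added Python example (not VirusZ's code) does that walk: it parses the HUNK_HEADER size table and each CODE/DATA/BSS hunk with its optional RELOC32, SYMBOL and DEBUG blocks, cross-checks the hunk count and sizes against the header, compares the resulting layout against a baseline recorded at build time, and reports a truncated or inconsistent file as corrupt instead of guessing. Hunk identifiers and layout are taken from the public AmigaDOS hunk format description, an assumption beyond this document; the rare extended memory-flag longword is not handled. The sample executables are constructed, including one with an extra code hunk appended the way a link virus would append its body.

```python
"""Hunk-structure walk for AmigaDOS executables, in the spirit of VirusZ's
startup self-test ('hunk structure has been modified!') and of the file
checker's 'Can't remove' for corrupted files.

Added example, not VirusZ's code. Hunk identifiers and layout follow the
public AmigaDOS hunk format description (assumption: the rare extended
memory-flag longword after a hunk size is not handled).
"""
import struct

HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3F3, 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_SYMBOL, HUNK_DEBUG, HUNK_END = 0x3EC, 0x3EF, 0x3F1, 0x3F2
KIND = {HUNK_CODE: "CODE", HUNK_DATA: "DATA", HUNK_BSS: "BSS"}


class HunkError(Exception):
    """Raised where a loader would refuse the file, or VirusZ says 'Can't remove'."""


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def long(self) -> int:
        if self.pos + 4 > len(self.data):
            raise HunkError("file truncated at offset %d" % self.pos)
        value, = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return value

    def skip(self, nlongs: int) -> None:
        if self.pos + 4 * nlongs > len(self.data):
            raise HunkError("block runs past end of file at offset %d" % self.pos)
        self.pos += 4 * nlongs


def walk(data: bytes):
    """Return the hunk layout [(kind, longwords), ...] or raise HunkError."""
    r = _Reader(data)
    if r.long() != HUNK_HEADER:
        raise HunkError("not an AmigaDOS executable")
    n = r.long()
    while n:                              # resident library names (normally none)
        r.skip(n)
        n = r.long()
    table_size, first, last = r.long(), r.long(), r.long()
    declared = [r.long() & 0x3FFFFFFF for _ in range(last - first + 1)]
    layout = []
    while r.pos < len(data):
        kind = r.long()
        if kind in (HUNK_CODE, HUNK_DATA):
            n = r.long()
            r.skip(n)
            layout.append((KIND[kind], n))
        elif kind == HUNK_BSS:
            layout.append(("BSS", r.long()))
        elif kind == HUNK_RELOC32:        # (count, hunk, offsets...) until count 0
            n = r.long()
            while n:
                r.long()
                r.skip(n)
                n = r.long()
        elif kind == HUNK_SYMBOL:         # (namelen, name, value) until namelen 0
            n = r.long()
            while n:
                r.skip(n)
                r.long()
                n = r.long()
        elif kind == HUNK_DEBUG:
            r.skip(r.long())
        elif kind != HUNK_END:
            raise HunkError("unknown hunk type 0x%X at offset %d" % (kind, r.pos - 4))
    if len(layout) != table_size or table_size != len(declared):
        raise HunkError("hunk count %d does not match header (%d)" % (len(layout), table_size))
    for (kind, size), mem in zip(layout, declared):
        if size > mem:
            raise HunkError("%s hunk larger than the header declares" % kind)
    return layout


def check_structure(data: bytes, baseline_layout) -> str:
    """Self-test verdict: 'ok', 'modified' (extra or resized hunks) or 'corrupt: ...'."""
    try:
        layout = walk(data)
    except HunkError as err:
        return "corrupt: %s" % err
    return "ok" if layout == baseline_layout else "modified"


def build_executable(hunks) -> bytes:
    """Assemble a minimal executable from [(HUNK_CODE|HUNK_DATA, payload)] (constructed)."""
    sizes = [(len(p) + 3) // 4 for _, p in hunks]
    out = [struct.pack(">IIIII", HUNK_HEADER, 0, len(hunks), 0, len(hunks) - 1)]
    out += [struct.pack(">I", n) for n in sizes]
    for (kind, payload), n in zip(hunks, sizes):
        out.append(struct.pack(">II", kind, n) + payload.ljust(4 * n, b"\0")
                   + struct.pack(">I", HUNK_END))
    return b"".join(out)


# Constructed samples: a clean 'moveq #0,d0 ; rts' program, the same program
# with an extra code hunk appended the way a link virus would, and a truncated copy.
CLEAN = build_executable([(HUNK_CODE, bytes.fromhex("70004E75"))])
BASELINE = walk(CLEAN)                    # recorded once at build time: [("CODE", 1)]
LINKED = build_executable([(HUNK_CODE, bytes.fromhex("70004E75")),
                           (HUNK_CODE, bytes.fromhex("4E71") * 8)])
TRUNCATED = CLEAN[:-6]
```

A layout comparison catches an appended or enlarged hunk but not a virus that overwrites code in place without changing any size; a self-test that also hashes the hunk contents closes that gap at the cost of having to be rebuilt for every release.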
If VirusZ says 'Decrunching file...' and then reports 'Can't decrunch',
this either means you don't have enough memory or the cruncher isn't
supported yet by the decrunch.library. You should also note that VirusZ
doesn't use the decrunch feature for absolute crunchers, i.e. for
crunchers that decrunch their files to absolute addresses, because most
viruses wouldn't survive such a crunching process anyway.
If you get the message 'Can't load', the file is either unreadable or
you don't have enough memory.
VirusZ handles the protection bits automatically, i.e. it saves their
original contents, makes the file readable/writable and restores the
original bits after checking. This is useful because you don't have to
mess around with the Protect command in your Shell.
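The save/relax/restore of protection bits just described has one failure mode worth showing: if the check aborts ('Can't load', 'Can't decrunch', out of memory), the bits must still be put back. The added Python example below (not VirusZ's code, which works on Amiga protection bits) shows the same discipline on POSIX mode bits, with the restore in a finally block; demo() builds a constructed read-only sample file in a temporary directory and runs one successful and one failing check over it.

```python
"""Restore a file's protection bits after checking, even when the check fails.

Added example, not VirusZ's code: the page describes the behaviour for Amiga
protection bits; this shows the same idea with POSIX mode bits. The sample
file is created in a temporary directory by demo().
"""
import contextlib
import os
import stat
import tempfile


@contextlib.contextmanager
def temporarily_writable(path: str):
    """Save the mode bits, make the file readable/writable, restore on exit.

    The restore sits in 'finally' so that a failed check ('Can't load',
    'Can't decrunch', out of memory) cannot leave the file unprotected.
    """
    original = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, original | stat.S_IRUSR | stat.S_IWUSR)
    try:
        yield path
    finally:
        os.chmod(path, original)


def mode_of(path: str) -> int:
    """Permission bits only, without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Constructed run: a read-only file, one check that succeeds, one that fails."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample file")
        os.chmod(path, stat.S_IRUSR)                  # like 'Protect sample.bin -w'
        results = {"before": mode_of(path)}
        with temporarily_writable(path):
            results["inside"] = mode_of(path)
            with open(path, "r+b") as fh:             # the checker may now clean the file
                fh.write(b"C")
        results["after_ok"] = mode_of(path)
        try:
            with temporarily_writable(path):
                raise OSError("simulated 'Can't load'")
        except OSError:
            pass
        results["after_error"] = mode_of(path)        # bits restored despite the error
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)   # let TemporaryDirectory clean up
    return results
```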
4. Additional Hints
-------------------
It may happen that a file is first infected and then crunched. If you
want to save the cleaned file without having it decrunched, check it
again with decrunching disabled.
VECTOR CHECK
------------
1. Introduction
---------------
Almost all viruses work the same way: they make themselves resident,
corrupt some libraries or devices with their own code, or both.
Therefore the vector check was designed to help you find new viruses
that VirusZ can't recognize directly yet.
Most of the vectors and entry points that will be displayed are only
interesting for programmers, so I will try to avoid any explanations
that confuse the average user.
2. Usage
--------
The vector check window is nothing more than one big display. It stops
after every page and waits for a mouse button. The left button always
causes VirusZ to continue scrolling, if the last page was already
reached, the vector check will be terminated. The right button has a
double function. While scrolling, you can stop displaying any more
pages. Then, you are able to use the menu items attached to the vector
check window.
3. What Can I See From The Displayed Information?
-------------------------------------------------
Well, every vector has a short comment to the right of it. As long as
you can read 'Ok' there, everything is fine. Then it might happen that
you read something like 'SetPatch 38.25'; this tells you that the
changes made to this vector are ok because VirusZ recognized who made
them. But if you read 'Please Check', be alarmed. In fact, most of
these unknown changes are nothing more than a utility like the well
known 'PP Patchers'. If you have such a utility and you know the
changes are caused by it, please send it to me for inclusion.
4. The Vectors Menu
-------------------
Here you have the possibility to clear the reset vectors or to cause
VirusZ to show the vector check display again. This is especially
useful if you found some reset vectors set and cleared them. Now you
can verify the changes without leaving and calling the vector check
again. If the cleared vectors are still set after clearing them, you
can be 99% sure you have a new virus in your system. Keep cool, check
the bootblocks first and then try to detect any file changes. If you
find the virus, send it to me.
Note that the vector check menu supports multiselect (hold the right
button and select several items with the left button).
BOOTBLOCK LAB
-------------
1. A Short Introduction
-----------------------
The bootblock lab has been created because the old bootblock functions
of VirusZ (some will remember the 'Bootblocks' menu) were quite boring
and anything but comfortable to use. This part of VirusZ is 100%
'User Interface Style Guide' compatible. All gadgets and menus look as
they should look under OS 2.0, and I think they really look nice. All
gadgets can also be activated by pressing the key that corresponds to
the underlined character.
2. Drive Gadgets
----------------
You can find them in the top left corner of the window. They select
the drive that is currently used.
3. Dump Gadgets
---------------
These are labeled 'Ascii' and 'Hex' and their function is to switch
between the two dump modes. The selected dump will be displayed in the
big window at the bottom.
4. Status Line
--------------
Here you can see the name of the bootblock that is currently loaded to
the buffer. If a function call fails or anything else happens, you will
get a report in this box too.
5. Scroll Gadget
----------------
It consists of one proportional gadget (I'm very proud of this, because
it was my first ever) and two little arrows at the bottom. Its main
function is to scroll through the bootblock dump displayed in the
window. This is only needed when displaying the hex dump, because the
ascii dump fits in the window anyway.
6. Quit
-------
Ahh, what was it?? Yes, you can leave the boot lab with this gadget.
7. Load
-------
Here you can load a bootblock from a file to the buffer. A file
requester pops up where you have to select the file you want to load.
The bootblock will only be loaded to the buffer, not installed on disk.
8. Save
-------
Counterpart of 'Load' which saves a bootblock as a file. Nothing more
to say, because it works exactly the same as 'Load'. These two
functions are useful for making bootblock backups of games, demos etc.
If the buffer is empty, nothing will happen.
9. Read
-------
Reads the bootblock of the currently selected disk to the buffer. Now
you can watch, save or print it.
10. Write
--------
Writes the buffer contents to the bootblock of the currently selected
disk. Only use this if you know what you are actually doing. An
overwritten bootblock cannot be restored in any way unless you saved a
copy with 'Read' and 'Save' first. An empty buffer cannot be written.
11. Print
---------
Prints the dump of a bootblock. Make sure that your printer is online,
or you will have to wait for the silly system request for approx. 30
seconds. This function always prints the bootblock dump you can
currently see in the window. If nothing was loaded, nothing will be
printed.
12. Install
-----------
Installs the bootblock selected in the settings menu to the currently
selected disk. Same as 'Write', you should only install disks when you
know that they will still work afterwards.
13. Settings Menu
-----------------
Here you can configure all important parts of the bootblock lab as you
like. Note that this menu supports multi-select (hold right button and
select items with the left button).
FastFileSystem BB: If enabled, the 'Install' command will install a
FFS bootblock (0x444f5301), otherwise you will get
a normal OFS bootblock (0x444f5300).
Uninstalled BB: If enabled, VirusZ will write an uninstalled bootblock
to the disk. This disk will no longer boot after a
reset, but works the same as before from Shell and
Workbench. If disabled, a standard OS 2.0 bootblock
will be installed. This bootblock works under
Kick 1.2/1.3 as well.
Correct CheckSum: Tells VirusZ to correct the checksum of a bootblock
before writing it to disk. If you install a bootblock
with a wrong checksum, the disk won't boot after a
reset.
Detect DiskChange: If set, the bootblock lab will behave like the main
part of VirusZ, i.e. whenever you insert a disk while
the bootblock lab is active, it will automatically
select this drive and read the bootblock.
Ask Before Action: If enabled, you will get an additional requester asking
you if you really want to continue with the selected
action. This works with 'Print', 'Write' and 'Install'
as these functions can do some harm if wrongly used.
PREFERENCES
-----------
1. The Main Idea
----------------
I think everyone of you knows those programs that always look the same
and do the same and whose behaviour you cannot change at all. I didn't
want VirusZ to become like that, so I added this fine preferences
window. It was designed with the User Interface Style Guide in mind.
All gadgets can be toggled via the keyboard too (see the underlined
character).
2. Action Gadgets
-----------------
These are the three gadgets at the bottom. 'Use' will cause VirusZ to
use the currently selected settings only for this session. 'Cancel'
ignores all changes made to the settings. 'Save' saves them to a file
called 'VirusZ.prefs' in your S: drawer that will be used on all
following startups. Additionally to the options specified in the prefs
window, the following will be saved too:
- the position of VirusZ's main window
- all settings of the bootblock lab
3. Audible & Visible Alarm
--------------------------
This enables/disables the fantastic sound and screen flash that warns
you when a virus has been detected on disk or in memory. Default is on.
4. Install Faked SnoopDos
-------------------------
This installs/removes a task called SnoopDos (only if the real SnoopDos
isn't installed) as protection against the PowerPacker 3.2 trojan
horse, which looks for a running SnoopDos and stays dormant while it
finds one. Fully compatible with the real SnoopDos, the option doesn't
need any processing time since the task runs at a low priority and
waits for a message that never arrives. Default: off.
5. Check Resident Vectors
-------------------------
This tells VirusZ whether to check the resident vectors during startup
and while running or not. Useful if VirusZ keeps on reporting your
recoverable RAM-disk or harddisk-device after every reset. Default is
off.
6. Report Custom Bootblocks
---------------------------
This will, if enabled, cause VirusZ to report known custom bootblocks
while checking your disks. Useful if you want to find a certain
bootblock and you simply can't remember where it was. Default is off.
7. Check Memory For Viruses
---------------------------
By disabling this item, you can tell VirusZ not to check memory for
viruses regularly. This does not disable the memory check on startup,