Magnum One

home *** CD-ROM | disk | FTP | other *** search

/ Magnum One / Magnum One (Mid-American Digital) (Disc Manufacturing).iso / d1 / cleanp63.arc / CLEAN63.DOC < prev next >

Wrap

Text File | 1990-06-02 | 20KB | 399 lines

CLEAN-UP VIRUS REMOVER Version 3.5 V63 Copyright 1989, 1990 McAfee Associates 4423 Cheeney Street Santa Clara, CA 95054 408 988 3832 (voice) 408 988 4004 (BBS) Executable Program (CLEAN.EXE): CLEAN contains a self test at load time. If CLEAN has been modified in any way, a warning will be displayed. The program will still continue to repair and clean infected programs, however. In addition, versions 55 and above are packaged with a VALIDATE program that will authenticate the integrity of CLEAN.EXE. Refer to the VALIDATE.DOC instructions for the use of the validation program. The validation results for V63 should be: SIZE: 58,835 DATE: 6-02-1990 FILE AUTHENTICATION: Check Method 1 - 429C Check Method 2 - 062E You may also call the McAfee Associates bulletin board at 408 988 4004 to obtain on-line SCAN.EXE verification data. The VALIDATE program distributed with CLEAN may be used to authenticate all future versions of CLEAN. Notes on Version 63: Version 63 has been one of the most painful versions we have put together. There have been 17 new viruses and virus sub-strains discovered in the 35 days since the release of version 62. We have also added a major feature to allow SCAN and CLEAN-UP to check inside of programs compressed with LZEXE; we've added Yankee Doodle and Vacsina to the list of recoverable viruses in CleanUp; we've undertaken an accounting of the numerous sub-strains of each virus; we've repaired over a dozen loopholes that allowed certain sub-strains to slip through; and we've added a new program to the product line called VCOPY that replaces the DOS copy command and does automatic scanning during a copy function. In addition, we've been struggling with the issue of how to count viruses in a meaningful way that does not place us in a seemingly disadvantageous competitive position. For example: Numerous anti-virus programs advertise the number of viruses that they are able to detect, and these numbers range from less than 50 to over 100. On analysis, these numbers included all of the known sub-strains of the viruses, and their virus count by our classification was always substantially less. We group viruses by major type, where possible, to make it easier to manage, both from an identification and removal basis. But on a sheer numbers comparison, SCAN appears in a weaker light. After careful thought, we decided to stick with our classification scheme, but in the VIRLIST.TXT we will list the known variants detected in parentheses. By the competition's counting scheme, we now identify 167 viruses. By our count, we identify 97. The 17 new viruses and new sub-strains added for version 63 have come from a variety of sources. Vesselin Bontchev from Bulgaria submitted three new variants of the 512, one new variant of the W-13 virus and two entirely new viruses that have surfaced in Eastern Europe. Dave Chess from IBM provided me with three new viruses collected through the various IBM contacts. Patricia Hoffamn provided one new virus and two new variants submitted from users of the FidoNet network. The Icelandic virus researcher Fridrik Skulason provided one new virus. The remaining four were submitted directly by Homebase users. The VIRLIST.TXT document describes the main operating characteristics of the new viruses. To avoid duplication of effort, I am referring users to Patricia Hoffman's most current VSUM document for a detailed description of the new viruses. OVERVIEW: CLEAN-UP kills and removes computer viruses, and in most instances it repairs infected files, re-constructs damaged programs and returns the system to normal operation. CLEAN-UP works for all viruses identified by the current version of McAfee Associates' SCAN. CLEAN-UP searches the entire system looking for the virus that you wish to remove. When found, the infected file is identified, the virus is isolated and removed, and for the more common viruses, the infected file is repaired. If the file is infected with a less common virus that cannot be separated from the file, the infected file is wiped from the disk and deleted from the system. A warning message is displayed by CLEAN-UP before erasing any files, and you have the option of overriding the erase function. The common viruses that CLEAN-UP is able to remove successfully and repair and restore the damaged programs are: Jerusalem B Alabama Jerusalem A Ping Pong Jerusalem E Stoned Dark Avenger Pakistani Brain Suriv03 Payday Alameda 1701 1704 Disk Killer Ping Pong-B Ashar Sunday 1260 4096 Yankee Doodle Vacsina These viruses account for the overwhelming majority of infection occurrences. All other known viruses will be identified and isolated by CLEAN-UP and the infected files' area of disk will be wiped clean and the files will be removed from the system. ****** I M P O R T A N T ****** * Note: EXE viruses cannot be successfully removed from all infected .EXE files in 100% of the cases. A few EXE programs will be damaged beyond repair by the infection and they will have to be deleted. In all cases, however, the virus in the file will be killed and rendered harmless by CLEAN-UP. Additionally, removing the Stoned virus can cause loss of the partition table in systems with non-standard disk controllers or systems that use special purpose device drivers for disk access. If you are removing the Stoned virus, as a precaution back-up all critical data before running Clean-up. Loss of the partition table will cause -- LOSS OF ALL DATA ON THE DISK. ******* FOLLOW THE REMOVAL INSTRUCTIONS CLOSELY ******* * POWER DOWN AND RE-BOOT FROM A CLEAN DISKETTE BEFORE BEGINNING * RUNNING CLEAN-UP: Before running CLEAN-UP, verify the suspected virus infection by running VIRUSCAN (SCAN.EXE) Version 55 or greater. SCAN will identify the virus strain and sub-strain and will display the I.D. to be used as input to the CLEAN-UP program. CLEAN-UP uses this I.D. to determine which virus to seek out and remove. The I.D. for each virus is displayed inside a set of brackets - [ ]. For example, the I.D. for the Disk Killer virus will be displayed by SCAN as [Killer]. This identical identifier must be used in the command line of CLEAN-UP in order to remove the Disk Killer virus. *** Important: Before you begin the disinfection process, you MUST power down the infected computer and then re-boot the computer from a clean, write-protected system diskette. This step is very important. It will remove the virus from control in memory and prevent the virus from continuing to infect during the clean-up process. After Re-booting from the clean diskette, run SCAN on the diskette to verify that it is indeed not infected. To run CLEAN-UP type: CLEAN d1: d2: ... dn: [virusname] /a /many where: dn: - Drive designators for drives to be cleaned. (up to 10 drives may be cleaned with one command) [virusname] - The virus I.D. (brackets must be included) /a - Option to check all files /many - Option to allow cleaning multiple floppies Examples: CLEAN C: D: [Jeru] will clean Jerusalem from C and D drives CLEAN C:\TEMP [Dav] /a Will clean Dark avenger from C:\TEMP and will search all file extensions for the virus CLEAN-UP will display the name of each infected file as it is found. When the virus has been removed from each file, a "successful" message will be displayed. NOTE: If a file has been infected multiple times by a virus, clean will display the name of the file and the "successful" message for each infection occurrence. Thus, multiple lines will be displayed for each file infected more than once. After running CLEAN-UP, run SCAN again, this time with the /a option, to ensure that all remnants of the virus have been removed. After cleaning the fixed disk drives, SCAN all floppies and if any infections are found, remove them with CLEAN-UP. The clean-up I.D.'s for each of the known viruses are listed in brackets below: Oropax [Oro] Pakistani Brain [Brain] 4096 [4096] Chaos [Chaos] AIDS Trojan [AIDS] Virus-90 [90] Amstrad [Amst] Devil's Dance [Dance] Holland Girl [Holland] Datacrime II-B [Crime-2B] Do-Nothing virus [Nothing] Sunday virus [Sunday] Lisbon virus [Lisb] Typo COM virus [Typo] DBASE virus [Dbase] Ghost / Ghostball Boot Ghost COM Version [Ghost-C] New Jerusalem [Jeru] Alabama [Alabama] Yankee Doodle [Doodle] 2930 [2930] Ashar [Brain] AIDS / Taunt [Taunt] Disk Killer / Ogre [Killer] 1536 / Zero Bug [Zero] MIX1 [Mix1] Dark Avenger [Dav] 3551 / Syslock [Syslock] Vacsina [Vacs] Ohio Typo Swap / Israeli Boot Datacrime II [Crime-2] Icelandic-II / System [Ice-2] Pentagon 3066 / Traceback [3066] Datacrime-B [Crime-B] Icelandic [Ice] Saratoga [Toga] 405 [405] 1704 Format [170X] Fu Manchu / 2086 [Fu] 1280 / Datacrime [Crime] 1701 / Cascade [170X] 1704 / Cascade-B [170X] Stoned / Marijuana [Stoned] 1704 / Cascade [170X] Ping Pong-B / Cascade Boot [Ping] Den Zuk Ping Pong / Bouncing Dot [Ping] Vienna-B [Vienna-B] Lehigh [Lehigh] Vienna / DOS-62 [Vienna] Jerusalem-B [Jeru] Yale / Alameda [Alameda] Friday 13th COM virus [13] Jerusalem-A / 1813 [Jeru] Suriv03 / Jerusalem-E [Jeru] Suriv02 [jeru-D] Suriv01 [April] Taiwan [Taiwan] Halloechen [Hal] Perfume [Fume] Joker [Joke] Icelandic-3 [Ice-3] 1260 [1260] Virus-101 [101] V2000 [2000] Saturday 14th [Sat14] 1720 [1720] 1210 [1210] Christmas Tree [XA1] 1392 [1392] Korea [Korea] 2000-B [Solano] Kennedy [Kennedy] Yankee-2 [Doodle2] Eight Tunes [1971] June 16th [June16] V800 [800] Murphy [Murphy] Shake [Shake] Fish-6 [Fish] Liberty [Liberty] Frere Jacques [frere] Slow [Slow] W-13 [W13] JoJo [JoJo] Victor [Victor] 5120 [5120] REGISTRATION: CLEAN-UP is a required registration shareware product. It may be use in a home environment for a registration fee of $35. Please use the enclosed REGISTER.DOC file for registration information. For corporate, organizational or agency use, however, a corporate site license is required. For site license information please contact: McAfee Associates 4423 Cheeney Street Santa Clara, CA 95054 408 988 3832 (voice) 408 988 4004 (BBS) 408 970 9727 (Fax) Version Notes Version 62: Version 62 identifies and removes four new viruses. The first is a COM and EXE infector called the Eight Tunes virus (also called the 1971 virus). This virus is memory resident and randomly plays one of eight German folk songs on the system speaker. It appears to have no destructive code within it. The virus adds approximately 1975 bytes to infected files. A second musical that appeared in the past two weeks is the Yankee Doodle-2 virus. This virus is similar to the first Yankee Doodle, except that it plays the Yankee Doodle tune as soon as an infected program is executed. It infects EXE files only. The third virus reported is a small non-memory resident COM infector called the Kennedy virus. It appears to have no destructive or disruptive code but it does contain a reference to the Kennedy family inside the virus code. The fourth virus is a destructive virus called the June 16th virus. It is a non-resident virus that infects COM files, including the Command Interpreter (COMMAND.COM). On every June 16th, the virus activates and replaces all FAT entries with the word "ZAPPED". Version 61: Version 61 is able to detect five new viruses reported since March 1, 1990. The first virus was submitted by Dave Chess of IBM. It is a destructive COM and EXE infector called the Saturday the 14th virus. The virus activates every Saturday that falls on the 14th of any month and causes the first 100 sectors of the A, B, and C drives to be overwritten. The net result is loss of all of the control information for the media assigned to those drives. The Partition table, Boot Sector and FAT will be destroyed. The virus is 685 bytes long and is memory resident. The second new virus is the 1392 virus which was also submitted by Dave Chess of IBM. The virus does little damage, other than corruption of the infected programs, but it does display the following message: "SMA KHETAPUNK - Nouvel Band A.M.O.E.B.A." No idea what this means. The virus changes the date of infected files to the date of infection; it is memory resident; it infects both COM and EXE files, including COMMAND.COM and is 1392 bytes long. The third new virus is the XA1, or Christmas Tree virus. It was submitted by Christoff Fischer of West Germany. It is an encrypted virus that only infects COM files. It activates on April the 1st and destroys the partition table of the hard disk. From December 24th till January 1st it will draw a full screen picture of a christmas tree when an infected program is executed. It is not memory resident. The fourth and fifth new viruses were discovered in Spain and are called the 1720 and 1210 viruses. The 1720 infects both COM and EXE files, while the 1210 only infects EXE files. Little is know of these viruses at this point other than that the 1720 appears to be destructive. The viruses were named after their respective lengths. In addition to the above new viruses, version 61 fixes a bug which caused it to mis-identify the Korea Virus. Version 60: Version 60 identifies four new viruses that have been reported from widely dispersed parts of the world. The first virus, the Solano 2000, or Dyslexia virus, was widely and suddenly reported in Solano County California in late February and Early March 1990. The first person to isolate and submit the virus was Edward Winters. The virus is 2000 bytes long, but bears no resemblance to the V2000 virus from Bulgaria. The virus infects only COM files, is memory resident, and infects each file as it is executed. The virus randomly reverses contiguous numeric data in the video buffer. No other damage has been observed. The second virus, ItaVir, was submitted by Andrea Salvia and Emilio Caravaglia of Milan Polytechnic in Milan, Italy. The virus is 3,880 bytes long, infects only EXE files and is not memory resident. The virus is activated based on the amount of time it has been in the system (apparently a random time greater than 24 hours) and when activated, it sequentially writes all values (between 0 and 255) to all I/O ports in the system. The result is a dramatic confusion of all peripherals. The video monitor will flicker and if the monitor is VGA, will also hiss. The boot sector is also wiped out and the system will be non-bootable on power-up. The third virus, Vcomm, was submitted by Yuval Tal from Rehovot, Israel. It is a non-memory resident EXE infector and is 1074 bytes long. After the virus is first executed, it infects one other EXE file and then modifies the in-memory Command Interpreter so that the DOS COPY command no longer works. No other disruptions have been reported from this virus. The fourth virus is a boot sector infector submitted from Korea. Limited analysis has been done so far on this virus other than developing an identifier. The virus has been named the Korea Virus. Version 59: Version 59 now removes a number of new variations of the Vienna, Yankee Doodle and Vacsina. These variations were submitted by researchers in Eastern Europe. The variations of the Yankee Doodle and Vacsina appear to be earlier trial versions of these viruses. They don't appear to be harmful, other than corrupting the programs that are infected and there have been no reported incidents of infection in the U.S. or Western Europe. The variations of Vienna are likewise apparently harmless. A completely new virus has also been added to the scan list. Called the V2000 virus, it works as follows: It installs resident in memory and then searches for and infects the Command Interpreter (COMMAND.COM). It will then infect any COM or EXE file whenever the file is opened. Thus, the executable files are infected whenever they are executed, copied or manipulated in any way. The virus hides the length increase of infected files, much like the 4096, so the user will not see the increased file lengths in the listing displayed by the DIR command. The virus is very virulent and has caused system crashes and lost data, as well as causing some systems to become non-bootable after infection. The 4096 virus has been added to the list of viruses that can be removed without erasing the infected program. Version 57: CLEAN57 has been substantially modified to allow removal of viruses that use variable encryption techniques. Two such viruses surfaced for the first time in January. These viruses cannot be accurately identified and removed with simple I.D. strings. The changes to SCAN now allow these two viruses to be positively identified, and identification and removal of future viruses that use similar techniques has been simplified. Both of these encrypted viruses were written as "experimental" viruses. One surfaced on a number of bulletin boards in Minnesota under the name of COM_AIDS.ZIP. I have named it the 1260 virus, although it is based in part on the original Vienna virus. The other was written by Patrick Toulme in Washington D.C. (author of Virus-90). He has called the new virus Virus-101. Neither of these viruses was designed to be destructive - they just attach themselves to other programs. However, there is no such thing as a "harmless" virus. All viruses corrupt the code of the host programs, and none enter your system under invitation. And none have yet successfully been contained. Even the most well designed and coded "harmless" virus will cause problems in some mix of hardware/BIOS/DOS-Version/Memory-resident-programs etc. The Pakistani Brain is a prime example of this. For this reason we oppose the public distribution of any kind of virus. Once released, they cannot be controlled. In addition, many lazier hackers can easily modify "harmless" viruses to become destructive, and many instances of such modification exist. Thus, V57 of CLEAN removes both of these viruses. In addition to the above two viruses, V57 removes the Joker and Perfume viruses from Poland, the Icelandic-3 found by Fridrik Skulason in Iceland and the Halloechen virus reported by Christoff Fischer at the University of Karlsruhe in West Germany. These are detailed in VIRLIST.TXT. The 1260 Virus has been added to the list of viruses that can be removed without erasing the infected program.