Magnum One

home *** CD-ROM | disk | FTP | other *** search

/ Magnum One / Magnum One (Mid-American Digital) (Disc Manufacturing).iso / d23 / scanv84.arc / SCANV84.DOC < prev next >

Wrap

Text File | 1991-10-12 | 30KB | 676 lines

VIRUSCAN Version 7.9V84 Copyright (C) 1989, 1990, 1991 by McAfee Associates. All rights reserved. Documentation by Aryeh Goretsky. McAfee Associates (408) 988-3832 office 4423 Cheeney Street (408) 970-9727 fax Santa Clara, CA 95054-0253 (408) 988-4004 BBS 2400 bps U.S.A. (408) 988-5138 BBS HST 9600 (408) 988-5190 BBS v32 9600 CompuServe GO VIRUSFORUM InterNet mcafee@netcom.com TABLE OF CONTENTS: SYNOPSIS . . . . . . . . . . . . . . . . . . . . . . . . . . .2 - What VIRUSCAN is, system requirements AUTHENTICITY . . . . . . . . . . . . . . . . . . . . . . . . .2 - Verifying the integrity of VIRUSCAN WHAT'S NEW . . . . . . . . . . . . . . . . . . . . . . . . . .3 - Features, new viruses added in this release OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . .4 - Detailed description of VIRUSCAN OPERATION. . . . . . . . . . . . . . . . . . . . . . . . . . .5 - How to use VIRUSCAN EXAMPLES . . . . . . . . . . . . . . . . . . . . . . . . . . .8 - Samples of frequently-used options EXIT CODES . . . . . . . . . . . . . . . . . . . . . . . . . .9 - For running VIRUSCAN from batch files VIRUS REMOVAL. . . . . . . . . . . . . . . . . . . . . . . . .9 - How to manually remove a virus REGISTRATION . . . . . . . . . . . . . . . . . . . . . . . . .9 - How to register VIRUSCAN TECH SUPPORT . . . . . . . . . . . . . . . . . . . . . . . . .10 - Information you should have ready when calling APPENDIX A . . . . . . . . . . . . . . . . . . . . . . . . . .11 - Creating a virus string file with the /EXT option APPENDIX B . . . . . . . . . . . . . . . . . . . . . . . . . .13 - Miscelleaneous Application Notes Page 1 VIRUSCAN Version 7.9V84 Page 2 SYNOPSIS VIRUSCAN (SCAN) is a virus detection and identification program for the IBM PC and compatible computers. VIRUSCAN will search a PC for known computer viruses in memory, the boot sector, the partition table, and the files of a PC and its disks. VIRUSCAN will also detect the presence of unknown viruses. SCAN works by searching the system for instruction sequences or patterns that are unique to each computer virus, and then reporting their presence if found. This method works for viruses that VIRUSCAN recognizes. SCAN can detect unknown viruses in files and boot sector by appending validation (CRC) codes to .COM and .EXE files and then checking the files against their codes for changes, warning that an infection may have occurred if the file has been modified in any way, and by checking boot sectors for generic routines that a boot sector virus must have. SCAN can check for new viruses from a user-supplied list of virus search strings. VIRUSCAN runs on any PC with 256Kb and DOS version 2.00 or greater. AUTHENTICITY VIRUSCAN runs a self-test when executed. If SCAN has been modified in any way, a warning will be displayed. The program will still continue to check for viruses, though. If SCAN reports that it has been damaged, it is recommended that a clean copy be obtained. VIRUSCAN versions 46 and above are packaged with the VALIDATE program to ensure the integrity of the SCAN.EXE file. The VALIDATE.DOC instructions tell how to use the VALIDATE program. The VALIDATE program distributed with VIRUSCAN may be used to check all further versions of SCAN. The validation results for Version 7.9V84 should be: FILE NAME: SCAN.EXE SIZE: 51,870 DATE: 10-7-91 FILE AUTHENTICATION Check Method 1: 9008 Check Method 2: 03A7 If your copy of SCAN.EXE differs, it may have been modified. Always obtain your copy of VIRUSCAN from a known source. The latest version of VIRUSCAN and validation data for SCAN.EXE can be obtained off of McAfee Associates' bulletin board system at (408) 988-4004 or from the Computer Virus Help Forum on CompuServe. Beginning with Version 72, all McAfee Associates programs for download are archived with PKWare's PKZIP Authentic File Verification. If you do not see the "-AV" message after every file is unzipped and receive the message "Authentic Files Verified! # NWN405 Zip Source: McAFEE ASSOCIATES" when you unzip the files then do not run them. If your version of PKUNZIP does not have verification ability, then this message may not be displayed. Please contact McAfee Associates if your .ZIP file has been tampered with. VIRUSCAN Version 7.9V84 Page 3 WHAT'S NEW Version 83 of VIRUSCAN was skipped due to a trojan version 84 that appeared last January. Version 84 of SCAN is being released early due to the appearance of an entirely new type of virus, called the DIR2 or FAT virus that was recently discovered. This virus does not attach directly to programs, but instead modifies directory entries for executable files so that the cluster pointers point to the virus instead of the executable files. The virus in turn loads and executes the programs. This means that if the virus is resident on an infected system, then any executable file copies or backups will transfer the virus. If the virus is not memory resident, then the executable files cannot be copied or backed up. Only the virus will be copied. There is no current technique, short of a re-format, that can remove this virus. Clean-Up is therefore also being modified to deal with this virus and will be released simultaneously with this version of SCAN. Two new options were added to the VIRUSCAN program, /CHKHI and /MAINT. When VIRUSCAN is run with the /CHKHI option it will check memory from 0Kb to 1088Kb. When VIRUSCAN is run with the /MAINT option, it will check MS-DOS 4.0+ installed hard disks that have been damaged by a boot sector virus. 49 new viruses were added. Viruses that were reported at multiple sites include: 748 reported in California and Texas, the Dec 28 from Zaragoza University in Spain, Miky from Bolivia and Florida, Mosquito, the Sunday-2 from Canada, R-11, and Tokyo. Other viruses added in this release include the #1, 789, 1014, 1661, 1840, 2480, BackTime, Boys, Burghofer, CADKill, CD, Cinderella, Damage, Demon, Dropper, Europe-'92, ETC, Gotcha, Hero, Hitchcock, Jerk, Klaeren, M128, Mini-45, Manta, Mule, NewCom, Nobock, Possessed, QP3, R10, R11, Scud, Spanish, Spanz, Topo, Tuesday, Twin-351, V125, V-483, V812, and Xabaras viruses. For a listing of the viruses that were added, please refer to the enclosed VIRLIST.TXT file for a short description. For a more complete description, please refer to Patricia Hoffman's VSUM listing. VIRUSCAN Version 7.9V84 Page 4 In addition to the enhancements to SCAN, we are now running the Compuserve Computer Virus Forum. Updates to SCAN, virus information, and product support may be obtained by typing GO VIRUSFORUM after logging on to Compuserve. A free introductory membership to Compuserve is also available to users of SCAN. Please read the enclosed Compuserve document for details. OVERVIEW VIRUSCAN scans diskettes or entire systems for pre-existing computer virus infections. It will identify the virus infecting the system, and tell what area of the system (memory, boot sector, file) the virus occupies. An infected file can be removed with the overwrite-and-delete option, /D which will erase the file. The CLEAN-UP program is also available to automatically disinfect the system and repair damaged areas whenever possible. VIRUSCAN Version 82 identifies all 301 known computer viruses along with their variants. Some viruses have been modified so that more than one "strain" exists. Counting such modifications, there are 897 virus variants. The twenty most common viruses which account for over 98% of all reported PC infections are also identified by SCAN. The accompanying VIRLIST.TXT file lists describes all new, public domain, and extinct computer viruses identified by SCAN. The number of variants of each virus is listed in parentheses after the virus name. All known computer viruses infect one or more of the following areas: the hard or fixed disk partition table (also known as the master boot record); the DOS boot sector of hard disks and floppy disks; or one or more executable files within the system. Executable files include operating system files, .COM files, .EXE files, overlay files, or any other files loaded into memory and executed. A virus that infects more than one area, such as a boot sector and an executable file is called a multipartite virus. VIRUSCAN identifies every area or file that is infected, and indicates both the name of the virus and CLEAN-UP I.D. code used to remove it. SCAN will check the entire system, an individual diskette, subdirectory, or individual files for existing viruses. VIRUSCAN can also check files for unknown viruses with the Add Validation and Check Validation options. This is done by computing a code for a file, appending it to the file, and then validating the file against that code. If the file has been modified, the check will no longer match, indicating that viral infection may have occurred. SCAN uses two independently generated CRC (Cyclic Redundancy Check) checks that are added to the end of program files to do this. Files which are self-checking should not be validated since this will "set off" the program's self-check. Files which are self-modifying may have different values for the same program depending upon the modifications. VIRUSCAN adds validation codes to .COM and .EXE files only. The validation codes for the partition table, boot sector, and system files, are kept in a hidden file called SCANVAL.VAL in the root directory. To detect boot sector viruses, SCAN checks the boot sector for signs of viral code. If suspicious code is found, SCAN will report that it has found a Suspcious Boot Sector Virus. VIRUSCAN can also be updated to search for new viruses via an External Virus Data File option, which allows the user to provide the VIRUSCAN program with new search strings for viruses. VIRUSCAN can display messages in either English or French. VIRUSCAN works on stand-alone and networked PC's, but not on a file server. For networks, the NETSCAN server drive scanning program must be used. VIRUSCAN Version 7.9V84 Page 5 OPERATION IMPORTANT NOTE: WRITE PROTECT YOUR FLOPPY DISK BEFORE SCANNING YOUR SYSTEM TO PREVENT INFECTION OF THE VIRUSCAN PROGRAM. VIRUSCAN will check each area or file on the designated drive(s) that could be host to a virus. If a virus is found, a message is displayed telling the name of the infected file or system area and the name of the identified virus. SCAN will examine files for viruses based on their extensions. The default file extensions supported by SCAN are .APP, .BIN, .COM, .EXE, .OV?, .PGM, .PIF, .PRG, .SWP, .SYS, and .XTP. Additional extensions can be added to SCAN or all files on disk can be selected for scanning. To run VIRUSCAN type: SCAN d1: ... d10: /A /AV /CHKHI /CV /D /E .xxx .yyy .zzz /EXT d:filename /FR /MAINT /MANY /NLZ /NOBREAK /NOMEM /NOPAUSE /REPORT d:filename /RV /SUB Options are: \ - Scan root directory and boot area only /A - Scan all files, including data, for viruses /AV - Add validation codes to specified files /CHKHI - Check memory from 0Kb to 1088Kb /CV - Check validation codes for files /D - Overwrite and delete infected file /E .xxx .yyy .zzz - Scan overlay extensions .xxx .yyy .zzz /EXT d:filename - Scan using external virus information file /FR - Display messages in French /M - Scan memory for all viruses (see below for specifics) /MAINT - Scan MS-DOS 4.0+ boot sector damaged disk /MANY - Scan multiple floppies /NLZ - Skip internal scan of LZEXE compressed files /NOBREAK - Disable Ctrl-C / Ctrl-Brk during scanning /NOMEM - Skip memory checking /NOPAUSE - Disable screen pause when scanning /REPORT d:filename - Create report of infected files /RV - Remove validation codes from specified files /SUB - Scan subdirectories (d1: ... d10: indicate drives to be scanned) The /A option will cause SCAN to check all files on the referenced drive. This should only be used if a file-infecting virus has already been detected. Otherwise the /A option should only be used when checking a new program. The /A option will add a substantial time to scanning. This option takes priority over the /E option. The /AV option allows the user to add validation codes to the files being scanned. If a full drive is specified, SCAN will create validation data for the partition table, boot sector, and system files of the disk as well. Validation adds ten (10) bytes to files; the validation data for the partition table, boot sector, and system files is stored separately in a hidden file in the root directory of the scanned drive. VIRUSCAN Version 7.9V84 Page 6 The /CHKHI option checks the memory above 640Kb that can be used on AT (286) and 386 systems for computer viruses. This includes the 384Kb Upper Memory Area from 640Kb to 1024Kb, and the 64Kb High Memory Area from 1024Kb to 1088Kb. On XT systems with extended memory cards installed, this will cause the first 64K of RAM to be scanned again. This option can not be used with the /NOMEM option. The /CV option checks the validation codes inserted by the /AV option. If the file has been changed, SCAN will report that the file has been modified, and that viral infection may have occurred. Using the /CV option adds about 25% more time to scanning. NOTE: Some older Hewlett Packard and Zenith PC's modify the boot sector or partition table each time the system is booted. This will cause SCAN to continually notify the user of boot sector or partition table modifications if the /CV switch is selected. Check your system's manual to determine if your system contains self-modifying boot code. The /D option tells VIRUSCAN to prompt the user to overwrite and delete an infected file when one is found. If the user selects "Y" the infected file will be overwritten with hex code C3 [the Return-to-DOS instruction] and then deleted. A file erased by the /D option can not be recovered. If the McAfee Associates' CLEAN- UP program is available, it is recommended that CLEAN be used to remove the virus instead of SCAN, since in most cases it will recover the infected file. Boot sector and partition table infectors can not be removed by the /D option and require the CLEAN-UP virus disinfection program. The /E option allows the user to specify an extension or set of extensions to scan. Extensions should include the period character "." and be separated by a space after the /E and between each other. Up to three extensions may be added with the /E. For more extensions, use the /A option. The /EXT option allows VIRUSCAN to search for viruses from a text file containing user-defined search strings in addition to the viruses that already SCAN checks for. The syntax for using the external virus data file is /EXT d:filename, where d: is the drive name and filename is the name of the external virus data file. For instructions on how to create an external virus data file, refer to Appendix A. NOTE: The /EXT option is intended for users to add strings for detection of computer viruses on an interim or emergency basis. When used with the /D option, it will delete infected files. This option is not recommended for general use and should be used with caution. The /FR option tells VIRUSCAN to output all messages in French instead of English. The /M option tells VIRUSCAN to check system memory for all known computer viruses that can inhabit memory. SCAN by default only checks memory for critical and "stealth" viruses, which are viruses which can cause catastrophic damage or spread the infection during the scanning process. SCAN will check memory for the following viruses in any case: VIRUSCAN Version 7.9V84 Page 7 1024 1253 1554 1963 1971 2100 2560 337 3445-Stealth 4096 512 Anthrax Anti-Tel Brain Dark Avenger Darth Vader Disk Killer Doom2 EDV Empire Fish6 Form Greemlin Invader Joshi Microbes Mirror Murphy Nomenclature Phantom Plastique Polish-2 P1R (Phoenix) Sentinel Stoned Tequila Taiwan-3 Whale Zero-Hunt If one of these viruses is found in memory, SCAN will stop and advise the user to power down, and reboot the system from a virus-free system disk. Using the /M option with another anti-viral software package may result in false alarms if the other package does not remove its virus search strings from memory. The /M option will add 6 to 20 seconds to the scanning time. The /MAINT option is used to scan hard disks partitioned with DOS 4.0 or above that have been damaged by a boot sector or partition table infecting virus. Attempts to access disks damaged in such a manner result in an "invalid media" message being displayed. The /MAINT option will only scan the partition table and boot sector, not the files. The /MANY option is used to scan multiple diskettes placed in a given drive. If the user has more than one floppy disk to check for viruses, the /MANY option will allows the user to check them without having to run SCAN multiple times. If a system has been disinfected, the /MANY and /NOMEM options can be used to speed up scanning of disks. The /NLZ option tells VIRUSCAN not to look inside files compressed with the LZEXE file compression program. SCAN will still check the programs for external infections. The /NOBREAK option disables Control-C or Control-Break from stopping VIRUSCAN while running. The /NOMEM option is used to turn off all memory checking for viruses. It should only be used when a system is known to be free of viruses. The /NOMEM option can not be used with the /CHKHI or /M options. The /NOPAUSE option disables the "More..." prompt that appears when SCAN fills up a screen with data. This allows VIRUSCAN to run on a machine with multiple infections without requiring operator intervention when the screen fills up with messages from the SCAN program. The /REPORT option is used to generate a listing of infected files. The resulting list is saved to disk as an ASCII text file. To use the report option, specify /REPORT on the command line, followed by the device and filename [See EXAMPLES below for samples]. The /RV option is used to remove validation codes from a file or files. It can be used to remove the validation code from a diskette, subdirectory, or file(s). Using /RV on a disk will remove the partition table, boot sector, and system file validation. This option can not be used with the /AV option. The /SUB option allows SCAN to scan subdirectories under a a subdirectory when scanned. Previously, SCAN would only recursively check subdirectories if a logical device (e.g., C:) was scanned. VIRUSCAN Version 7.9V84 Page 8 EXAMPLES The following examples are shown as they would be typed in. SCAN C: To scan drive C: SCAN A:R-HOOPER.EXE To scan file "R-HOOPER.EXE" on drive A: SCAN A: /A /CV To scan all files and check validation codes for unknown viruses on drive A:. SCAN B: /D /A To scan all files on drive B:, and prompt for erasure of infected files. SCAN C: D: E: /AV /NOMEM To add validation codes to files on drives C:, D:, and E:, and skip memory checking. SCAN C: D: /M /A /FR To scan memory for all known and extinct viruses, as well as all files on drives C: and D:, and output all messages in French. SCAN C: D: /E .WPM .COD To scan drives C: and D:, and include files with the extensions .WPM and .COD SCAN C: /EXT A:SAMPLE.ASC To scan drive C: for known computer viruses and also for viruses added by the user via the external virus data file option. SCAN C: /M /NOPAUSE /REPORT A:INFECTN.RPT To scan for all viruses in memory and drive C: without stopping, and create a log on drive A: called INFECTN.RPT SCAN C: D: /NOPAUSE /REPORT B:VIRUS.RPT To scan drives C: and D: for viruses without stopping, and create a log on drive B: called VIRUS.RPT SCAN E:\DOWNLOADS /SUB To scan all subdirectories under DOWNLOADS on drive E: VIRUSCAN Version 7.9V84 Page 9 EXIT CODES VIRUSCAN will set the DOS ERRORLEVEL upon program termination to: ERRORLEVEL | DESCRIPTION -----------+-------------------------- 0 | No viruses found 1 | One or more viruses found 2 | Abnormal termination (program error) If a user stops the scanning process, SCAN will set the ERRORLEVEL to 0 or 1 depending on whether or not a virus was discovered prior to termination of the SCAN. The /NOBREAK option can be used to prevent scanning from being stopped. VIRUS REMOVAL What do you do if a virus is found? You can contact McAfee Associates for help with removing viruses by BBS, FAX, telephone, or Internet. There is no charge for support calls to McAfee Associates. The CLEAN-UP universal virus disinfection program is available and will disinfect the majority of reported computer viruses. It is updated with each release of the SCAN program to remove new viruses. The CLEAN-UP program can be downloaded from McAfee Associates BBS, the SIMTEL20 archives on the InterNet, the McAfee Associates'-sponsored Computer Virus Help Forum on CompuServe, or from the agents listed in the enclosed text file. It is strongly recommended that you get experienced help in dealing with viruses, especially critical viruses that can damage or destroy data [for a listing of critical viruses, see the /M option under OPTIONS, above] and partition table or boot sector infecting viruses, as improper removal of these viruses could result in the loss of all data and use of the disk(s). For qualified assistance in removing a virus, please contact McAfee Associates directly or check the enclosed AGENTS.TXT file for an Authorized McAfee Associates Agent in your area. Agents may charge McAfee Associates normal support rates for their services. REGISTRATION A registration fee of $25.00US is required for the use of VIRUSCAN by individual home users. Registration is for one year and entitles the holder to unlimited free upgrades off of McAfee Associates BBS or CompuServe Computer Virus Help Forum. When registering, a diskette containing the latest version may be requested. Add $9.00US for diskette mailings. Only one diskette mailing will be made. Registration is for home users only and does not apply to businesses, corporations, organizations, government agencies, or schools, who must obtain a license for use. Contact McAfee Associates for more information. Outside of the United States, registration and support may be obtained from the Agents listed in the accompanying AGENTS.TXT file. VIRUSCAN Version 7.9V84 Page 10 TECH SUPPORT For fast and accurate help, please have the following information prepared when you contact McAfee Associates: - Program name and version number. - Type and brand of computer, hard disk, plus any peripherals. - Version of DOS you are running, plus any TSRs or device drivers in use. - Printouts of your AUTOEXEC.BAT and CONFIG.SYS files. - The exact problem you are having. Please be as specific as possible. Having a printout of the screen and/or being at your computer will help also. McAfee Associates can be contacted by CompuServe Forum, BBS, fax, or InterNet 24 hours a day, or call our business office at (408) 988-3832, Monday through Friday, 8:30AM to 6:00PM Pacific Standard Time. McAfee Associates (408) 988-3832 office 4423 Cheeney Street (408) 970-9727 fax Santa Clara, CA 95054-0253 (408) 988-4004 BBS 2400 bps U.S.A (408) 988-5138 BBS HST 9600 (408) 988-5190 BBS v32 9600 CompuServe GO VIRUSFORUM Internet mcafee@netcom.com If you are overseas, please refer to the AGENTS.TXT file for a listing of McAfee Associates Agents for support or sales. VIRUSCAN Version 7.9V84 Page 11 APPENDIX A: Creating a Virus String File with the /EXT Option The External Virus Data file should be created with an editor or a word processor and saved as an ASCII text file. Be sure each line ends with a CR/LF pair. NOTE: The /EXT option is intended for emergency and research use only. It is an temporary method for identifying new viruses prior to the subsequent release of SCAN. A sound understanding of viruses and string-search techniques is advised as a prerequisite for using this option. The virus string file uses the following format: #Comment about Virus_1 "aabbccddeeff..." Virus_1_Name #Comment about Virus_2 "gghhiijjkkll..." Virus_2_Name . . "uuvvwwxxyyzz..." Virus_n_Name Where aa, bb, cc, etc. are the hexadecimal bytes that you wish to scan for. Each line in the file represents one virus. The Virus Name for each virus is mandatory, and may be up to 25 characters in length. The double quotes (") are required at the beginning and end of each hexadecimal string. SCAN will use the string file to search memory, the Partition Table, Boot Sector, System files, all .COM and .EXE files, and Overlay files with the extension .BIN, .OV?, .PGM, .PIF, .PRG, .SYS and .XTP. Virus strings may contain wild cards. The two wildcard options are: FIXED POSITION WILDCARD The question mark "?" may be used to represent a wildcard in a fixed position within the string. For example, the string: "E9 7C 00 10 ? 37 CB" would match "E9 7C 00 10 27 37 CB", "E9 7C 00 10 9C 37 CB", or any other similar string, no matter what byte was in the fifth place. RANGE WILDCARD The asterisk "*", followed by range number in parentheses "(" and ")" is used to represent a variable number of adjoining random bytes. For example, the string: "E9 7C *(4) 37 CB" would match "E9 7C 00 37 CB", "E9 7C 00 11 37 CB", and "E9 7C 00 11 22 37 CB". The string "E9 7C 00 11 22 33 44 37 CB" would not match since the distance between 7C and 37 is greater than four bytes. You may specify a range of up to 99 bytes. VIRUSCAN Version 7.9V84 Page 12 Up to 10 different wildcards of either kind may be used in one virus string. COMMENTS A pound sign "#" at the begining of a line will denote that it is a comment. Use this for adding notes to the external virus data file. For example: #New .COM virus found in file FRITZ.EXE from #Schneiderland on 01-22-91 "53 48 45 45 50" Fritz-1 [F-1] Could be used to store a description of the virus, name of the original infected file, where and when it was received, and so forth. APPENDIX B: Miscellaneous Application Notes CHECKING MEMORY FOR VIRUS ONLY VIRUSCAN can perform a quick check of for viruses in memory only. In this mode, the SCAN program will not check the disk for computer viruses. This option is useful for network administrators who need to check workstations for viruses before allowing them to log on to a LAN but can not run the VSHIELD program due to memory constraints. The command to enter is: SCAN NUL /M /CHKHI By designating NUL as the drive to be scanned, the SCAN program will check system memory for viruses (up to 1088Kb if the /CHKHI option is used) and then return to DOS without scanning any disks. SCAN will set the DOS ERRORLEVEL as it normally does. VIRUSCAN VALIDATION CODES If you have installed any new software or programson your system, and are running VIRUSCAN or VSHIELD with the check validation codes /CV option, you will need to reinstall validation codes to the new files with the add validation codes /AV option of VIRUSCAN. Additionally, the SCANVAL.VAL hidden file containing validation codes for the partition table, boot sector, COMMAND.COM, and system files may have to be replaced. The MS-DOS 5.00 SETVER.EXE file contains self-modifying code and can not have a validation code added to it. The quickest way to update the validation codes is to remove all validation codes from the hard disk and then add them back on by running VIRUSCAN with the /RV and then the /AV options, and then removing the validation code from SETVER.EXE by typing " SCAN C:\DOS\SETVER.EXE /RV" and pressing enter. VIRUSCAN Version 7.9V84 Page 13 NOTE: This applies to any new version of DOS, as well as any programs which you install on your system. DOS 5 AND REFORMATTING INFECTING FLOPPIES If you are reformatting infecting floppy disks under DOS 5.0, be sure to add the /U switch to the FORMAT command. This tells DOS to do an Unconditional format of the disk, and not to save the original (infected) boot sector of the disk. This should be done to prevent the virus from reappearing by unformatting the disk.