Text File | 1995-02-06 | 16KB | 452 lines
Page 1
___________________________________________________________________________
ChekMate Known\Unknown Virus
Detection Utility
Copyright (c) 1994,1995 by Martin Overton. All rights reserved.
Written by:
Martin Overton
8 Owl Beech Place,
Horsham,
West Sussex,
RH13 6PQ,
UNITED KINGDOM
+44 (1403)-241376
Internet:
<Martin@salig.demon.co.uk>
<gbsalmgo@ibmmail.com>
THE INFORMATION AND CODE PROVIDED IS PROVIDED AS IS WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. IN NO EVENT SHALL MARTIN OVERTON BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS
OF BUSINESS PROFITS OR SPECIAL DAMAGES.
_____________________________________________________________________
This program executable, bait files and related files may be
distributed freely as long as no money is charged for the program
itself or any of its components. This program MUST be distributed
as a whole with its associated files and this document.
This version of ChekMate may not be distributed as a part of any
commercial package without prior written agreement of the author.
_____________________________________________________________________
This program was developed entirely using personal time and personal
resources.
It is fully functional and there are no 'nag' screens or crippled
functions.
It has been tested on many different PCs and DOS versions with no
problems encountered.
This program has no connection with, and is not endorsed by, my employers.
___________________________________________________________________________
License:
_______
ChekMate is hereby released under the Shareware concept.
For personal/home use ChekMate is FREE. (Same as F-Prot by FRISK)
Companies or other institutions using ChekMate or interested in a
site license MUST contact the author to arrange a SITE license.
The author retains the copyright of ChekMate and all of its
components.
ChekMate or any of its components may not be used as part of any
other package unless written agreement is obtained from the author.
ChekMate must not be modified in any way.
Thanks:
______
Thanks to Philip Tong for early Beta testing and a copy of the then
unknown 'Dalian_China' or 'Gene_1991' (name still not agreed by CARO)
virus which ChekMate captured.
Thanks also go to Stephan Loescher for his suggestions for improvements
and constructive feedback.
Requirements:
____________
ChekMate requires you to have an IBM PC Compatible running DOS 3.3
or later and at least 128Kb of memory and a Hard Disk.
DEBUG must also be on your PC in your Path.
What is ChekMate:
________________
ChekMate is a DOS based virus detection utility written
originally for my own purposes. Other people have seen and
/or used ChekMate and suggested that I release it as a virus
detection tool.
So here it is!
ChekMate was written to detect new and known file, boot and
partition table viruses. It should be used alongside a good
quality virus scanner. It is NOT a substitute for a virus
scanner.
It will detect most file infector, boot sector or partition
table viruses. It will also detect many memory resident viruses.
___________________________________________________________________________
Why was ChekMate Written:
________________________
I frequently receive suspect files from people throughout the
world who believe, either rightly or wrongly, that they are infected
with a new/unknown or known virus.
I needed a way to confirm that the file/disk was indeed infected.
My first step was to scan it for known viruses. If that did not
detect a known virus, then the infected file/disk was run on a
'sheep-dip' PC and ChekMate was then used to tempt the virus into
infecting one or more of the bait files or the Boot Sector or
Partition Table.
In all cases the virus was caught by ChekMate, either by infecting
one or more of the BAIT files or the Boot Sector or Partition
Table.
Many people do not perform a daily scan of their PC, because it
takes too long (3-20 Minutes). ChekMate takes under 20 seconds to
run, even on 80286 based systems.
How ChekMate Works:
__________________
Every time ChekMate is run, it will first test the DOS memory
for modifications (unless you disable this test, see below).
ChekMate, when run for the first time will create a series of
Finger-Print (.CHK) files of the following:
COMMAND.COM or alternate command processor.
CHEKMATE.EXE
THE BOOT SECTOR(s)
THE PARTITION TABLE
101.COM
1001.COM
1001.EXE
4001.COM
4001.EXE
Any other time that ChekMate is run it will match the Finger-Print
files with the actual files or image files taken at runtime.
These Finger-Print (.CHK) files are not CRCs (checksums, which are
easily fooled by some viruses) but actual code fragments from the
start and, in some cases, the end of the file or area.
If these Finger-Print files do NOT match the runtime images, then
you will be warned that one or more of the files/areas have been
changed. The actual area/file name will be displayed.
If a change is detected then ChekMate will return to DOS without
checking any other files/areas for modifications.
Most viruses change executable code at the beginning and/or end of
a file or area. ChekMate checks for this sort of modification.
__________________________________________________________________________
Installation:
____________
Copy all the files to a floppy disk and write protect it. This disk can
then be used in the event of a virus outbreak to replace infected
ChekMate files. Also copy the .CHK files after ChekMate is run for the
first time.
Before installation, ensure that the Validation information is correct.
The Validation information was generated by Validate 2.00 from McAfee:
Name     Ext   Size  Date     Time  Check 1 Check 2
CHEKMATE EXE 45514 02-06-95 1:05a E88B EC25
CHEKMATE CHK 128 02-06-95 1:05a A78B 012B
CHEKMATE PIF 545 02-06-95 1:05a 1A34 D81B
GETPART EXE 11485 02-06-95 1:05a B222 8409
101 COM 101 02-06-95 1:05a 1582 7D78
1001 COM 1001 02-06-95 1:05a 19A5 437A
4001 COM 4001 02-06-95 1:05a 20D4 BE3C
1001 EXE 1001 02-06-95 1:05a 813D CB55
4001 EXE 4001 02-06-95 1:05a 1950 43F1
FILECHK1 CHK 160 02-06-95 1:05a 6D3D CB79
FILECHK2 CHK 160 02-06-95 1:05a 18DF 75F2
If these values do NOT match the files included with this
document then please inform me and do not run them.
1. Create a directory for this program and copy the files listed
below to that directory:
CHEKMATE.EXE -> The Main Program File
CHEKMATE.ICO -> Windows Icon File for ChekMate
CHEKMATE.PIF -> Windows PIF File for ChekMate
CHEKMATE.CHK -> ChekMate Finger-Print file
GETPART.EXE -> Takes a Snap-Shot of the PARTITION TABLE
FILELIST.INI -> Program INI File (See Later)
FILECHK1.CHK -> Bait files Finger-Print file (Start of Files)
FILECHK2.CHK -> Bait files Finger-Print file (End of Files)
101.COM  \
1001.COM  \
1001.EXE  - - -> Bait files
4001.COM  /
4001.EXE  /
(Bait files are simple files that display a message and return to
DOS. They act as decoys to tempt a virus into infecting them.
They have no other purpose and DO NOT execute any other code or files.)
The BAIT files can be replaced with your own versions of BAIT or
any other executable file if you so wish.
BUT, don't forget to edit the FILELIST.INI file if you do that.
___________________________________________________________________________
2.
a. If you want to run ChekMate from Windows then:
Use the 'File' 'New' menu option in Program Manager to create
an entry for this program. (PIF file supplied.)
Edit the .PIF file to reflect the correct run-time directory.
b. If you are running it from DOS then:
Add it to your AUTOEXEC.BAT by adding the line below:
C:\<Directory_Name>\CHEKMATE.EXE
Also ensure that the FILELIST.INI is in the ROOT directory '\'.
OR
Create a batch file that contains the following lines:
CD\<Directory_Name>
CHEKMATE.EXE
CD\
<Directory_Name> should be the directory where you placed ChekMate,
eg. C:\WINDOWS\CHEKMATE
c. Edit the FILELIST.INI file (shown below) if required:
 +---------------------+---------------------------------------------+
 | Example File        | What each line is/means                     |
 +---------------------+---------------------------------------------+
 | C:\BAIT             | The Directory That ChekMate is Installed in |
*| C:\COMMAND.COM      | Path & Name of Command Processor in use.    |
!| 1                   | Number of drives (Physical or Logical)      |
#| 640                 | The BASE DOS Memory as reported by MEM /C   |
 | 101.COM,101         | 101 Byte .COM Bait file, Size in bytes      |
 | 1001.COM,1001       | 1001 Byte .COM Bait file, Size in bytes     |
 | 4001.COM,4001       | 4001 Byte .COM Bait file, Size in bytes     |
 | 1001.EXE,1001       | 1001 Byte .EXE Bait file, Size in bytes     |
 | 4001.EXE,4001       | 4001 Byte .EXE Bait file, Size in bytes     |
 +---------------------+---------------------------------------------+
This file MUST exist and the contents MUST be correct or ChekMate
will NOT work correctly.
* The command processor may not be COMMAND.COM, 4DOS & NDOS are also
supported as common replacements for COMMAND.COM.
See your COMSPEC setting for the 'active' command processor and
the correct path. Type 'SET' at the DOS prompt to view COMSPEC.
! ChekMate will handle up to drive F: (The FILELIST.INI entry
would then need to be 4)
# This is usually 640Kb (655,360 Bytes). Some systems may report
639Kb due to HD controllers 'borrowing' 1Kb for their own purposes.
If this causes problems or you run ChekMate under OS/2, you can disable
this test by setting this value to 0 (Zero).
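As an added example (not ChekMate's own code), a small Python checker for the FILELIST.INI layout above. It applies the drive and memory limits from the notes; that blank lines and surrounding spaces can be ignored is an assumption, as is the list of command processor names, which is just the three the manual mentions.

```python
import re
from typing import Dict, List, Tuple

# Added example, not ChekMate's own code: parses the FILELIST.INI layout the
# manual shows (four header lines, then "name,size" bait entries) and reports
# the mistakes the manual says will stop ChekMate working. Limits come from the
# manual's notes; skipping blank lines and stray spaces is an assumption.

KNOWN_PROCESSORS = {"COMMAND.COM", "4DOS.COM", "NDOS.COM"}  # those the manual names
DOS_PATH = re.compile(r"[A-Za-z]:\\.*")

# The manual's example FILELIST.INI and the bait sizes it lists, as sample input.
EXAMPLE_INI = ("C:\\BAIT\nC:\\COMMAND.COM\n1\n640\n101.COM,101\n1001.COM,1001\n"
               "4001.COM,4001\n1001.EXE,1001\n4001.EXE,4001\n")
EXAMPLE_SIZES = {"101.COM": 101, "1001.COM": 1001, "4001.COM": 4001,
                 "1001.EXE": 1001, "4001.EXE": 4001}


def _int(value: str, what: str, problems: List[str]) -> int:
    """Parse a numeric field; record a problem and return -1 if it is not one."""
    if value.isdigit():
        return int(value)
    problems.append(f"{what}: '{value}' is not a number")
    return -1


def parse_filelist(text: str, actual_sizes: Dict[str, int]) -> Tuple[dict, List[str]]:
    """Return (settings, problems); ChekMate needs the problem list to be empty."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    problems: List[str] = []
    if len(lines) < 5:
        return {}, ["need four header lines and at least one bait entry"]
    install_dir, proc, drives_s, mem_s = lines[:4]
    if not DOS_PATH.fullmatch(install_dir):
        problems.append(f"install directory '{install_dir}' is not a drive-rooted path")
    if proc.rsplit("\\", 1)[-1].upper() not in KNOWN_PROCESSORS:
        problems.append(f"'{proc}' is not a command processor the manual lists (check COMSPEC)")
    drives = _int(drives_s, "drives", problems)
    if drives != -1 and not 1 <= drives <= 4:
        problems.append(f"drives={drives}: the manual allows 1 to 4 (up to drive F:)")
    mem = _int(mem_s, "base memory", problems)
    if mem > 640:  # 0 disables the test; 639 or 640 are the values the manual expects
        problems.append(f"base memory {mem} Kb: expected 0 or at most 640")
    bait: Dict[str, int] = {}
    for entry in lines[4:]:
        name, _, size_s = entry.upper().partition(",")
        size = bait[name] = _int(size_s, f"bait {name}", problems)
        if size != -1 and actual_sizes.get(name) != size:
            problems.append(f"{name}: INI says {size} bytes, file is {actual_sizes.get(name)}")
    return {"dir": install_dir, "comspec": proc, "drives": drives,
            "memory_kb": mem, "bait": bait}, problems
```

Run it against the real FILELIST.INI with the sizes reported by DIR to catch a mistyped bait size or memory value before ChekMate silently misbehaves.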
___________________________________________________________________________
Dos ERRORLEVEL Returns:
______________________
The following errorlevel values are returned when ChekMate
exits back to DOS.
0 = No modifications detected
1 = COMMAND.COM (or other COMMAND processor) appears to have been changed
2 = ChekMate.EXE appears to have been changed
3 = The BOOT SECTOR appears to have been changed
4 = The PARTITION TABLE appears to have been changed
5 = One or more of the BAIT files appear to have been changed
6 = The DOS BASE Memory amount appears to have been changed
Q. What can you do with this information?
A. You can use the errorlevels returned in a batch file
to automatically run your favourite virus scanner when
ChekMate detects a modification to your system.
e.g. CHECK.BAT
@ECHO OFF
CLS
CHEKMATE.EXE
REM ERRORLEVEL 0 means nothing was modified, so skip the scanner
IF NOT ERRORLEVEL 1 GOTO :End
:Ooops!
REM Something changed: scan drive C: with your virus scanner
C:\SCANNER\F-PROT.EXE C:
:End
The batch file above will only run your virus scanner if the
errorlevel returned from ChekMate is greater than or equal to
one. If zero (All OK) then don't run the virus scanner.
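The Finger-Print comparison described under "How ChekMate Works", together with the ERRORLEVEL table above, as an added Python example (not ChekMate's code). The 64-byte fragment length, the item names, the sample file images and the omission of the memory test (errorlevel 6) are all assumptions; the demo also shows the kind of change that start/end fragments cannot see.

```python
from typing import Dict, Tuple

FRAG = 64  # assumed fragment length; the manual does not state ChekMate's
# ERRORLEVEL values as the manual lists them; any other name is a bait file (5).
ERRORLEVEL = {"COMMAND.COM": 1, "CHEKMATE.EXE": 2, "BOOT SECTOR": 3,
              "PARTITION TABLE": 4}
AREAS = ("BOOT SECTOR", "PARTITION TABLE")  # single sectors: start only
ORDER = ["COMMAND.COM", "CHEKMATE.EXE", "BOOT SECTOR", "PARTITION TABLE",
         "101.COM", "1001.COM"]


def fingerprint(name: str, image: bytes) -> Tuple[bytes, bytes]:
    """Raw head fragment, plus the tail fragment for files (not for areas)."""
    return image[:FRAG], b"" if name in AREAS else image[-FRAG:]


def create(images: Dict[str, bytes]) -> Dict[str, Tuple[bytes, bytes]]:
    """First run (or /CREATE): build the .CHK data for every item."""
    return {n: fingerprint(n, img) for n, img in images.items()}


def check(stored: Dict[str, Tuple[bytes, bytes]],
          images: Dict[str, bytes]) -> Tuple[int, str]:
    """Compare in order and, like ChekMate, stop at the first mismatch.
    Returns (errorlevel, changed item), or (0, '') when everything matches."""
    for name in ORDER:
        if stored[name] != fingerprint(name, images[name]):
            return ERRORLEVEL.get(name, 5), name
    return 0, ""


def sample_images() -> Dict[str, bytes]:
    """Constructed stand-ins for the real files and sectors (not DOS images)."""
    bait = b"\xb4\x09\xba\x08\x01\xcd\x21\xc3Bait 101.COM$".ljust(101, b"\0")
    return {"COMMAND.COM": b"MZ" + bytes(range(256)) * 8,
            "CHEKMATE.EXE": b"MZ" + bytes(range(255, -1, -1)) * 8,
            "BOOT SECTOR": b"\xeb\x3c\x90MSDOS5.0".ljust(510, b"\0") + b"\x55\xaa",
            "PARTITION TABLE": b"\xfa\x33\xc0".ljust(510, b"\0") + b"\x55\xaa",
            "101.COM": bait, "1001.COM": b"\xb4\x09" + b"\x90" * 999}


def demo() -> Tuple[int, int, int]:
    """(clean run, bait file altered at both ends, file altered only mid-way)."""
    images = sample_images()
    stored = create(images)
    # The change the manual describes: the start of the bait file is
    # overwritten and data is appended, so head and tail both differ (5).
    hit = dict(images)
    hit["101.COM"] = b"\xe9\x62\x00" + images["101.COM"][3:] + b"\x90" * 40
    # Limitation of start/end fragments: a change only in the middle passes.
    miss = dict(images)
    miss["1001.COM"] = images["1001.COM"][:500] + b"\xcc" + images["1001.COM"][501:]
    return check(stored, images)[0], check(stored, hit)[0], check(stored, miss)[0]
```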
Help/Command Line Switches:
__________________________
To get help, run:
CHEKMATE.EXE /H
or
CHEKMATE.EXE /?
Other command line switches:
/CREATE Creates a 'new' set of Finger-Print files.
Usually only used after a DOS upgrade or
after cleaning up after a virus attack.
/NOEXPOSE Used to only check Finger-Print files
against original files/area. Does NOT
execute BAIT files.
Mainly used if you substitute the BAIT
files for other executable program files.
/MONO Force ChekMate to run in Monochrome mode.
(ChekMate will detect many MONO video cards
automatically.)
___________________________________________________________________________
Known problems/limitations:
__________________________
1) May not detect Companion viruses very quickly, but as soon as
one of the bait files is infected it will alert you. A companion
virus is very easy to spot as it makes a 'Companion' .COM file
for ANY .EXE file on the infected system.
2) May not detect direct action non-TSR viruses very quickly.
Most new viruses are TSR (memory resident) variants.
The best way to test 'suspect' files is to place them in the same
directory as ChekMate, Virus Scan them and if they are not reported
as infected, then run them from there. Then run ChekMate.
**** REMEMBER TO BACKUP YOUR SYSTEM FIRST ****
3) Link viruses, such as DIR II, may not be detected as no executable
code is changed.
Latest Version:
______________
The latest version of this application should always be available
from the site that you originally obtained it. The main site is the
SimTel archives or one of the mirror sites.
Source code is only available to companies interested in developing
a commercial version of ChekMate or a program based on ChekMate.
Source code will also be made available to companies who wish to
have a customised version written. Contact the author to discuss.
___________________________________________________________________________
Bug reports, suggestions, etc...
________________________________
If you catch a virus with ChekMate in one of the Bait files, then
please send me a copy for analysis. I will send a reply to anyone
who sends me such a file. If possible I will send a search string to
correctly identify the new virus to aid removal.
Mail files to the E-Mail or Postal address at the top of this document.
(If you e-mail the file(s) then please use UUENCODE or MIME.)
Send all bug reports, suggestions, etc to the E-Mail or Postal address
at the top of this document.
If you like this program, let other people know about it!
Post your comments in comp.virus or anywhere else that is relevant.
If you contact me to let me know you are using ChekMate I will send
you a Windows Write formatted version of this manual. It will
contain more information about ChekMate and removing viruses.
You will also be informed when new versions are released.
Let people know about it!
If you use and/or like ChekMate, then please drop me a line to
let me know that you are using it. This will allow me to know the
future development requirements.
If you have tested ChekMate against any viruses then please let me know
the outcome of these tests, whether the results are good or bad. For
details of viruses that ChekMate has been tested against, please see
the file enclosed in this ZIP file, TESTS.TXT.
!!! STOP PRESS !!!
__________________
If enough interest is shown, then a Windows version will be written.
So, if you want a Windows version, then let me know, NOW!
___________________________________________________________________________
*** END OF DOCUMENT ***