Night Owl 9

home *** CD-ROM | disk | FTP | other *** search

/ Night Owl 9 / Night Owl CD-ROM (NOPV9) (Night Owl Publisher) (1993).ISO / 051a / hawk220.zip / FILEHAWK.TXT < prev next >

Wrap

Text File | 1993-04-04 | 38KB | 1,463 lines

Filehawk 2.20 (c) 1991-1993 David Kesterton 65 Front St.W., Suite 116-32 Toronto, Ontario M5J 1E6 voice: (416) 340-1195 [first BBS release: April, 1993] Purpose Over the past five years, personal computers have become infested, not with viruses but with virus scanners. These scanners function on the same basic assumption: that if they can't find a virus signature, your system is safe. Let loose upon your computer like village vigilantes armed with pitchforks, they poke and prod your memory and hard drive, sometimes driving a virus or two into the open, thereby reaffirming their heroic stature. But what they discover is only what they look for: old, known viruses. New viruses are being written and released at an ever increasing rate. But before they can be caught and analysed, a system or two must be victimized. Filehawk is intended to detect hostile system activity that might otherwise be unnoticed by more popular security software. It should not be considered a replacement to your favorite scanner, but a partner. Features ■ Backup and restore Partition Sector ■ Backup and restore Dos Boot Sector ■ Backup and restore File Allocation Tables ■ Announce directory structure changes ■ Announce file structure changes ■ Scan new and changed files for virus signatures ■ Scan new and changed files for Trademarks and Keywords ■ Announce companion file and system time error warnings Distribution Filehawk is available only as follows: 1) a limited demo: 'HAWKxxx.yyy' [where 'xxx' is the version, 'yyy' is an archive format, the first release being HAWK220.ZIP]. This version may be listed on BBS's and freely copied. All files should be included and none of the contents may be changed. 2) a corporate license or individual registration, which has been modified to display the name of the licensed corporation or registered user, and which is only available directly from the author or any of his assigned agents. Filehawk may not be distributed by anyone not assigned by the author. It may only be distributed in a limited demo format as defined in (1) above. Filehawk License Agreement: Filehawk and its accompanying programs and files located on the original registration diskette, including subsequent versions, upgrades and revisions are collectively referred as Filehawk. Individual Registration A registered user (one person) may use Filehawk on one or more machines, as long as the usage is confined to the original registered user, and his or her immediate family (spouse and children). The registration period is for the lifetime of the user. Corporate License A corporate license for Filehawk extends to the entire corporation, all of its employees, and their immediate families (spouse and children) on all of their machines within one nation, for one year. A Government "corporate" license extends to all departments of one Government entity; e.g., Federal, Provincial, State, Municipal. An individual or corporate enterprise may make any number of backup and usage copies as long as the spare copies are not sold, rented, loaned or in any other manner made available to outside users; specifically, individuals or corporate entities who do not hold valid registrations or licenses. You may not modify any copyright notices or programs or original files. Technical Support is not included in any fee, but will not be withheld, unreasonably. Documented and mailed definitions of questions, discoveries, or problems arising from the use of Filehawk which may not be referenced in the documentation will be given preferential support. Warranty: The author licenses Filehawk AS IS for machines commonly trademarked or known as IBM, IBM-compatible, and models for which Filehawk was intended to be used, which are known or trademarked as PC, XT, AT, PS/n, 286, 386, 486. Warranty is limited to the ability of Filehawk to perform its functions error-free. If Filehawk cannot perform its ordinary functions to the total satisfaction of the registered individual or licensed enterprise within two months of the acceptance of the registration or license, write to request a full refund, with no questions asked. Simply submit a promise to delete all copies of Filehawk. For any claim related to the performance of Filehawk, any liability to actual damages will be limited to fees paid. System Requirements: Filehawk 2.20 was created for and intended to be used on machines known or trademarked as PC, XT, AT, PS/n, 286, 386, and 486. The program requires a minimum of 256K RAM and Dos 3.0 or higher. For Windows (tm) users, Filehawk should be defined as an MS-DOS utility or application. Fees Individual Registration: $40 (Includes all Provincial & Federal Sales Tax, and Shipping and Handling fees, whether local or outside Canada. Corporate License: $2 per company computer. Minimum fee is $50. A maximum of 10 diskettes will be shipped for any Corporate License. Your company representative is responsible for making additional copies for the purpose of distributing Filehawk to other branches, departments and users. If the registered user or company representative does not specify the size of diskette, a 3 1/2 inch diskette will be assumed. Sample Filehawk Screen |i Thursday August 27, 1993 6:13 pm LOG.000 0:50 System Update Paths/Files Update Paths/Files Comparison {Virus Scanning Master Boot Sector copy created Dos Boot Sector copy created FAT Tables Match [+13.83 Meg] 16.8 MEGABYTES free space available System BACKUP and UPDATE file created -File Allocation Table BACKUP created- New pathname: \DOS New pathname: \UTILITIES New filename: \IBMBIO.COM New filename: \IBMDOS.COM New filename: \TESTER.COM New filename: \STARTQ.EXE |i Filehawk v2.20 paths hdn EXE COM BAT SYS BIN OVL files (c) 1991-1993 old 0 0 0 0 0 0 0 0 0 David Kesterton new 2 1 3 1 2 1 1 1 27 |i 50% \UTILITY\IBMDOS.COM <ESC> exit scanner Methods System Comparison is a series of hard drive examinations which includes the copying and comparing of the Partition Boot Sector, Dos Boot Sector and the File Allocation Tables. Executable files, those with the extensions: .COM, .EXE, .BAT, .SYS, and 4 optional extensions, are "checksummed" and compared for changes. Contaminated boot sectors or scrambled File Allocation Tables can be restored from the copies. System Scanning is a search of system memory and executable files for virus signatures, trademarks and keywords. Filehawk automatically keeps a record of files already scanned. It will scan only files that are new or changed. The search for trademarks and keywords allows Filehawk to alert the user to the presence of some viruses immediately upon their release into the public domain. Quick Start - The Only Start Boot up your system from a clean, write-protected diskette, preferably from an original system boot diskette. Do not run any shells or applications of any kind. This is imperative for the first run only. Copy all program files to any directory. Run FILEHAWK.EXE. You require no command line, no arguments, no setup, and no intervention. The run is over when the Options Menu appears. After exploring the options, press <ESC> to exit to Dos. In order for the program to run, it must have its data file -- FILEHAWK.BIN in the same directory. It will create its own update file -- FILEHAWK.SAV, which it uses to compare the system for changes. It will also generate one log file for each run. The First Run |i System Update Paths/Files Update Paths/Files Comparison Virus Scanning System BACKUP and UPDATE file created "System BACKUP and UPDATE file created" Filehawk creates its own update file the first time it executes. This holds boot sector copies as well as path and file vital statistics. By comparing and updating the contents, Filehawk can alert you to system abnormalities. In the demonstration version, the update file is called FILEHAWK.SAV. In the licensed version, for security purposes, the name of the update file is uniquely defined for the registrant. |i {System Update Paths/Files Update Paths/Files Comparison Virus Scanning Master Boot Sector copy created Dos Boot Sector copy created System BACKUP and UPDATE file created "Master Boot Sector copy created" "Dos Boot Sector copy created" Since there is no update file the first time you execute Filehawk, the boot sector copies will be created and stored. If an infection already exists on those sectors, then bad copies are being made. Only the virus scanner or a study of abnormal system activity can point to pre-infection. |i {System Update Paths/Files Update Paths/Files Comparison Virus Scanning Master Boot Sector copy created Dos Boot Sector copy created FAT Tables Match [+13.83 Meg] 16.8 MEGABYTES free space available System BACKUP and UPDATE file created "FAT Tables Match [+13.83 Meg] "16.8 MEGABYTES free space available" The next procedure in the System Update is a comparison of the FATS or File Allocation Tables. If they do not match, then your files are at risk. The [+13.83 Meg] shows that 13,830,000 bytes were added to the system since the last update. This value is approximate because it is derived from the FAT, and is primarily used for evaluating FAT integrity. The next announcement, "16.8 MEGABYTES free space available", is a necessary reminder which alerts the user to a resource that some trojans and viruses tamper with. |i {System Update Paths/Files Update Paths/Files Comparison Virus Scanning Master Boot Sector copy created Dos Boot Sector copy created FAT Tables Match [+13.83 Meg] 16.8 MEGABYTES free space available System BACKUP and UPDATE file created -File Allocation Table BACKUP created- "-File Allocation Table BACKUP created-" Every time you run Filehawk, a File Allocation Table backup will be created and saved. In the licensed version, this backup can be used to restore the scrambled or damaged FAT tables. |i System Update {Paths/Files Update Paths/Files Comparison Virus Scanning Master Boot Sector copy created Dos Boot Sector copy created FAT Tables Match [+13.83 Meg] 16.8 MEGABYTES free space available System BACKUP and UPDATE file created -File Allocation Table BACKUP created- "Paths/Files Update" The Paths/Files Update procedure reads each executable file and generates a "checksum" value. This is the most effective method of determining any and all system changes. In the first run, starting values are chosen at random resulting in file checksums that are uniquely initialized for each machine. You will have to initiate a first run for each computer that you operate. |i System Update Paths/Files Update {Paths/Files Comparison Virus Scanning Master Boot Sector copy created Dos Boot Sector copy created FAT Tables Match [+13.83 Meg] 16.8 MEGABYTES free space available System BACKUP and UPDATE file created -File Allocation Table BACKUP created- New pathname: \DOS New pathname: \UTILITIES New filename: \IBMBIO.COM New filename: \IBMDOS.COM "Paths/Files Comparison" This procedure compares the last run's update checksums to determine system changes. During this first run, all paths and files are seen as new. Many messages will scroll rapidly up the window area. You will have a chance to view all of the messages after all procedures have ended. |i Filehawk v2.20 paths hdn EXE COM BAT SYS BIN OVL files (c) 1991-1993 old 0 0 0 0 0 0 0 0 0 David Kesterton new 2 1 3 1 2 1 1 1 27 |i 000K <ESC> to bypass Memory Scan |i Before the files are scanned for viruses, the first megabyte of memory will be scanned for signatures. |i System Update Paths/Files Update Paths/Files Comparison {Virus Scanning Master Boot Sector copy created Dos Boot Sector copy created FAT Tables Match [+13.83 Meg] 16.8 MEGABYTES free space available System BACKUP and UPDATE file created -File Allocation Table BACKUP created- New pathname: \DOS New pathname: \UTILITIES New filename: \IBMBIO.COM New filename: \IBMDOS.COM "Virus Scanning" This procedure scans only files that are new or changed. Since this is the first run, all executables are new, so all will be scanned. |i Thursday August 27, 1993 6:13 pm LOG.000 0:50 |i The date-and-time line identifies the run. System problems, including date dependent viruses, can be traced to previous runs. The log for the current run appears on the same line. This file contains the record of events and conditions the program has detected. All variations, however insignificant, can later be studied for suspicious activity. The countdown timer, located beneath the current log, estimates the minutes and seconds remaining to complete the update and comparison procedures. As an approximate value which was calculated during the last run, it gives the means of evaluating a system's performance. Abnormal running times will be announced, since these can result from a virus or a system defect. |i Filehawk v2.20 paths hdn EXE COM BAT SYS BIN OVL files (c) 1991-1993 old 0 0 0 0 0 0 0 0 0 David Kesterton new 2 1 3 1 2 1 1 1 27 |i During the Paths/Files update, counts will be kept and displayed. The last column represents the total number of files of all extensions. Executables (EXE, COM, BAT, SYS, BIN, OVL) are listed in separate columns. Notice that hidden files are also counted, since viruses will sometimes create them for their own use. The "old" line contains counts from the last run; the "new" line contains the totals from the current run. Variations between each run will be highlighted because their importance should not be ignored. In some infections, unaccountable totals may be the only indication that a virus is at work on the system. OPTION MENU |p PARTITION SECTOR DOS BOOT SECTOR FILE EXTENSIONS EVENT LOGS RESTORE FAT HELP |p After the run completes, the Option Menu appears. The choices allow you to study the run, and correct some of the more obvious system problems. |p PARTITION SECTOR |p Select this to look at an ASCII representation of your Partition Sector, or Master Boot Record. Commercial virus scanners will see only the signatures they were programmed to see. They are unable to detect all malicious code. By comparing a copy of the original sector with what is currently contained in that sector, the slightest change will announce the contamination. Restore the sector if infected, or make a new backup copy if changed. |p DOS BOOT SECTOR |p The same options that are available for the partition sector, are available for the DOS boot sector. Restore if infected or generate a new backup if changed. |p FILE EXTENSIONS |p Hostile code is most likely to attack files with the extensions .COM, .EXE, .BAT, and .SYS. For this reason, Filehawk always updates and compares files with these extensions. With this option, you may select up to 4 additional extensions for regular updating and scanning. |p EVENT LOGS |p Because large numbers of events can scroll rapidly out of the viewing area, this option allows you to review and print the results of each run. |p RESTORE FAT |p Many Trojans, as well as viruses, will scramble one or both File Allocation Tables. Although it is preferable to copy the FILEHAWK.FAT backup file off your hard drive, Filehawk is capable of finding it on your scrambled drive. This option allows you to attempt a recovery of the FAT, without which your files would be inaccessible. This option is only available in registered and licensed versions. PARTITION BOOT MESSAGES Master Boot Sector copy created The first run creates a backup copy of the MBR. Because you cannot be certain that the Master Boot Record was a good and uncontaminated sector when this copy was made, you should carefully study system activity over the next few runs of Filehawk. Partition Boot Sector is unchanged The original MBR matches the copy byte for byte, indicating no threat to your Partition sector. This is the message you expect to encounter every time you run Filehawk. * Cannot read Partition Boot Sector * For some reason, Filehawk was not able Security software may be installed * to read the sector. This may occur if a security program was installed which relocates or encodes the sector. Test this by using a utilities program which can read absolute disk sectors. It is likely that a marauding virus will be equally locked out. If you receive this message, make certain that you performed the first run ONLY AFTER booting the computer from an original, write-protected boot diskette. ! Partition Boot Sector Has Changed ! If you have not adjusted the partition sector by adding or subtracting one of the partitions, then a virus may be at fault. After Filehawk completes, select the Partition Sector option, compare the original sector bytes to the copy, and restore the sector from the backup if necessary. Take careful note of any other abnormal events on your system. Go back to prior logs, studying them for unreasonable system changes. Dos Boot Messages Dos Boot Sector copy created Filehawk stores a copy of the Dos boot sector during the initial run. If the hard drive sector was already infected when the backup was made, a contaminated record will be used for comparisons. Carefully observe system activity during subsequent runs of Filehawk. Dos Boot Sector is unchanged The existing sector matches the backup byte for byte. If you are certain that there was no pre-infection of the hard drive, then your drive and files are safe. This is the message you expect to see every time you run Filehawk. * Cannot read DOS Boot Sector * You may encounter this if the Dos boot Security software may be installed * sector has been relocated. The likely cause is security software. If you are certain that such a protection program is responsible, then you may ignore the message. It is likely that the sector will be equally unavailable to most hostile software. !!! Dos Boot Sector Has Changed !!! If you have installed a new version of Dos, this message will result. If you have not updated your Dos version, the next most likely culprit is a virus. If the former is the case then you will want to make a new backup copy. When Filehawk concludes, select the Dos Boot Sector option. Choose option 1# to make a new backup copy, or 2# to restore the original Dos boot sector. FILE ALLOCATION TABLE MESSAGES FAT Tables Match The two tables match, byte for byte. Since the FATs point to the location of each file, some viruses and many more trojans attempt to scramble these tables. As long as the File Allocation Tables match, integrity of the file structure is maintained. FATS Do Not Match [-8.0 Meg] Unlike boot sectors which can change for sometimes valid reasons, the FAT tables should always match. If this message is displayed, then a serious condition has occured. For this reason, the megabyte message informs the user of the potential degree of damage. If the value is large -- greater than 0.5 Meg -- it is likely that the FATs have been scrambled. -File Allocation Table BACKUP created- Each time you run Filehawk, a FAT BACKUP will be created. Stored as a file, the copy is compressed on the drive itself. Should the hard drive File Allocation Tables be destroyed, restoration can proceed as long as the sectors where the backup was saved have not been tampered with. It would be in your best interest to always copy this backup to a floppy immediately after running Filehawk. FAT restoration is only available in the registered/licensed versions. ** Warning! excess changes in File Allocation Table # This common message indicates potential danger to your hard drive. Based on FAT calculations, it is determined that more than 2 megabytes of additions or deletions have occured. If you are responsible for the many additions or deletions, there is no problem. But if you did not engineer the changes, then review the results of Filehawk's comparison routine with care. DIRECTORY/PATH MESSAGES PATH DELETED \SAMPLE1 Filehawk announces the removal or the addition of a subdirectory. A NEW PATHNAME \SAMPLE2 common event, this helps to paint the total picture of incidents or conditions which may be affecting your hard drive. In some situations, a seemingly minor event may be far more significant when matched with other occurences. It is not unusual for hostile software to create new directories in order to hide malignant executables. !PATH HIDDEN! \SAMPLE1 Paths are not normally hidden, so from this warning you should look for the creation of hidden files. Path Visible: \SAMPLE2 Hidden subdirectories that become visible are rare events that must be brought to your attention. Path number exceeds maximum allowable Filehawk records a maximum of 255 pathnames. Beyond that, the paths are ignored. FILENAME MESSAGES FILE DELETED TEST.EXE If you did not delete the file, a trojan may be responsible. NEW FILENAME TEST.COM Some viruses create new files for their own purposes. Be alert to the addition of a .COM version of a file with an .EXE extension. If two files with the same name exist in the the same directory, the .COM file will be executed first. This is a standard technique of some hostile software. A separate warning will be given if this situation is encountered for the first time. FILE CHANGED! TEST.COM Viruses replicate by changing the contents of other files. They can attach themselves to the start or end of executables, or overwrite sections of the object file. If this warning appears, be certain that you were responsible for changing the file contents. If you did not, then most likely a virus was responsible. Filehawk automatically scans files that have changed. If Filehawk's scanner, or any other scanner fails to find hostile code in any file which has changed for no apparent reason, a virus is still the probable cause. ATTRIBUTES CHANGED TO ----> READ ONLY -HIDDEN- *SYSTEM* +ARCHIVE+ NORMAL. One or more of the attributes may be changed in a file. It is not unusual for a utility or backup program to update file attributes, usually from Normal to Archive. But be alert to the removal of Read Only or Hidden attributes from major system files. All attribute changes should be accounted for. Dup filename \DOS\CHKDSK.COM Duplicate filenames for the most \CHKDSK.COM part indicate redundancy. Delete one copy to free up space. This announcement is made for changed or new files with the result that it appears once only for the same files. Number of files exceeds maximum storage allotment. Filehawk can remember up to 3000 executable files. If this message appears, it may be time for you to archive little used or redundant files. Virus Scanning Messages <!> DANGER: A signature for the "Vicious" Virus is in: \DOS\FORMAT.COM 2218 A virus signature has been identified in the file FORMAT.COM. This does not necessarily mean that the file is infected. The signature scanning method is the least reliable means of determining file infection. This is because the method assumes that the signature is located only in an infected file. Since it is possible for a signature to appear in an ordinary file, the file update procedure is necessary for cross-referencing. If files which have changed on the system show positive warnings, then they are likely infected. Additional cross-referencing is accomplished with the trademark and keyword scans, since infected files frequently contain more than one signature or keyword string. The number after the filename, in this case "2218", is a reference code which identifies the signature encountered. Include this number if writing to seek more information. <*> WARNING: a virus trademark can be found in the line: this is a test showing BigGuys Incorporated as a sample trademark located in: \UTILITY\TEST.EXE 3819 A 'trademark' is a string that a virus writer has included in at least one of his creations. The author usually displays it as a trademark, which suggests that if he creates more viruses, they will contain the same trademark. Where this has occured in the past, the trademark has been repeated in a new virus. This has resulted in Filehawk being able to detect some viruses in advance of their release into the public domain. The presence of a trademark does not confirm the existence of a virus. Study the line in which the trademark appears, as this usually indicates whether or not the author's intent is to announce his creation. <+> Caution: a virus keyword can be found in the line: this is a test showing SaMpLe as an example keyword located in: \UTILITY\TEST.EXE 3733 Virus keywords are strings that tend to occur in hostile software. Because a keyword can easily appear in uninfected files, the context of the string will be significant. Keyword categories include: profanity, demonology, romance, hostility, terrorism, and other predictably adolescent interests. Filehawk is able to detect all uppercase-lowercase mixtures of a keyword, eg. sample, SAMPLE, sAmPlE. The presence of a keyword is least likely to confirm the existence of hostile code. The keyword is normally supportive evidence where sometimes a trademark or a signature merely suggest a virus. In itself, the keyword is not proof. OTHER MESSAGES System Update HAS EXCEEDED TIME ESTIMATE BY: 7 SECONDS Paths/Files Update SHORTER THAN TIME ESTIMATE BY: 12 SECONDS The length of time it takes for a procedure to run is saved and compared with the current duration. Times greater than or less than 4 seconds are noted in the log to help in system evaluation. If you have not added or deleted files since the last run, and the time estimates are abnormally high, then a virus, or another hostile event, may be active on your system. *WARNING* Executable Files of the same name are in the same directory: \UTILITY\BASIC.COM \UTILITY\BASIC.EXE One technique used by viruses, is to create a "COMPANION" file. A .COM file containing the viral code will be created in the same path as a file with an .EXE extension. Given the command to execute the file, Dos elects to run the harmful .COM file, ignoring the intended .EXE file. If you try running a .BAT file, while a .COM or .EXE file with the same name exists in the same directory, the .COM or .EXE file will be executed by Dos. It is not unusual to encounter companion files on ordinary systems. They are used for a variety of reasons by normal applications. For this reason, the announcement will occur once only -- for new and changed executable files. UNABLE TO READ UPDATE FILE The update file stores adjustable data. When it cannot be found, Filehawk creates one for the first time. If it cannot be read, a hard drive error is the likely cause. INSUFFICIENT MEMORY Over time, because of the steady rise in the 142K REQUIRED 98K AVAILABLE number of virus signatures, memory needs are expected to rise. Filehawk lets you know how much memory it requires. The solution is to run Filehawk before loading TSRs or run it outside of memory-gobbling shells. The example shows the total memory Filehawk requires (142K), to process extra signature data, and how much free memory is available (98K). In this example, you must provide Filehawk with an additional 44K. * COMMAND UNAVAILABLE * The demonstration version of Filehawk, available on This is a demonstration some Bulletin Board Systems, does not allow the use version only of all commands: restoring a scrambled FAT table is the only feature not permitted on the demo version. - end -