FILEHAWK.TXT  (hawk220.zip, Night Owl CD-ROM NOPV9, Night Owl Publisher, 1993)
Text File | 1993-04-04 | 38KB | 1,463 lines

Filehawk 2.20
(c) 1991-1993 David Kesterton
65 Front St.W., Suite 116-32
Toronto, Ontario M5J 1E6
voice: (416) 340-1195
[first BBS release: April, 1993]
Purpose
Over the past five years, personal computers have become infested, not with
viruses but with virus scanners. These scanners function on the same basic
assumption: that if they can't find a virus signature, your system is safe.
Let loose upon your computer like village vigilantes armed with pitchforks,
they poke and prod your memory and hard drive, sometimes driving a virus or
two into the open, thereby reaffirming their heroic stature. But what they
discover is only what they look for: old, known viruses.
New viruses are being written and released at an ever increasing rate. But
before they can be caught and analysed, a system or two must be victimized.
Filehawk is intended to detect hostile system activity that might otherwise
go unnoticed by more popular security software. It should not be considered
a replacement for your favorite scanner, but a partner.
Features
■ Backup and restore Partition Sector
■ Backup and restore Dos Boot Sector
■ Backup and restore File Allocation Tables
■ Announce directory structure changes
■ Announce file structure changes
■ Scan new and changed files for virus signatures
■ Scan new and changed files for Trademarks and Keywords
■ Announce companion file and system time error warnings
Distribution
Filehawk is available only as follows:
1) a limited demo: 'HAWKxxx.yyy' [where 'xxx' is the version, 'yyy' is an
archive format, the first release being HAWK220.ZIP]. This version may
be listed on BBSs and freely copied. All files should be included and
none of the contents may be changed.
2) a corporate license or individual registration, which has been modified
to display the name of the licensed corporation or registered user, and
which is only available directly from the author or any of his assigned
agents.
Filehawk may not be distributed by anyone not assigned by the author. It
may only be distributed in a limited demo format as defined in (1) above.
Filehawk License Agreement:
Filehawk and its accompanying programs and files located on the original
registration diskette, including subsequent versions, upgrades and revisions,
are collectively referred to as Filehawk.
Individual Registration
A registered user (one person) may use Filehawk on one or more machines,
as long as the usage is confined to the original registered user, and his or
her immediate family (spouse and children). The registration period is for
the lifetime of the user.
Corporate License
A corporate license for Filehawk extends to the entire corporation, all
of its employees, and their immediate families (spouse and children) on all
of their machines within one nation, for one year. A Government "corporate"
license extends to all departments of one Government entity; e.g., Federal,
Provincial, State, Municipal.
An individual or corporate enterprise may make any number of backup and
usage copies as long as the spare copies are not sold, rented, loaned or in
any other manner made available to outside users; specifically, individuals
or corporate entities who do not hold valid registrations or licenses.
You may not modify any copyright notices or programs or original files.
Technical Support is not included in any fee, but will not be withheld
unreasonably. Documented and mailed descriptions of questions, discoveries,
or problems arising from the use of Filehawk which are not covered in the
documentation will be given preferential support.
Warranty:
The author licenses Filehawk AS IS for machines commonly trademarked or
known as IBM, IBM-compatible, and models for which Filehawk was intended to
be used, which are known or trademarked as PC, XT, AT, PS/n, 286, 386, 486.
Warranty is limited to the ability of Filehawk to perform its functions
error-free. If Filehawk cannot perform its ordinary functions to the total
satisfaction of the registered individual or licensed enterprise within two
months of the acceptance of the registration or license, write to request a
full refund, with no questions asked. Simply submit a promise to delete all
copies of Filehawk.
For any claim related to the performance of Filehawk, any liability to
actual damages will be limited to fees paid.
System Requirements:
Filehawk 2.20 was created for and intended to be used on machines known
or trademarked as PC, XT, AT, PS/n, 286, 386, and 486. The program requires
a minimum of 256K RAM and Dos 3.0 or higher.
For Windows (tm) users, Filehawk should be defined as an MS-DOS utility
or application.
Fees
Individual Registration: $40 (includes all Provincial & Federal Sales Tax,
and Shipping and Handling fees, whether local or outside Canada).
Corporate License: $2 per company computer. Minimum fee is $50.
A maximum of 10 diskettes will be shipped for any Corporate License. Your
company representative is responsible for making additional copies for the
purpose of distributing Filehawk to other branches, departments and users.
If the registered user or company representative does not specify the size
of diskette, a 3 1/2 inch diskette will be assumed.
Sample Filehawk Screen

    Thursday August 27, 1993   6:13 pm                                 LOG.000
    0:50
    System Update   Paths/Files Update   Paths/Files Comparison   {Virus Scanning
    Master Boot Sector copy created      Dos Boot Sector copy created
    FAT Tables Match [+13.83 Meg]        16.8 MEGABYTES free space available
    System BACKUP and UPDATE file created
    -File Allocation Table BACKUP created-
    New pathname: \DOS
    New pathname: \UTILITIES
    New filename: \IBMBIO.COM
    New filename: \IBMDOS.COM
    New filename: \TESTER.COM
    New filename: \STARTQ.EXE

    Filehawk v2.20        paths  hdn  EXE  COM  BAT  SYS  BIN  OVL  files
    (c) 1991-1993    old      0    0    0    0    0    0    0    0      0
    David Kesterton  new      2    1    3    1    2    1    1    1     27

    50% \UTILITY\IBMDOS.COM
    <ESC> exit scanner
Methods
System Comparison is a series of hard drive examinations which includes the
copying and comparing of the Partition Boot Sector, Dos Boot Sector and the
File Allocation Tables. Executable files, those with the extensions: .COM,
.EXE, .BAT, .SYS, and 4 optional extensions, are "checksummed" and compared
for changes. Contaminated boot sectors or scrambled File Allocation Tables
can be restored from the copies.
System Scanning is a search of system memory and executable files for virus
signatures, trademarks and keywords. Filehawk automatically keeps a record
of files already scanned. It will scan only files that are new or changed.
The search for trademarks and keywords allows Filehawk to alert the user to
the presence of some viruses immediately upon their release into the public
domain.
Quick Start - The Only Start
Boot up your system from a clean, write-protected diskette, preferably from
an original system boot diskette. Do not run any shells or applications of
any kind. This is imperative for the first run only.
Copy all program files to any directory. Run FILEHAWK.EXE. You require no
command line, no arguments, no setup, and no intervention. The run is over
when the Options Menu appears. After exploring the options, press <ESC> to
exit to Dos.
In order for the program to run, it must have its data file -- FILEHAWK.BIN
in the same directory. It will create its own update file -- FILEHAWK.SAV,
which it uses to compare the system for changes. It will also generate one
log file for each run.
The First Run

    System Update   Paths/Files Update   Paths/Files Comparison   Virus Scanning
    System BACKUP and UPDATE file created

"System BACKUP and UPDATE file created"
Filehawk creates its own update file the first time it executes. This holds
boot sector copies as well as path and file vital statistics. By comparing
and updating the contents, Filehawk can alert you to system abnormalities.
In the demonstration version, the update file is called FILEHAWK.SAV.
In the licensed version, for security purposes, the name of the update file
is uniquely defined for the registrant.

    {System Update   Paths/Files Update   Paths/Files Comparison   Virus Scanning
    Master Boot Sector copy created      Dos Boot Sector copy created
    System BACKUP and UPDATE file created

"Master Boot Sector copy created"
"Dos Boot Sector copy created"
Since there is no update file the first time you execute Filehawk, the boot
sector copies will be created and stored. If an infection already exists on
those sectors, then bad copies are being made. Only the virus scanner or a
study of abnormal system activity can point to pre-infection.

    {System Update   Paths/Files Update   Paths/Files Comparison   Virus Scanning
    Master Boot Sector copy created      Dos Boot Sector copy created
    FAT Tables Match [+13.83 Meg]        16.8 MEGABYTES free space available
    System BACKUP and UPDATE file created

"FAT Tables Match [+13.83 Meg]"
"16.8 MEGABYTES free space available"
The next procedure in the System Update is a comparison of the FATs or File
Allocation Tables. If they do not match, then your files are at risk. The
[+13.83 Meg] shows that 13,830,000 bytes were added to the system since the
last update. This value is approximate because it is derived from the FAT,
and is primarily used for evaluating FAT integrity. The next announcement,
"16.8 MEGABYTES free space available", is a necessary reminder which alerts
the user to a resource that some trojans and viruses tamper with.

    {System Update   Paths/Files Update   Paths/Files Comparison   Virus Scanning
    Master Boot Sector copy created      Dos Boot Sector copy created
    FAT Tables Match [+13.83 Meg]        16.8 MEGABYTES free space available
    System BACKUP and UPDATE file created
    -File Allocation Table BACKUP created-

"-File Allocation Table BACKUP created-"
Every time you run Filehawk, a File Allocation Table backup will be created
and saved. In the licensed version, this backup can be used to restore the
scrambled or damaged FAT tables.

    System Update   {Paths/Files Update   Paths/Files Comparison   Virus Scanning
    Master Boot Sector copy created      Dos Boot Sector copy created
    FAT Tables Match [+13.83 Meg]        16.8 MEGABYTES free space available
    System BACKUP and UPDATE file created
    -File Allocation Table BACKUP created-

"Paths/Files Update"
The Paths/Files Update procedure reads each executable file and generates a
"checksum" value. This is the most effective method of determining any and
all system changes. In the first run, starting values are chosen at random
resulting in file checksums that are uniquely initialized for each machine.
You will have to initiate a first run for each computer that you operate.

    System Update   Paths/Files Update   {Paths/Files Comparison   Virus Scanning
    Master Boot Sector copy created      Dos Boot Sector copy created
    FAT Tables Match [+13.83 Meg]        16.8 MEGABYTES free space available
    System BACKUP and UPDATE file created
    -File Allocation Table BACKUP created-
    New pathname: \DOS
    New pathname: \UTILITIES
    New filename: \IBMBIO.COM
    New filename: \IBMDOS.COM

"Paths/Files Comparison"
This procedure compares the last run's update checksums to determine system
changes. During this first run, all paths and files are seen as new. Many
messages will scroll rapidly up the window area. You will have a chance to
view all of the messages after all procedures have ended.
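As an added illustration (not Filehawk's own code; its checksum routine and the
layout of FILEHAWK.SAV are not published), the Python sketch below shows the
idea behind the Paths/Files Update and Comparison: a random key chosen at the
first run seeds every checksum, so a baseline value cannot be precomputed for
another machine, and the next run is diffed against the stored update to give
the NEW / DELETED / CHANGED / ATTRIBUTES messages. The "drive" is a constructed
in-memory dict, and HMAC-SHA256 is an assumption standing in for Filehawk's
checksum.

```python
import hashlib
import hmac
import os

# Extensions Filehawk always tracks (.COM .EXE .BAT .SYS) plus, here, two of
# the four optional extensions a user may add from the FILE EXTENSIONS menu.
TRACKED_EXTS = {".COM", ".EXE", ".BAT", ".SYS", ".BIN", ".OVL"}

def tracked(path: str) -> bool:
    """True for executables, judged by Dos extension, case-insensitively."""
    return os.path.splitext(path)[1].upper() in TRACKED_EXTS

def keyed_checksum(key: bytes, data: bytes) -> str:
    """Per-machine checksum (assumed HMAC-SHA256). Without the key, a patched
    file cannot be adjusted to reproduce its old value."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def build_update(key: bytes, files: dict) -> dict:
    """First run: record (checksum, attributes) for every tracked file.
    `files` maps a Dos path to (content bytes, attribute string)."""
    return {path: (keyed_checksum(key, data), attrs)
            for path, (data, attrs) in files.items() if tracked(path)}

def compare(key: bytes, previous: dict, files: dict) -> list:
    """Paths/Files Comparison: report deleted, new and changed files and any
    attribute change, in the spirit of Filehawk's log messages."""
    current = build_update(key, files)
    messages = []
    for path in sorted(set(previous) - set(current)):
        messages.append(f"FILE DELETED {path}")
    for path in sorted(set(current) - set(previous)):
        messages.append(f"NEW FILENAME {path}")
    for path in sorted(set(current) & set(previous)):
        old_sum, old_attrs = previous[path]
        new_sum, new_attrs = current[path]
        if old_sum != new_sum:
            messages.append(f"FILE CHANGED! {path}")
        if old_attrs != new_attrs:
            messages.append(f"ATTRIBUTES CHANGED {path} {old_attrs} ----> {new_attrs}")
    return messages

# Constructed sample drive as seen at the first run.
FIRST_RUN = {
    r"\IBMBIO.COM": (b"first-run-bio", "-HIDDEN-"),
    r"\DOS\FORMAT.COM": (b"format-v5", "NORMAL"),
    r"\DOS\CHKDSK.COM": (b"chkdsk", "NORMAL"),
    r"\README.TXT": (b"not tracked", "NORMAL"),
}
# Constructed second run: one file patched, one deleted, one added, and the
# Hidden attribute removed from a system file.
SECOND_RUN = {
    r"\IBMBIO.COM": (b"first-run-bio", "NORMAL"),
    r"\DOS\FORMAT.COM": (b"format-v5" + b"\x90" * 8, "NORMAL"),
    r"\UTILITY\TEST.EXE": (b"new tool", "NORMAL"),
    r"\README.TXT": (b"not tracked", "NORMAL"),
}

def demo() -> list:
    key = os.urandom(16)                      # chosen once, at the first run
    update_file = build_update(key, FIRST_RUN)
    return compare(key, update_file, SECOND_RUN)

if __name__ == "__main__":
    for line in demo():
        print(line)
```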

    Filehawk v2.20        paths  hdn  EXE  COM  BAT  SYS  BIN  OVL  files
    (c) 1991-1993    old      0    0    0    0    0    0    0    0      0
    David Kesterton  new      2    1    3    1    2    1    1    1     27

    000K   <ESC> to bypass Memory Scan

Before the files are scanned for viruses, the first megabyte of memory will
be scanned for signatures.

    System Update   Paths/Files Update   Paths/Files Comparison   {Virus Scanning
    Master Boot Sector copy created      Dos Boot Sector copy created
    FAT Tables Match [+13.83 Meg]        16.8 MEGABYTES free space available
    System BACKUP and UPDATE file created
    -File Allocation Table BACKUP created-
    New pathname: \DOS
    New pathname: \UTILITIES
    New filename: \IBMBIO.COM
    New filename: \IBMDOS.COM

"Virus Scanning"
This procedure scans only files that are new or changed. Since this is the
first run, all executables are new, so all will be scanned.

    Thursday August 27, 1993   6:13 pm                                 LOG.000
    0:50

The date-and-time line identifies the run. System problems, including
date-dependent viruses, can be traced to previous runs. The log for the
current run appears on the same line. This file contains the record of events
and conditions the program has detected. All variations, however
insignificant, can later be studied for suspicious activity.
The countdown timer, located beneath the current log, estimates the minutes
and seconds remaining to complete the update and comparison procedures. As
an approximate value which was calculated during the last run, it gives the
means of evaluating a system's performance. Abnormal running times will be
announced, since these can result from a virus or a system defect.

    Filehawk v2.20        paths  hdn  EXE  COM  BAT  SYS  BIN  OVL  files
    (c) 1991-1993    old      0    0    0    0    0    0    0    0      0
    David Kesterton  new      2    1    3    1    2    1    1    1     27

During the Paths/Files update, counts will be kept and displayed. The last
column represents the total number of files of all extensions. Executables
(EXE, COM, BAT, SYS, BIN, OVL) are listed in separate columns. Notice that
hidden files are also counted, since viruses will sometimes create them for
their own use. The "old" line contains counts from the last run; the "new"
line contains the totals from the current run. Variations between each run
will be highlighted because their importance should not be ignored. In some
infections, unaccountable totals may be the only indication that a virus is
at work on the system.
OPTION MENU

    PARTITION SECTOR
    DOS BOOT SECTOR
    FILE EXTENSIONS
    EVENT LOGS
    RESTORE FAT
    HELP

After the run completes, the Option Menu appears. The choices allow you to
study the run, and correct some of the more obvious system problems.

PARTITION SECTOR

Select this to look at an ASCII representation of your Partition Sector, or
Master Boot Record. Commercial virus scanners will see only the signatures
they were programmed to see. They are unable to detect all malicious code.
By comparing a copy of the original sector with what is currently contained
in that sector, the slightest change will announce the contamination.
Restore the sector if infected, or make a new backup copy if changed.

DOS BOOT SECTOR

The same options that are available for the partition sector are available
for the DOS boot sector. Restore if infected or generate a new backup if
changed.

FILE EXTENSIONS

Hostile code is most likely to attack files with the extensions .COM, .EXE,
.BAT, and .SYS. For this reason, Filehawk always updates and compares files
with these extensions. With this option, you may select up to 4 additional
extensions for regular updating and scanning.

EVENT LOGS

Because large numbers of events can scroll rapidly out of the viewing area,
this option allows you to review and print the results of each run.

RESTORE FAT

Many Trojans, as well as viruses, will scramble one or both File Allocation
Tables. Although it is preferable to copy the FILEHAWK.FAT backup file off
your hard drive, Filehawk is capable of finding it on your scrambled drive.
This option allows you to attempt a recovery of the FAT, without which your
files would be inaccessible.
This option is only available in registered and licensed versions.
PARTITION BOOT MESSAGES

Master Boot Sector copy created
    The first run creates a backup copy of the MBR. Because you cannot be
    certain that the Master Boot Record was a good and uncontaminated sector
    when this copy was made, you should carefully study system activity over
    the next few runs of Filehawk.

Partition Boot Sector is unchanged
    The original MBR matches the copy byte for byte, indicating no threat to
    your Partition sector. This is the message you expect to encounter every
    time you run Filehawk.

* Cannot read Partition Boot Sector *
  Security software may be installed *
    For some reason, Filehawk was not able to read the sector. This may occur
    if a security program was installed which relocates or encodes the sector.
    Test this by using a utilities program which can read absolute disk
    sectors. It is likely that a marauding virus will be equally locked out.
    If you receive this message, make certain that you performed the first run
    ONLY AFTER booting the computer from an original, write-protected boot
    diskette.

! Partition Boot Sector Has Changed !
    If you have not adjusted the partition sector by adding or subtracting one
    of the partitions, then a virus may be at fault. After Filehawk completes,
    select the Partition Sector option, compare the original sector bytes to
    the copy, and restore the sector from the backup if necessary. Take
    careful note of any other abnormal events on your system. Go back to prior
    logs, studying them for unreasonable system changes.
Dos Boot Messages

Dos Boot Sector copy created
    Filehawk stores a copy of the Dos boot sector during the initial run. If
    the hard drive sector was already infected when the backup was made, a
    contaminated record will be used for comparisons. Carefully observe system
    activity during subsequent runs of Filehawk.

Dos Boot Sector is unchanged
    The existing sector matches the backup byte for byte. If you are certain
    that there was no pre-infection of the hard drive, then your drive and
    files are safe. This is the message you expect to see every time you run
    Filehawk.

* Cannot read DOS Boot Sector *
  Security software may be installed *
    You may encounter this if the Dos boot sector has been relocated. The
    likely cause is security software. If you are certain that such a
    protection program is responsible, then you may ignore the message. It is
    likely that the sector will be equally unavailable to most hostile
    software.

!!! Dos Boot Sector Has Changed !!!
    If you have installed a new version of Dos, this message will result. If
    you have not updated your Dos version, the next most likely culprit is a
    virus. If the former is the case then you will want to make a new backup
    copy. When Filehawk concludes, select the Dos Boot Sector option. Choose
    option 1# to make a new backup copy, or 2# to restore the original Dos
    boot sector.
FILE ALLOCATION TABLE MESSAGES

FAT Tables Match
    The two tables match, byte for byte. Since the FATs point to the location
    of each file, some viruses and many more trojans attempt to scramble these
    tables. As long as the File Allocation Tables match, integrity of the file
    structure is maintained.

FATS Do Not Match [-8.0 Meg]
    Unlike boot sectors, which can change for sometimes valid reasons, the FAT
    tables should always match. If this message is displayed, then a serious
    condition has occurred. For this reason, the megabyte message informs the
    user of the potential degree of damage. If the value is large -- greater
    than 0.5 Meg -- it is likely that the FATs have been scrambled.

-File Allocation Table BACKUP created-
    Each time you run Filehawk, a FAT BACKUP will be created. Stored as a
    file, the copy is compressed on the drive itself. Should the hard drive
    File Allocation Tables be destroyed, restoration can proceed as long as
    the sectors where the backup was saved have not been tampered with. It
    would be in your best interest to always copy this backup to a floppy
    immediately after running Filehawk.
    FAT restoration is only available in the registered/licensed versions.

** Warning! excess changes in File Allocation Table #
    This common message indicates potential danger to your hard drive. Based
    on FAT calculations, it is determined that more than 2 megabytes of
    additions or deletions have occurred. If you are responsible for the many
    additions or deletions, there is no problem. But if you did not engineer
    the changes, then review the results of Filehawk's comparison routine with
    care.
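An added worked example (not part of Filehawk) of the three FAT checks the
messages above describe, run on a constructed FAT16 table: byte-for-byte
agreement of the two copies, the approximate megabyte change since the last
run derived from the number of allocated clusters, and the excess-change
warning when more than 2 megabytes were added or deleted. The 2 KB cluster
size, the use of FAT16 entries and the rounding of the "Meg" figure are
assumptions made for the demo.

```python
import struct

CLUSTER_BYTES = 2048                      # assumed cluster size for the demo
EXCESS_CHANGE_BYTES = 2 * 1024 * 1024     # the "more than 2 megabytes" rule

def fat16_allocated_clusters(fat: bytes) -> int:
    """Count allocated clusters. Entries 0 and 1 are reserved (media
    descriptor and end-of-chain marker); a zero entry means a free cluster."""
    n = len(fat) // 2
    entries = struct.unpack(f"<{n}H", fat[:2 * n])
    return sum(1 for e in entries[2:] if e != 0)

def build_fat16(total_clusters: int, allocated: int) -> bytes:
    """Constructed table: the two reserved entries, `allocated` one-cluster
    chains (0xFFFF = end of chain), then free clusters."""
    entries = [0xFFF8, 0xFFFF] + [0xFFFF] * allocated + [0] * (total_clusters - allocated)
    return struct.pack(f"<{len(entries)}H", *entries)

def check_fats(fat1: bytes, fat2: bytes, prev_allocated: int) -> list:
    """The messages the text describes: whether the two FAT copies agree byte
    for byte, the approximate size change since the last run (the text counts
    a "Meg" as 1,000,000 bytes), and the excess-change warning."""
    allocated = fat16_allocated_clusters(fat1)
    delta_bytes = (allocated - prev_allocated) * CLUSTER_BYTES
    tag = f"[{delta_bytes / 1_000_000:+.2f} Meg]"
    messages = [("FAT Tables Match " if fat1 == fat2 else "FATS Do Not Match ") + tag]
    if abs(delta_bytes) > EXCESS_CHANGE_BYTES:
        messages.append("** Warning! excess changes in File Allocation Table #")
    return messages

def demo() -> dict:
    healthy = build_fat16(4096, 1100)            # 1100 of 4096 clusters in use
    scrambled = bytearray(healthy)
    scrambled[40:48] = b"\xde\xad\xbe\xef" * 2   # second copy tampered with
    return {
        "normal":   check_fats(healthy, healthy, prev_allocated=1000),
        "mismatch": check_fats(healthy, bytes(scrambled), prev_allocated=1000),
        "excess":   check_fats(healthy, healthy, prev_allocated=0),
    }

if __name__ == "__main__":
    for case, msgs in demo().items():
        print(case, msgs)
```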
DIRECTORY/PATH MESSAGES

PATH DELETED  \SAMPLE1
NEW PATHNAME  \SAMPLE2
    Filehawk announces the removal or the addition of a subdirectory. A
    common event, this helps to paint the total picture of incidents or
    conditions which may be affecting your hard drive. In some situations, a
    seemingly minor event may be far more significant when matched with other
    occurrences. It is not unusual for hostile software to create new
    directories in order to hide malignant executables.

!PATH HIDDEN!  \SAMPLE1
    Paths are not normally hidden, so from this warning you should look for
    the creation of hidden files.

Path Visible:  \SAMPLE2
    Hidden subdirectories that become visible are rare events that must be
    brought to your attention.

Path number exceeds maximum allowable
    Filehawk records a maximum of 255 pathnames. Beyond that, the paths are
    ignored.
FILENAME MESSAGES

FILE DELETED  TEST.EXE
    If you did not delete the file, a trojan may be responsible.

NEW FILENAME  TEST.COM
    Some viruses create new files for their own purposes. Be alert to the
    addition of a .COM version of a file with an .EXE extension. If two files
    with the same name exist in the same directory, the .COM file will be
    executed first. This is a standard technique of some hostile software. A
    separate warning will be given if this situation is encountered for the
    first time.

FILE CHANGED!  TEST.COM
    Viruses replicate by changing the contents of other files. They can attach
    themselves to the start or end of executables, or overwrite sections of
    the object file. If this warning appears, be certain that you were
    responsible for changing the file contents. If you did not, then most
    likely a virus was responsible.
    Filehawk automatically scans files that have changed. If Filehawk's
    scanner, or any other scanner, fails to find hostile code in a file which
    has changed for no apparent reason, a virus is still the probable cause.

ATTRIBUTES CHANGED TO ----> READ ONLY -HIDDEN- *SYSTEM* +ARCHIVE+ NORMAL.
    One or more of the attributes may be changed in a file. It is not unusual
    for a utility or backup program to update file attributes, usually from
    Normal to Archive. But be alert to the removal of Read Only or Hidden
    attributes from major system files. All attribute changes should be
    accounted for.

Dup filename  \DOS\CHKDSK.COM
              \CHKDSK.COM
    Duplicate filenames for the most part indicate redundancy. Delete one copy
    to free up space. This announcement is made for changed or new files, with
    the result that it appears once only for the same files.

Number of files exceeds maximum storage allotment.
    Filehawk can remember up to 3000 executable files. If this message
    appears, it may be time for you to archive little used or redundant files.
Virus Scanning Messages

<!> DANGER: A signature for the "Vicious" Virus is in:
    \DOS\FORMAT.COM 2218

A virus signature has been identified in the file FORMAT.COM. This does not
necessarily mean that the file is infected. The signature scanning method is
the least reliable means of determining file infection. This is because the
method assumes that the signature is located only in an infected file. Since
it is possible for a signature to appear in an ordinary file, the file update
procedure is necessary for cross-referencing. If files which have changed on
the system show positive warnings, then they are likely infected. Additional
cross-referencing is accomplished with the trademark and keyword scans, since
infected files frequently contain more than one signature or keyword string.
The number after the filename, in this case "2218", is a reference code which
identifies the signature encountered. Include this number if writing to seek
more information.

<*> WARNING: a virus trademark can be found in the line:
    this is a test showing BigGuys Incorporated as a sample trademark
    located in: \UTILITY\TEST.EXE 3819

A 'trademark' is a string that a virus writer has included in at least one of
his creations. The author usually displays it as a trademark, which suggests
that if he creates more viruses, they will contain the same trademark. Where
this has occurred in the past, the trademark has been repeated in a new virus.
This has resulted in Filehawk being able to detect some viruses in advance of
their release into the public domain.
The presence of a trademark does not confirm the existence of a virus. Study
the line in which the trademark appears, as this usually indicates whether or
not the author's intent is to announce his creation.

<+> Caution: a virus keyword can be found in the line:
    this is a test showing SaMpLe as an example keyword
    located in: \UTILITY\TEST.EXE 3733

Virus keywords are strings that tend to occur in hostile software. Because a
keyword can easily appear in uninfected files, the context of the string will
be significant. Keyword categories include: profanity, demonology, romance,
hostility, terrorism, and other predictably adolescent interests.
Filehawk is able to detect all uppercase-lowercase mixtures of a keyword, e.g.
sample, SAMPLE, sAmPlE.
The presence of a keyword is least likely to confirm the existence of hostile
code. The keyword is normally supporting evidence where a trademark or a
signature merely suggests a virus. In itself, the keyword is not proof.
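Added example (not Filehawk's own scanner) of the three scan levels described
above, signature, trademark and keyword, applied to constructed file contents.
It prints the reference code after the filename and, for trademark and keyword
hits, the line the string sits in, so the context can be judged as the text
advises. All patterns are placeholders made up for the demo; the reference
codes reuse the numbers quoted above and the keyword match is case-insensitive.

```python
import re

# Constructed placeholder tables; Filehawk's real tables are not published.
PLACEHOLDER_SIG = b"\x7fV\x1c\x10\x05\xee\x9a\x02"
SIGNATURES = {PLACEHOLDER_SIG: ("Vicious", 2218)}   # bytes -> (name, reference code)
TRADEMARKS = {b"BigGuys Incorporated": 3819}        # exact string -> reference code
KEYWORDS = {b"sample": 3733}                        # matched in any case mixture

def context_line(data: bytes, pos: int) -> str:
    """The text 'line' around a hit, bounded by the nearest newline or NUL."""
    start = max(data.rfind(b"\n", 0, pos), data.rfind(b"\x00", 0, pos)) + 1
    ends = [i for i in (data.find(b"\n", pos), data.find(b"\x00", pos)) if i != -1]
    end = min(ends) if ends else len(data)
    return data[start:end].decode("ascii", "replace")

def scan_file(path: str, data: bytes) -> list:
    """Return the DANGER / WARNING / Caution messages for one file, most
    severe first, in the layout the log uses."""
    out = []
    for sig, (name, code) in SIGNATURES.items():
        if sig in data:
            out.append(f'<!> DANGER: A signature for the "{name}" Virus is in:\n'
                       f'    {path} {code}')
    for mark, code in TRADEMARKS.items():
        pos = data.find(mark)
        if pos != -1:
            out.append("<*> WARNING: a virus trademark can be found in the line:\n"
                       f"    {context_line(data, pos)}\n    located in: {path} {code}")
    for word, code in KEYWORDS.items():
        m = re.search(re.escape(word), data, re.IGNORECASE)
        if m:
            out.append("<+> Caution: a virus keyword can be found in the line:\n"
                       f"    {context_line(data, m.start())}\n    located in: {path} {code}")
    return out

# Constructed file contents: one signature hit, one file carrying a trademark
# and a mixed-case keyword on separate lines, and one clean file.
SAMPLE_FILES = {
    r"\DOS\FORMAT.COM": b"MZ\x00\x01" + PLACEHOLDER_SIG + b"\x00" * 8,
    r"\UTILITY\TEST.EXE": (b"MZ\x00\x02\x00"
                           b"this is a test showing BigGuys Incorporated as a trademark\n"
                           b"this is a test showing SaMpLe as an example keyword\x00rest"),
    r"\CLEAN.COM": b"MZ\x00\x03\x00plain program text\x00",
}

def scan_all(files: dict = SAMPLE_FILES) -> dict:
    """Scan every file; a real run would restrict this to new or changed files."""
    return {path: scan_file(path, data) for path, data in files.items()}

if __name__ == "__main__":
    for path, msgs in scan_all().items():
        for msg in msgs:
            print(msg)
```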
OTHER MESSAGES
    System Update HAS EXCEEDED TIME ESTIMATE BY: 7 SECONDS
    Paths/Files Update SHORTER THAN TIME ESTIMATE BY: 12 SECONDS
The length of time it takes for a procedure to run is saved and compared with
the current duration. Times greater than or less than 4 seconds are noted in
the log to help in system evaluation. If you have not added or deleted files
since the last run, and the time estimates are abnormally high, then a virus,
or another hostile event, may be active on your system.
    *WARNING* Executable Files of the same name are in the same directory:
        \UTILITY\BASIC.COM
        \UTILITY\BASIC.EXE
One technique used by viruses, is to create a "COMPANION" file. A .COM file
containing the viral code will be created in the same path as a file with an
.EXE extension. Given the command to execute the file, Dos elects to run the
harmful .COM file, ignoring the intended .EXE file.
If you try running a .BAT file, while a .COM or .EXE file with the same name
exists in the same directory, the .COM or .EXE file will be executed by Dos.
It is not unusual to encounter companion files on ordinary systems. They are
used for a variety of reasons by normal applications. For this reason, the
announcement will occur once only -- for new and changed executable files.
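Added example (not Filehawk's code) of the companion-file warning: executables
are grouped by directory and base name, each group is ordered the way Dos
resolves a bare command name (.COM, then .EXE, then .BAT), and a group is
announced once only by remembering which ones were already reported. The
directory listing is a constructed list, and the "already reported" set stands
in for state a real tool would keep in its update file between runs.

```python
import os
from collections import defaultdict

# The order in which Dos tries extensions for a bare command name.
DOS_ORDER = [".COM", ".EXE", ".BAT"]

def split_dos(path: str):
    """Split a Dos path into (directory, base name, extension), upper-cased.
    The root directory is reported as a single backslash."""
    directory, _, name = path.upper().rpartition("\\")
    base, ext = os.path.splitext(name)
    return directory or "\\", base, ext

def companions(paths):
    """Group executables by (directory, base name) and keep the groups that
    hold more than one Dos-executable extension, each listed in the order
    Dos would pick them."""
    groups = defaultdict(list)
    for p in paths:
        directory, base, ext = split_dos(p)
        if ext in DOS_ORDER:
            groups[(directory, base)].append(ext)
    return {key: sorted(exts, key=DOS_ORDER.index)
            for key, exts in groups.items() if len(exts) > 1}

def companion_warnings(paths, already_reported: set) -> list:
    """One Filehawk-style warning per companion group not reported before.
    `already_reported` plays the role of state carried in the update file."""
    out = []
    for (directory, base), exts in sorted(companions(paths).items()):
        if (directory, base) in already_reported:
            continue
        already_reported.add((directory, base))
        sep = "" if directory == "\\" else "\\"
        names = [f"{directory}{sep}{base}{ext}" for ext in exts]
        lines = [f"    {names[0]}   <- the one Dos will run"]
        lines += [f"    {n}" for n in names[1:]]
        out.append("*WARNING* Executable Files of the same name are in the same "
                   "directory:\n" + "\n".join(lines))
    return out

# Constructed directory listing: a three-way companion set, a pair in the
# root, and two files whose names match only across different directories.
DRIVE = [r"\UTILITY\BASIC.COM", r"\UTILITY\BASIC.EXE", r"\UTILITY\BASIC.BAT",
         r"\DOS\FORMAT.COM", r"\TOOLS\BASIC.EXE", r"\INSTALL.BAT", r"\INSTALL.EXE"]

def demo():
    reported = set()
    first_run = companion_warnings(DRIVE, reported)    # two warnings
    second_run = companion_warnings(DRIVE, reported)   # nothing new: silent
    return first_run, second_run

if __name__ == "__main__":
    for warning in demo()[0]:
        print(warning)
```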
UNABLE TO READ UPDATE FILE
    The update file stores adjustable data. When it cannot be found, Filehawk
    creates one for the first time. If it cannot be read, a hard drive error
    is the likely cause.

INSUFFICIENT MEMORY
142K REQUIRED 98K AVAILABLE
    Over time, because of the steady rise in the number of virus signatures,
    memory needs are expected to rise. Filehawk lets you know how much memory
    it requires. The solution is to run Filehawk before loading TSRs or run it
    outside of memory-gobbling shells. The example shows the total memory
    Filehawk requires (142K), to process extra signature data, and how much
    free memory is available (98K). In this example, you must provide Filehawk
    with an additional 44K.

* COMMAND UNAVAILABLE *
This is a demonstration
version only
    The demonstration version of Filehawk, available on some Bulletin Board
    Systems, does not allow the use of all commands: restoring a scrambled FAT
    table is the only feature not permitted on the demo version.
- end -