home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Night Owl 9
/
Night Owl CD-ROM (NOPV9) (Night Owl Publisher) (1993).ISO
/
051a
/
tbav603.zip
/
INTRO.DOC
< prev
next >
Wrap
Text File
|
1993-06-15
|
48KB
|
1,501 lines
Thunderbyte Anti Virus. (C) Copyright 1989-1993 Thunderbyte B.V.
Table of Contents
1. COPYRIGHT, LICENCES AND DISCLAIMER................ 2
1. Copyright..................................... 2
2. Distribution and usage........................ 2
3. Disclaimer.................................... 3
4. Trademarks.................................... 3
5. Registration.................................. 3
6. The registration key.......................... 3
2. INTRODUCTION TO THUNDERBYTE ANTI VIRUS............ 5
1. An overview................................... 5
1. Signature scanning........................ 5
2. Integrity checking........................ 5
3. Heuristic analysis........................ 5
4. High speed................................ 5
5. A reconstructive cleaner.................. 5
6. A heuristic cleaner....................... 5
7. Resident signature scanner................ 6
8. Resident integrity checker................ 6
9. Bootsector immunizer...................... 6
10. MBR/CMOS maintenance..................... 6
11. Memory guard............................. 6
12. Disk guard............................... 6
13. File guard............................... 6
14. Network support.......................... 6
2. TbSetup....................................... 7
3. TbScan........................................ 7
4. TbDriver...................................... 7
5. TbScanX....................................... 7
6. TbCheck....................................... 7
7. TbMem......................................... 8
8. TbDisk........................................ 8
9. TbFile........................................ 8
10. TbClean...................................... 8
11. TbUtil....................................... 8
12. Compatibility................................ 9
13. MS Windows................................... 9
3. EXAMPLE SETUPS................................... 11
1. Initial installation......................... 11
2. Creation of a recovery diskette.............. 11
3. Network maintenance.......................... 12
1. Using DOS REPLACE........................ 12
2. Using PkUnZip.Exe........................ 13
4. Prevention of illegal software............... 13
5. Prevention of viruses........................ 13
6. Detection of viruses......................... 14
7. A full protected system...................... 15
8. Protection against employees................. 15
9. System maintenance........................... 16
10. Recovering from viruses..................... 16
4. MISCELLANEOUS INFORMATION........................ 18
1. Who are we?.................................. 18
Page i
Thunderbyte Anti Virus. (C) Copyright 1989-1993 Thunderbyte B.V.
2. Updates...................................... 18
3. Distribution of the signature file........... 18
4. Language support............................. 19
5. Thanks....................................... 19
5. A VIRUS, NOW WHAT?............................... 20
1. Prevention................................... 20
2. Confirmation................................. 20
3. Identification............................... 21
4. Don't Panic.................................. 21
5. Global recovering............................ 22
6. NAMES AND ADDRESSES.............................. 23
1. Contacting the author........................ 23
2. ESaSS B.V.................................... 23
3. TBAV registration/support sites.............. 23
4. TBAV commercial package...................... 23
Page ii
Page 1
Thunderbyte Anti Virus. (C) Copyright 1989-1993 Thunderbyte B.V.
1. COPYRIGHT, LICENCES AND DISCLAIMER
1. Copyright
All Thunderbyte Anti-Virus utilities are copyright 1989-1993
Thunderbyte B.V.. All rights reserved. The diskettes provided
with the Thunderbyte Anti-Virus utilities are not copy protected.
This does not imply that they can be freely copied in unlimited
quantities. The Thunderbyte Anti-Virus utilities are protected by
copyright law, which applies to computer software as well.
2. Distribution and usage
The Thunderbyte Anti-Virus utilities and the accompanying
documentation are SHAREWARE. You are hereby granted a licence by
Thunderbyte B.V. to distribute the evaluation copy of the software
and its documentation, subject to the following conditions:
1. The evaluation package of the Thunderbyte Anti-Virus utilities
may be distributed freely without charge in evaluation form only.
2. The evaluation package of the Thunderbyte Anti-Virus utilities
may not be sold or licensed. Neither may a fee be charged for
its use. If a fee is charged in connection with the Thunderbyte
Anti-Virus utilities at all, it should only cover the cost of
copying or distribution. UNDER NO CIRCUMSTANCES should payment
of such fees be understood to constitute legal ownership.
3. The evaluation package of the Thunderbyte Anti-Virus utilities
must be presented in its complete form. It is not allowed to
distribute the program and its documentation files separately.
4. Neither the software nor its documentation may be amended or
altered in any way.
5. By granting you the right to distribute the evaluation copy of
the Thunderbyte Anti-Virus utilities, you do not become the
owner of these utilities in any form.
6. Thunderbyte B.V. accepts no responsibility in case the program
malfunctions or does not function at all.
7. Thunderbyte B.V. can never be held responsible for damage,
directly or indirectly resulting from the use of the Thunderbyte
Anti-Virus utilities.
8. Using the Thunderbyte Anti-Virus utilities means that you agree
to these conditions.
Any other use, distribution or representation of the Thunderbyte
Page 2
Thunderbyte Anti Virus. (C) Copyright 1989-1993 Thunderbyte B.V.
Anti-Virus utilities is expressly forbidden without the written
permission of Thunderbyte B.V.
3. Disclaimer
Neither Thunderbyte B.V. nor anyone else who has been involved in
the creation, production or delivery of the Thunderbyte Anti-Virus
utilities or the documentation grants any warranties in respect to
the contents of the software or the documentation and each
specifically disclaims any implied warranties of merchantability or
fitness for any purpose. Thunderbyte B.V. reserves the right to
revise the software and the documentation and to make changes from
time to time in the contents without obligation to notify any
person.
4. Trademarks.
The Thunderbyte Anti-Virus utilities are registered trademarks of
Thunderbyte B.V.. All other product names mentioned are
acknowledged to be the marks of their producing companies.
5. Registration.
THIS IS NOT FREE SOFTWARE! If you paid a 'public domain' vendor for
this program, you paid for the service of copying the program, and
not for the program itself. Proceeds from such transactions would
never reach the makers of this product. You may evaluate this
product, but if you decide to make use of it, you should register
your copy.
To register: run the REGISTER program, and return the resulting
form to a Thunderbyte shareware registration site.
We offer several inducements to you for registering. First of all,
you are entitled to support for the Thunderbyte Anti-Virus
utilities, which can be quite valuable at times.
Some very enhanced features (like the TbScan option 'extract') are
only available to registered users. Once you have become a
registered user, these advanced options will be made available
to you.
Your regisrations allow us to enhance our products and to keep them
up to date!
6. The registration key
Registered users receive the information and instructions to
Page 3
Thunderbyte Anti Virus. (C) Copyright 1989-1993 Thunderbyte B.V.
generate their TBAV.KEY. The key file will contain important
information such as the licence number and the name of the
licensee.
The key file TBAV.KEY is NOT to be sold or transferred in any way.
The Thunderbyte Anti-Virus utilities do search for the key file in
the current directory. If they do not find it there, they search
the same directory where the program file itself resides.
If the key file is corrupt or invalid, the Thunderbyte Anti-Virus
utilities continue without error message although your version of
the Thunderbyte Anti-Virus utilities will then be treated as an
unregistered SHAREWARE version. If your key is only valid for some
of the Thunderbyte Anti-Virus utilities, the other utilities will
ignore it when run.
Although you are allowed to evaluate the Thunderbyte Anti-Virus
utilities for a reasonable period of time, it is ILLEGAL to use
them in combination with a key, produced without authorization of
Thunderbyte B.V. or ESaSS B.V., or generated by any software not
distributed by Thunderbyte B.V. or ESaSS B.V..
Page 4
Thunderbyte Anti Virus. (C) Copyright 1989-1993 Thunderbyte B.V.
2. INTRODUCTION TO THUNDERBYTE ANTI VIRUS
1. An overview
What is Thunderbyte Anti-Virus? Thunderbyte Anti-Virus (TBAV) is a
toolkit designed to protect against, and recover from computer
viruses.
There are already many anti-virus packages, so you may wonder what
is so special about these utilities. Here is a quick overview. Note
that this overview is not complete, it just highlights a few of the
many remarkable features.
1. Signature scanning
The signatures used by this package are updated as soon as a
new virus appears. You can always download the most recent
version of this signature file from one of our support Bulletin
Board Systems. A special program is supplied to add signatures
yourself in case of emergency.
2. Integrity checking.
TbScan performs an integrity check automatically, and it does
not have the false alarm rate other integrity checkers have.
The goal is to detect viruses and not to detect configuration
changes!
3. Heuristic analysis.
TbScan is the world's first scanner that incorporates heuristic
analysis in a normal scan session. Heuristic analysis is a
technique that makes it possible to detect about 90% of all
viruses by searching for suspicious instruction sequences
rather than using any signature. This is possible because
TbScan contains a real disassembler and code analyzer.
4. High speed.
In a normal scan session, TbScan is faster than any other
scanner, even with signature scanning, integrity checking and
heuristic analysis fully enabled!
5. A reconstructive cleaner.
A reconstructive cleaner that removes viruses by using the
integrity check information for a guaranteed 100% restoration.
6. A heuristic cleaner.
The worlds first heuristic cleaner! Heuristic cleaning is a
Page 5
Thunderbyte Anti Virus. (C) Copyright 1989-1993 Thunderbyte B.V.
technique that makes it possible to remove even unknown
viruses, without any information about the virus and without
any information about the original file! Literally, the cleaner
removes the unknown from the unknown! The success rate of this
unknown virus remover is 80%, which even beats conventional
cleaners that require predefined virus information.
7. Resident signature scanner.
A resident signature scanner that can swap itself into
expanded, XMS, or high memory, using only 1Kb of conventional
memory!
8. Resident integrity checker.
A resident integrity checker for higher protection. It is fast
and consumes only 600 bytes of memory.
9. Bootsector immunizer.
The TbUtil program can install a new master boot record which
has some unique virus detection capabilities, without becoming
resident in memory!
10. MBR/CMOS maintenance.
Master boot record, bootsector, and CMOS; save, restore and
checking facilities.
11. Memory guard.
A memory guard program that detects viruses and prevents them
from going resident in memory.
12. Disk guard.
A disk guard program that detects viruses and prevents them
from overwriting and formatting the disk. It also traps direct
disk writes, tunneling and direct calls into the BIOS code.
13. File guard.
A file guard program that detects viruses and prevents them
from infecting programs.
14. Network support.
Most other resident anti-virus products offer you the choice to
invoke them before the network is loaded and losing the
protection after the logon procedure, or to invoke the anti-
virus software AFTER the logon to the network, resulting in a
partially unprotected system. The Thunderbyte Anti-Virus
Page 6
Thunderbyte Anti Virus. (C) Copyright 1989-1993 Thunderbyte B.V.
utilities recognize the network software and take appropriate
actions to ensure their functionality.
2. TbSetup
TbSetup is a program that collects information from all software
found on your system. The information will be put in files named
Anti-Vir.Dat. The information maintained in these files can be used
for integrity checking, program validation, and to clean infected
files.
3. TbScan
TbScan is one of the fastest (and at this moment the fastest)
virus scanner available. Besides its blazing speed it has many
configuration options, it can detect mutants of viruses, it can
bypass stealth type viruses, etc.
The most remarkable feature is the ability of TbScan to disassemble
files. This makes it possible to detect suspicious instruction
sequences and to detect yet unknown viruses. TbScan can detect 95%
of the viruses without any information like signatures or checksum
files! This generic detection is named heuristic analysis.
Another feature of TbScan is the integrity checking it performs
when it finds the Anti-Vir.Dat files generated by TbSetup.
4. TbDriver
TbDriver is a memory resident utility. This driver is needed by the
resident TBAV utilities. It takes care for the pop-up window, the
language support, the network support, the MS-Windows support, etc.
5. TbScanX
TbScanX is the memory resident version of TbScan. This signature
scanner remains resident in memory and automatically scans those
files which are being executed, copied, de-archived, downloaded,
etc.
TbScanX performs very fast, and does not require much conventional
memory. 1Kb of upper memory is sufficient.
6. TbCheck
TbCheck is a memory resident integrity checker. This program
remains resident in memory and checks automatically every file just
Page 7
Thunderbyte Anti Virus. (C) Copyright 1989-1993 Thunderbyte B.V.
before it is being executed. TbCheck uses a very fast integrity
checking method and it consumes only 400 bytes of memory. It can be
configured to reject files with incorrect checksums, and/or to
reject files that do not have a corresponding Anti-Vir.Dat record.
7. TbMem
TbMem detects attempts from program to remain resident in memory,
and makes sure that no program can remain resident in memory
without permission. Since most viruses remain resident in memory,
this is a powerfull weapon against all those viruses, known or
unnown. Permission information is maintained in the Anti-Vir.Dat
files.
8. TbDisk
TbDisk detects attempts from programs to write directly to disk
(without using DOS), direct calls into the ROM-BIOS, attempts to
format, etc., and makes sure that no malicious program will succeed
in destroying your data. Permission information about the rare
programs that write directly and/or format the disk is maintained
in the Anti-Vir.Dat files.
9. TbFile
TbFile detects attempts from programs to infect other programs. It
also guards read-only attributes, detects illegal timestamps, etc.
It will make sure that no virus succeeds in infecting programs.
10. TbClean
TbClean is a generic file cleaning utility. It uses the
Anti-Vir.Dat files generated by TbSetup to enhance file cleaning
and/or to verify the results. TbClean can however also work without
these files. It disassembles and emulates the infected file and
uses this analysis to reconstruct the original file.
11. TbUtil
Some viruses copy themselves onto the partition table of the hard
disk. Unlike bootsector viruses, they are hard to remove. The only
solution would seem to be to low-level format the hard disk and to
create a new partition table.
TbUtil offers a more convenient alternative to such radical
measures. It makes a back-up of your uninfected partition table
and boot sector. If these get infected in your system, the TbUtil
Page 8
Thunderbyte Anti Virus. (C) Copyright 1989-1993 Thunderbyte B.V.
back-up can be used as a verifying tool and as a means to restore
the original (uninfected) partition table and bootsector without
the need for a disk format. The program can also restore the CMOS
configuration for you.
If a back-up of your partition table is not available, TbUtil will
try to create a new partition table anyway, again avoiding the need
for a low-level format.
Another important feature of TbUtil is that it can be used to
replace the partition table code by new code that offers greater
resistance to viruses. The TbUtil partition code will be executed
before the boot sector gains control, enabling it to check this
sector in a clean environment. The TbUtil partition code performs
a CRC calculation on the boot sector just before control is passed
to it. If the boot sector has been modified the TbUtil partition
code will warn you about this. The TbUtil partition code also
checks the RAM lay-out and informs you whether or not it has been
changed. It carries out these checks each time you boot from your
hard disk.
Note that once the boot sector has been executed unchecked, it is
very difficult to check it afterwards. A virus could have become
resident in memory during boot-up and have hidden its presence.
Once again, TbUtil will offer you a great deal of security here
as it is active BEFORE the boot sector is executed.
Also note that the use of TbUtil is much more convenient than the
traditional strategy of booting from a clean DOS diskette for an
undisturbed inspection of the boot sector.
12. Compatibility
The Thunderbyte Anti-Virus utilities are designed to cooperate with
networks, MS-Windows, DR-DOS, etc.
13. MS Windows
The Thunderbyte Anti-Virus utilities are Microsoft Windows
compatible. The utilities remain active in every DOS box, without
mixing the operation of the adjacent windows. All TBAV utilities
can also be invoked in a graphics DOS box inside Windows.
What you will not find in the TBAV package are fancy looking
Windows programs. There are several reasons for this omission:
- A Windows scanner never offers additional functionality.
Instead, a Windows scanner requires more system resources,
becomes larger and slower, and performs less reliable. The only
'gain' would be a prettier screen lay-out. If the screen layout
Page 9
Thunderbyte Anti Virus. (C) Copyright 1989-1993 Thunderbyte B.V.
is your major concern, TBAV is not the Anti-Virus package for
you!
- If one of the Windows files gets infected, Windows will most
likely refuse to work and hang the machine. Just in this case
you need a scanner to see what is going on, but you can not use
it anymore!
- To cope with stealth viruses it is required to boot from a
clean DOS diskette before running the scanner. But, ever tried
to boot Windows off a diskette?
TBAV provides fine Windows support, but no nonsense.
Page 10
Thunderbyte Anti Virus. (C) Copyright 1989-1993 Thunderbyte B.V.
3. EXAMPLE SETUPS
1. Initial installation
In the following examples it is assumed that all utilities are
copied in a directory named TBAV. If this is not the case, execute
the following commands:
MD C:\TBAV
COPY *.* C:\TBAV
C:
CD \TBAV
For all example setups it is required that TbSetup has been
executed:
TbSetup C:\
If your system has more hard disks or disk partitions you should
repeat the TbSetup invocation for every drive or partition.
It is also highly recommended to make a recovery diskette. The
example setups assume you have created such a recovery diskette.
It is also highly recommended to read the manuals of all the TBAV
products. The example setups outlined below are just intended to
give you some ideas about the use of the TBAV utilities, and these
examples are not intended as a full featured protection setup!
2. Creation of a recovery diskette
A recovery diskette is required to get rid of any virus in the
future. Without such a diskette, you will never be able to get rid
of any virus! So, take a few minutes to make this diskette now!
Take a new, empty diskette, put it in drive A:, go to your DOS
directory and execute the following commands:
Format A:\ /S
Copy SYS.COM A:
Now return to the TBAV directory:
CD \TBAV
Execute the batch file MakeResc:
MakeResc A:
Now copy any other utilities you think you need in case of an
emergency to the diskette. A tiny editor - to edit Config.Sys
and/or AutoExec.Bat - is also highly recommended.
If your hard disk needs some special device driver to be accessed
Page 11
Thunderbyte Anti Virus. (C) Copyright 1989-1993 Thunderbyte B.V.
(like a Stackered disk), copy the required device drivers also to
the recovery diskette and install the drivers in the Config.Sys
file on drive A:. Consult the manual of these device drivers for
additional help.
Now execute TbSetup as follows:
TbSetup A:
The diskette is now almost ready. MAKE THE DISK WRITE PROTECTED BY
USING THE WRITE PROTECT TAB! Label the diskette with 'Recovery'.
Now store the diskette into a safe place. Do not use it until you
need it!
3. Network maintenance
The signature file TbScan.Sig should be replaced frequently. This
can be a lot of work if you want to update all work stations on a
network manually. Fortunately, there are several possibilities to
do this job automatically.
1. Using DOS REPLACE
Maintain a directory \TBAV_UPD\ on a public server drive. If there
is a new version of TBAV or the signature file TbScan.Sig you
should place it in this directory.
The work stations should run a batch file automatically after the
user logges in on the network. This is in most situation already
the case. This batch file should contain the following lines:
rem Update the anti-virus product if a new one is available.
replace x:\tbav_upd\*.* c:\tbav /u /r
'Replace' is a standard DOS utility. It copies the files specified
by the first parameter ONLY if they are newer than the files
specified in the second parameter.
Make sure the 'replace' command is in the current path, and that
the paths specified are valid for your configuration.
So in most cases the 'replace' command doesn't do anything at all,
except when you just updated the x:\tbav_upd directory. Now you
have to update only one drive with the new signature file or
anti-virus software, and all workstations will update themselves as
soon as they log in!
You can also add the /S option if you want REPLACE to scan all
directories on the workstations drive for matching files.
Note:
Page 12
Thunderbyte Anti Virus. (C) Copyright 1989-1993 Thunderbyte B.V.
Do not forget to run TbSetup on the new utilities in the
x:\tbav_upd directory. This makes sure that the REPLACE command
also copies the new Anti-Vir.Dat file.
2. Using PkUnZip.Exe
Maintain a directory \TBAV_UPD\ on a public server drive. If there
is a new version of the TBAV distribution archive you should place
it in this directory.
The work stations should run a batch file automatically after the
user logges in on the network. This is in most situation already
the case. This batch file should contain the following lines:
rem Update the anti-virus product if a new one is available.
PkUnZip -n -o x:\tbav_upd\TBAV???.ZIP c:\tbav
Make sure the file PkUnZip.Exe is in the current path, and that the
paths specified are valid for your configuration.
So in most cases the 'PkUnZip' command doesn't do anything at all,
except when you just updated the ZIP files in the x:\tbav_upd
directory. Now you have to update only one drive with the new
anti-virus software, and all workstations will update themselves as
soon as they log in!
4. Prevention of illegal software
A lot of companies do not want their users to install or execute
unauthorized software. TBAV can help to prevent this.
Add to the Config.Sys the following lines:
Device=C:\TBAV\TbDriver.Exe
Device=C:\TBAV\TbCheck.Exe secure
Execute TbSetup on the system.
TbSetup C:\
Reboot the system.
Press Ctrl-Alt-Del.
If the user now tries to execute new software - software not
authorized by TbSetup -, TbCheck does not allow these files to be
executed.
5. Prevention of viruses
To prevent virusses from doing any harm on your system, execute or
install the following products:
Page 13
Thunderbyte Anti Virus. (C) Copyright 1989-1993 Thunderbyte B.V.
Execute TbUtil to make a backup of the partition table and to
replace the partition code by a partition sector with virus
detection capabilities:
TbUtil immnunize a:tbutil.dat
Add the following lines to the config.sys file:
Device=C:\TBAV\TbDriver.Exe
Device=C:\TBAV\TbScanX.Exe
Device=C:\TBAV\TbMem.Exe
Device=C:\TBAV\TbFile.Exe
Add the following line to the autoexec.bat file:
C:\TBAV\TbDisk
Reboot the system.
Press Ctrl-Alt-Del.
It is very likely that some of the TBAV utilities display a message
when you boot again. This because some programs that are invoked
perform operations that are monitored by the TBAV utilities. TBAV
has to 'learn' which programs perform these operations. If you
respond with 'Y' everytime, TBAV will remember this for next time,
and it will not bother you again with these messages and questions.
Reboot the system again.
Press Ctrl-Alt-Del.
The TBAV utilities now monitor the system and warn you if something
suspicious - or worse - is going on! They also warn you if a new
file contains a virus. In all situations, viruses are detected
before they can do any harm.
6. Detection of viruses
To detect viruses AFTER an infection occured, you can also use the
TBAV utilities.
Add the following lines to the config.sys file:
Device=C:\TBAV\TbDriver.Exe
Device=C:\TBAV\TbCheck.Exe
Add the following line to the autoexec.bat file:
C:\TBAV\TbScan C:\ once
Reboot the system.
Press Ctrl-Alt-Del.
TbCheck will warn you if files have been changed. TbScan is invoked
automatically once a day.
Page 14
Thunderbyte Anti Virus. (C) Copyright 1989-1993 Thunderbyte B.V.
7. A full protected system
The best protection is achieved with the following setup.
Execute TbUtil to make a backup of the partition table and to
replace the partition code by a partition sector with virus
detection capabilities:
TbUtil immunize a:tbutil.dat
Add the following lines to the config.sys file:
Device=C:\TBAV\TbDriver.Exe
Device=C:\TBAV\TbCheck.Exe
Device=C:\TBAV\TbScanX.Exe
Device=C:\TBAV\TbMem.Exe
Device=C:\TBAV\TbFile.Exe
Add the following line to the autoexec.bat file:
C:\TBAV\TbDisk
C:\TBAV\TbScan C:\ once
Reboot the system.
Press Ctrl-Alt-Del.
It is very likely that some of the TBAV utilities display a message
when you boot again. This because some programs that are invoked
perform operations that are monitored by the TBAV utilities. TBAV
has to 'learn' which programs perform these operations. If you
respond with 'Y' everytime, TBAV will remember this for next time,
and it will not bother you again with these messages and questions.
Reboot the system again.
Press Ctrl-Alt-Del.
The TBAV utilities now monitor the system and warn you if something
suspicious - or worse - is going on! They also warn you if a new
file contains a virus. In all situations, viruses are detected
before they can do any harm. Viruses are also detected after they
are installed on the system for any reason.
8. Protection against employees.
Most of the TBAV utilities are interactive. They require
communication with the user if something is going on. In companies
however it may be that the system operator is the only one who
should commnicate with TBAV in case something is going on. All TBAV
utilities support the option 'secure'. If this option is specified,
the TBAV utilities will not ask the user for permission before
allowing dangerous operations: TBAV will always deny all dangerous
and suspicious operations.
Page 15
Thunderbyte Anti Virus. (C) Copyright 1989-1993 Thunderbyte B.V.
9. System maintenance.
Unfortunately, a system needs maintenance. This maintenance also
affects the TBAV utilities. The signature file of TbScan needs a
frequent update. You can obtain a new signature file on one of our
support Bulletin Board Systems.
It is likely that you add, update or replace programs on your
system. If you do so, do not forget to use TbSetup to make or
update the fingerprints of these programs!
If you install a new version of DOS, the bootsector will be
changed. If you change the configuration of your disks, the
partition table and/or CMOS configuration will change. You need to
create a new recovery diskette in these cases.
10. Recovering from viruses.
DO NOT MAKE A NEW BACK-UP OF YOUR SYSTEM THAT WILL OVERWRITE AN
ALREADY EXISTING BACK-UP. Make a separate back-up instead and label
it as being infected and unreliable.
When recovering from a virus infection it is important that you
boot from the uninfected, write-protected, recovery diskette. (If
you followed our recommendations, you have a diskette labeled
'recovery').
Do NOT run any program from your hard disk! The virus must be
denied access to your memory while you clean up the system. TbCheck
will warn you if you accidentially try to execute an infected or
unauthorized program of your hard disk.
Run TbScan for an indication about what is wrong. TbScan will
report the virus name if the virus is known, or it will report file
changes in case the virus is unknown.
TbScan C:\ logname=lpt1
Also run TbUtil to compare the bootsector, partition code and
CMOS configuration.
TbUtil compare
If the bootsector or partition code contains a virus, you can use
TbUtil to remove the virus from these items:
TbUtil restore
In case of a file virus, restore all executables. TbClean is not
recommended unless you don't have a back-up of the uninfected
executable files. Depending on the kind of virus it might also be
necessary to replace all data files.
Once the system has been cleaned, check all diskettes, back-ups,
Page 16
Thunderbyte Anti Virus. (C) Copyright 1989-1993 Thunderbyte B.V.
etc. One infected diskette can cause you the same trouble all over
again. Therefore we highly recommend you to take measures to
protect your system against re-infections, since there is always
the possibility that you forgot to clean up one of your diskettes.
Use a virus scanner frequently, install a resident scanner (like
TbScanX), or even better, install the Thunderbyte PC Immunizer card.
Page 17
Thunderbyte Anti Virus. (C) Copyright 1989-1993 Thunderbyte B.V.
4. MISCELLANEOUS INFORMATION
1. Who are we?
The Thunderbyte Anti-Virus utilities have been developed by Frans
Veldman, chief executive of the ESaSS and Thunderbyte company.
ESaSS is the company that developed the well-known Thunderbyte
card, the first hardware PC immunizer, and has gained a great
deal of experience with and knowledge of viruses and
assembler-written system software. Of course, we do have a large
collection of viruses to test our products on.
2. Updates
The Thunderbyte Anti-Virus utilities are updated often. The updates
will be available on all Thunderbyte support BBSs but also a lot
of other BBSs will have the most recent version of our software
available.
The standard complete release will be named: TBAVxxx.ZIP.
The 'xxx' will be replaced by the three digit version number of the
Thunderbyte Anti-Virus utilities.
To maintain the high reliability of the products, beta releases
are available. They will not be distributed widely, but are just
available on the Thunderbyte support BBS in The Netherlands and in
the USA. They will only contain the files that have been changed.
Beta versions can be recognized because they have a 'B' in the
name: TBAVBxxx.ZIP.
To minimize download costs there will also be upgrade archives
which contain files that have been changed since the previous
official release. They will have a 'U' in their name: TBAVUxxx.ZIP.
The resident Thunderbyte Anti-Virus utilities are also available in
processor optimized formats. These processor optimized versions are
available for registered users only, and they are archived in a
file with a 'X' in the name: TBAVXxxx.ZIP.
3. Distribution of the signature file
The signature file (TBSCAN.SIG) is updated every month. It will be
distributed in an archive called TBSIG%##.ZIP (% = Year, ## =
release sequence number). Most Bulletin Board Systems will get a
fresh copy of this file within 48 hours after the Master Copy has
been updated at Thunderbyte support BBS in The Netherlands. The
most recent signature files can also be obtained from any other
Thunderbyte support BBS.
Page 18
Thunderbyte Anti Virus. (C) Copyright 1989-1993 Thunderbyte B.V.
4. Language support
The Thunderbyte Anti-Virus utilities do support several languages.
The language support files are distributed in archives named
TB<name><version>.ZIP, whereas <name> stands for the two or three
character country code, and version for the version number of TBAV.
A language support file for The Netherlands whould have the name
TBNL500.ZIP (version 5.00). You will find these language files on
most Thunderbyte support BBSes.
5. Thanks
The Thunderbyte Anti-Virus utilities would not have evolved to
their current state without the valuable contributions made by a
number of people. Special thanks to:
John Lots, for beta-testing and technical advice.
Eric Richet, for beta-testing.
Stephane Veaux, for beta-testing.
Alan Solomon, for testing and for the discovery of a FCB problem.
Harry Thijssen, for stimulating the scanner speed competition.
Jeff Cook, for revision and correction of the manual.
Fridrik Skulason, for cooperation of heuristic implementation.
Page 19
Thunderbyte Anti Virus. (C) Copyright 1989-1993 Thunderbyte B.V.
5. A VIRUS, NOW WHAT?
1. Prevention
It is always better to be safe now than to be sorry afterwards. You
can prevent an infection by using reliable software only, i.e.
software of which the origins are known.
MAKE SURE YOU HAVE AN UNINFECTED WRITE-PROTECTED BOOTABLE DOS DISK
STORED IN A SAFE PLACE. The disk will be needed in case of
infection. Without an uninfected bootable disk you will never be
able to get rid of any virus! The disk should be write-protected to
make sure it will remain uninfected!
Make sure you use TbSetup to maintain recovery information of all
executable files of your system!
Only boot from your hard disk or from your original DOS diskette.
NEVER use someone else's disk to boot from. Should you have a hard
disk, make certain that you have opened the door to your floppy
drive before resetting or booting your PC.
Use the DOS program ChkDsk frequently (without the /F switch).
ChkDsk is able to detect some viruses because the viruses change
the disk structure in an incorrect manner, causing disk errors in
the process.
Look out for changes in the behaviour of your software or system.
Any change in their behaviour is suspect, unless you know its
cause. Some highly suspicious symptoms are:
- The amount of available memory space has decreased.
- Programs need more time to execute.
- Programs do not operate as they used to, or cause the system
to crash or reboot after some time.
- Data disappears or get damaged.
- The size of one or more programs has increased.
- The screen behaves strangely, or you will find unusual
information displayed there.
- ChkDsk detects many errors.
2. Confirmation
Once you think your system may have been infected by a virus, try
to get confirmation. You can get confirmation by using a virus
scanner, or by booting from the uninfected write-protected DOS
diskette and comparing the files on the hard disk to the known
uninfected original copies. DO NOT RUN ANY PROGRAM ON THE HARD DISK
WHILE AND BEFORE PERFORMING THIS TEST TO PREVENT THE VIRUS FROM
GOING RESIDENT IN MEMORY. If the files have not been changed you
Page 20
Thunderbyte Anti Virus. (C) Copyright 1989-1993 Thunderbyte B.V.
are not dealing with a file virus. However, if they all appear
changed in the same manner, it is very likely that the files have
been infected. The bootsector is more difficult to test. Use the
DOS SYS command to replace the bootsector in case of doubt.
Note that file viruses infect other programs. It is highly unlikely
that you will find a few infected programs on a hard disk used
frequently. If TbScan reports a virus in only 1% of the files on
your hard disk, you should treat it as a false alarm.
If you find a virus, do NOT use your copy of TbScan to check other
machines, unless you have copied it to a write-protected diskette
before the system became infected. Although TbScan performs a
sanity check on invocation, there are some viruses that are able to
fool a self-check, and TbScan might therefore carry such a virus
without detecting it itself.
3. Identification
Identify the virus. This is extremely important because if you know
which virus infected your system, you know what the virus must have
done there, and whether or not your data files can still be relied
upon.
You can use a virus scanner to identify a virus. Once you know the
name of the virus you should obtain additional information about
the virus. Log on to our support BBS, consult literature on this
subject, or consult a virus expert.
If the virus only infects executable files you need only replace
executable files. But if the virus swaps some bytes at a random
location of your hard disk each time you execute a program, you
have to replace your data files too, even though you didn't notice
any changes in the data files themselves.
4. Don't Panic!
The most important thing to do is NOT TO PANIC! Panicking doesn't
help you, as you need to be calm to deal with the situation
properly. In most cases of virus infection in the past, most of
the damage was done by the operator of the system, not by the virus
itself. Do nothing at all except for identifying the virus and
obtaining information about it. An instant reformat of your hard
disk(s) is the worst thing you can do. Once you know exactly what
the virus does, you can work out a strategy to recover from the
infection.
DO NOT MAKE A NEW BACK-UP OF YOUR SYSTEM THAT WILL OVERWRITE AN
ALREADY EXISTING BACK-UP. Make a separate back-up instead and label
it as being infected and unreliable.
Page 21
Thunderbyte Anti Virus. (C) Copyright 1989-1993 Thunderbyte B.V.
5. Global recovering
When recovering from a virus infection it is important that you
boot from an uninfected write-protected DOS diskette. Do NOT run
any program from your hard disk! The virus must be denied access to
your memory while you clean up the system.
Restore the DOS system and bootsector by using the DOS SYS command.
In case of a file virus, restore all executables. A virus removal
utility is not recommended unless you don't have a back-up of the
uninfected executable files. Depending on the kind of virus it
might also be necessary to replace all data files.
If the system has been infected by a virus that modifies the
partition table it might be necessary to perform a low-level
reformat of your hard disk(s). If you used a utility to back up the
partition table (like TbUtil) it isn't necessary to reformat the
disk(s). TbUtil restores the partition table for you.
Once the system has been cleaned, check all diskettes, back-ups,
etc. One infected diskette can cause you the same trouble all over
again. Therefore we highly recommend you to take measures to
protect your system against re-infections, since there is always
the possibility that you forgot to clean up one of your diskettes.
Use a virus scanner frequently, install a resident scanner (like
TbScanX), or even better, install the Thunderbyte PC Immunizer card.
Page 22
Thunderbyte Anti Virus. (C) Copyright 1989-1993 Thunderbyte B.V.
6. NAMES AND ADDRESSES
1. Contacting the author.
The Thunderbyte Anti-Virus utilities have been written by Frans
Veldman. You can contact him via the following electronic media:
Dutch support BBS Tel. +31-85-212395
Fidonet: 2:280/200
Internet: Veldman@esass.iaf.nl
Registered users can also phone for technical support. To register,
run the REGISTER.EXE program.
2. ESaSS B.V.
For more information about the Thunderbyte Anti-Virus utilities you
can contact:
ESaSS B.V. Tel: + 31 - 80 - 787 881
P.o. box 1380 Fax: + 31 - 80 - 789 186
6501 BJ Nijmegen Data: + 31 - 85 - 212 395
The Netherlands (2:280/200@fidonet)
(veldman@esass.iaf.nl)
3. TBAV registration/support sites.
In order to provide the global community with anti-virus coverage
in a timely manner, ESaSS B.V. has established an Agents program to
provide service, sales and support for our products around the
world. You will find all information if you run the REGISTER.EXE
program.
4. TBAV commercial package.
TBAV is also available as commercial package. You will find a list
of dealers/distributors in the Agents.Doc file.
Page 23
