Night Owl 6

home *** CD-ROM | disk | FTP | other *** search

/ Night Owl 6 / Night Owl's Shareware - PDSI-006 - Night Owl Corp (1990).iso / 030a / tbscan20.zip / TBSCAN.DOC < prev next >

Wrap

Text File | 1991-01-27 | 36KB | 791 lines

Documentation for TbScan V2.0 Regulations with regard to use and distribution of TbScan --------------------------------------------------------- Both TbScan and the accompanying documentation are FREE-WARE. This simply means the program is covered by the copyrights of ESaSS, but can be used and distributed freely as long as the following regulations are observed. + The program can be used by everyone, this also includes commercial organisations, such as companies. + For neither the TbScan program nor the accompanying docu- menations any charges may be made. + Concerning the distribution of the TbScan program no administration and/or shipping costs exceeding the amount of $5,- may be charged. + Distribution of TbScan may only take place when both the program and the documentation are left unmodified and only when the complete program is supplied. + So it is not allowed to distribute the program apart from the documentation. + ESaSS accepts no responsibility in case the program malfunctions or does not function at all. + ESaSS can never be held responsible for damage, directly or indirectly resulting from the use of TbScan. + Using TbScan means that you agree on these regulations. Description TbScan ------------------ TbScan is a program that was developed to trace viruses, Trojan Horses and other threats to your valuable data. It is a so-called virus scanner. A virus scanner is a program that is able to search a signature that has been determined beforehand. Most viruses consist of a unique signature, so by means of checking for the appearance of this signature we can see whether or not a program has been infected. By searching all your program files for the signatures of all viruses already identified you can easily find whether your system has been infected and, if that is the case, with which virus. By now already lots of virus scanners have been developed. However TbScan has a number of important and unique characteristics. These are: + TbScan works extremely fast. Most virus scanners do not work very quickly. This is nevertheless very important because you are surely one of those people who do not like to stare at their display for a quarter of an hour. When a program works slowly it is used less often, that is a fact. And even the best virus scanner is worthless when it is not used. That is why special attention has been paid to the speed of the program. The result is that on average TbScan works ten times faster compared to other virus scanners. This speed can be achieved due to four measures: 1) The program has completely been written in machine language. 2) The program uses the obsolete but faster FCB functions of DOS. 3) The string search routine is highly optimised, and makes use of special algorithms. 4) The program does not read the whole file, but only the part in which viruses could appear. This is safe because of the built-in interpreter that determines the internal structure of a program. At the end of this file you can read more about this interpreter. + TbScan can work separately from viruses that are already active in the memory. This is possible through a built- in debugger! A lot of viruses are memory resident, which means they lodge themselves in the memory of your computer. From there they can easily influence all active programs you use. There are already viruses that "desinfect" a program file, as soon an attempt is made to read it. When such a virus is active, a virus scanner, reading a program file in order to check it, finds that the file is not infected (which is true at that moment). But after the program file has been read the file is immediately infected again. So the virus scanner reports that no virus has been found, but in reality it is actually there. TbScan offers a unique solution for this problem: it contains an automatic debugger that works its way through the chain of interrupts "single stepping" until it reaches the DOS program code. It saves the address which is then found and uses it for the communication with DOS. In this way viruses will not see anything of the operations of TbScan. + TbScan is fully programmable by means of a data file. Most of the time viruses spread quickly. After a new virus has been found there is often no time to adapt your virus checker in order to make it capable of recognizing this new virus. That is why TbScan uses a data file in which the signatures of the viruses occur. This file can quickly be adapted, possibly by yourself, for example when you are informed of a new virus through the media. TbScan supports among other things the format which is used in the file "virscan.dat". This file is regularly adapted and can be obtained at a lot of data banks. + TbScan supports wildcards in the signature. A lot of viruses encrypt themselves after each infection, so the signatures always look different. There is one part of the virus however that cannot be modified: the routine that has to "unpack" the modified part of the virus. But it is a misunderstanding that this part of the virus always should look the same. The fact is there are viruses that pepper their unpack-routine with useless instructions which have no effect and which are continuously replaced by other nonsensical instructions. Although the unpack-routine always functions the same, it looks different every time because of these changing fake instructions! By inserting wildcards on places where the fake instructions occur in the signatures of the data file, such a virus can still be traced and identified. This is the case because any character may be used on the place of a wildcard. It is also possible to skip a variable amount of garbage bytes in the signature. + TbScan supports normal text as the signature. Most signatures are inserted in ASCII-HEX. But when desired you can also specify a normal text as the signature. In this case you put the text between double quotation marks. + TbScan can also search the memory of your PC for viruses. When in the future viruses should be created that for some reason cannot be found in the program file anymore, TbScan offers you the possibility of tracing them in the memory of your PC itself. So in any case you will know whether or not your PC has been infected by a certain virus. + TbScan also searchs for viruses in the partition table of the hard disk. Some viruses use the partitiontable as their residence. Not all virus scanners inspect the partition table. USAGE OF THE PROGRAM -------------------- TbScan is easy to use. The syntaxis is as follows: TBSCAN [<path>][<filename>]... [<options>]... Drive and path show from where should be searched. To search the disk C:\ and disk D:\ you have to enter: TBSCAN C:\ D:\ When no filename has been specified but only a drive and/or path, then the specified path will be used as top-level path. All its subdirectories will be processed too. When a filename has been specified then only the specified path will be searched. Subdirectories will not be processed. Wildcards in the filename are allowed. It is allowed to specify "*.*". All executable files will be processed. If you want the non-executables to be processed too, then you have to specify the "-a" parameter in combination with the filename. "TBSCAN TEST.DAT" will always cause that no file will be processed: test.dat is not an executable file. In this case you have to specify the -a parameter. It is possible to specify so-called options on the command line. The following options are available: -h = help, display this helptext. -f <filename> = use specified signature file -q = quiet mode, don't print filenames. -v = verbose, display entry addresses. -m = enable "More" prompt. -d = use direct calls into DOS and BIOS. -a = force analyze on all files. -s = skip bootsector and partition table. -r = skip resident virus scan. +r = search all viruses in memory. -l [<filename>] = create logfile. +l [<filename>] = append logfile. -n = do not search in subdirectories. +n = always search in subdirectories. -u = unauthorized signatures allowed. -F You can override the default path en name of the signature file by using this option. -Q By default TbScan shows the name of every file it checks, together with the used scanning method and the result of the inspection. When this option has been specified you will only see a counter at work when TbScan is operating. Of course, infected files will be printed on the screen anyway. -V If you use this switch, TbScan will display the position from the beginning of a file where the first stable code has been found. This is the position of the part of the file that will be scanned. -M When you enter the parameter -M TbScan will stop after it has checked the contents of one display. This gives you the possibility to look at the results. (Of course the program takes the number of lines of the display you use into account.) -A Normally TbScan only uses the analysis method when the program to be checked is too complicated for the builtin interpreter. But through option -A you can force TbScan to use the analysis method allways. Keep in mind though that the program will work more slowly then. When no filename has been specified only executable files will be analyzed. If a filename has been specified, then ALL matching files will be searched for viruses. In that case TbScan will also search for EVERY virus in the list: the file type will be ignored. -D TbScan communicates with DOS through interrupt 21h. To prevent this from being "monitored" by viruses, option -D can be entered. TbScan will use its built-in debugger to work its way through the chain of interrupts until it has reached the DOS entry point. This address is shown on the display and after that moment it will be used for the communication with DOS. The same applies to the communications with the disk system: TbScan first searches for the entry point of the BIOS, and performs direct calls into it. Resident programs, such as viruses, are then excluded from taking part in the virus scan process. This implies however that the regular resident programs remain ignorant too with regard to the file access by TbScan. That is why you must not enter this option when you use a multitasker or when you are connected to a local area network. Also note that many protection software will be fooled by TbScan when using the -D option. Don't be surprised when it scans files you don't actually have any access to... When you do use this option do not popup resident programs while TbScan is active! This is because resident programs do not know that someone performs file access. The use of disk cachers is no barrier to the use of option -D. When you have installed the ThunderByte card in your PC, TbScan will not search for the DOS entry point, but for the entry point of ThunderByte. Otherwise ThunderByte should warn you (correctly) that a program performs direct calls into DOS and the BIOS. So only ThunderByte remains between TbScan and DOS/BIOS. Since no viruses can be inserted between ThunderByte and DOS/BIOS, this is completely save. -S With this option there will be no search for viruses in the bootsector of your hard disk. -R Through this option TbScan will not search for viruses in the memory of your PC. +R If you specify this option TbScan will search for all viruses of the signature file in the memory of your PC. -L When you use this parameter, TbScan creates a LOG-file. The default filename is TBSCAN.LOG and will be created in the current directory. You may optionally specify a path and filename. In the LOG-file all infected program files are listed. The filenames are mentioned including the complete path name. +L This option is the same as the -L option, except that if there already exists a log file the log information will be appended instead of overwritten. -N TbScan will default search in subdirectories for executable files, except when a filename (or wildcards) are specified. If you use this option TbScan will never search in subdirectories. +N If you use this option TbScan will always search in subdirectories, even when you specify a filename or wildcards. Only subdirectories matching the filename mask will be scanned too. -U TbScan checks the signature file for modifications. If you change the contents of that file TbScan will issue a warning. If you don't want the warning to be displayed, use the -U option. EXAMPLES: TBSCAN \ -s Process all executable files in the root directory and its sub directories. Skip the bootsector scan. TBSCAN \*.* Process all executable files in the root directory. Don't process sub directories. TBSCAN test.dat -l c:\test.log No file will be processed. TEST.DAT is not an executable. A LOG file with the name c:\test.log will be created. TBSCAN test.dat test.tmp -a Search test.dat and test.tmp for ALL viruses using the analyze method. TBSCAN C:\ -a Process all executable files in the root directory and its sub directories. Use the analyze method. TBSCAN C:\*.* -a Process ALL files in the root directory. Search for ALL viruses in ALL files. The analyze-method will be used. Sub directories will not be processed. The last two examples shows the difference in behaviour of the /A parameter when a filename and when no filename has been specified. If you want to use certain options always it can be handy to use the environment variable "TBSCAN" for this. If you always use the option -s you can insert the following line into your autoexec.bat: SET TBSCAN=-S TbScan now always acts like you specified the -s option on the command line! TbScan looks for the data file in the way mentioned hereunder: 1) If the -F option is used it will use the specified file. 2) It searches in the active directory for a file with the name TBSCAN.DAT. 3) It searches for TBSCAN.DAT in the same directory as the program file TBSCAN.COM itself is located (only DOS 3+). 4) It searches in the active directory for a file with the name VIRSCAN.DAT. As long as TbScan has not found any infected programs you will only see a list containing inspected files or, when you use option -Q, a counter at work. As soon as an infected program has been found, the name of the infected program and the name of the virus are printed (regardless of the use of option -Q). You will see one of the next three terms behind every file name: "Scanning", "Tracing", "Analyzing". This indicates the way in which the file is checked. Behind these terms you will see that, dependent on size, structure and kind of file, a number of plus signs appear. These indicate how often a complete part of the file, bootsector or memory has been searched for viruses. The process can be aborted by pressing Ctr-C or Escape. FORMAT OF THE DATA FILE ----------------------- The data file (called TBSCAN.DAT or VIRSCAN.DAT) can be read and/or modified with every ASCII editor. All lines beginning with ";" are comment lines. TbScan ignores these lines completely. When the ";" character is followed by a percent-sign the remaining part of the line will be displayed on the screen. A maximum of 15 lines can be printed on the screen. Nice for "HOT NEWS"... In the first line the name of a virus is expected. The second line contains one or more of the next words: BOOT SYS EXE COM HIGH LOW These words may be separated by spaces, tabs or commas. BOOT means that the virus is a bootsector virus. SYS, EXE and COM indicate the virus can occur in files with these extensions. Also overlay files (with the extension OV?) will be searched for EXE viruses. HIGH shows that the virus can occur in the memory of your PC located above the TbScan program itself. LOW means that the virus can occur in the memory of your PC located under the TbScan program itself. In the third line the signature is expected in ASCII-HEX. Every virus character is described by means of two characters. Instead of two HEX characters, two question marks (the wild- card) may also occur. The latter means that every byte on that position matches the signature. Below you will find an example of a signature: A5E623CB??CD21??83FF3E You can also use the asterisk followed by an ASCII-HEX character to skip a variable amount of bytes in the signature. The ASCII-HEX character specifies the amount of bytes that should be skipped. The signature could be: A5E623CB*3CD2155??83FF3E The next sequence of bytes will be recognised as a virus: A5E623CB142434CD21554583FF3E Instead of a signature in ASCII-HEX you can also specify a normal text. This should be put between double quotation marks. A correct signature is for example: "I have got you!" This series of three lines should be repeated for every virus. Between all lines comment lines may occur. LIMITATIONS ----------- + 128 Kb of free memory is sufficient. + DOS version 2.0 or later is obligatory. + The size of the data file has a maximum of 64 Kb. + The name of a virus may consist of maximally 30 charac- ters. + The ASCII-HEX signature can consist of maximally 80 characters. + Up to 500 different signatures may be given. + Directories may be nested up to 15 levels. ERRORMESSAGES ------------- Errormessages that can be displayed: + Not enough memory There is not enough free memory. + Error in data line at line <number>. There is an error in the mentioned line of the data file. + Failed to find DOS entry point. TbScan has not been able to find the DOS entry point, but continues as if option /D has not been specified. + Error reading bootsector. The bootsector could not be read and is therefore not checked. + Limit exceeded. The data file was too long or too many virus signatures occur in it. + Data file not found. TbScan has not been able to find the data file. + Command line error. A wrong parameter has been given to TbScan. + No matching files found. The path specified does not exist, is empty, or the specified file does not exist. + No matching executable files found. The path specified does not exist, is empty, or the specified file does not exist or is not an executable file. TbScan terminates with one of the following exit codes: Error level 2 when path or command line is not correct. Error level 1 when infected files were found. Error level 0 when everything was okay. THE INTERPRETER --------------- You can safely skip this part of the documentation. It just offers information to programmers who want to know why and how the file interpreter of TbScan is working. Viruses can infect program files only in certain ways. For a virus there is only one single point in a program file of which it is certain that it must be executed, namely the star- ting point of the program. It cannot be sure of any other point and that is why it will not try to put its first code on an arbitrary spot of the program that it is planning to in- fect. The virus will always have to put AT LEAST one jump at the entry point of the program. TbScan uses this knowledge to restrict the number of bytes that have to be read in of a file as much as possible. Just as the loader of DOS itself, it determines where the entry point of the program is located. (At the beginning of a COM-file and on an address, specified in the EXE-header of an EXE-file.) This is however not enough; there can also be a jump or another branch instruction on the found starting point of the program. TbScan will follow this jump until it does not come across a jump anymore. Then we have found the real starting point of the program or, in case it has been infected, the virus. There is a possibility however that on a certain moment TbScan has reached the end of a chain of jumps and then finds that there are new significant IP modifying instructions (calls, rets, irets, jumps) not far from the found starting point. Does this future jump point to the virus code or are we alrea- dy on the right spot? TbScan does not take any chances and in such a case it will read in the whole file to search for viru- ses. Only when it is 100% sure to have found the real starting point of a file, where in addition at least 20 bytes of continuous code are situated (the code is "stable" then), TbScan will be satisfied with checking only the first 3 Kb of the found code. (Almost all viruses use less than 3 Kb and of viruses using more than 3 Kb the signature in the first 3 Kb of the virus is used as the signature.) A nice advantage of this interpreter is that the number of times a false alarm is given decreases. Because of this signa- tures can be shorter than usual which is desirable because the unmodified parts of the viruses become shorter every time. Behind the name of every program the used method appears. These are: 1) Scanning. This means TbScan has been able to find the entry point of the program with succes and that the code it has found there was stable. 2) Tracing. This means TbScan has followed a chain of at least 1 jump from the entry point. The final code was stable. This method will be used especially for TSR's because most of the time they start with a jump instruc- tion. 3) Analyzing. Because there was no stable code on the found position TbScan was not completely sure of where the starting point of the program was. For safety the whole file is read in and inspected. Files with extension SYS are always searched according to this method. Obviously, if you want to, you can force TbScan by means of option -A to use always the analyzing method. Note: Most viruses will be found in a file that has been searched according to the analysis method. However this does not mean this method is more reliable than the other ones, but it is a result of the fact that a virus in a program relocates itself first most of the time (adapt CS/IP relation). This is always accompanied by a CS and IP modifying instruction because of which TbScan automatically (and correctly) concludes the code is not stable enough. That is why an infected program is often checked using the analysis method. THUNDERBYTE ----------- Virus scanners have a number of very serious disadvantages! + They cannot prevent infection. Virus scanners can only tell you whether or not your system has been infected and if so, whether any damage has already been done. By then only a good (non-infected) backup can still save you. + They can only recognize viruses that have already been identified. When a new virus has been launched it will take a while before someone discovers it. After that it will take some time before a reliable signature is dis- tilled from the virus and it will also take a while for you to get hold of the newest virscan.dat. All this means that there is a real chance that your system is infected at a moment virus scanners have not yet recognized "your" virus! + You will have to do an active operation in order to protect your system: namely executing the virus scanner. Even with TbScan this takes time and so it is unpleasant. Certainly when a PC is used by more than one person, like for instance in companies, things go wrong quite often. Viruses get more and more advanced. Among other things because of all the attention the media is paying to the phenomenon computer virus. It has even become a real sport for sick minds to write computer viruses. Even viruses that have no stable signature anymore have already been discovered. Because TbScan allows wildcards in the data file it can still trace this kind of viruses quite often. But it will not take much time anymore before viruses will be created that have no special charac- teristics at all by which they can be identified. And then even TbScan cannot help you anymore. Even viruses that look for the DOS entry point in the same way as TbScan does, avoiding detection by protection programs in an effective way, already exist. To provide programs with a checksum is neither a solution: as soon as a file is read in, viruses can disinfect it, so every infected program looks like one that is not. There is however ONE solution for the abovementioned problems: *** ThunderByte! *** ThunderByte was developed to protect Personal Computers against computer viruses, Trojan Horses and other threats to valuable data. It is a hardware protection, consisting of an adapter card, an installation and configuration program and a clear manual. The working of ThunderByte is not based on knowledge of specific viruses, so ThunderByte also protects against future viruses. A hardware protection offers much more protection than a software protection. ThunderByte is already active before the operating system is loaded, so the computer will be totally protected right after the starting of the PC. Because of the many configuration possibilities and the intelligent algorisms, the use of ThunderByte will never become a burden: you will hardly notice the presence of ThunderByte in an environment without any viruses. Advantages of a hardware protection: + The protection uses very little (1Kb) RAM + The protection is already active before the first boot attempt of the PC, and therefore protects also against bootsector viruses. A software protection can not protect you against bootsector viruses, since it has not been executed at boot time. + De hard disks can not be accessed directly anymore, because ThunderByte is connected to the hard disk cable. + It is impossible to forget to start ThunderByte, even if the machine is booting with a diskette. ThunderByte offers you many kinds of protection: + Protection against loss of data. ThunderByte is connected between the cable of the hard disk and the controller. It prevents the hard disk from being accessed directly. The only way to access the drive from now on is by initiating an int 13h. In addition ThunderByte detects all direct disk writes which try to achieve a modification or damage of the data and it checks which program orders the execution of such operations. Only the operating system can preform these operations unmentioned. Standard DOS already has the possibility of protecting files against overwriting and modification by means of the read only attribute. However this protection can be very easily eliminated by software. But ThunderByte pre- vents this protection from being ruled out without this being noticed, so now it is nevertheless possible to protect your files effectively with a standard method. + Protection against infection. ThunderByte protects programs (files with the extension EXE, COM or SYS) against infection by judging all modifi- cations on their intention. The functionality is not influenced by this. Compiling, linking, etc., are not disturbed and neither are programs that save their confi- guration internally. Furthermore software can be protec- ted with the help of the aforementioned read only attribute. Attempts to modify the bootsector of the disk are detected, so the dreaded bootsector viruses are also eliminated. Keep in mind that the bootsector can hardly be protected by software. Only ThunderByte already beco- mes active before the system tries to boot! + Detection of viruses. In addition to the abovementioned ways of detecting the presence of viruses, ThunderByte can also do so because viruses carry out a number of special operations. For example, the marking of already infected programs in order to recognize them, is detected by ThunderByte. So are the attempts of viruses to reside in the memory in a suspicious way and the abnormal manipulations with interrupt vectors. + Password protection. ThunderByte has the possibility of installing a password. There are two kinds of passwords: one that is always asked for or one that you only have to enter when attempts are made to start from a diskette instead of the hard disk. + Safety. A lot of attention has been paid to the safety of ThunderByte The program code of ThunderByte is located in ROM and there is no way it can be modified. There is not one method of eliminating ThunderByte through software. All the important settings are realized with the help of dipswitches on the adapter card. And despite all their wasted intelligence, viruses will never be able to turn switches or to influence their read outs. Viruses that approach the controller of the hard disk directly will have a rude awakening: ThunderByte will only pass disk writes when the write or format command has followed the normal (checked) course. There are a lot of different versions of ThunderByte (functioning identically however) that are supplied on the basis of capriciousness. That is why knowledge of the internal working of only one ThunderByte system is not sufficient to damage or destroy its protective working. ThunderByte is constantly checking upon its own variables with a kind of control number that is different for each version. The positions of the memory where the variables are kept are also different for each version. + Extra possibilities. ThunderByte offers you some interesting bonuses, like booting from drive B:, formatting of 5,25" diskettes up to 428 Kb on a normal XT. CONCLUSION ---------- Are you surprised about the relative great effect and inventiveness of such a small (3 Kb) virusscan program? Get ThunderByte and keep on amazing yourself! If you appreciate TbScan or if it has already been of help in a difficult situation: Do not send us any money, but get yourself ThunderByte! NAMES AND ADDRESSES ------------------- For more information about Thunderbyte you can contact: ESaSS B.V. Tel: 31 - 80 - 238 689 P.o. box 1380 Fax: 31 - 80 - 228 192 6501 BJ Nijmegen Data: 31 - 85 - 212 395 The Netherlands (2:280/200 @fidonet) TbScan is written by Frans Veldman. TbScan and the signature files are available on ESaSS / Thunderbyte support BBS, Tel: 31-85-212395 (300/1200/2400 bps). If you are running a electronic mail system, you can also file-request TBSCAN to get the latest version of TBSCAN.COM, TBSCANX to get the resident automatic version of TBSCANX, and VIRUSSIG to obtain a copy of the latest update of the signature file.