Shareware Overload

home *** CD-ROM | disk | FTP | other *** search

/ Shareware Overload / ShartewareOverload.cdr / virus / cleanp67.zip / CLEAN67.DOC < prev next >

Wrap

Text File | 1990-10-05 | 15KB | 317 lines

CLEAN-UP VIRUS REMOVER Version 5.1 V67 Copyright 1989, 1990 McAfee Associates 4423 Cheeney Street Santa Clara, CA 95054 408 988 3832 (voice) 408 988 4004 (BBS) Executable Program (CLEAN.EXE): CLEAN contains a self test at load time. If CLEAN has been modified in any way, a warning will be displayed. The program will still continue to repair and clean infected programs, however. In addition, versions 55 and above are packaged with a VALIDATE program that will authenticate the integrity of CLEAN.EXE. Refer to the VALIDATE.DOC instructions for the use of the validation program. The validation results for V67 should be: SIZE: 92,065 DATE: 10-05-1990 FILE AUTHENTICATION: Check Method 1 - 7F1A Check Method 2 - 0D91 You may also call the McAfee Associates bulletin board at 408 988 4004 to obtain on-line SCAN.EXE verification data. The VALIDATE program distributed with CLEAN may be used to authenticate all future versions of CLEAN. Notes on Version 67: Version 67 is able to remove and repair four new viruses: Whale, Invader, Slow, and EDV. OVERVIEW: CLEAN-UP kills and removes computer viruses, and in most instances it repairs infected files, re-constructs damaged programs and returns the system to normal operation. CLEAN-UP works for all viruses identified by the current version of McAfee Associates' SCAN. CLEAN-UP searches the entire system looking for the virus that you wish to remove. When found, the infected file is identified, the virus is isolated and removed, and for the more common viruses, the infected file is repaired. If the file is infected with a less common virus that cannot be separated from the file, the infected file is wiped from the disk and deleted from the system. A warning message is displayed by CLEAN-UP before erasing any files, and you have the option of overriding the erase function. The common viruses that CLEAN-UP is able to remove successfully and repair and restore the damaged programs are: Jerusalem B Alabama Jerusalem A Ping Pong Jerusalem E Stoned Dark Avenger Pakistani Brain Suriv03 Payday Alameda 1701 1704 Disk Killer Ping Pong-B Ashar Sunday 1260 4096 Yankee Doodle Vacsina V800 Joshi Fish Vienna Zerobug Whale Invader Slow EDV These viruses account for the overwhelming majority of infection occurrences. All other known viruses will be identified and isolated by CLEAN-UP and the infected files' area of disk will be wiped clean and the files will be removed from the system. ****** I M P O R T A N T ****** * Note: EXE viruses cannot be successfully removed from all infected .EXE files in 100% of the cases. A few EXE programs will be damaged beyond repair by the infection and they will have to be deleted. In all cases, however, the virus in the file will be killed and rendered harmless by CLEAN-UP. Additionally, removing the Stoned virus can cause loss of the partition table in systems with non-standard disk controllers or systems that use special purpose device drivers for disk access. If you are removing the Stoned virus, as a precaution back-up all critical data before running Clean-up. Loss of the partition table will cause -- LOSS OF ALL DATA ON THE DISK. ******* FOLLOW THE REMOVAL INSTRUCTIONS CLOSELY ******* * POWER DOWN AND RE-BOOT FROM A CLEAN DISKETTE BEFORE BEGINNING * RUNNING CLEAN-UP: Before running CLEAN-UP, verify the suspected virus infection by running VIRUSCAN (SCAN.EXE) Version 55 or greater. SCAN will identify the virus strain and sub-strain and will display the I.D. to be used as input to the CLEAN-UP program. CLEAN-UP uses this I.D. to determine which virus to seek out and remove. The I.D. for each virus is displayed inside a set of brackets - [ ]. For example, the I.D. for the Disk Killer virus will be displayed by SCAN as [Killer]. This identical identifier must be used in the command line of CLEAN-UP in order to remove the Disk Killer virus. *** Important: Before you begin the disinfection process, you MUST power down the infected computer and then re-boot the computer from a clean, write-protected system diskette. This step is very important. It will remove the virus from control in memory and prevent the virus from continuing to infect during the clean-up process. After Re-booting from the clean diskette, run SCAN on the diskette to verify that it is indeed not infected. To run CLEAN-UP type: CLEAN d1: d2: ... dn: [virusname] /a /many where: dn: - Drive designators for drives to be cleaned. (up to 10 drives may be cleaned with one command) [virusname] - The virus I.D. (brackets must be included) /a - Option to check all files /many - Option to allow cleaning multiple floppies Examples: CLEAN C: D: [Jeru] will clean Jerusalem from C and D drives CLEAN C:\TEMP [Dav] /a Will clean Dark avenger from C:\TEMP and will search all file extensions for the virus CLEAN-UP will display the name of each infected file as it is found. When the virus has been removed from each file, a "successful" message will be displayed. NOTE: If a file has been infected multiple times by a virus, clean will display the name of the file and the "successful" message for each infection occurrence. Thus, multiple lines will be displayed for each file infected more than once. After running CLEAN-UP, run SCAN again, this time with the /a option, to ensure that all remnants of the virus have been removed. After cleaning the fixed disk drives, SCAN all floppies and if any infections are found, remove them with CLEAN-UP. The clean-up I.D.'s for each of the known viruses are listed in brackets below: Oropax [Oro] Pakistani Brain [Brain] 4096 [4096] Chaos [Chaos] AIDS Trojan [AIDS] Virus-90 [90] Amstrad [Amst] Devil's Dance [Dance] Holland Girl [Holland] Datacrime II-B [Crime-2B] Do-Nothing virus [Nothing] Sunday virus [Sunday] Lisbon virus [Lisb] Typo COM virus [Typo] DBASE virus [Dbase] Ghost / Ghostball Boot Ghost COM Version [Ghost-C] New Jerusalem [Jeru] Alabama [Alabama] Yankee Doodle [Doodle] 2930 [2930] Ashar [Brain] AIDS / Taunt [Taunt] Disk Killer / Ogre [Killer] 1536 / Zero Bug [Zero] MIX1 [Mix1] Dark Avenger [Dav] 3551 / Syslock [Syslock] Vacsina [Vacs] Ohio Typo Swap / Israeli Boot Datacrime II [Crime-2] Icelandic-II / System [Ice-2] Pentagon 3066 / Traceback [3066] Datacrime-B [Crime-B] Icelandic [Ice] Saratoga [Toga] 405 [405] 1704 Format [170X] Fu Manchu / 2086 [Fu] 1280 / Datacrime [Crime] 1701 / Cascade [170X] 1704 / Cascade-B [170X] Stoned / Marijuana [Stoned] 1704 / Cascade [170X] Ping Pong-B / Cascade Boot [Ping] Den Zuk Ping Pong / Bouncing Dot [Ping] Vienna-B [Vienna-B] Lehigh [Lehigh] Vienna / DOS-62 [Vienna] Jerusalem-B [Jeru] Yale / Alameda [Alameda] Friday 13th COM virus [13] Jerusalem-A / 1813 [Jeru] Suriv03 / Jerusalem-E [Jeru] Suriv02 [jeru-D] Suriv01 [April] Taiwan [Taiwan] Halloechen [Hal] Perfume [Fume] Joker [Joke] Icelandic-3 [Ice-3] 1260 [1260] Virus-101 [101] V2000 [2000] Saturday 14th [Sat14] 1720 [1720] 1210 [1210] Christmas Tree [XA1] 1392 [1392] Korea [Korea] 2000-B [Solano] Kennedy [Kennedy] Yankee-2 [Doodle2] Eight Tunes [1971] June 16th [June16] V800 [800] Murphy [Murphy] Shake [Shake] Fish-6 [Fish] Liberty [Liberty] Frere Jacques [frere] Slow [Slow] W-13 [W13] JoJo [JoJo] Victor [Victor] 5120 [5120] June 13 [J13] Form [Form] Print Screen [Prtscr] Microbes [Micro] Joshi [Joshi] Vp [VP] RedX [RedX] 1024 [1024] Sorry [Sorry] 1381 [1381] Aramagedon [Arma] Taiwan-3 [T-3] VHP [VHP] Stoned-II [S-2] 1008 [1008] Flash [Flash] Fellowship [Fellow] Flip [Flip] Doom2 [Dm2] Wolfman [Wolf] Plastique [Plq] V2100 [2100] 1226 [1226] Ontario [Ont] P1 [P1] 400 [400] AirCop [AirCop] 1253 [1253] Mardi Bros. [Mardi] TCC [TCC] 651 [651] Anthrax [Atx] Casper [Casper] Burger [Burger] Leprosy-B [Lepb] Christmas-J [C-J] Wisconsin [Wisc] Sott's Valley [2133] Black Monday [BMON] 1605 [1605] Whale [Whale] Nomenclature [Nom] REGISTRATION: CLEAN-UP is a required registration shareware product. It may be use in a home environment for a registration fee of $35. Please use the enclosed REGISTER.DOC file for registration information. For corporate, organizational or agency use, however, a corporate site license is required. For site license information please contact: McAfee Associates 4423 Cheeney Street Santa Clara, CA 95054 408 988 3832 (voice) 408 988 4004 (BBS) 408 970 9727 (Fax) Version Notes Version 66: Version 66 is able to remove and repair four new viruses: Joshi, Vienna, Fish6, and Zerobug. All of these viruses have been reported at multiple sites. In addition, 27 new viruses have been included in the Clean-Up detection and eradication processing. An outline of the new viruses in included in the enclosed file - VIRLIST.TXT. For a complete description of the viruses, please refer to Patricia Hoffman's VSUM document. Version 64: Version 64 of CLEAN repairs a number of small bugs in version 63, including the inability to catch the Fish-6 virus in memory and an infrequent false alarm with the Korea virus when running AppleTalk. A re-structuring of CLEAN's scanning technique was also required due to the appearance of another fully encrypted virus (V2P2). This virus has no string that is common for all iterations of the virus, so that a virus-specific search technique was required. In addition, 14 new viruses have surfaced from various parts of the world. Of the 14 viruses, two appear to be fairly virulent. The Joshi virus, from India, is a boot sector and partition table infector which activates on the 5th of January. When activated, it locks up the machine and displays the message "Type Happy Birthday Joshi". The system stays locked until the user types the happy birthday message. In addition the virus causes problems in writing to or reading from 1.2Mb diskettes. The second virus is from Taiwan and has been named the Taiwan-3 virus. It infects EXE and COM files, including COMMAND.COM. It is memory resident and randomly appears to garble the File Allocation Table of the hard drive. Both viruses have been reported at multiple sites. The twelve additional viruses are outlined in the enclosed VIRLIST.TXT file. For a detailed description of each, please refer to Patricia Hoffman's VSUM document. The V800 virus has been added to the list of viruses that can be removed without deleting the infected programs. Version 63: Version 63 has been one of the most painful versions we have put together. There have been 17 new viruses and virus sub-strains discovered in the 35 days since the release of version 62. We have also added a major feature to allow SCAN and CLEAN-UP to check inside of programs compressed with LZEXE; we've added Yankee Doodle and Vacsina to the list of recoverable viruses in CleanUp; we've undertaken an accounting of the numerous sub-strains of each virus; we've repaired over a dozen loopholes that allowed certain sub-strains to slip through; and we've added a new program to the product line called VCOPY that replaces the DOS copy command and does automatic scanning during a copy function. In addition, we've been struggling with the issue of how to count viruses in a meaningful way that does not place us in a seemingly disadvantageous competitive position. For example: Numerous anti-virus programs advertise the number of viruses that they are able to detect, and these numbers range from less than 50 to over 100. On analysis, these numbers included all of the known sub-strains of the viruses, and their virus count by our classification was always substantially less. We group viruses by major type, where possible, to make it easier to manage, both from an identification and removal basis. But on a sheer numbers comparison, SCAN appears in a weaker light. After careful thought, we decided to stick with our classification scheme, but in the VIRLIST.TXT we will list the known variants detected in parentheses. By the competition's counting scheme, we now identify 167 viruses. By our count, we identify 97. The 17 new viruses and new sub-strains added for version 63 have come from a variety of sources. Vesselin Bontchev from Bulgaria submitted three new variants of the 512, one new variant of the W-13 virus and two entirely new viruses that have surfaced in Eastern Europe. Dave Chess from IBM provided me with three new viruses collected through the various IBM contacts. Patricia Hoffamn provided one new virus and two new variants submitted from users of the FidoNet network. The Icelandic virus researcher Fridrik Skulason provided one new virus. The remaining four were submitted directly by Homebase users. The VIRLIST.TXT document describes the main operating characteristics of the new viruses. To avoid duplication of effort, I am referring users to Patricia Hoffman's most current VSUM document for a detailed description of the new viruses.