Text File | 1988-03-03 | 18KB | 381 lines
*****************************************************************
**                        DELOUSE V1.0                         **
**                           3/2/88                            **
**                        Documentation                        **
**                                                             **
**    "When everyone really is out to get you                  **
**     then paranoid is just proper thinking."                 **
**                                                             **
**   A program to assist in the detection of disk damage by    **
**   Trojan or Virus programs. Designed by and for those of    **
**   us who are especially paranoid.                           **
*****************************************************************
Program:         DELOUSE
Version level:   1.0
Type:            Automated file comparison utility
Language:        Turbo Pascal v4.0 and above.
Dependencies:    MsDos/PCDos 2.0 and above.
Author:          Phillip M. Nickell
                 Longmont, Colorado.
Date:            March 2, 1988
Ownership:       Public domain release. Author retains no rights.

Beta-Test Sites:
    Many thanks to the folks who tested and commented
    on the efficacy of this program.

    Metamorphosis PCBoard BBS - Longmont Colorado.
        Tony Ferris - Sysop. (303) 772-7229
    Twin Peaks PCBoard BBS - Longmont Colorado.
        Ken Krueger - Sysop (303) 651-0225

    All comments and suggestions are welcome. Bug
    reports are tolerated. Leave a message for Phil
    Nickell.
NOTE:
DELOUSE is distributed with the source code. If the copy you
receive is without source code then perhaps you should be
suspicious of what the .exe file contains. The .exe file
should be 11776 bytes in length for release v0.9 (beta)
and xxxxx for release 1.0.
PURPOSE:
This program is written in response to the threat posed by trojan
and virus programs and the damage that they can cause to a
person's hard disk. This program will NOT prevent damage nor
does it attempt to detect the actual presence of trojan
programs. This program will ASSIST the user in determining
that damage MAY HAVE OCCURRED and will thus allow the user
to take what steps may be necessary to eradicate the bug.
Just because some damage occurred doesn't mean that a trojan
got you. There are many 'normal' ways for files to get
damaged. Errors occur, programs crash, disk drives drop a
bit or two, power lines spike and cosmic rays can toggle a
bit in memory to lock things up. Some programs even write
configuration changes into their own .com or .exe files
(Dumb - but that's another story) which could make you think
that something untoward occurred. There are, however, some
real trojan and virus programs out there just waiting for
the unwary.
Most trojan and virus programs do their dark deeds by
modifying existing system files that exist on most MSDos and
PCDos machines. DELOUSE allows you to build a list of
critical system files that are normally subject to attack
and check them periodically for changes. If any changes
have occurred, and if you have not made any changes in those
files yourself, then PERHAPS something else made those
changes for you without your knowledge. You can then
investigate and attempt to find out why the changes
occurred. There is no free lunch or magic potion here. This
program is a tool to be used by the concerned and
knowledgeable computer user. It will not help you if you
don't use it, and like any tool it will not work properly if
it is not used properly. If you are not familiar with files,
directories and drive designators then you should probably
get some assistance from an experienced computer user, as
this program will cause more worry for you than solace.
FILES IN THE ARCHIVE:
    DELOUSE.EXE   The program.
    DELOUSE.DOC   This documentation.
    DELOUSE.DAT   A list of files that you wish to test for errors.
                  This file is just an example of what you might
                  want to set up. You should make your own copy
                  with a text editor. Don't use a word processor.
    DELOUSE.CHK   A file that is built and maintained by DELOUSE.
                  It contains information about the various files
                  and the checksum method used. You should know of
                  this file but you should not modify it unless
                  you are confident of what you are doing.
    DELOUSE.OLD   Not distributed. A backup copy of delouse.chk
                  that is created by the delouse MAKE operation by
                  renaming the existing copy of delouse.chk to
                  delouse.old and creating a new delouse.chk file.
    DELOUSE.PAS   The Turbo Pascal source code file. In this day
                  of trojan programs, it is really nice to have
                  the source code so that you can be sure of the
                  program and how it works. You must have Turbo
                  Pascal v4.0 to properly compile this code.
OPERATING DELOUSE:
    Syntax:    DELOUSE { Make | Check } [ METHOD=n ]

    Examples:  DELOUSE MAKE
               DELOUSE CHECK
               DELOUSE MAKE METHOD=2
               DELOUSE CHECK >PRN
You must specify either MAKE or CHECK on the
command line. The make option causes DELOUSE to
build a new DELOUSE.CHK file which is used later
to check up on the files.
You can optionally specify METHOD=N where N is 1,
2 or 3. The method number is used by the MAKE
operation and is ignored by the CHECK function.
Read theory of operation for more information.
The last example above shows the check option
screen output being re-directed to the printer.
DELOUSE requires approximately 90K of RAM to run. If you
don't have enough memory it will tell you how much more it
needs to run properly.
INSTALLING & RUNNING DELOUSE.
If you will be using DELOUSE on a hard disk you should
preferably make a separate subdirectory for it. You can also
run it from any floppy drive and test files on a hard disk
if you wish. Copy DELOUSE.EXE into the subdirectory. You
might wish to copy DELOUSE.DAT into the subdirectory also.
Edit DELOUSE.DAT with a text editor (edlin, qedit, brief,
etc.) so that it lists all of the system files that you wish
to check on. The distribution copy of DELOUSE.DAT contains
a list of most all the file names that you might want to
check on. Use it to guide your efforts.
After you get the files set up, run DELOUSE MAKE from the
directory or disk where you installed it. DELOUSE expects
to find the DELOUSE.DAT file in the current subdirectory and
it will create DELOUSE.CHK in the same current directory.
During the make operation, DELOUSE will echo the data that
it is writing into the DELOUSE.CHK file. It will also warn
you of any files listed in the DELOUSE.DAT file that it was
unable to open and do a checksum calculation on. You should
modify the DELOUSE.DAT file to correct any problems and run
the make option again. After the make operation has been
completed the DELOUSE.DAT file is not required as it is only
used during the make phase.
Now you can run DELOUSE CHECK at any time to check on those
files that you are trying to protect. Move to the
subdirectory where you have DELOUSE installed. Run DELOUSE
CHECK. DELOUSE will read the DELOUSE.CHK file and compare
the data against the files named there. If a file has been
changed, DELOUSE will report that something has changed. If
one of the files is missing, DELOUSE will report that also.
If you have gone ahead and modified the DELOUSE.CHK file
against all warnings and messed it up, then DELOUSE will
attempt to warn you about that also.
DELOUSE can be run from a batch file. DELOUSE will set the
DOS ERRORLEVEL to 1 or 2 for various problems. Errorlevel 2
overrides errorlevel 1.

    ERRORLEVEL 1   No command line options found
                   No DAT file (make)
                   No CHK file (check)
                   Errors in DAT file such as files not found
                   during MAKE
                   Errors in CHK file such as format errors.

    ERRORLEVEL 2   Target file checksum mismatch during CHECK
                   Target file missing during CHECK

EXAMPLE BATCH FILE:
    ECHO OFF
    DELOUSE CHECK >PRN
    IF NOT ERRORLEVEL 2 GOTO ENDIT2
    ECHO A FILE DID NOT PASS THE CHECKSUM TEST OR A >PRN
    ECHO FILE WAS FOUND MISSING FOR THE CHECKSUM TEST >PRN
    GOTO ENDIT0
    :ENDIT2
    IF NOT ERRORLEVEL 1 GOTO ENDIT1
    ECHO DELOUSE FAILED TO RUN PROPERLY >PRN
    ECHO PLEASE CHECK IT OUT >PRN
    GOTO ENDIT0
    :ENDIT1
    ECHO THERE WERE NO DELOUSE ERRORS >PRN
    :ENDIT0
CAUTIONARY NOTE:
It has occurred to me, and it will eventually occur to some
warphead, that the DELOUSE.DAT and DELOUSE.CHK files provide
a perfect roadmap to all of the files on your system that
you believe are critical to your operation. It is probably
a good idea to keep delouse on floppy disks and run it from
there. That way the roadmap is not accessible during normal
day-to-day operations. If you keep those files on your
hard disk then for goodness sakes keep them away from the
root directory where everyone would know to look for 'neat
stuff'. Put 'em about 6 directory levels down where they
would be more difficult to locate.
I have decided to distribute the source code, so encrypting
the DELOUSE.DAT and DELOUSE.CHK files would be a futile
exercise. When the source code is available any encryption
scheme (other than long prime number public key
cryptography) is mostly wasted. Anyone wanting to crack the
system is able to read the code. I believe that it is better
that the source code be available so that users can feel
more comfortable about the program.
THEORY OF OPERATION:
DELOUSE uses simple checksumming methods to detect changes
in the target files. This is not very sophisticated, but is
good enough for what is being done here. We are just trying
to detect that a change took place, not trying to transfer
error-free data across the phones.
DELOUSE actually uses three different checksum algorithms.
All are simple but slightly different in the way they
calculate the checksum. The checksum method is usually
chosen at random when the MAKE option is used. The method
number is recorded in the DELOUSE.CHK file to allow the
proper method to be used when checking the files. You can,
if you wish, force DELOUSE to use one of the checksum methods
by putting METHOD=N on the command line, where N is 1, 2 or 3.
This would allow you to manually compare the DELOUSE.CHK
file against an earlier copy of DELOUSE.CHK where the same
checksum method was used. This would be a good method to use
to check for changes several days or weeks apart. Just
remember that the DELOUSE.CHK file is rotated into the
DELOUSE.OLD file when you run the MAKE option. If you want
to save a copy of the DELOUSE.OLD file make sure you do so
before you run make again.
Why, might you ask, does DELOUSE use random selection of
checksum method? There is a possibility that one of the
Trojan/Virus programmers would attempt to work around any
one simple checksum method of testing files. The random
selection of checksum methods will just make it a bit more
difficult for them.
DELOUSE is designed to read any system and hidden files.
This includes IBMBIO.COM and IBMDOS.COM. DELOUSE goes to
special efforts to make sure that the files are only read
and never written into - safety comes first here!
DELOUSE uses normal DOS services to read all files. There is
no direct disk access taking place. The distribution copy of
DELOUSE.EXE should pass Check4Bomb tests and any other
Virus/Trojan detection program. If it does not then you
should be wary.
FILE FORMATS:

DELOUSE.DAT - This is the file YOU create or modify.
Each line contains a full path name to a file that you want
to check. Comment lines are allowed - they must start with
the word !NOTE (5 characters). Blank lines are ignored.

Example DELOUSE.DAT file:
!note - always check on your command.com files
C:\COMMAND.COM
C:\DOS\COMMAND.COM
!note - IBM PCdos system files are good targets.
c:\ibmbio.com
c:\ibmdos.com
!note - MSDos system files are good targets
c:\io.sys
c:\msdos.sys
!note - device drivers are potential targets
c:\dos\driver.sys
c:\dos\ansi.sys
c:\dos\vdisk.sys
!note - you might want to check on your memory resident
!note programs like CED or SideKick
c:\util\ced.com
c:\sk\sk.com
!note - you can also check files on different drives
a:autoexec.bat
a:command.com
a:config.sys
!note - and how about the more popular major application
!note programs? Dbase-3, Lotus-123, Qmodem etc.
DELOUSE.CHK - This is the file that is created by DELOUSE and
should not be modified.
The first field is a character which describes the checksum
method used for checksumming the file. It will be 1, 2 or 3.
The second field is the calculated checksum itself. The
third field is the full path name of the file.

Typical DELOUSE.CHK file:
!NOTE - This file created by DELOUSE. DON'T MODIFY.
1 1075880 C:\COMMAND.COM
1 1075880 C:\DOS\COMMAND.COM
1 904824 C:\IBMBIO.COM
1 1449251 C:\IBMDOS.COM
1 54968 C:\DOS\DRIVER.SYS
1 71679 C:\DOS\ANSI.SYS
1 140431 C:\DOS\VDISK.SYS
1 267197 C:\UTIL\CED.COM
1 2132698 C:\SK\SK.COM
1 256 A:AUTOEXEC.BAT
1 1075880 A:COMMAND.COM
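The following is an added illustration of the MAKE/CHECK workflow described under THEORY OF OPERATION together with the two file formats above. It is not the DELOUSE source (which is Turbo Pascal and not reproduced on this page). The three checksum routines are constructed stand-ins, since the page does not give the algorithms DELOUSE actually uses, so the numbers they produce will not match a real DELOUSE.CHK; the in-memory sample "disk" and its paths are likewise constructed so the example runs offline.

```python
"""DELOUSE-style MAKE/CHECK manifest (added example, not the original program).

Methods 1-3 are constructed substitutes for DELOUSE's unpublished checksums.
File access goes through a `read_file` callable so the demo can run against
an in-memory set of files instead of a real disk.
"""
import random
import sys

NOTE_TAG = "!NOTE"      # comment prefix, 5 characters, compared case-insensitively
ERR_BAD_INPUT = 1       # DELOUSE errorlevel 1: unreadable targets, format errors
ERR_MISMATCH = 2        # DELOUSE errorlevel 2: checksum mismatch or missing target


def checksum(data, method):
    """Constructed stand-ins for the three methods (not DELOUSE's own)."""
    if method == 1:                                   # plain byte sum
        return sum(data) & 0xFFFFFFFF
    if method == 2:                                   # position-weighted sum
        return sum((i + 1) * b for i, b in enumerate(data)) & 0xFFFFFFFF
    if method == 3:                                   # rotate-left-5 and xor
        acc = 0
        for b in data:
            acc = ((acc << 5) | (acc >> 27)) & 0xFFFFFFFF
            acc ^= b
        return acc
    raise ValueError("unknown method %r" % method)


def parse_dat(text):
    """DELOUSE.DAT: one full path per line; blank and !NOTE lines are ignored."""
    paths = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s[:5].upper() == NOTE_TAG:
            continue
        paths.append(s)
    return paths


def default_reader(path):
    """Open the target read-only; return None if it cannot be read."""
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return None


def make(dat_text, method=None, read_file=default_reader):
    """MAKE: choose a method (random unless forced) and build the CHK text.
    Returns (chk_text, errorlevel, messages)."""
    method = method or random.choice((1, 2, 3))
    lines = ["%s - This file created by DELOUSE. DON'T MODIFY." % NOTE_TAG]
    msgs, level = [], 0
    for path in parse_dat(dat_text):
        data = read_file(path)
        if data is None:                              # warn, keep going, errorlevel 1
            msgs.append("cannot open %s" % path)
            level = ERR_BAD_INPUT
            continue
        lines.append("%d %d %s" % (method, checksum(data, method), path))
    return "\n".join(lines) + "\n", level, msgs


def check(chk_text, read_file=default_reader):
    """CHECK: recompute every entry with the method recorded in the CHK line.
    Returns (errorlevel, messages); errorlevel 2 overrides 1 as in DELOUSE."""
    msgs, level = [], 0
    for line in chk_text.splitlines():
        s = line.strip()
        if not s or s[:5].upper() == NOTE_TAG:
            continue
        parts = s.split(None, 2)                     # method, checksum, path (may hold spaces)
        try:
            method, expected, path = int(parts[0]), int(parts[1]), parts[2]
            if method not in (1, 2, 3):
                raise ValueError
        except (IndexError, ValueError):              # hand-edited or damaged CHK file
            msgs.append("CHK format error: %r" % s)
            level = max(level, ERR_BAD_INPUT)
            continue
        data = read_file(path)
        if data is None:
            msgs.append("MISSING  %s" % path)
            level = ERR_MISMATCH
        elif checksum(data, method) != expected:
            msgs.append("CHANGED  %s" % path)
            level = ERR_MISMATCH
        else:
            msgs.append("ok       %s" % path)
    return level, msgs


# Constructed sample "disk" and DAT file; contents and paths are illustrative only.
SAMPLE_FILES = {
    "C:\\COMMAND.COM": b"MZ\x90\x00command",
    "C:\\DOS\\ANSI.SYS": b"\xff\xff\xff\xff ansi",
}
SAMPLE_DAT = "!note - constructed example\nC:\\COMMAND.COM\n\nC:\\DOS\\ANSI.SYS\n"


def demo():
    """MAKE, then CHECK an untouched copy and a tampered copy of the sample disk."""
    chk, make_level, _ = make(SAMPLE_DAT, method=2, read_file=SAMPLE_FILES.get)
    clean_level, _ = check(chk, SAMPLE_FILES.get)
    tampered = dict(SAMPLE_FILES)
    tampered["C:\\COMMAND.COM"] = b"MZ\x90\x00c0mmand"   # one byte changed
    del tampered["C:\\DOS\\ANSI.SYS"]                    # one target removed
    bad_level, bad_msgs = check(chk, tampered.get)
    return make_level, clean_level, bad_level, bad_msgs


if __name__ == "__main__":
    _, _, level, msgs = demo()
    print("\n".join(msgs))
    sys.exit(level)            # a batch file can branch on this like DELOUSE's ERRORLEVEL
```

Two points worth noting for anyone reusing the pattern. First, the method number lives inside the CHK file, which is what lets CHECK work without the DAT file, exactly as the text describes; it also means the CHK file is as sensitive as the author's cautionary note says, since it reveals both the target list and which method to defeat. Second, unkeyed sums like these only detect accidental or careless modification; a present-day equivalent would record a cryptographic hash (or a keyed MAC with the key stored off the machine) and keep the manifest on removable media, which is the modern form of the floppy-disk advice given above.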
END OF DELOUSE DOCUMENTATION.