Shareware Overload

home *** CD-ROM | disk | FTP | other *** search

/ Shareware Overload / ShartewareOverload.cdr / virus / delouse1.zip / DELOUSE.DOC < prev next >

Wrap

Text File | 1988-03-03 | 18KB | 381 lines

***************************************************************** ** DELOUSE V1.0 ** ** 3/2/88 ** ** Documentation ** ** ** ** "When everyone really is out to get you ** ** then paranoid is just proper thinking." ** ** ** ** A program to assist in the detection of disk damage by ** ** Trojan or Virus programs. Designed by and for those of ** ** us who are especially paranoid. ** ***************************************************************** Program: DELOUSE Version level: 1.0 Type: Automated File comparison utility Language: Turbo Pascal v4.0 and above. Dependencies: MsDos/PCDos 2.0 and above. Author: Phillip M. Nickell Longmont, Colorado. Date: March 2, 1988 Ownership: Public domain release. Author retains no rights. Beta-Test Sites: Many thanks to the folks who tested and commented on the eficacy of this program. Metamorphosis PCBoard BBS - Longmont Colorado. Tony Ferris - Sysop. (303) 772-7229 Twin Peaks PCBoard BBS - Longmont Colorado. Ken Krueger - Sysop (303) 651-0225 All comments and suggestions are welcome. Bug reports are tolerated. Leave a message for Phil Nickell. NOTE: DELOUSE is distributed with the source code. If the copy you receive is without source code then perhaps you should be suspicious of what the .exe file contains. The .exe file should be 11776 bytes in length for release v0.9 (beta) and xxxxx for release 1.0. PURPOSE: This program is written in response to the threat by trojan and virus program and the damage that they can cause to a persons hard disk. This program will NOT prevent damage nor does it attempt to detect the actual presence of trojan programs. This program will ASSIST the user in determining that damage MAY HAVE OCCURRED and will thus allow the user to take what steps may be necessary to eradicate the bug. Just because some damage occured doesn't mean that a trojan got you. There are many 'normal' ways for files to get damaged. Errors occur, programs crash, disk drives drop a bit or two, power lines spike and cosmic rays can toggle a bit in memory to lock things up. Some programs even write configuration changes into their own .com or .exe files (Dumb - but that's another story) which could make you think that something untoward occured. There are, however, some real trojan and virus programs out there just waiting for the unwary. Most trojan and virus programs do their dark deeds by modifying existing system files that exist on most MSDos and PCDos machines. DELOUSE allows you to build a list of critical system files that are normally subject to attack and check them periodically for changes. If any changes have occurred, and if you have not make any changes in those files yourself, then PERHAPS something else made those changes for you without your knowledge. You can then investigate and attempt to find out why the changes occurred. There is no free lunch or magic potion here. This program is a tool to be used by the concerned and knowledgeable computer user. It will not help you if you don't use it, and like any tool it will not work properly if it is not used properly. If you are not familiar with files, directories and drive designators then you should probably get some assistance from an experienced computer user, as this program will cause more worry for you than solace. FILES IN THE ARCHIVE: DELOUSE.EXE The program. DELOUSE.DOC This documentation. DELOUSE.DAT is a list of files that you wish to test for errors. This file is just an example of what you might want to set up. You should make your own copy with a text editor. Don't use a word processor. DELOUSE.CHK is a file that is built and maintained by DELOUSE. It contains information about the various files and the checksum method used. You should know of this file but you should not modify it unless you are confident of what you are doing. DELOUSE.OLD not distributed, is a backup copy of delouse.chk that is created by the delouse MAKE operation by renaming the existing copy of delouse.chk to delouse.old and creating a new delouse.chk file. DELOUSE.PAS This is the Turbo Pascal source code file. In this day of trojan programs, it is really nice to have the source code so that you can be sure of the program and how it works. You must have Turbo Pascal v4.0 to properly compile this code. OPERATING DELOUSE: Syntax: DELOUSE { Make | Check } [ METHOD=n ] Examples: DELOUSE MAKE DELOUSE CHECK DELOUSE MAKE METHOD=2 DELOUSE CHECK >PRN You must specify either MAKE or CHECK on the command line. The make option causes DELOUSE to build a new DELOUSE.CHK file which is used later to check up on the files. You can optionally specify METHOD=N where N is 1, 2 or 3. The method number is used by the MAKE operation and is ignored by the CHECK function. Read theory of operation for more information. The last example above shows the check option screen output being re-directed to the printer. Delouse requires approximately 90k of ram memory to run. If you don't have enough memory it will tell you how much more it needs to run properly. INSTALLING & RUNNING DELOUSE. If you will be using DELOUSE on a hard disk you should preferably make a separate subdirectory for it. You can also run it from any floppy drive and test files on a hard disk if you wish. Copy DELOUSE.EXE into the subdirectory. You might wish to copy DELOUSE.DAT into the subdirectory also. Edit DELOUSE.DAT with a text editor (edlin, qedit, brief, etc.) so that it lists all of the system files that you wish to check on. The distribution copy of DELOUSE.DAT contains a list of most all the file names that you might want to check on. Use it to guide your efforts. After you get the files set up, run DELOUSE MAKE from the directory or disk where you installed it. DELOUSE expects to find the DELOUSE.DAT file in the current subdirectory and it will create DELOUSE.CHK in the same current directory. During the make operation, DELOUSE will echo the data that it is writing into the DELOUSE.CHK file. It will also warn you of any files listed in the DELOUSE.DAT file that it was unable to open and do a checksum calculation on. You should modify the DELOUSE.DAT file to correct any problems and run the make option again. After the make operation has been completed the DELOUSE.DAT file is not required as it is only used during the make phase. Now you can run DELOUSE CHECK at any time to check on those files that you are trying to protect. Move to the subdirectory where you have DELOUSE installed. Run DELOUSE CHECK. DELOUSE will read the DELOUSE.CHK file and compare the data against the files named there. If a file has been changed, DELOUSE will report that something has changed. If one of the files is missing, DELOUSE will report that also. If you have gone ahead and modified the DELOUSE.CHK file against all warnings and messed it up, then DELOUSE will attempt to warn you about that also. DELOUSE can be run from a batch file. DELOUSE will set the dos ERRORLEVEL to 1 or 2 for various problems. Errorlevel 2 overrides errorlevel 1. ERRORLEVEL 1 No command line options found No DAT file (make) No CHK file (check) Errors in DAT file such as files not found during MAKE Errors in CHK file such as format errors. ERRORLEVEL 2 Target file checksum mismatch during CHECK Target file missing during CHECK EXAMPLE BATCH FILE: ECHO OFF DELOUSE CHECK >PRN IF NOT ERRORLEVEL 2 GOTO ENDIT2 ECHO A FILE DID NOT PASS THE CHECKSUM TEST OR A>PRN ECHO FILE WAS FOUND MISSING FOR THE CHECKSUM TEST >PRN GOTO ENDIT0 :ENDIT2 IF NOT ERRORLEVEL 1 GOTO ENDIT1 ECHO DELOUSE FAILED TO RUN PROPERLY >PRN ECHO PLEASE CHECK IT OUT >PRN GOTO ENDIT0 :ENDIT1 ECHO THERE WERE NO DELOUSE ERRORS >PRN :ENDIT0 CAUTIONARY NOTE: It has occured to me, and it will eventually occur to some warphead, that the DELOUSE.DAT and DELOUSE.CHK files provide a perfect roadmap to all of the files on your system that you believe are critical to your operation. It is probably a good idea to keep delouse on floppy disks and run it from there. That way the roadmap is not accessible during normal day-to-day operations. If you keep those files on your hard disk then for goodness sakes keep them away from the root directory where everyone would know to look for 'neat stuff'. Put 'em about 6 directory levels down where they would be more difficult to locate. I have decided to distribute the source code, so encrypting the DELOUSE.DAT and DELOUSE.CHK files would be a futile exercise. When the source code is available any encryption scheme (other than long prime number public key cryptography) is mostly wasted. Anyone wanting to crack the system is able to read the code. I believe that it is better that the source code be available so that users can feel more comfortable about the program. THEORY OF OPERATION: DELOUSE uses simple checksumming methods to detect changes in the target files. This is not very sophisticated, but is good enough for what is being done here. We are just trying to detect that a change took place, not trying to transfer error-free data across the phones. DELOUSE actually uses three different checksum algorithms. All are simple but slightly different in the way they calculate the checksum. The checksum method is usually chosen at random when the MAKE option us used. The method number is recorded in the DELOUSE.CHK file to allow the proper method to be used when checking the files. You can, if you wish, force DELOUSE to use one of checksum methods by putting METHOD=N on the command line, where N is 1, 2 or 3. This would allow you to manually compare the DELOUSE.CHK file against an earlier copy of DELOUSE.CHK where the same checksum method was used. This would be a good method to use to check for changes several days or weeks apart. Just remember that the DELOUSE.CHK file is rotated into the DELOUSE.OLD file when you run the MAKE option. If you want to save a copy of the DELOUSE.OLD file make sure you do so before you run make again. Why, might you ask, does DELOUSE use random selection of checksum method? There is a possibility that one of the Trojan/Virus programmers would attempt to work around any one simple checksum method of testing files. The random selection of checksum methods will just make it a bit more difficult for them. DELOUSE is designed to read any system and hidden files. This includes IBMBIO.COM and IBMDOS.COM. DELOUSE goes to special efforts to make sure that the files are only read and never written into - safety comes first here! DELOUSE uses normal DOS services to read all files. There is no direct disk access taking place. The distribution copy of DELOUSE.EXE should pass Check4Bomb tests and any other Virus/Trojan detection program. If it does not then you should be wary. FILE FORMATS: DELOUSE.DAT - This is the file YOU create or modify. Each line contains a full path name to a file that you want to check. Comment lines are allowed - They must start with the word !NOTE (5 characters). Blank lines are ignored. Example DELOUSE.DAT file. !note - always check on your command.com files C:\COMMAND.COM C:\DOS\COMMAND.COM !note - IBM PCdos system files are good targets. c:\ibmbio.com c:\ibmdos.com !note - MSDos system files are good targets c:\io.sys c:\msdos.sys !note - device drivers are potential targets c:\dos\driver.sys c:\dos\ansi.sys c:\dos\vdisk.sys !note - you might want to check on your memory resident !note programs like CED or SideKick c:\util\ced.com c:\sk\sk.com !note - you can also check files on different drives a:autoexec.bat a:command.com a:config.sys !note - and how about the more popular major application !note programs? Dbase-3, Lotus-123, Qmodem etc. DELOUSE.CHK - this is the file that is created by DELOUSE and should not be modified. The first field is a character which describes the checksum method used for checksumming the file. It will be 1, 2 or 3. The second field is the calculated checksum itself. The third field is the full path name of the file. Typical DELOUSE.CHK file: !NOTE - This file created by DELOUSE. DON'T MODIFY. 1 1075880 C:\COMMAND.COM 1 1075880 C:\DOS\COMMAND.COM 1 904824 C:\IBMBIO.COM 1 1449251 C:\IBMDOS.COM 1 54968 C:\DOS\DRIVER.SYS 1 71679 C:\DOS\ANSI.SYS 1 140431 C:\DOS\VDISK.SYS 1 267197 C:\UTIL\CED.COM 1 2132698 C:\SK\SK.COM 1 256 A:AUTOEXEC.BAT 1 1075880 A:COMMAND.COM END OF DELOUSE DOCUMENTATION.