home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Shareware Overload
/
ShartewareOverload.cdr
/
virus
/
expel.zip
/
EXPEL.DOC
< prev
next >
Wrap
Text File
|
1989-11-27
|
39KB
|
1,117 lines
------------------------------------
E X P E L
Version 1.0
A virus control device
------------------------------------
U S E R M A N U A L
------------------------------------
Toltech, PO Box 68, St Lambert
QC, Canada, J4P 3N4
Copyright (c) 1989 by Toltech, All rights reserved
- CONTENTS -
Page
1.0 GENERAL INFORMATION .................................... 1
1.1 Foreword ........................................... 1
1.2 Why Shareware? ..................................... 1
1.3 Registration ....................................... 1
1.4 Order Form ......................................... 1-2
1.5 Warranty ........................................... 3
2.0 INTRODUCTION ........................................... 4
2.1 Virus background ................................... 4
2.1.1 Biological viruses ............................. 4
2.1.2 Computer viruses ............................... 4
2.2 Program overview ................................... 5
2.2.1 Initial infection prevention ................... 5
2.2.2 Virus detection and elimination ................ 6
2.2.2.1 Detection .................................. 6
2.2.2.2 Elimination ................................ 7
2.2.3 Activation prevention .......................... 7
2.2.3.1 Bombs ...................................... 7
2.2.3.2 Boot infectors ............................. 8
3.0 GETTING STARTED ........................................ 8
3.1 Distribution files ................................. 8
3.2 Backup ............................................. 8
3.3 Installation ....................................... 8
3.3.1 Floppy drives .................................. 8
3.3.2 Hard disks ..................................... 10
3.4 Auto-protection .................................... 10
3.5 Running the program ................................ 10
4.0 FUNCTIONS AND SETTINGS ................................. 10
4.1 The control panel .................................. 10
4.2 Help system ........................................ 10
4.3 Write function ..................................... 11
4.3.1 Paths setting .................................. 11
4.3.1.1 Source path ................................ 11
4.3.1.2 Archive name ............................... 11
4.3.1.3 Saving all parameters ...................... 11
4.3.2 CRC count setting (Adjust button) .............. 12
4.3.3 Extensions setting ............................. 12
4.4 Lock and Unlock functions .......................... 12
4.5 Verify function .................................... 13
4.6 Filter function .................................... 13
4.7 Sample function .................................... 14
4.8 Track function ..................................... 14
1.0 GENERAL INFORMATION
1.1 Foreword.
EXPEL is not a public domain program and it is not a free
program, but we let you to copy it freely and share it
with your friends. We only ask that you copy EXPEL complete
and unmodified, with all of its accompanying files.
We also give you the right to use EXPEL on a trial basis. In
case you decide that you want to use the program after
evaluation, we ask you to register your copy. Please note
that the use of EXPEL, exept for a short evaluation period,
is forbidden to any person, group, institution, or any legal
entity.
1.2 Why Shareware?
We are distributing EXPEL as a Shareware program because :
- We think that we made a major break-through in the field
of protection against viruses and we want to distribute this
program as quickly as possible so as to "equalize" the odds
of surviving a viral attack for as many users as possible.
- The Shareware concept allows to lower the price, cutting
off packaging and distribution costs.
- We like the idea of the final user evaluating a program
and paying only if he decides to use it.
- Above all, we believe that computer users are honest
enough to support our work if the product is good enough.
1.3 Registration.
You can register for EXPEL in two ways:
1) If you already have a current version of the program,
send $25.00 for registration plus $5.00 for freight and
handling; You obtain the licence to use this program and to
use any future updates, you will be kept informed of
updates, and we will mail you the next update disk as soon
as available.
2) Send $35.00 for registration plus $5.00 freight and
handling in case you need a copy of the program right away.
We mail you immediatly a disk with the latest version, plus
you are entitled to the same benefits as 1).
1.4 Order Form.
Please use the following order form.
1
O R D E R F O R M
Mail to : Toltech
PO Box 68 St-Lambert,
QC, Canada, J4P 3N4
Please send:
____ EXPEL registration.............. $ 25.00 each $ ______
(No disk now, one update disk later)
____ EXPEL registration and disk .... $ 35.00 each $ ______
(Disk now plus one update disk later)
Subtotal ............................................ ______
Discount ............................................ ______
(Quebec residents please add 9% sales tax) .......... ______
Subtotal ............................................ ______
Freight/Handling .......................... $ 5.00 $ ______
Total ..............................................$ ______
[] VISA [] MASTERCARD [] CHECK ENCLOSED [] MONEY ORDER
----------------------(Sorry, no COD)-----------------------
Name : ___________________________________________________
Company:____________________________________________________
Address:____________________________________________________
____________________________________________________
____________________________________________________
Phone : _(____)____________________
Card #: _____________________________Exp. Date : ___________
Quantity discounts :
6 - 10 copies : 10% discount
11 - 20 copies : 15% discount
21+ copies : 25% discount
Site licensing agreements also available. Please write for
details.
2
1.5 Warranty
This program is distributed "AS IS", without any warranty
as to its performance. The entire risk as to the quality and
performance of the program is assumed by the user.
THE ABOVE WARRANTY IS IN LIEU OF ALL WARRANTIES, EXPRESS,
IMPLIED, OF STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY
IMPLIED WARRANTIES OF PERFORMANCE AND FITNESS FOR A
PARTICULAR PURPOSE AND OF ANY OTHER WARRANTY OBLIGATION ON
THE PART OF TOLTECH. IN NO EVENT SHALL TOLTECH OR ANYONE
ELSE WHO HAS BEEN INVOLVED IN THE CREATION AND PRODUCTION OF
THIS PROGRAM BE LIABLE FOR INDIRECT, SPECIAL, OR
CONSEQUENTIAL DAMAGES, SUCH AS, BUT NOT LIMITED TO, LOSS OF
ANTICIPATED PROFITS OR BENEFITS RESULTING FROM THE USE OF
THIS PROGRAM, OR ARISING OUT OF ANY BREACH OF THIS WARRANTY.
3
2.0 INTRODUCTION
In this manual we will describe EXPEL on a general level,
and then we will explain how to use each function.
2.1 Virus background.
2.1.1 Biological viruses.
Biological viruses are the smallest biological entities
known to man. Some strains are 300 times smaller than a
red blood cell.
Viruses are composed of a nucleus protected by a thin
envelope of proteins. This nucleus is made of chains of
nucleic acids (DNA and RNA). The nucleic acids carry the
information that directs the activity of cells.
When a virus gets into a cell, its nucleic code is executed
by the host cell; this code asks the cell to create more
viruses and after some time, the viruses destroy the cell to
exit and start to look for new target cells.
Some strains delay the reproduction phase; they penetrate
a cell and lay dormant, replicating only when the host cell
replicates. Then one day the virus awakes and start
to multiply itself.
2.1.2 Computer viruses.
A computer virus behaves almost exactly like the
biological versions; it is a small program, generally hidden
into an executable file, that enters a computer system and
tries to replicate itself each time the host program is
executed.
The difference between a biological virus and the electronic
version is that the last one infects others program from
within the host program.
At some point after the beginning of the replication phase,
the viruses will start to perform various destructive or
obstructive acts.
4
2.2 Program overview.
EXPEL can be considered as a defensive mecanism doubled by
an offensive weapon. EXPEL is the reunion of an infection
prevention module, an infection detection module, and a
non-specific infection removal module in a single software
device.
With EXPEL we don't need to know if we are attacked by a
Lehigh virus or a Sunnyvale slug or any other viral strain
(being polite) to survive and fight back. All we need is a
basic understanding of viruses behaviour :
Initial Activation
infection |
| |
| .----------Replication-----------. |
v v v v
x xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx *
Time -------->
The fact that each and every strain of virus will follow
this pattern was used to design EXPEL, because we don't know
for sure all of the existing virus in the world and we
certainly don't know what sick versions will be invented in
some rubber s..t brains in the future, but we know that a
virus always does 3 things :
- He gets into the system, so there will be some new code
someplace.
- He will try to replicate, so we should have even more
alien code around.
- He will eventually hurt the system, so we have to catch
him before its too late.
If it does not replicate but do harm right away, then its a
bomb, not a virus, and very simple actions will protect you
against these pests (See 2.2.3.1).
2.2.1 Initial infection prevention.
EXPEL permits you to write-protect files at will, thus
preventing 90% of viral strains to infect you computer
system. You can write-protect files selectivelly,
specifying the extensions of files to be protected, or
you can decide to write protect the whole disk.
BUT, you should know that if someone is able to
write-protect files, then someone may think of a virus
able to unprotect them and pass thru this line of defence.
5
2.2.2 Virus detection and elimination.
The real strenght of EXPEL starts with its virus detection
capabilitities, and continues with the edge he gives you in
case of positive detection.
2.2.2.1 Detection.
The whole subject of detection is important, because
it is vital to know if the system is infected to
clean it before the activation phase, and it is
equaly important to know that the system is clean
for the sake of peace of mind is very important. So don't
panic, don't trash all your disks if "something seems
strange". We bring you tools to know what's really going
on...
Generally viruses will replicate by writing code into
other files, preferably executable files. Some strains
will write into any file that they can find, some will
attach only to executable file (with .EXE or .COM
extensions, for example), some will infect only
COMMAND.COM, and so on.
EXPEL permits you record the state of your files at any
point in time, writing a CRC number for each file into
an archive file (A CRC, or Cyclic Redundancy Check, is
a special count of the bytes of a file, often used in
data transmission to ensure that files are sent and
received unmodified).
Later on, the verification of this CRC number will
permit us to know if all the bytes are the same and if
they are in the same sequence as before : any virus
trying to infect a file will alter this CRC number,
and thus will be detected by the verification functions
of EXPEL. It is then a simple matter to eradicate the
virus by erasing the file.
The beauty of this kind of approach is that even if
the CRC archive is built after the initial infection
(but not too long, right?!), often it will be possible
to KNOW that a virus is present, because he will continue
to replicate and alter more files: being aware of the
infection will permit us to use the elimination sections
of EXPEL.
With its detection potential, EXPEL thus represents a
fine defensive tool.
6
2.2.2.2 Elimination.
After detection, EXPEL goes one step further :
we know that a virus got in and we know one or more
files where he hides, so we extract a sample of the
virus code from one of the files and we use this
sample to track and eliminate all of the virus
offspring off our disks. Note that it is not necessary
to know the virus beforehand to clean any computer
disks.
Because of its total clean-up capabilities, EXPEL
is a powerfull weapon against viruses.
If each infected user is a dead end for any virus,
the odds of having the kind of epidemic situations
we recently had will be considerably lowered.
Note that EXPEL will not try to patch a contaminated
file after detection: even if we know where is the alien
code in the file, even if we could for example insert a
jump instruction before the virus code pointing to the
beginning of clean code, we don't know what kind of bomb
we may create by trying to "clean" this particular file
remotly.
So we propose only the safest alternative : erasure of
the file, hoping that Saint-Backup is with you (erasure
only necessary if the file is an executable file; data
files can be kept as is, because they are never executed
and so will not give any reproduction or activation
opportunity to viruses).
But we are very open to comments because this is a
rather radical decision. We are in fact waiting for
users feed-back to take or not the decision to include a
"return maybe to the prior state" type of function in
coming updates.
2.2.3 Activation prevention.
EXPEL will help prevent most viral strains to get into
their activation phase, but two specific cases will need
separate handling.
2.2.3.1 Bombs.
A bomb is a program that is supposed to perform a
specific task and does some destructive act instead,
like reformating disks or trashing FAT areas.
A bomb is not a virus because it blows the first time
the carrying program is run (called a Trojan). There
is no replication phase.
Some bombs are also created by innocent programmers: an
unknown bug may lock a computer or do anything else.
In order to survive bombs, never try a new program on
a hard disk. Always run it first from a floppy. The
attack being immediate, the bomb will have only the
floppy disk available as potential victim.
7
2.2.3.2 Boot infectors.
The boot sector is the first sector of disks that have
DOS on them: when you boot a computer with this kind of
disk in the drive, the little program written in the boot
sector is loaded and executed. This little program is then
supposed to load the operating system in memory.
A boot infector is a very special type of virus that
"lives" outside of files. He is in the boot area, and if
you boot your computer with an infected disk, the virus
code is executed right at the start and takes control.
This virus will replicate by writing himself in the boot
sector of any new disk that he can reach (Some strains
will also create fake bad sectors and hide in them).
As for bombs, the defensive tactic is simple: NEVER boot
from an alien disk.
3.0 GETTING STARTED
3.1 Distribution files.
Here is a list of the distribution files. Please verify that
you have a correct set.
| Name | Description | Size | Date | Time |
|------------|-----------------|---------|----------|-------|
| EXPEL.EXE | Main program. | 112 189 | 11/27/89 | 00:48 |
| EXF.EXE | Filter utility. | 23 840 | 11/26/89 | 02:44 |
| EXPEL.DOC | This manual. | 39 225 | 11/27/89 | 00:53 |
3.2 Backup.
Please make an immediate backup copy of the EXPEL files.
In case of infection, it may be usefull to have a clean set
ready to be used.
3.3 Installation.
There is no special installation apart from deciding where
the related files will be kept. EXPEL will use an archive
file to store the CRCs and an optional configuration file to
save the parameters selected in previous sessions.
When you run EXPEL, you can write the archive in any
directory or disk drive, but the configuration file is
written by EXPEL in the current directory only.
3.3.1 Floppy drives.
You could keep for example several archive files on the
same diskette, or write an archive file on each disk that
you want to monitor.
8
Example 1:
***********************************
* EXPEL DISKETTE *
* *
* *
* *
* - EXPEL.EXE * <-Program file.
* *
* - EXPEL.CFG * <-Configuration file.
* *
* - CRC.D1 * }
* - CRC.D2 * } Archives.
* - CRC.D3 * }
***********************************
Example 2:
***********************************
* EXPEL DISKETTE *
* *
* *
* *
* - EXPEL.EXE * <-Program file.
* *
* - EXPEL.CFG * <-Configuration file.
* *
* *
* *
* *
***********************************
***********************************
* DISKETTE 1 *
* *
* *
* *
* - ARC.CRC * <-Archive.
* *
* ***********************************
* * DISKETTE 2 *
* * *
* * *
******** *
* - ARC.CRC * <-Archive.
* *
* ***********************************
* * DISKETTE 3 *
* * *
* * *
******** *
* - ARC.CRC * <-Archive.
* *
* *
* *
* *
* *
***********************************
9
3.3.2 Hard disks.
You may create a sub-directory and copy all the EXPEL
related files into it. Later on you will be able to enter
all needed access paths from inside the program.
3.4 Auto-protection.
EXPEL.EXE is auto-protected, meening that the program will
not execute if something or someone modifies or adds to its
code. Like an extinguisher that would throw gazoline at a
fire, a contaminated security program is worthless; so this
virus control device spends a couple of seconds at load time
to make sure everyting is ok.
3.5 Running the program.
To load and run EXPEL, type EXPEL at the DOS prompt.
If you use a monochrome display card, the program should
detect it and adjust to black and white. If you have a
monochrome monitor connected to a color card, type
EXPEL /m to switch to mono.
EXPEL will then verify its own integrity and look for the
file EXPEL.CFG in the current directory. If not found, the
program will use default settings for the archive name,
path, extensions and CRC security level.
4.0 FUNCTIONS AND SETTINGS
4.1 The control panel.
The functions and settings are choosen on the control panel
of EXPEL. Push the first letter of any button to operate or
set the device. No confirmation is ever needed, so just make
sure that you push the right button.
For almost each button, pushing the ESCAPE key will abort
the current function.
4.2 Help system.
There is two help systems. The first one is the lower bar,
where information is displayed as required by the current
context. The second is called via the Help button. You then
push the first letter of any other button to obtain a short
description of the corresponding setting or function, and
you push the ESCAPE key when you want to exit.
10
4.3 Write function.
This function lets you to write the CRC numbers for the
selected files into the archive file. Push W to start, push
the ESCAPE key to abort.
EXPEL will always include the CRC of COMMAND.COM (if found
in the root directory) at the beginning of the archive file,
because COMMAND.COM proved to be a preferred target for many
viruses.
Before using the Write function, you must set some
parameters :
4.3.1 Paths setting.
Push the Paths setting button to enter the source path and
the archive path and name.
4.3.1.1 Source path.
The source path is the access path used by EXPEL to
select which files to monitor with a CRC. The path name
can be made of a drive reference coupled with some
sub-directories names.
- Entering C:\PUBLIC\TEST as the source path will ask
EXPEL to include the files on drive C: that are in the
\PUBLIC\TEST sub-directory.
- Entering C:\PUBLIC will ask to include files on drive C:
that are in the \PUBLIC directory and also the
sub-directories of \PUBLIC.
- Entering \ only will monitor all directories and
sub-directories for the current drive.
4.3.1.2 Archive name.
Pushing ENTER after the source path entry brings you to
the archive name field.
You may enter a path and an archive name. By default
EXPEL will create an archive named CRC.CHK in the current
directory. You can change this name by entering as needed
a drive, path and name (It may be wise to select your
own archive names, as an added security).
4.3.1.3 Saving all parameters.
When you are asked if you want to save the paths, type
Y for yes or N for no to save or not the paths in a file
named EXPEL.CFG (current directory).
11
Note that the CRC count setting and the extensions
setting are also saved along with the paths.
Note also that the EXPEL.CFG file is automatically locked.
4.3.2 CRC count setting (Adjust button).
You can select the CRC speed and accuracy by choosing a
number from 1 to 9.
With a value of 1, the CRC includes each and every byte of
the monitored files. It is the highest security level.
With a value of 9, the CRC jumps 8 bytes and includes the
9th byte. It is the fastest check available.
This means that if for example a CRC is computed every 6
bytes, a virus would have to be as small as 5 bytes to stay
undetected, which is very unlikely.
So EXPEL gives you a gradient of security levels and speed
levels, but it also gives you 9 possible CRC numbers for the
same file, enough to fool an hypothetical virus trying to
adjust the CRC of a file in which he wants to hide.
To exit the Adjust area, push a number or push the ESCAPE
key.
4.3.3 Extensions setting.
Push the Ext. button to enter the extensions of the
monitored files. By default, EXPEL includes the .EXE, .COM,
.BAT, .SYS and .BAS extensions. They are all extensions of
executable files, because monitoring data files may take a
lot of time. Also only executable files are able to spread
an infection, and some viruses don't even duplicate in data
files.
To change or add to the extensions, use the arrow keys to
position the cursor, then type the letters of the extension
(without a period). You may use wildcards (? or *), and you
have to use the ESCAPE key to exit.
The extensions are used by the Write function, the Lock and
Unlock functions, and by the Track function.
4.4 Lock and Unlock functions.
You may write-protect or unprotect a file or a whole
directory with the Lock and Unlock functions.
Push L or U to call the selected function and enter the full
name of a file (path + node + extension).
To select a directory, enter its name followed by a reverse
slash. Files will be selected if they have one of the
extensions entered via the Ext. button (you may use
wildcards).
12
Examples :
- To lock a file in drive B named ZZZ.EXE, type B:\ZZZ.EXE
- To lock all files in the TEST directory, push the Ext.
button and enter * in an empty cell and push ESCAPE, then
push the Lock button and type \TEST\ followed by ENTER.
Note that it may be very unpractical to have each and every
files locked: data files often need to be written or erased.
We suggest to lock only the executable files (.EXE,.COM,...)
4.5 Verify function.
This function will read the files names and CRC numbers from
the archive file and compare them with the current CRCs. In
case of discrepancy, EXPEL warns you of a possible viral
attack, and asks you to choose the next action. You can :
- Delete the infected file.
But don't forget that you will need an infected file to
extract a virus sample later on. If you don't have a backup
copy of the file, this may be the only safe alternative.
- Update the CRC in archive.
In some cases, files may change because of natural events.
(For example, programmers are known to be very natural and
may (eventually) cause files modifications).
So this choice permits you to approve the modification.
- Print the file name.
Will print the name on LPT1, the parallel printer. Make sure
that the printer is well connected before printing.
- Continue.
Keeps the file untouched and goes on with the verification.
4.6 Filter function.
The filter function is used to verify a program before
loading it. The program CRC must have been previously
recorded into an archive file. The filter function will also
verify COMMAND.COM, if found.
Knowing the general virus behaviour, it may not be necessary
to do a full verification of all files at all times : A
virus will replicate when you load and execute one of its
vector programs, so all you may need is a verification of
the programs that you use.
In case a filtered file is found to be infected, EXPEL will
alert you and will not load and execute the file.
13
There is three different ways to call the filter function :
- From the EXPEL program, push the Filter button, then type
the name of the file, with the extension (It must be the
same path and name as recorded in the archive).
- From the command line, type EXPEL /f followed by the name
of the file.
- Or use the little utility program called EXP.EXE .
Type EXP /f (name of file). It is faster than the other
ways because EXP.EXE is smaller and not auto-protected.
Note that you must always enter the extension of the file,
and also the full access path if different from the current
directory.
4.7 Sample function.
This function is very simple to use : You need a modified
file (infected) and a clean copy of the same file that will
be used as reference.
Push the Sample button and then type the path and name of
the modified file, then type the path and name of the
reference file.
Just make sure not to invert the two names, or EXPEL will
give you an error message : first the infected file, then
the clean one.
Example : If you have an infected copy of ZZZ.EXE in drive A
and a clean copy of ZZZ.EXE in drive B, type A:ZZZ.EXE in
the upper field and B:ZZZ.EXE in the lower field.
EXPEL will then extract one or two samples from the infected
file. The samples will have the same name as the infected
file, and will be suffixed with S1 and S2 (Ex: ZZZ.S1).
Note that the sample code is scrambled before being written
into a file, as an increased security.
4.8 Track function.
The Track function is used to clean-up disks in case of
infection.
It will track the viruses on the source path that you submit
via the Paths button, in each and every file that has one of
the extensions entered via the Ext. button (you may use
wildcards).
When you push the Track button, EXPEL presents you a menu
where the available samples are listed (created with the
sample function). Use the arrow keys to select and push
ENTER to start the search.
Example: You have extracted a sample named ZZZ.S1 with the
sample function and you want to genocide this alien code off
you hard disk (one of the exceptional cases where killing
may be good for health !).
14
- Push the Paths button and type C:\ to track the virus in
all directories of drive C.
- Push the Ext. button and enter * in an empty cell to
select all files.
- Push the Track button, select ZZZ.S1 and push ENTER.
- EXPEL will start the search and ask you what to do if an
infected file is found (It may not be wise to destroy data
files).
- Time to die ...
* * *
15
