Text File | 1988-02-21 | 4KB | 98 lines
Matt Cohen
PO Box 10589
State College, PA 16805-0589

VIRUSCK.EXE - Written in 'C'
Turbo or Microsoft C
Source code: 83 lines
Object Code: 12k
Requires: DOS 2.0 or greater.

Virus Check Program: VIRUSCK.EXE
I am a graduate student in Electrical Engineering at the Pennsylvania State
University. As part of preparation for my thesis work at the Engineering
Computer Laboratory, I have written a program which I think will be
useful in detecting viruses.
A computer virus is a program which attaches itself to another program (or
itself) when run, causing that program to also act as a virus. The normal
function of the program can then be performed, leaving you with no clue of
the virus's existence.
It is extremely difficult to guard a computer system against a virus.
Anywhere there are shared programs, there is the potential for a virus
to cause damage and spread unchecked and even undetected. For example, a
compiler which compiles another version of itself is a virus.
If you suspect a program may be a virus, this program MAY be able to
find it before it can do any real damage to your system (and before you
can spread it).
This program attempts to detect a virus in two ways:
1. It notes whether a program changes its size or modification time.
2. It tells you if any named files had sizes or times changed.
Note that neither of these two conditions guarantees a virus, but each
gives an indicator (particularly '1') of a possible virus.
It is also possible that a virus will bypass the detection scheme.
Unfortunately, if a virus is detected, it will have already infected
itself or another (possibly unknown) program. If this happens
you may be able to tell which program was infected by looking for the
program(s) with the newest modification time.
You should make a backup of your hard disk and all the files you intend to check
(including virusck.exe) before you use this program! Put them on a write
protected bootable disk. Also read the file VIRUSCK.DOC and the software license
before you use the program.
WHAT TO DO IF YOU THINK YOU HAVE FOUND A VIRUS:
If you type
A:>virusck COMMAND.COM
A:>exit
and you get a message saying
the sizes or times are different, first write down all the numbers,
and then:
1. Immediately reboot off a known good (write protected) system disk.
2. Copy the infected COMMAND.COM to a blank formatted disk.
3. Do a directory of the infected disk, noting all the file
access times and look for times that match the time when you ran
virusck. These files are probably also infected. You also should check
the 'hidden' system files (using Norton, or PCTOOLS, or one of the
many utility programs).
4. Copy all the infected files to the blank disk.
SEND me the disk IMMEDIATELY!! I may be able to find a way to kill the
virus.
5. Copy your backup copy of all the infected files, overwriting the
possibly infected ones.
6. Run virusck on the old COMMAND.COM again. If you get the same message
you are in trouble. You can try again on another backup copy,
if you have one. If you are already infected on your backups, you will have
to find a way to rid yourself of the virus (throwing away the backups and
starting again with all new software is one way).
If you are not convinced about the validity of the virusck program,
do the following:
1. Try to get another copy from a different bulletin board.
2. Look at the binary files using strings.exe, debug, or a disk editor.
3. Use the flushot program.
4. Write protect everything.
If you are still not convinced,
I will send you the 'C' source code for $10.00 with the stated condition in
writing from you that you won't distribute it and will use it only for
validity testing purposes.