home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Shareware Overload
/
ShartewareOverload.cdr
/
virus
/
vshld75.zip
/
VSHLD75.DOC
< prev
Wrap
Text File
|
1991-02-26
|
29KB
|
646 lines
VSHIELD Version 3.1V75
VSHIELD1 Version 0.2
Copyright (C) 1989, 1990, 1991 by McAfee Associates.
All rights reserved.
Documentation by Aryeh Goretsky.
McAfee Associates (408) 988-3832 office
4423 Cheeney Street (408) 970-9727 fax
Santa Clara, CA 95054-0253 (408) 988-4004 BBS 2400 bps
U.S.A (408) 988-5138 BBS HST 9600
(408) 988-5190 BBS v32 9600
TABLE OF CONTENTS
SYNOPSIS . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
- What VSHIELD is, system requirements
AUTHENTICITY . . . . . . . . . . . . . . . . . . . . . . . . . .2
- Verifying the integrity of VSHIELD
WHAT'S NEW . . . . . . . . . . . . . . . . . . . . . . . . . . .3
- Features, new viruses added in this release
OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . .4
- Detailed description of VSHIELD
OPERATION. . . . . . . . . . . . . . . . . . . . . . . . . . . .6
- Options to use with VSHIELD
EXAMPLES . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
- Samples of frequently-used options
INSTALLATION . . . . . . . . . . . . . . . . . . . . . . . . . .9
- How to install VSHIELD on your system
EXIT CODES . . . . . . . . . . . . . . . . . . . . . . . . . . .9
- For running VSHIELD from batch files
VIRUS REMOVAL. . . . . . . . . . . . . . . . . . . . . . . . . .10
- What to do if a virus is found
REGISTRATION . . . . . . . . . . . . . . . . . . . . . . . . . .11
- How to register VSHIELD in the U.S. and abroad
TECH SUPPORT . . . . . . . . . . . . . . . . . . . . . . . . . .11
- Information you should have ready when calling
APPENDIX A . . . . . . . . . . . . . . . . . . . . . . . . . . .12
- Creating an exception list for the /CERTIFY option
VERSION NOTES. . . . . . . . . . . . . . . . . . . . . . . . . .13
- Program history
Page 1
VSHIELD Version 3.1V75 Page 2
SYNOPSIS
VSHIELD is a virus prevention program for IBM PC and
compatible computers. It will prevent viruses from infecting your
system. When VSHIELD first loads it will search the PC for known
computer viruses in memory, the partition table, boot sector,
system files, and itself and then install itself as a
Terminate-and-Stay-Resident (TSR) program. It will then scan all
programs before allowing the system to execute them. If any
program contains a virus, VSHIELD will refuse to allow it to
execute. It will also not allow the system to be warm-booted from
any diskette which contains a boot-sector virus. VSHIELD can
optionally check files that have been validation coded by the
VIRUSCAN (SCAN) program for new, unknown viruses.
VSHIELD can monitor a system for viruses by checking a program
for virus signatures, checking the validation code added by the
VIRUSCAN program to a file, or do both. Two separate programs are
available. The first, VSHIELD.EXE, does known-virus and validation
checking. The second program, VSHIELD1.EXE, does validation
checking only. The VSHIELD programs will monitor all program loads
regardless of the disk they occur on.
VSHIELD optionally provides access control functions to reduce
the risk of introducing computer viruses from unknown software.
VSHIELD will run on any PC with 256Kb and DOS version
2.0 or greater. VSHIELD1 uses 6Kb of system memory. VSHIELD uses
37Kb of system memory in non-swap mode, or 3Kb if swapping-to-disk
is specified.
AUTHENTICITY
VSHIELD is packaged with the VALIDATE program to ensure the
integrity of the VSHIELD.EXE and VSHIELD1.EXE files. The
VALIDATE.DOC instructions tell how to use the VALIDATE program.
The VALIDATE program is distributed with VSHIELD and may be used
to check all future versions of VSHIELD.
The validation results for the VSHIELD Version 75 and
VSHIELD1 Version 0.2 programs should be:
FILE NAME: VSHIELD.EXE VSHIELD1.EXE
SIZE: 32,211 11,281
DATE: 02-26-1991 02-14-1991
FILE AUTHENTICATION
Check Method 1: 59CD 6B40
Check Method 2: 07F3 103E
If your copy of the VSHIELD programs differ, they may have been
modified. Always obtain your copy of VSHIELD from a known source.
The latest version of VSHIELD and validation codes for VSHIELD.EXE
and VSHIELD1.EXE can be obtained off of McAfee Associates bulletin
board system at (408) 988-4004.
VSHIELD Version 3.1V75 Page 3
Beginning with Version 72, all McAfee Associates programs for
download are archived with PKWare's PKZIP Authentic File
Verification. If you do not see the "-AV" message after every file
is unzipped and receive the message "Authentic Files Verified!
# NWN405 Zip Source: McAFEE ASSOCIATES" when you unzip the files
then do not run them. If your version of PKUNZIP does not have
verification ability, then the message may not be displayed.
Please contact McAfee Associates if your .ZIP file has been
tampered with.
WHAT'S NEW
Version 75 of VSHIELD adds protection against the Cancer,
Lazy, Phantom, V-299, and V-555 viruses. For more information
about these viruses, please refer to the enclosed VIRLIST.TXT file.
VSHIELD Version 3.1V75 Page 4
OVERVIEW
VSHIELD is a memory-resident program that prevents viruses
from infecting your computer. VSHIELD does this by checking
program files before they are loaded into the computer and
executed. If a virus is found, or a program does not match its
validation check, or a file is not on the /CERTIFY list, then
VSHIELD will not allow the file to be executed, preventing the
virus from infecting your system. VSHIELD will also check the disk
the computer is booting from for boot sector and partition table
viruses. In the event that a virus is found, VSHIELD will not
allow the system to reboot and will prompt the user to insert a
clean, write-protected boot disk and run the VIRUSCAN program
to determine the extent of the infection.
When VSHIELD is placed in the AUTOEXEC.BAT file, it will
install itself each time the system is turned on or rebooted. It
will proceed to check the memory, partition table, boot sector,
system files, and itself for viruses and then install itself as a
Terminate-and-Stay-Resident (TSR) program. It then monitors all
program loads for viruses. If a virus is found using Level I
protection, a warning message will be displayed stating the name
of the modified file. If a virus is found using Level II or III
protection, a warning message will be displayed stating the
filename and name of the virus. Loading will then be terminated,
preventing infection of the system by the infected program.
If a program is loaded using the /CERTIFY option that has not been
validated or is not on the exception list, then a message will
be displayed saying that access has been denied.
When the power is turned off and the system is booted (without
VSHIELD) off an infected floppy, VSHIELD will detect the
infection the next time VSHIELD is executed. VSHIELD level II and
III protection will also prevent partition table and boot sector
infector viruses from infecting the system during a a warm reboot
of the system (Ctrl-Alt-Del). It does thsi by examining the
diskette being booted from and halting the reboot process if a
virus is found.
VSHIELD has four levels of user-selectable protection:
- Level I protection, provided by the VSHIELD1 program, checks
the Cyclic Redundancy Check (CRC) validation code values added
to programs by the VIRUSCAN program's /AV option. If a
program no longer matches its validation code VSHIELD1 will
not allow it to execute. VSHIELD1 will also check the
partition table and boot sector validation codes, if present.
Level I protection provides a minimal degree of protection,
and it is recommended that Level II protection or above be
used if system resources permit.
VSHIELD Version 3.1V75 Page 5
- Level II protection, provided by the VSHIELD program, checks
program files for virus signatures. A virus signature is a
piece of code or pattern unique to each computer virus strain.
VSHIELD will check the memory, partition table, boot sector,
system files, and itself for viruses before installing itself
as a TSR program. It will then check programs loaded after
it installs itself for computers viruses. If a virus is
found, VSHIELD will not allow the program to execute. VSHIELD
will also not allow a computer to be warm-rebooted from a
diskette infected with a partition table or boot sector
infector.
- Level III protection is a combination of Level I and Level II
Protections.
- Level IV protection is access control and allows the user to
specify which programs can and can not be run. Level IV
protection can be set up so that only programs that are listed
in a certification file may be run on a given system. It may
also be set up so that only those programs that have been
validated by VIRUSCAN may be run.
Each level of protection has its advantages and disadvantages.
The Level I protection, VSHIELD1, requires the least amount
of system overhead, using #Kb of system memory. It provides
minimal protection, however.
The Level II, III, and IV protections requires 37Kb of system
memory, but this can be reduced to 3Kb by using the /SWAP option.
The /SWAP option leaves a VSHIELD kernel in memory that swaps
the main body of the program in and out of memory as needed.
VSHIELD will add an average of four seconds to each program
load, and six seconds to each reboot. Using the /SWAP option adds
an additional 600 milliseconds to each program load. VSHIELD
will not degrade the performance of the system in any way once a
program has been loaded.
VSHIELD1 will add an average of 1 second to each program load.
NOTE: VSHIELD and VSHIELD1 should not be used simultaneously.
Either one or the other should be selected.
VSHIELD Version 3.1V75 Page 6
OPERATION
IMPORTANT NOTE: CREATE A BACKUP DISK BY COPYING THE VSHIELD
PROGRAMS TO A BLANK FLOPPY AND WRITE-PROTECTING IT BEFORE RUNNING
THE PROGRAMS. THIS WILL GIVE THE USER A VALID BACKUP IN CASE THE
PROGRAMS BECOME INFECTED.
VSHIELD and VSHIELD1 will monitor your system for attempts to
load an infected program. If an infected program is loaded,
VSHIELD will display a message stating the name of the file, the
virus infecting it, and will prevent the file from being executed;
and VSHIELD1 will display a message stating the name of the file,
the fact that it has been modified, and will prevent the file from
being executed.
To run VSHIELD type:
VSHIELD /CERTIFY filename /CONTACT message /CV /F pathname /LOCK
/M /NB /NOMEM /SWAP pathname
Options are:
/CERTIFY filename - Enable access control with exception list
/CONTACT message - Display message when virus is found
/CV - Check validation codes added by VIRUSCAN
/LOCK - Halt and freeze system when virus is found
/M - Scan memory for all viruses during install
(see restrictions below)
/NB - Disable boot sector checking
/NOMEM - Skip memory checking
/REMOVE - Uninstall VSHIELD from memory
/SWAP pathname - Install VSHIELD kernel as memory-resident
/F pathname - Required parameter for DOS 2.0 or earlier
The /CERTIFY option allows a systems administrator to control
access to executable files. This can be used to prevent
unauthorized software from running that could introduce a computer
virus. When run with the /CV option, /CERTIFY allows only files
that have had validation codes inserted into them with the VIRUSCAN
program to execute. An exception list of "trusted" files can also
be made to allow files on the exception use to be executed. if
/CERTIFY is used wothout the /CV option, then only those programs
in the exception list will be allowed to run on the system. For
instructions on how to create an exception list, refer to Appendix
A.
NOTE: Running /CERTIFY without /CV option or an exception list
will prevent all programs other than DOS internal commands from
being run.
The /CONTACT option displays a contact name and phone number
when a virus is found. The name and number message can be fifty
(50) characters long, and can contain any characters. If the
message begins with a slash "/" or a hyphen "-" then the message
must placed in quotation marks.
VSHIELD Version 3.1V75 Page 7
The /CV option checks validation codes inserted by the
VIRUSCAN program to provide Level III protection as defined above.
If a file no longer matches its validation code, VSHIELD will
report that the file has been modified, that viral infection may
have occurred, and will not allow the program to execute. If the
/CV option is not specified, VSHIELD will provide Level II (virus
signature) checking only. For information about the installation
of CRC validation codes, please refer to the VIRUSCAN program
documentation.
The /F option is required if the user wishes to use the /SWAP
command and is running DOS 2.0 or earlier. The /F option tells
VSHIELD where it has been loaded from. The complete pathname must
be specified.
The /LOCK option will halt the system if a virus is found so
that processing cannot continue.
The /M option tells VSHIELD to check system memory for all
known computer viruses that are memory resident before installing
itself. By default, VSHIELD only checks memory for critical and
"stealth" viruses, which are viruses that can cause damage or
spread during the scanning process. If a critical or "stealth"
virus is found, VSHIELD will stop the system and advise the user
to cold boot the machine from a clean copy of DOS and scan the
system for viruses. For a listing of critical viruses, see the
VIRUSCAN documentation.
The /NOMEM option is used to turn off all memory checking for
viruses during installation. It should only be used when a system
is known to be free of viruses. This option can not be used with
the /M option.
The /NB option will tell VSHIELD not to look at the partition
table and boot sector.
The /REMOVE option will uninstall the VSHIELD program and
remove it from memory. If other memory-resident programs prevent
VSHIELD from being uninstalled an error message will appear.
The /SWAP option tells VSHIELD to install only its kernel as
memory resident. The VSHIELD program will then be swapped in and
out of memory as needed from a hard disk or RAM disk. The
placement of a path after the /SWAP command is optional, and should
only be used if VSHIELD is to be swapped from other than the path
from which it is being executed.
NOTE: The /SWAP parameter should only be used if the computer has
a limited amount of system memory available for memory-resident
programs. It is recommended that VSHIELD be used without the /SWAP
option whenever memory permits.
VSHIELD Version 3.1V75 Page 8
To run VSHIELD1 type:
VSHIELD1 /NB /REMOVE
Options are:
/NB - Bypass boot sector checking
/REMOVE - Uninstall VSHIELD1 from memory
The /NB option will tell VSHIELD not to look at the partition
table and boot sector. This option should only be used if VSHIELD1
continually reports that the boot sector has been modified. This
occurs on some old Hewlett Packard and Zenith systems because they
modify the boot sector each time the system is booted. Check your
system's manual to determine if your system contains self-modifying
boot code.
The /REMOVE option will uninstall the VSHIELD1 program and
remove it from memory. If other memory-resident programs prevent
VSHIELD1 from being uninstalled an error message will appear.
EXAMPLES
The following examples are shown as they would be typed in on
the command line.
VSHIELD1
To install VSHIELD (Level I protection)
VSHIELD
To install VSHIELD (Level II protection)
VSHIELD /CV
To install VSHIELD (Level III protection)
VSHIELD /CV /CERTIFY EXCPTN.LST
To Install VSHIELD (Level IV protection) with CRC and
exception list checking.
VSHIELD /SWAP
To install VSHIELD kernel only as memory resident and
swap from root directory of disk on DOS 3.0+ system
VSHIELD /SWAP /F C:\VSHIELD.EXE
To install VSHIELD kernel only as memory resident and
swap from root directory of disk on DOS 2.0 system
VSHIELD /CV /CONTACT "Please Contact the PC Help Desk"
To install VSHIELD using Level III protection, and
display
a message if virus is found.
VSHIELD Version 3.1V75 Page 9
INSTALLATION
VSHIELD and VSHIELD1 should be normally placed at the
end of the AUTOEXEC.BAT file. The exception is any AUTOEXEC file
that contains a DOS Shell routine. In this circumstance, VSHIELD
or VSHIELD1 should be loaded immediately prior to the Shell
routine.
If network drivers are being used, VSHIELD *MUST* be
loaded AFTER the network drivers, preferably at the end of the
AUTOEXEC. This is because network drivers replace normal DOS
functions in a manner that prevents VSHIELD from recognizing
program loads if VSHIELD is loaded first. Running VSHIELD after
network drivers have been loaded will ensure proper virus
protection.
It is recommended that VSHIELD be used in non-swap mode if
free memory permits. Use of the /SWAP option may cause conflicts
with programs that fail to allocate memory properly. If conflicts
occurs do occur, remove the /SWAP option and reboot the machine.
If there is not enough memory to load VSHIELD in non-swap mode,
than the VSHIELD1 program should be used instead.
ERROR LEVELS
VSHIELD will set the following DOS ERRORLEVELS prior to going
resident:
VALUE | DESCRIPTION
------+--------------------------
0 | No viruses found
1 | One or more viruses found
2 | Abnormal termination (program error)
VSHIELD Version 3.1V75 Page 10
VIRUS REMOVAL
What do you do if a virus is found? You can contact McAfee
Associates for assistance with manually removing the virus, for
disinfection utilities, and for more information about the virus.
When an infection is found, the VIRUSCAN program should be run
to scan the entire system to determine the extent of infection.
The VIRUSCAN program is available for download off of McAfee
Associates' BBS.
The CLEAN-UP universal virus disinfection program is available
and will disinfect the majority of reported computer viruses. It
is updated frequently to remove new viruses. The CLEAN-UP program
can be downloaded from McAfee Associates' BBS.
It is strongly recommended that you get experienced help in
dealing with viruses, especially critical viruses that can damage
or destroy data [for a listing of critical viruses, pleae refer to
the VIRUSCAN program documentation] and partition table or boot
sector infecting viruses, as improper removal of these viruses
could result in the loss of all data and use of the disk(s).
IF CLEAN-UP IS NOT AVAILABLE:
For Boot Sector Infectors
Power down the infected system and boot off of an uninfected,
write-protected diskette. Use the DOS SYS command to attempt
to overwrite the boot sector. This works in many cases. Run
VIRUSCAN to see if the virus has been eradicated. If this
does not work, do a file-by-file backup of the system followed
by a low-level format of the disk. For a floppy diskette,
copy the files off of the infected diskette using the DOS COPY
command, not XCOPY or DISKCOPY which can transfer the virus.
Reformat or discard the infected floppy.
For File infectors
Power down the infected system and boot off of an uninfected,
write-protected diskette. Run VIRUSCAN with the /D and /A
options. Scan all original disks for viruses and replace
programs from them if clean.
For Partition Table Infectors
Power down the infected system and boot off of an uninfected,
write-protected diskette. Do a file-by-file backup of the
system (in other words, do not backup the partition table).
Do a low-level format (PREP) of the disk. Repartition the
disk with DOS FDISK. Do a high level format with the DOS
FORMAT command. Reload files from the backup.
Disinfection utilities are available for the majority of reported
computer viruses, these programs can be downloaded directly from
McAfee Associates' BBS or purchased directly from McAfee
Associates.
VSHIELD Version 3.1V75 Page 11
REGISTRATION
A registration fee of $25.00US is required for the use of
VSHIELD by individual home users. Registration is for one year and
entitles the holder to unlimited free upgrades off of McAfee
Associates' bulletin board. Diskettes are not mailed unless
specifically requested. Add $9.00US for diskette mailings.
Registration is for home users only and does not apply to
businesses, departments, organizations, government agencies, or
schools, who must obtain a site license for use. Contact McAfee
Associates for more information.
Outside of North America, registration and support may be
obtained through the agents listed in the accompanying AGENTS.TXT
text file.
TECHNICAL SUPPORT
In order to facilitate speedy and accurate support, please
have the following information ready when you contact McAfee
Associates:
- Program name and version number.
- Type and brand of computer, hard disk, plus any
peripherals.
- Version of DOS you are running, plus any TSRs or device
drivers in use.
- Printouts of your AUTOEXEC.BAT and CONFIG.SYS files.
- The exact problem you are having. Please be as specific
as possible. Having a printout of the screen and/or
being at your computer will help also.
McAfee Associates can be contacted by BBS or fax twenty-four hours
a day, or call our business office at (408) 988-3832, Monday
through Friday, 8:30AM to 6:00PM Pacific Standard Time.
McAfee Associates (408) 988-3832 office
4423 Cheeney Street (408) 970-9727 fax
Santa Clara, CA 95054-0253 (408) 988-4004 BBS 2400 bps
U.S.A (408) 988-5138 BBS HST 9600
(408) 988-5190 BBS v32 9600
VSHIELD Version 3.1V75 Page 12
APPENDIX A: Creating an Exception List for the /CERTIFY Option
The Exception List data file should be created with an editor
or word processor and saved as an ASCII text file. Be sure each
line ends with a CR/LF pair.
NOTE: The /CERTIFY option is intended for use in environments
where there is significant risk of viral infection due to the use
of unauthorized software. It is not intended for use in an
environment where new software is introduced on a continious basis.
When /CERTIFY is run with the /CV option, only files that have been
validated by the VIRUSCAN program will be allowed to run. When run
with an Exception List, only files in that list will be allowed to
run. Running /CERTIFY with both the /CV option and an exception
list will allow both files that have been validated with the
VIRUSCAN program and files on the exception list to be run.
The Exception List uses the following format:
d:\pathnam1\filenam1.ext
*comment
.
.
d:\pathnam1\filenam2.ext
*more comments
Where "d:" is the name of the drive, "\pathnam1\" is the name of
the path, and "filename.ext" is the name of the file, including the
extension. Up to 1,000 characters worth of filenames can be
specified. Comment lines are preceded with an asterisk "*" and are
ignored by VSHIELD.
Running /CERTIFY without /CV option or an exception list will
prevent all programs other than DOS internal commands from being
run.
VSHIELD Version 3.1V75 Page 13
VERSION NOTES
Version 74, 74-B:
Version 74-B fixes a bug in V74 that caused VSHIELD to
misidentify the Stoned virus on some removable media.
Version 74 of VSHIELD adds 51 new viruses and over 100 new
variants of existing viruses, bringing the total number of known
computer viruses to 475.
The 1591 virus was sent to us from multiple sites in Quebec,
Canada, Oslo, Norway, and the United States. It is a
memory-resident file infector that attaches to .COM and .EXE files
when a disk is accessed via internal DOS commands.
The 903 virus was sent to us by Djennad Nasser from France.
It is a .COM file infector.
The Holocaust virus was sent to us by David Llamas of
Barcelona, Spain. It is a .COM file infector that uses "stealth"
type techniques.
The BeBe, Kuka, Kuka/Turbo, Lozinsky, MGTU, Nina, Off Stealth,
Polish-532, Sverdlov, Tiny-133, USSR-series, and Voronezh viruses
were discovered in the Soviet Union and Eastern Europe and sent to
us from numerous sources there and in Western Europe. They are not
believed to exist in the West.
The Christmas Violator, F-Word, Parity, Beeper, Best Wish,
Leapfrog Destructor, Happy New Year Hymm, Justice, Label, V961,
Swiss-143, Sentinel, Plague, Monxla-B, Little Pieces, IKC528,
Hybrid, Dir-Vir, Stone90, Saddam, and Iraqui Warrior viruses were
sent to us from various sources around the globe.
For more information about these viruses, please refer to the
enclosed VIRLIST.TXT file
Two new commands have been added to VSHIELD: The /CONTACT
option allows a custom message to be displayed if a virus is
found. The /CERTIFY option provides control over file execution.
It will prevent any program from being executed if it has not been
validated as an authorized program for a given site.
Version 72:
Version 72 prevents four new viruses, bringing the number of
known computer viruses to 162 known computer viruses, and their 261
associated variants:
The ZeroHunt virus was uploaded to Homebase BBS by Paul
Ferguson of Washington, D.C., USA. It is a memory-resident
infector that attaches itself to the stack space in .COM files.
Since the virus is attaching itself inside a file, as opposed to
adding itself to the beginning or end, the size of the file will
not change.
The Bloody! virus has been reported in Massachusetts, USA as
well as Taiwan and Europe. It infects the boot sector of a floppy
disk and the partition table of the hard disk. After approximately
128 reboots, the virus displays the message "Bloody! Jun. 4, 1989"
which is the date of the Tiananmen Square Massacre in Beijing,
China.
The Jeff virus is a .COM file infector that destroys data by
writing garbage to the hard disk. It contains the text "Jeff is
visiting your hard disk."
The Music Bug virus has been reported in Woodland Hills,
California and Orlando, Florida as well as Taiwan. It infects the
boot sector of a a floppy disk and the partition table of the hard
disk. The Music Bug plays children's nursery tunes after a
specified
time. It contains the text "MusicBug v1.06. MacroSoft Corp."
Version 71:
Version 71 of VSHIELD adds a lock feature to prevent users
from continuing to use the system if a virus is found. When the
/LOCK option is used, VSHIELD will freeze the system after
displaying a message identifying the virus and the virus location.
Version 71 of VSHIELD adds sixteen new viruses, bringing the
total number of known computer viruses to 157, and total number of
virus variants to 260