VKILLER Version 3.11 February, 1990
This Archive contains the most recent version of VKILLER, the virus
detect-and-kill utility for the Atari ST.
The program works in medium or high resolution, and is completely mouse/icon
driven. The program may also be controlled by the keyboard. In this
document, all the keyboard commands are indicated as capital letters, but
that is not mandatory. Lower case letters will provide the same functions.
In most cases, the first letter of the label under an icon is the key that
will accomplish the same function as a click on the icon.
Click on the FLOPPY A icon, or press the "A" key, to check the disk in drive
A for a virus. Click on the FLOPPY B icon, or press the "B" key, to check
the disk in drive B for a virus. When you access a disk, the program reads
in the boot sector, both copies of the File Allocation Table (FAT), the
disk's root directory, and the first few data sectors.
Once you have accessed a disk to check it for a virus, you can write the
data from the disk into a file, print it, or show it on the screen.
To write the disk data into a file, click on the "FILE" icon, or press the
"F" key. A file selector will appear. Use it to designate the file you wish
to write. The resulting file is not executable, even if the boot sector of
the floppy was an executable one. It is a data file with an image of the
significant portions of the disk.
To print the data, click on the PRINT icon, or press the "P" key. An alert
box will appear. You may choose to print either the same data that is
available in the "SHOW" window, or only the boot sector.
To show the data on the screen, click on the SHOW icon, or press the "S"
key. The window will expand to nearly the full screen, and display all the
data read from the disk. Use the window's scroll bar to move back and forth
through the data. Close the data window, by clicking on the close box, to
return to the main screen. Pressing any of the active keyboard keys will
also close the data window and return to the main screen.
If the disk contains a virus, or garbage in the boot sector, you can clean
it up by clicking on the KILL icon, or pressing the "K" key. When the
program executes a "KILL", it writes zeroes into all the non critical bytes
in the boot sector. No other portion of the disk is altered, and any files
on the disk are left intact. The resulting boot sector provides a disk
readable by both ST's and MS-DOS systems. It is not necessary to display a
disk's data before executing a kill on it. You can insert a disk and press
"K", or click on the Kill icon, immediately. The disk's boot sector will be
read, the critical portions preserved, and the non critical portions zeroed
out.
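What a kill amounts to on a 512-byte boot sector image, as an added example (not VKILLER's own code). It assumes the standard ST rule that a boot sector is executable when its 256 big-endian words sum to $1234, and that the critical bytes are the serial number and disk parameters at offsets 8 to 29; the document does not say exactly which bytes VKILLER preserves. All names are hypothetical.

```python
import struct

SECTOR = 512
MAGIC = 0x1234        # word sum that marks an ST boot sector as executable
KEEP = slice(8, 30)   # assumed critical bytes: serial number + disk parameters

def word_sum(boot: bytes) -> int:
    """Sum the sector as 256 big-endian 16-bit words, truncated to 16 bits."""
    if len(boot) != SECTOR:
        raise ValueError("expected a 512-byte boot sector")
    return sum(struct.unpack(">256H", boot)) & 0xFFFF

def is_executable(boot: bytes) -> bool:
    """True when the ST would run this boot sector at power up or reset."""
    return word_sum(boot) == MAGIC

def kill(boot: bytes) -> bytes:
    """Zero every byte except the assumed critical ones."""
    if len(boot) != SECTOR:
        raise ValueError("expected a 512-byte boot sector")
    clean = bytearray(SECTOR)
    clean[KEEP] = boot[KEEP]
    # Edge case: if the preserved bytes alone sum to the magic value, the
    # sector would still count as executable, so break the sum in a filler byte.
    if word_sum(bytes(clean)) == MAGIC:
        clean[SECTOR - 1] = 1
    return bytes(clean)

def sample_executable() -> bytes:
    """Constructed test sector: standard parameters, harmless code, valid sum."""
    boot = bytearray(SECTOR)
    boot[0:2] = b"\x60\x1c"                       # 68000 BRA.S to offset 30
    boot[8:30] = bytes.fromhex(                   # constructed serial + parameters
        "abcdef" "0002" "02" "0100" "02" "7000" "a005" "f9"
        "0500" "0900" "0200" "0000")
    boot[30:40] = b"\x4e\x71" * 4 + b"\x4e\x75"   # NOP x4, RTS
    fix = (MAGIC - word_sum(bytes(boot))) & 0xFFFF
    struct.pack_into(">H", boot, SECTOR - 2, fix) # last word balances the sum
    return bytes(boot)
```
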
If you wish to install a "Guard" boot sector on a disk, click on the guard
icon, or press the "G" key. A dialog box will appear, offering a choice of
two types of guard boot sectors.
The first guard boot sector is the "Display" type. It contains a simple
program which will display the message "Virus free disk" when the system is
powered up or reset with that disk in drive A. Once the message has been
displayed, the program returns to the operating system to continue with the
power up sequence. It does not remain in memory. If you reset the system
with that disk in drive A, and the message does not appear, you should
immediately check that disk for a virus. The only reason why the message
would not appear is if the boot sector has been altered, possibly by a
spreading virus. This guard boot sector is an adaptation of one originally
written by Mark S. Powell.
The second guard boot sector is the monitoring type. This one also displays
a message at power up and reset. Unlike the display version, however, this
guard remains active in memory until the system is reset again. Of course,
if the disk in drive A at the next reset contains the guard boot, it will be
reloaded again. Otherwise, it is removed from the system.
While the monitor is active, it checks the boot sector of every disk that is
accessed by the ST. If it detects an executable boot sector on any disk, it
will flash the screen colors, and sound a warning tone. If the disk just
accessed was not one that should have an executable boot sector, you should
become suspicious. The monitor will not issue a warning for disks which
contain copies of itself.
Vkiller now contains a feature for repairing the boot sector of a damaged
disk. Activate it by clicking on the repair icon, or pressing the "R" key.
It will not re-create executable boot sectors, such as those required for
self booting games. When a disk boot sector is damaged, the disk will be
deemed unreadable by the ST's operating system. If only the boot sector is
damaged, repairing it may allow the data on the disk to be recovered.
When you activate the repair function, a dialog box appears. It contains all
the data that can vary in a disk's boot sector. The individual entries are
each editable. They will originally contain whatever value was read from the
disk. This may not be reasonable or valid if the boot sector was corrupted.
The actual data that is in the boot sector is a bit more obscure than what
the dialog presents, but the needed data can be calculated from what is
presented in the dialog.

OS ID: This is an ASCII data string. It is designed to
provide the identity of the operating system under which
the disk was formatted. It can contain anything. It is
not used by the ST operating system in the current version,
but is supplied for MS-DOS compatibility.

Serial Number: This number is used to tell disks from each
other. The number should be different on every disk. This
box will originally contain the number that came from the disk.
You can enter any value you wish, if you so desire. The
legal range of entries is from 0 - 16,777,215. It should
be stated here that the three bytes in which this number is
stored are also used for the operating system ID on MS-DOS
systems, and will usually have the version number of the
formatter. If you regularly move disks back and forth with
MS-DOS systems, you may encounter problems using them in your
ST, since many will appear to have the same serial numbers.
You should, therefore, avoid the numbers which correspond
to the MS-DOS versions:

1.0 - 3,223,088 through 1.9 - 3,223,097
2.0 - 3,288,624 through 2.9 - 3,288,633
3.0 - 3,354,160 through 3.9 - 3,354,169
4.0 - 3,419,696 through 4.9 - 3,419,705

Format ID - Also for MS-DOS compatibility, and not used
by the ST. The normal ID value is F9.

Reserved Sectors - The number of sectors at the beginning
of the disk which are not used for the FATs, Directory,
or data. Unless you are attempting to do something very
unusual, this should always be 1 (for the boot sector).

Hidden Sectors - Sectors at the beginning of the disk
which should not be accessed. This should be zero.

Sides on Disk - Either 1 or 2. If you come up with a
three sided disk, I'd be very interested in seeing it.

Tracks on Disk - The standard format for an ST is 80.
Extended formatters may provide 81 or 82, if your drive
can step in that far. Some 5.25" disk drives have 40 tracks.

Sectors per Track - The standard for the ST (and MS-DOS)
is 9. Some extended formatters, including "TWISTER",
use 10, while others will go to 11. The ST's desktop
formatter always uses 9.

Sectors per FAT - The FAT is the File Allocation Table.
It is a map of how the folders and files are positioned
on the disk. The ST standard is 5. This is more than
adequate, since the capacity of the disk only requires
3. A disk formatted in an MS-DOS system will have 3.
When viewed as data, a FAT looks like a bunch of garbage.
There will always be two copies of it, at the start of a
disk. You can use the "Show" feature of Vkiller to look
at the disk. If sectors 1 and 4 look the same, and the
directory starts at sector 7, the disk has a 3 sector FAT.
If sectors 1 and 6 look the same, and the directory starts
in sector 11, the disk has a 5 sector FAT.

Directory Sectors - The number of disk sectors provided
for the disk directory. The ST standard is 7.

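How the dialog's values relate to the raw boot sector, as an added example (not VKILLER's own code). The byte offsets are the standard ST/MS-DOS boot sector layout, which this document does not spell out; the function names and the sample values are hypothetical. Reading the three serial bytes most-significant first reproduces the MS-DOS table above, since the ASCII text "1.0" becomes 3,223,088.

```python
import struct

SECTOR = 512  # bytes per sector

def parse_boot_sector(boot: bytes) -> dict:
    """Map the raw boot-sector bytes to the values the repair dialog lists."""
    if len(boot) != SECTOR:
        raise ValueError("expected a 512-byte boot sector")
    # Disk parameters are little-endian bytes/words starting at offset 11.
    (bps, _spc, reserved, nfats, ndirs, nsects, media,
     spf, spt, sides, hidden) = struct.unpack_from("<HBHBHHBHHHH", boot, 11)
    per_track = spt * sides
    return {
        "os_id": boot[2:8].decode("ascii", "replace"),
        "serial": int.from_bytes(boot[8:11], "big"),
        "format_id": f"{media:02X}",
        "reserved": reserved,
        "hidden": hidden,
        "sides": sides,
        # Not stored directly: derived from the total sector count.
        "tracks": nsects // per_track if per_track else None,
        "sectors_per_track": spt,
        "sectors_per_fat": spf,
        # Stored as a count of 32-byte directory entries, not as sectors.
        "directory_sectors": ndirs * 32 // bps if bps else None,
        "directory_start": reserved + nfats * spf,
    }

def msdos_version(serial: int):
    """Return 'n.n' if the serial's bytes spell MS-DOS version 1.0 to 4.9."""
    if not 0 <= serial <= 0xFFFFFF:
        raise ValueError("serial number must fit in three bytes")
    text = serial.to_bytes(3, "big")
    if text[0:1] in (b"1", b"2", b"3", b"4") and text[1:2] == b"." \
            and text[2:3].isdigit():
        return text.decode("ascii")
    return None

def sample_boot_sector(serial: int = 3354163) -> bytes:
    """Constructed sample: ST-standard double-sided disk parameters."""
    boot = bytearray(SECTOR)
    boot[2:8] = b"Loader"                     # constructed OS ID
    boot[8:11] = serial.to_bytes(3, "big")
    struct.pack_into("<HBHBHHBHHHH", boot, 11,
                     512, 2, 1, 2, 112, 1440, 0xF9, 5, 9, 2, 0)
    return bytes(boot)
```
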
If the data in the dialog appears to be nonsense, the disk's boot sector has
been corrupted. This may be due to a wide range of reasons, not just a
virus. To set the values to the ST standards, you can enter the appropriate
values for each item, or select the "Set Defaults" button. It will set the
normal values for most of the entries, and generate a random serial number.
You should, however, ensure that the number of tracks, sectors, and sides on
the disk are correct for that particular disk. If you aren't certain, you
can use the "Scan Disk" function.
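When the boot sector values are nonsense, the comparison given under "Sectors per FAT" (sector 1 against sector 4 or sector 6) can be applied directly to a raw disk image to recover the FAT size and directory start. This is an added example, not part of VKILLER; the function names and the constructed image are hypothetical, and it assumes 512-byte sectors and two FAT copies as the document describes.

```python
SECTOR = 512  # bytes per sector

def sector(image: bytes, n: int) -> bytes:
    """Return logical sector n of a raw disk image (short if truncated)."""
    return image[n * SECTOR:(n + 1) * SECTOR]

def infer_fat_layout(image: bytes, reserved: int = 1, candidates=(3, 5)):
    """Return (sectors_per_fat, directory_start), or None if nothing fits.

    The second FAT copy begins where the first ends, so its first sector
    repeats the sector that follows the reserved area.
    """
    first = sector(image, reserved)
    if len(first) < SECTOR or not any(first):
        return None  # truncated image or blank FAT: nothing to compare
    for spf in candidates:
        if sector(image, reserved + spf) == first:
            return spf, reserved + 2 * spf
    return None

def sample_image(spf: int) -> bytes:
    """Constructed image: garbage boot sector, two FAT copies, empty directory."""
    fat = bytearray(spf * SECTOR)
    # Two reserved 12-bit entries, then one file occupying clusters 2 and 3.
    fat[0:6] = bytes.fromhex("f9ffff03f0ff")
    return b"\xa5" * SECTOR + bytes(fat) * 2 + bytes(7 * SECTOR)
```
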
When you select the scan disk function, a dialog with a number of selectable
boxes appears. To repair a damaged disk, the program must know the number of
tracks, sectors per track, and sides on the disk. If you know any of those
facts, enter them in the dialog by clicking on the appropriate boxes. If you
don't know, leave the boxes unselected. The program will attempt to
determine the disk's configuration by reading different areas, to establish
any of the entries that you do not provide. You can also have a set of
default values inserted by clicking on the "Default" button.
Since the number of tracks on a disk may vary, the program will attempt to
determine how many tracks were originally on the disk by stepping the disk
head in and reading data, until it reaches an unreadable area. It will not
continue stepping in past an unreadable track, but it will continue stepping
in until it does reach an unreadable track. This, of course, will be one
track further than the disk's formatting originally extended. While it
is extremely unlikely, it is possible that repeated execution of this
stepping in operation, which could extend beyond the range of the drive,
could cause the disk's head to become mis-aligned. It has not occurred
through weeks of testing, and would probably require thousands of such
operations, but it is possible. If you wish to prevent the head from
stepping in past some specific track, click on the last track you wish the
disk to access, and select the "Limit" box. The head will not be stepped in
beyond the track you select, even if that track does contain readable data.
Of course, if an unreadable track is detected before that limit is reached,
no further stepping will occur.
After all the physical configuration parameters have been entered or
determined, the original dialog box will re-appear. The values determined by
scanning the disk will have been updated. You may edit them again, if you
wish, before writing the disk's boot sector. After the disk has been
updated, the program returns to the familiar disk data window.
Since this boot sector rebuilding function starts with the data currently on
the disk, it can also be used as a means of altering the data on a
non-infected disk, such as setting serial numbers.
The Menu offers two features under the "Options" title. The first option,
"Quiet", will turn off the warning siren that sounds when a virus is
detected. Clicking on "Quiet" again will turn the siren back on.
Since some viruses check system data, such as ROM dates, to determine if
they can execute, a second "Option" is provided. Clicking on "System Info"
will cause the data window to display information about the system
parameters.
Exit the program by clicking on the "QUIT" icon, or pressing the "Q" key.
When the program detects a virus present on a disk, it will sound a warning
tone, and place a new button on the desktop. To see the details about the
particular virus located, click on the new "Known Virus" box, or press the
"D" key. If you find a lot of disks infected by a virus, and want to stop
the warning tone from sounding on each disk, select the "QUIET" item from
the "OPTIONS" menu.
If the disk contains an executable boot sector, but one that is recognized
as a standard system boot, it will be identified as a "System Disk".
Due to the way ST disks are laid out, and used, there are extra portions of
the FAT which are not normally accessed. There are also more directory
sectors than are typically used. In a freshly formatted disk, these areas
should contain only zeroes. There is a fairly reliable method for
determining when the unused portions of the disk have been altered. A
warning will appear in the disk data window when this situation is detected.
If the disk does not contain an executable boot sector, there is no harm in
this data area not being zeroed. Even if the disk has an unexpected
executable boot sector, this additional data area may not be significant.
The warning is provided for informational purposes only. Since the areas
being scanned for this situation may actually contain important data, the
program will not attempt to alter the data found in those areas. If the data
in this additional area is part of a virus, executing a kill on the boot
sector will render the data in this area harmless.
There are two real problems to keep in mind when dealing with viruses, and
disk boot sectors. The first is that not all executable boot sectors are
viruses. There are times when a boot sector is supposed to be executable.
Executing a KILL on such a boot sector will destroy whatever code was in the
boot sector, and may render the software on the disk useless. Generally
speaking, if the proper use of the software on the disk required you to
reset your ST, or power it off and on to start the program, then the boot
sector was supposed to be executable, and you should not execute a virus
kill on it. Any program which can be executed by clicking on it does not
require an executable boot sector. Consequently, disks used to store such
programs should not contain executable boot sectors.
The second problem is attempting to use VKILLER in a system which has been
infected by a virus, and the virus is executing (attempting to spread) while
VKILLER is attempting to clean it off disks. With all known ST viruses as of
this release (February, 1990), VKILLER will detect this situation. It will
provide instructions on the screen, informing you that there is an active
virus in the system at the time, the exact steps on how to get rid of it,
and how to start cleaning up your disks.
This version of VKILLER can recognize and eliminate 18 different ST viruses.
This is possible only because people who have encountered viruses that
earlier versions of the program did not recognize sent me copies of the new
viruses. If you encounter a virus that the program does recognize, there is
no need to contact me. Just eliminate the virus, and let anyone else you
have given a disk to know that their system may be infected. Give them a
copy of this program if you wish, it is free to anyone who would like it.
If, however, you encounter executable boot sectors spreading through your
library, and this version of VKILLER can't identify it, please contact me at
any of the addresses below. Keep one infected disk, and either send me the
disk, or the file generated by VKILLER's file function. Use the Kill
function to clean up the rest of the disks in your library.
As of this writing, I am investigating about 40 disks each month for new
viruses. If you mail me a disk, or a request for a disk copy of the latest
version, please include a stamped, self addressed return mailer.
VKILLER does not require any "license", "registration", or "shareware"
contributions. Of course, all such contributions are gratefully accepted,
but none are solicited. Circulate the program in any manner you wish. It may
be copied, and distributed freely, but it may not be sold. Reasonable (and
hopefully modest) charges for media, copying, or downloading are acceptable.
George R. Woodside
Voice: (818) 348-9174
Compuserve: 76537,1342
GEnie: G.WOODSIDE
USENET: woodside@ttidca
or: ..!{philabs|csun|psivax}!ttidca!woodside
US MAIL: 5219 San Felicaino Drive
Woodland Hills, CA 91364 USA