1994-03-03
HS v3.5, Boot Virus detection and repair
Contents
1. What is HS?
2. Benefits of this program
3. Compatibility
4. Installation
5. Features
6. How good is HS?
7. Error messages, and other messages from HS
8. Disclaimer, Licensing, Prices, Address
1. What is HS?
HS v3.5 is a small program written to protect against boot
viruses. It checks for changes in the boot sectors of your
harddisk. It will find almost any boot virus, notify you of
the virus, and cold boot your machine after removing the virus.
A copy of the infected boot sector is stored for later examination.
I wrote the program because I couldn't find the virus protection
setup I wanted. My program executes in less than a second, and
generates no output to the screen, as long as no virus is detected.
You will no longer waste your time on boot virus infections!
2. Benefits of this program
A) Very fast
B) Easy to install
C) Catches almost any boot virus
D) Small (less than 5 KB)
E) Automatic removal of detected viruses
F) Works with stealth viruses (even hardware stealth)
G) Does not need regular upgrades
H) Inexpensive
3. Compatibility
HS supports:
PCs and PS/2s
DOS 3.2 --> 7.0
DR-DOS 6.0 & Novell DOS 7.0
OS/2 2.0's Boot Manager
Windows NT's FlexBoot
HS will not RUN under OS/2 or Windows NT, but OS/2 and NT have
"multboot" capabilities and it is possible to use HS when booting
DOS on these "multboot" systems.
4. Installation
1) Make sure your machine is virus free
2) Copy HS.COM and HS.SYS to your harddisk
3) Run HS.COM /M [drive:][path][Savefile]
Where Savefile is an optional filename for the file
containing a copy of the original Master Boot Record
and the DOS Boot Record of the active drive.
The default name for the Savefile is C:\BOOT.HS
Quite a few boot infectors will cause the machine to hang if you
use an alternative primary shell (like 4DOS.COM or NDOS.COM instead
of COMMAND.COM). It is therefore advisable to invoke HS from your
CONFIG.SYS rather than from AUTOEXEC.BAT, as the lines contained in
CONFIG.SYS are handled before control is given to the primary shell.
This gives HS a chance to get rid of the virus and restore the
machine to a working state before you experience such a crash.
4) Insert a line like:
DEVICE=[drive:][path]HS.SYS [drive:][path][Filename]
near the top of your CONFIG.SYS
If this generates a conflict, another possibility is,
Install=[drive:][path]HS.COM [drive:][path][Filename]
near the bottom of your CONFIG.SYS
A third possibility would be to place a line like,
[drive:][path]HS.COM [drive:][path][Filename]
near the top of your AUTOEXEC.BAT
If you are running DR-DOS 6.0, you should use,
DEVICE=[drive:][path]HS.SYS [drive:][path][Filename]
DR-DOS does not support the INSTALL= statement. Using INSTALL
with DR-DOS may cause the machine to hang.
5) Run the [drive:][path]HS.COM [drive:][path][Savefile] from
the command line to check that everything works.
6) Reboot your machine to check that it boots without problems.
7) If everything works smoothly without any error messages,
HS is properly installed.
8) If you want extra security it is a great idea to make
a special recovery diskette. Such a diskette may be used
when a boot virus causes the machine to crash before the
CONFIG.SYS or the AUTOEXEC.BAT is processed. For example
a boot virus infection of Form or No_INT will cause the
machine to crash or halt if you use the Boot Manager that
comes with OS/2 2.1. In such situations a bootable,
virus free, write-protected DOS diskette containing HS.COM
and its Savefile, is all you need to get the machine back to
its working state within seconds.
9) If there is a problem you can try to solve it by checking out
the explanation of the error messages, described later in this
document, or you can contact me by E-Mail. See end of document.
5. Features
*) /M [drive:][path][Savefile]
The /M option has to be used the first time you run HS,
and again each time you have repartitioned your harddisk,
or installed a new version of any operating system you are
running on your computer, for example when you upgrade to
a newer version of DOS. When you upgrade the BIOS, change
harddisk controller, or harddisk, it is a good idea to
disable and reinstall HS.
*) When a change in one of your boot sectors is found, HS will
assume it is a boot virus. It will notify the user, and ask
for a key press as a confirmation that the user wants to
remove the virus. It will cold boot the machine after having
removed the virus and dumped the infected boot sector to the
file C:\INF.HS.
*) At any time you can
TYPE C:\INF.HS
to get information about past infections.
If no infections have occurred since HS was installed on the
machine, no C:\INF.HS file will exist. If your machine has
been infected the file contains a header with time & date of
detection, and type of infector (MBR or DBR). Below the
header are all the infected boot sectors stored (Max. 13).
*) If you reach 13 infections you will be asked to insert a
write-enabled and pre-formatted diskette in drive a:. The
file C:\INF.HS will be copied to the diskette, and then
removed from your harddisk. A request for you to send the
diskette to me will appear on the screen. Then your machine
will cold boot after you have pressed a key. By sending me
the diskette with the INF.HS file, you may help me to
improve my program. However, most people will never reach
13 boot virus infections.
*) HS has only four components:
HS.SYS ; The main program, invoked from CONFIG.SYS
Savefile ; Datafile with a copy of the MBR & DBR
INF.HS ; Infection log
HS.COM ; Command line version of HS. Used to install.
*) A virus can trap interrupts and trick programs requesting
information about the contents of the sectors where the virus
resides. HS uses no interrupts. Only direct calls to the
ROM BIOS disk routines are used when reading the boot sectors
of your harddisk. Direct calls to "Read Only Memory" can't
possibly be trapped by a virus, so HS should never be tricked
by a stealth virus.
*) The Savefile is always checked for validity. If it is
destroyed or tampered with, the user will be notified,
and HS will not use it.
*) If you failed to disable HS in your CONFIG.SYS or AUTOEXEC.BAT
before you ran FDISK and made changes to the partition table,
HS will ask you if you just repartitioned your disk, and if you
reply positively it will give you a chance to boot from a
certified virus free system diskette and update the Savefile
of HS by doing a HS /M [drive:][path][Savefile].
*) A boot virus could remove itself from the harddisk during
the boot process and, by hooking one or more interrupts,
write itself back after both CONFIG.SYS and AUTOEXEC.BAT
have been handled by DOS. To avoid getting bypassed by such
viruses HS.SYS will perform interrupt vector checking that
should catch most viruses using this kind of stealth. HS.COM
does not perform such vector checking, and does not detect
such viruses. As of November 1993 only one virus is known to
use this stealth technique. It is recommended to use HS.SYS
instead of HS.COM, and to load it as the first device in the
CONFIG.SYS (place it near the top). The earlier HS.SYS is
loaded from the CONFIG.SYS, the better are the chances for
the vector checking to detect new boot viruses.
6. How good is HS?
HS v3.5 has successfully detected and removed all boot viruses
I have tested it against. Since I don't have all known boot
viruses (far from it!), I can't claim a 100% detection. To do
so it would be necessary to run HS against all known viruses,
on all possible machines, running all possible configurations.
Since new viruses are created every day, it is NOT possible to
prove a 100% detection of all viruses or, in this case, a 100%
detection of all boot viruses. But I don't know of any boot
virus that will not be successfully detected and removed by HS,
and it should be quite difficult to write a virus that bypasses it.
7. Error messages, and other messages from HS v3.5
---
Unknown partition table format, aborting!
---
None of the four entries in the partition table is set active, making
it a non-standard format which HS will not try to handle.
---
BIOS mismatch, HS v3.58 was installed with a different BIOS, reinstall HS!
---
If the ROM BIOS handler for INT 13h has changed since the "Savefile"
creation by the /M option, HS will display this message. Either you
are trying to use a savefile that was created on another machine, or
you have changed or upgraded the BIOS, harddisk controller or harddisk.
The QEMM ST ("STEALTH") option may also cause this error message.
---
Savefile tampered with, system unprotected!
---
If the Savefile has been damaged or changed, in any way, you will get the
message shown above. The message may also appear if you specify a file
not created by HS.
---
Error in volume label change detection routine, please contact the author.
---
This error message indicates that you are experiencing a situation I never
thought would happen in real life. I would then have to make some changes
to the code handling the automatic volume-label updating of the savefile
used by HS.
---
Attempt to find entry point with method 3 failed! Contact the author.
---
An error message that may occur on future hardware configurations. If
you get this error message I will have to make some changes to the code
handling a very rare situation. It concerns VESA Local-Bus harddisk
controllers with several different ROM BIOS disk routines. They are
chosen during boot, or by setting DIP-switches on the controller-card.
---
HS.COM v3.58
Checks integrity of MBR & DBR using previously saved information.
Syntax: HS [/M] [Savefile]
    Savefile   File containing copy of original MBR & DBR
    /M         Makes copy of MBR & DBR
---
This message appears on the screen if you type HS/? or similar.
---
Error tracing BIOS entry point, probably VIRUS in memory, HS will not run!
---
This message should only appear if you are infected by a virus, or if
you have some very special hardware or software installed. Control
Access Packages (e.g., DiskSecure and SafeMBR) may cause this problem.
Try booting from a virus free system diskette, then use a scanner and
check for viruses. If no viruses are found you could try to run
HS /M [drive:][path][Savefile] again.
Some rare configurations may also cause this to happen, for example
the ST option ("STEALTH") of Quarterdeck's QEMM386.SYS memory manager,
Version 6 and above. If you want to use QEMM's STEALTH on a computer
running HS, you should use the EXCLUDE STEALTH option as well (XST).
To determine which segment to exclude from being "Stealthed" you should
disable STEALTH, reboot, and run QEMM-XST.COM. It will display the
correct exclude option and segment.
---
Incompatible DOS, HS will not run!
---
Running HS under any OS returning anything other than v3.2-7.0 will
cause this message to be displayed. As an example, OS/2 will return
a version-number of 10 or greater in its DOS BOX, so HS will not run.
---
"Savefile" not found!
---
"Savefile" will be replaced by the name specified by you in the
CONFIG.SYS, AUTOEXEC.BAT, or on the command line. If you did not
specify a file name, HS.COM, when executed, will default to C:\BOOT.HS.
If the specified or default savefile cannot be found, the above error
message will be displayed. Either the filename or path is wrong, or the
file has been deleted or was never created.
---
Unable to read/write Savefile or C:\INF.HS, system unprotected!
---
Either HS is unable to create a valid Savefile or INF.HS file, or it is
unable to read one of these files. Lack of disk space may lead to such
an error. Check that the files are on your harddisk and that they are
available to HS. If you by mistake type C;\ instead of C:\ you will
also get this error message. The same will probably be the case with
other illegal characters in the filename.
---
Read/Write error on harddisk, system unprotected!
---
A call to the BIOS disk routines (INT 13h) failed. THIS SHOULD NEVER
HAPPEN. It may indicate a harddisk error. Retry the command. If it
still does not work you should get expert help.
---
HS v3.58
Only Partition table in MBR has changed!
Did you just repartition your harddisk ? (Y/N)
---
If the partition table (Offset 1BEh-1FEh in the MBR) was the only area
in the Master Boot Record to change, and INT 13h is not trapped, HS
will assume that the user has performed changes in the partition table.
HS assumes you failed to update the Savefile and will give you a chance
to do so. If you have no knowledge of any such changes you should either
reply NO or get help from a person with knowledge of system software and
computer boot viruses.
---
Insert a certified virus free system diskette, cold boot from it,
and rescan the harddisk for any viruses. If no viruses are found
you can run HS /M [Savefile] and boot from the harddisk again.
Press any key to cold boot...
---
This message appears if you reply Y for YES to the question;
"Did you just repartition your harddisk?"
---
╒════════════════ HS.SYS v3.58 ═══════════════╕
│                                             │
│                ?BR Infector                 │
│      Press a key to clean up virus, or      │
│    turn off your PC and get expert help!    │
│                                             │
╘═════════════════════════════════════════════╛
---
This is the message displayed if HS.SYS finds that a change has occurred
in the Master Boot Record or the DOS Boot Record of your harddisk. This
normally means that a boot virus has infected your machine and has been
detected by HS. It will be removed when the user confirms this action by
the single press of a key. HS.COM displays a very similar message.
You may also get this message if you have upgraded your version of DOS
without updating the savefile for HS. Usually any new version of DOS
will make enough changes in either the MBR or DBR to trigger HS. So you
should disable HS in the CONFIG.SYS or AUTOEXEC.BAT during such updates
of the operating system.
The question mark displayed in the message above is replaced by an M or a D.
MBR = Master Boot Record (The first physical sector on a PC-style harddisk)
DBR = DOS Boot Record (Active partition's first sector)
---
New copy of MBR and DBR made
---
After HS has successfully created its Savefile you should receive this
message.
---
Volume label has changed. "Savefile" updated.
---
If you change the volume label of your boot drive, newer versions of
DOS may update the volume label field in the DBR. HS will detect when
such an update has occurred. Instead of flagging the change as a virus,
it automatically updates the Savefile to match the new DBR. It will
display the above message to notify the user of the change. The volume
label field inside the DBR is a datafield, so this feature of HS cannot
be exploited in any useful way by future boot infectors.
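The two special cases the messages above describe (a change confined to the partition table, and a change confined to the DBR volume label field), together with the Savefile validity check from section 5, are easiest to see as code. The following Python is an added example written for this page, not HS's own code or file format. It assumes a savefile laid out as MBR + DBR + SHA-256 digest (HS's real Savefile format is not documented here), 512-byte sectors, the partition table at offset 1BEh as the page states, and the DOS 4.0+ extended BPB volume label field at DBR offset 2Bh (11 bytes); every sector and log entry in the block is constructed.

```python
"""Boot-record integrity check modelled on the decisions HS.TXT describes.

Added example, not HS's own code. Assumptions (not from the page): the
savefile layout MBR + DBR + SHA-256 digest, and the DBR volume label at
offset 2Bh (DOS 4.0+ extended BPB). Sample sectors are constructed below.
"""
import hashlib
from datetime import datetime, timezone

SECTOR = 512
PT_START, PT_END = 0x1BE, 0x1FE            # partition table, the page gives 1BEh-1FEh (end exclusive)
VOL_LABEL_OFF, VOL_LABEL_LEN = 0x2B, 11     # assumption: DOS 4+ extended BPB layout
MAX_LOG_ENTRIES = 13                        # INF.HS holds at most 13 infected sectors
DIGEST_LEN = 32


def make_savefile(mbr: bytes, dbr: bytes) -> bytes:
    """Savefile = MBR + DBR + digest, so later damage or tampering is detectable."""
    assert len(mbr) == SECTOR and len(dbr) == SECTOR
    body = mbr + dbr
    return body + hashlib.sha256(body).digest()


def load_savefile(blob: bytes):
    """Return (saved_mbr, saved_dbr); raise ValueError on a damaged or foreign file."""
    if len(blob) != 2 * SECTOR + DIGEST_LEN:
        raise ValueError("Savefile tampered with, system unprotected!")
    body, digest = blob[:2 * SECTOR], blob[2 * SECTOR:]
    if hashlib.sha256(body).digest() != digest:
        raise ValueError("Savefile tampered with, system unprotected!")
    return body[:SECTOR], body[SECTOR:]


def changed_offsets(saved: bytes, current: bytes):
    return [i for i in range(SECTOR) if saved[i] != current[i]]


def classify_mbr(saved: bytes, current: bytes) -> str:
    diff = changed_offsets(saved, current)
    if not diff:
        return "unchanged"
    if all(PT_START <= i < PT_END for i in diff):
        return "partition-table-only"       # FDISK, not a virus, is the likely cause
    return "infected"


def classify_dbr(saved: bytes, current: bytes) -> str:
    diff = changed_offsets(saved, current)
    if not diff:
        return "unchanged"
    if all(VOL_LABEL_OFF <= i < VOL_LABEL_OFF + VOL_LABEL_LEN for i in diff):
        return "volume-label-only"          # a data field: DOS rewrote the label
    return "infected"


def check(savefile: bytes, mbr_now: bytes, dbr_now: bytes, log: list, when=None) -> dict:
    """One boot-time check: verdict, sector to restore (if any), possibly
    updated savefile, and the infection log (INF.HS-style records)."""
    saved_mbr, saved_dbr = load_savefile(savefile)
    mbr_state = classify_mbr(saved_mbr, mbr_now)
    dbr_state = classify_dbr(saved_dbr, dbr_now)
    result = {"verdict": "clean", "restore": None, "savefile": savefile, "log": log}

    if mbr_state == "infected" or dbr_state == "infected":
        kind = "MBR" if mbr_state == "infected" else "DBR"
        # header with time/date and infector type, followed by the infected sector
        log.append({"when": when or datetime.now(timezone.utc).isoformat(),
                    "type": kind, "sector": mbr_now if kind == "MBR" else dbr_now})
        result.update(verdict=f"{kind} infector",
                      restore=saved_mbr if kind == "MBR" else saved_dbr,
                      log_full=len(log) >= MAX_LOG_ENTRIES)
    elif mbr_state == "partition-table-only":
        result["verdict"] = "Only Partition table in MBR has changed!"
    elif dbr_state == "volume-label-only":
        result.update(verdict="Volume label has changed. Savefile updated.",
                      savefile=make_savefile(saved_mbr, dbr_now))
    return result


# --- constructed sample sectors (placeholder bytes, not real boot code) ---
def build_mbr(code_tag: bytes, part_table: bytes = b"\x80" + b"\x00" * 63) -> bytes:
    assert len(part_table) == PT_END - PT_START
    return code_tag.ljust(PT_START, b"\x90") + part_table + b"\x55\xAA"


def build_dbr(label: bytes) -> bytes:
    head = b"\xEB\x3C\x90MSDOS5.0".ljust(VOL_LABEL_OFF, b"\x00")
    body = head + label.ljust(VOL_LABEL_LEN, b" ")
    return body.ljust(SECTOR - 2, b"\x00") + b"\x55\xAA"


if __name__ == "__main__":
    mbr, dbr = build_mbr(b"BOOTCODE"), build_dbr(b"DRIVE_C")
    sf = make_savefile(mbr, dbr)
    print(check(sf, mbr, dbr, [])["verdict"])                      # clean
    print(check(sf, build_mbr(b"EVILCODE"), dbr, [])["verdict"])   # MBR infector
    print(check(sf, mbr, build_dbr(b"NEW_LABEL"), [])["verdict"])  # Volume label has changed. Savefile updated.
```

The ordering of the branches matters: any change outside the two whitelisted fields wins, so a sector that is both relabelled and patched is still reported as an infector, and only a change confined to the partition table produces the repartition question instead of a restore.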
---
Please insert a pre-formatted, write enabled, diskette in Drive A:
And press any key...
---
When you have had 13 boot sector infections on your machine since HS
was installed, it will ask you to insert a diskette so it can copy the
C:\INF.HS file to the diskette (to A:\INF.13). The C:\INF.HS file will
be deleted. It has reached its maximum size, and HS will create a new
C:\INF.HS upon the next boot sector infection. If you wish to preserve
the infection log contained in the C:\INF.HS file, which was moved to
the file A:\INF.13, you could do a TYPE A:\INF.13>Filename.Ext, or a
TYPE A:\INF.13>PRN to get the report printed.
---
Help us in the fight against viruses.
Send the diskette to:
Henrik Stroem
Stroem System Soft
Husebyveien 58c, 7078 Saupstad
Trondheim, Norway
Or email the file, in UUEncoded format, to hstroem@ed.unit.no
Press any key...
---
To aid me in improving my program it may be of help to study more
viruses. It also helps to know which viruses are common, and where
they have been detected. So by sending me the viruses you get infected
by, you are helping me. Thanks!
---
HS.SYS has found an interrupt vector that points to the Top of Memory!
This indicates that a virus probably is present in memory.
The system will now be cold booted to remove the virus.
To ignore this warning, press SHIFT-C... (Any other key will cold boot)
---
After HS.SYS has checked the MBR and DBR for any changes, and none were
found, it will do a check to see if some of the more important interrupts
point to the Top of Memory. The SHIFT-C Ignore option will only be given
if there was no memory-size mismatch and the second user interrupt was
unused. If you get this message every time you boot, you should probably
cold boot from a virus-free, system diskette and use a scanner to check for
viruses. Also try to run HS from the floppy. If you still get this message
something is conflicting with HS, and you should contact me (by E-Mail),
or get other expert help to find out what is happening. If there really is
a virus in memory, a reboot should usually kill it.
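The top-of-memory check behind this message, and the interrupt vector checking described in section 5, can be modelled offline. The block below is an added Python example for this page, not HS's code: it builds a constructed image of the real-mode interrupt vector table and the BIOS data area, reads the conventional-memory size word at 0040:0013h, and flags any checked vector whose handler lies at or above the top of the memory DOS knows about but below the A000h video segment. Which interrupts HS actually checks, and what its "memory-size mismatch" compares, are not stated on the page; the set INT 08h/09h/13h/21h and the comparison against a value recorded at install time are assumptions, and the "second user interrupt" condition is not modelled.

```python
"""Top-of-memory interrupt vector heuristic, modelled on HS.TXT's description.

Added example, not HS's own code. Assumptions (not from the page): the set of
interrupts checked, and 'memory-size mismatch' meaning the BIOS data area
memory-size word differs from the value recorded when HS was installed.
The low-memory image below is constructed, not captured from a real machine.
"""

BDA_MEMSIZE = 0x0413                      # 0040:0013h: conventional memory size in KB
VIDEO_SEGMENT_LINEAR = 0xA0000            # first linear address past conventional memory
CHECKED_INTS = (0x08, 0x09, 0x13, 0x21)   # assumption: the "more important" interrupts


def read_word(mem: bytes, addr: int) -> int:
    return mem[addr] | (mem[addr + 1] << 8)


def write_word(mem: bytearray, addr: int, value: int) -> None:
    mem[addr] = value & 0xFF
    mem[addr + 1] = (value >> 8) & 0xFF


def vector(mem: bytes, intno: int):
    """(segment, offset) stored in the IVT entry for interrupt intno."""
    return read_word(mem, intno * 4 + 2), read_word(mem, intno * 4)


def top_of_memory(mem: bytes) -> int:
    """Linear address just past the conventional memory DOS believes it has."""
    return read_word(mem, BDA_MEMSIZE) * 1024


def check_vectors(mem: bytes, recorded_kb: int) -> dict:
    """Flag checked interrupts whose handler sits between the reported top of
    memory and the video segment: the region a resident boot virus typically
    reserves for itself by lowering the BIOS memory-size word."""
    tom = top_of_memory(mem)
    suspicious = []
    for intno in CHECKED_INTS:
        seg, off = vector(mem, intno)
        linear = seg * 16 + off
        if tom <= linear < VIDEO_SEGMENT_LINEAR:
            suspicious.append(intno)
    mismatch = read_word(mem, BDA_MEMSIZE) != recorded_kb
    return {
        "suspicious": suspicious,
        "memsize_mismatch": mismatch,
        "virus_probable": bool(suspicious),
        # the page: the SHIFT-C ignore option is only offered without a memory-size mismatch
        "ignore_allowed": bool(suspicious) and not mismatch,
    }


def build_memory(memsize_kb: int, vectors: dict) -> bytearray:
    """Constructed low-memory image: IVT (0000h-03FFh) plus the BDA size word."""
    mem = bytearray(0x500)
    write_word(mem, BDA_MEMSIZE, memsize_kb)
    for intno, (seg, off) in vectors.items():
        write_word(mem, intno * 4, off)
        write_word(mem, intno * 4 + 2, seg)
    return mem


# constructed "clean" vectors: BIOS handlers in the F000h ROM segment, INT 21h in low DOS memory
CLEAN_VECTORS = {0x08: (0xF000, 0xFEA5), 0x09: (0xF000, 0xE987),
                 0x13: (0xF000, 0xEC59), 0x21: (0x0116, 0x109E)}

if __name__ == "__main__":
    clean = build_memory(640, CLEAN_VECTORS)
    print(check_vectors(clean, recorded_kb=640))
    # constructed resident-infector image: 1 KB carved off the top, INT 13h pointing into it
    hooked = build_memory(639, {**CLEAN_VECTORS, 0x13: (0x9FC0, 0x0000)})
    print(check_vectors(hooked, recorded_kb=640))
```

With 639 KB reported, the top of memory is linear 9FC00h, exactly where the hooked INT 13h handler sits, so the check fires and, because the size word no longer matches the recorded 640, the ignore option would not be offered; a machine that legitimately reports 639 KB at install time gets the same warning but with the ignore option available.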
---
8. Disclaimer, Licensing, Prices, Address
Disclaimer
The author takes NO responsibility for unwanted effects from the
use of HS v3.5, or any of its components!
Licensing
This program is NOT freeware, but non-commercial users are free
to use it on their home machines.
Any company interested in using HS v3.5 on their computers can
buy a site-license! This site-license is reasonably priced and
is valid for all computers owned by that particular company,
department, institute or similar. Upgrades can be obtained on
the InterNet by Anonymous FTP, by E-Mail, or other similar
services. If you want me to send you a diskette with the latest
version by mail, it will cost an additional $20. HS does not
use signatures, and therefore does NOT require regular upgrades.
New versions will contain new features, and bug fixes if any
bugs are discovered.
A site-license will usually be valid for ONE year.
If you have any questions you may contact me either by mail
or by E-Mail.
Prices
Non-commercial user = Free
Single commercial user = $15
Company with up to 20 machines = $50
Company with up to 200 machines = $200
Company with more than 200 machines = Contact the author
Prices are in US dollars. Numbers above 10 are approximate.
You receive an invoice confirming your order. The invoice is
valid as a site-license when it has been paid.
Address
Henrik Stroem
Stroem System Soft
Husebyveien 58c, 7078 Saupstad
Trondheim, Norway
E-Mail: hstroem@ed.unit.no or hstroem@pvv.unit.no