TopWare Tools

home *** CD-ROM | disk | FTP | other *** search

/ TopWare Tools / TOOLS.iso / tools / top1576 / gepackt.exe / USERGUID.DOC < prev

Wrap

Text File | 1993-05-25 | 81.5 KB | 2,157 lines

Welcome to ANTIVIRAL TOOLKIT PRO ───────────────────── Welcome to Antiviral ToolKit Pro. This package can be used as conventional and/or professional (Pro) antiviral system. Table of Contents ──────────────────────────────────────────────────────────────────── 1. Installation and getting started with -V 1.1 Using -V to detect and cure viruses 1.2 It seems that I catch infection. What can I do? 2. Antiviral scanner/remover -V 2.1 Description and features 2.1.1. Main features 2.1.2. Main features of the Pro version 2.1.3. Main database features 2.2 -V command line options 2.3. Interface and Menu commands 2.3.1. Scan commands (Alt-S) 2.3.2. View commands (Alt+V) 2.3.3. Edit commands (ALt+E) (Pro version) 2.3.4. Tools commands (Alt+T) 2.4. Antiviral DataBase (Pro version) 2.4.1. FILE record (Pro version) 2.4.2. JMP record (Pro version) 2.4.3. MEMORY record (Pro version) 2.4.4. SECTOR record (Pro version) 2.4.5. The Link of the Special Procedures (Pro version) 2.5. Help System 2.6. Scan messages 3. Antiviral resident monitor -D 3.1. -D command line options 3.2. -D messages 3.2.1. Virus detection 3.2.2. Changing and renaming of COM- and EXE-files 3.2.3. Memory and buffers check 3.2.4. Writing to disk at absolute address and formating disk 3.2.5. 'Dangerous' DOS functions call 3.2.6. The register window 3.3. Memory map 4. Antiviral utilities -U.COM 4.1. Using antiviral utilities -U 4.2. Menu "Utilities" -U 4.2.1. The memory map -U 4.2.2. The interrupt vectors -U 4.2.3. Tracer -U 4.2.4. Interceptor -U 4.3. Menu "Object" -U 4.3.1. The hexadecimal memory/file/sector dump -U 4.3.2. The disassembler -U 4.4. Menu "Setup" -U 4.4.1. Get Info Status ──────────────────────────────────────────────────────────────────── 1. Installation and getting started with -V ──────────────────────────────────────────────────────────────────── The installation procedure is very simple. If you have the floppy disk with the package you should copy all the files from it to newly created subdirectory of your hard drive (for example "C:\-V") or use toolkit from the floppy. If you have packed file (which is downloaded from BBS for example) you should unpack it to the same subdirectory. After copying or unpacking the packet is ready to use. This product is professional antiviral toolkit. It contains four main executable files: - antiviral scanner/remover -V.EXE; - antiviral scanner/remover/database editor -VPRO.EXE; - antiviral monitor -D.COM; - antiviral utilities -U.COM. If you are ordinary USER it's better to run antiviral scanner -V.EXE only. By running -V.EXE you can test your disk(s) for the viruses presence. The -V.EXE is integrated environment scanner. The control for -V.EXE is based on standard pop-up menus and dialog boxes. By pressing F1 key or by using Help menu you will get all the information needed. If you are SYSTEM PROGRAMMER you can use the professional features of this package - the database editor, antiviral monitor and utilities which are used for detecting and analysis of new not known viruses. 1.1 Using -V to detect and cure viruses ──────────────────────────────────────────────────────────────────── While running -V.EXE loads the antiviral database(s) at the first time and then test the system memory for the memory resident virus presence. Then the Test Dialog Box appears on the screen. Press ENTER key to test all your hard disks for the viruses or point the path of the files to test. If you want to change the run-time options you should press Alt-S hot key for calling Setup Dialog Box. For next testing you should press F9 key or select Scan|Test menu. For cure the infected files you should press Ctrl-F9 or select Scan|Cure menu. To exit -V.EXE press the standard hot key Alt-X or select Scan|Exit menu. 1.2 It seems that I catch infection. What can I do? ──────────────────────────────────────────────────────────────────── The first step is running -V.EXE for testing all the programs files (executable/batch/SYS/overlay) and sectors of your disks including floppies. If the infected files/sectors are found, run the Cure process. If the viruses are not found it's better to scan the disks another time with enabled Display Warnings option in Setup Box. If -V.EXE displays a lot of the same warning messages you should call the system programmer or connect us or to upload one of these files to our BBS to analyze. For more information see topic "Computer viruses detection and removal methods" of the -V.EXE Help system. ──────────────────────────────────────────────────────────────────── 2. Antiviral scanner/remover -V ──────────────────────────────────────────────────────────────────── The -V.EXE antiviral tests and recovers files and disk Boot sectors infected by the viruses. You can read the list of the known viruses in APPENDIX A. 2.1 Description and features ──────────────────────────────────────────────────────────────────── The -V.EXE antiviral checks: - the system memory; - files are pointed by user; - the hard disk sectors containing Master Boot Record, - the disk sectors containing Boot-sector; - File Allocation Table; Apart from this, a test for detecting viruses unknown to the program is carrying out; this allows to identify in due time about 90% of boot viruses and 50% of file viruses, not included in the antiviral program data base. The -V.EXE antiviral checks whether its own file has been modified, and if it is the case, reports about it. 2.1.1. Main features ──────────────────────────────────────────────────────────────────── The main features are: - the removing the viruses from the files and sectors. It's better to restore the infected files from the backup copies but if it's impossible the -V.EXE antiviral restores the infected objects in their original form (if it's possible) or in a form closest to the original one. - the two modes of detection: the main mode and the slow mode. The main mode is a standard working mode and it's enough in most of cases. By using main mode the antiviral analyzes the file header and the addresses where the program flying is passing from the header. In some cases the viruses hit the files incorrect: they write themselves into the file and do not change the file header. In these cases the slow mode is using. The -V.EXE antiviral in the slow mode scans all the contents of the files. - the test and disinfection of the system memory. It's recommended to boot from the virus-clean system floppy before testing the files and sectors for viruses. It's needed for the guaranteed absence the viruses in the memory because the memory resident virus can prevent for the file recovering and ever to infect the files are scanning. There are the memory resident viruses which waits for the antiviral program execution and when this antiviral is started these viruses damaged to disk sectors (see the viruses "Caz"). - the files and system sectors can be tested for the changes in their bodies by using control sum (CRC) algorithm. If on next testing the antiviral -V.EXE finds the differences between the old and new control sums then -V.EXE displays the message about the detected changes in the file/sector. - the powerful Help-system that contains the full information about the viruses and the methods about the removing the viruses. It's possible to call demo-effects while reading the virus descriptions. - the support of the mouse, screen format 43/50 lines for EGA/VGA adapters. The antiviral allows to change and save current options. 2.1.2. Main features of the Pro version ──────────────────────────────────────────────────────────────────── The antiviral scanner/remover -V.EXE version Pro contains the antiviral database editor. By using this editor it's possible to append the antiviral records to the database. In these records the control for the virus searching and removing is describing. By using these records user can detect and remove the new unknown virus by one's own. The antiviral database contains the 4 types of the records: JMP - the calculation of the Entry Point into the file (file viruses only); FILE - the methods of the detection/removing the file viruses; SECTOR - the methods of the detection/removing the sector viruses; MEMORY - the methods of the detection/removing the TSR viruses; The database fields are appending in the half-automatically mode: it's enough to point where to search the virus, how to remove it, to point the infected file or the file containing the infected sector and the information about this virus will be inserted into the new database record. 2.1.3. Main database features ──────────────────────────────────────────────────────────────────── The main database features are: - using the virus control sums but not the virus mask. The checksums of the parts of the virus code are placing into the records but not the part of the code for comparing. This feature will decrease the size of the database and cause fast scanning; - the several standard methods of the virus detection and removing. More than 10 standard methods of the virus removing causes the easy appending of the information about the new viruses into the database; - dynamical linker of the special subroutines. This feature is using while detection and removing the viruses that use the encryption, nonstandard methods of file/sector/memory infection. In these cases it's enough to write own C or Assembler program that decrypts/remove the viruses, compile this program to OBJ-file and insert this OBJ-file into the database record. This special subroutine will be linked with main EXE-module and will be calling while processing the database record; - the calls to external functions. The special subroutines that are appended to database can access external names (constants, functions, arrays and structures). The external names are dividing to standard (i.e. defined into the main EXE-module) and special (i.e. defined by user in one of the database records). So the viruses from one virus family that use one decryption manner can be decrypted by one special subroutine that called from the several records with different arguments. In this case it's needed to write one decryption subroutine, compile it, append it into the one of the database records and then it's enough to call this name from the database record. 2.2 -V command line options ──────────────────────────────────────────────────────────────────── On calling from DOS -V.EXE supports the following format: -V [OPTIONS ...] [file or disk NAME] OPTIONS: /T To test files and sectors for presence of a virus (by default). In this mode, searching for viruses and virus-like blocks in files and disk boot sectors is carrying out. A virus in a file could be detected only when the file has been really infected by the virus. /- To recovering files and boot sectors infected by a virus. Infected files and sectors are searching and recovering in this mode. Files and sectors are recovering in their original form (if possible), or in a form closest to the original one. The boot-sectors or MBR the standard MS-DOS 5.0 are writing if it's impossible to restore the original ones. /W[A] [filename] To save in the protocol file (in -V.MSG by default) messages reported in the scan window. /WA - to add messages to the already existing file, otherwise the file will be deleted. Filename - the name of the protocol file messages will be written into. /D - Daily test (runs -V ones every day). For use in batch mode. /M - To skip memory test. /P - Not to test hard disk MBR. /B - Not to test disk Boot sector. /F - To test disks FATs. /O - Not to cure read-only files. /S - To turn off sound signal. /Y - To skip the dialogues. For using in batch mode. /Q - To exit to DOS after testing or cure, otherwise the main antiviral menu will be invoked. For using in batch mode. /? - To show the command-line help. NAME: Names of files and disks to be tested and recovered. It is possible to use in the filenames wildcard symbols '?' and '*'. When only the name of a disk has been specified, for example 'A:', then all the files with name extensions .COM, .EXE, .SYS, and .OV? of all the directories of the specified disk will be tested or cured. If "A:*.COM" is specified, all the .COM-files of all the directories of disk A: will be tested or cured; if A:\DOS\*.COM is specified - then all the files on disk A: of the directory \DOS will be cured or tested. If "*:*.*" is specified then all the files of all the disks (from the C: drive) and directories will be tested. For example, on typing the instruction -V /T /W C:*.* D:\MY_PROG\*.EXE D:*.COM /Y /Q all the files on disk C: will be tested, then all .EXE-files of disk D: of directory \MY_PROG, and thereafter all .COM files on disk D:. The work register will be written into the file -V.MSG. Once the test is performed return to DOS occurs. 2.3. Interface and Menu commands ──────────────────────────────────────────────────────────────────── This program have standard Turbo-Vision user interface. Press F10 to activate menu system. Use right-left up-down and enter keys to select item. These submenu available with menu: Scan (Alt+S) View (Alt+V) Edit (ALt+E) (Pro version) Tools (Alt+T) 2.3.1. Scan commands (Alt-S) ──────────────────────────────────────────────────────────────────── With the Scan menu, you can test or cure your files. Scan│Test (F9) ──────────────────────────────────────────────────────────────────── With the Test command, you can test pointed objects for the virus presence. Start dialog appears before test or cure scanning: ╔═[■]═════════════ Test ══════════════════╗ ║ ║ ║ Mask _c:____________________ ▐▌ ║ ║ ║ ║ ║ ║ OK ▄ Setup ▄ Cancel ▄ ║ ║ ▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀ ║ ╚═════════════════════════════════════════╝ In the Mask field you should type one or more path strings that are used while scanning. The Mask field can include wildcard ('?' and '*' characters), the subdirectories names, the logical drive names. The MBR and Boot sectors are tested if that object is set as 'checked' in Setup Dialog. The subdirectories are testing if these objects are set as 'checked' in Setup Dialog also. For example: C:\COMMAND.COM - scan file C:\COMMAND.COM C:\*.COM - scan all COM-files C:*.* - scan all files from drive C: C: D: E:*.COM - scan all files with default extensions from C: and D: then scan all COM-files from E: *: - scan all files with default extensions from logical disks (C:, D:, ...) After object pointing press OK. Some messages will appears in the information windows. Scan│Cure (Ctrl+F9) ──────────────────────────────────────────────────────────────────── With the Cure command, you can test pointed objects on virus presents and cure ones. Request Dialog appears, if virus detected while curing, and set Request for cure in Setup: ╔═[■]═════════════ Cure Request ═════════════════╗ ║ ║ ║ File: E:\VIRUS\v.com ║ ║ ║ ║ Virus: Yankee-2C ║ ║ ║ ║ Cure ▄ Delete ▄ Skip ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ║ ║ Cure All ▄ Delete All▄ Cancel ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ║ ╚════════════════════════════════════════════════╝ Commands are: Cure - cure this file Cure All - cure all files without request Delete - delete infected file Delete All - delete all infected files Skip - skip curing this file Cancel - cancel scanning Scan│RAMCure ──────────────────────────────────────────────────────────────────── With the RAMCure command you can cure the memory parts of the viruses. This operation can be performed automatically at the start of the program. Scan│Cure & make CRC ──────────────────────────────────────────────────────────────────── With the Cure & make CRC command you can remove the viruses and create the CRC table at the same time. The CRC check is in use if the Use CRC option of the Setup is set on. It allows to check modification of the file/sector and to accelerate scanning about 2 times when CRC table was made. Scan│Setup ──────────────────────────────────────────────────────────────────── Setup command brings Setup Dialog, and you can tune different options if needed. ╔═[■]══════════════════ Scan Setup ══════════════════════╗ ║ ║ ║ Mask _c:_______________________ ▐▌ ║ ║ ║ ║ Default extensions Options ║ ║ () Programs [X] Scan Subdirectories ║ ║ ( ) All files [ ] Warnings ║ ║ ( ) User defined: [X] Cure Readonly ║ ║ _exe,com_____ [X] Request for cure ║ ║ [ ] Use CRC ║ ║ Objects [ ] Slow search ║ ║ [X] MBR [X] Beep ║ ║ [X] Boot [X] Auto test dialog ║ ║ [ ] FAT ║ ║ [X] Files Memory options ║ ║ [X] Memory [X] Check Interrupts ║ ║ [ ] Check Buffers ║ ║ ║ ║ OK ▄ Save ▄ Cancel ▄ ║ ║ ▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀ ║ ╚════════════════════════════════════════════════════════╝ Mask In this field you should type one or more path strings that are used for scan procedure. The Mask field can include wildcard characters '?' and '*', the subdirectories names, the logical drive names. Default extension The files that have these extensions would be tested by default (when the file extensions not pointed directly in the Mask field). The default extensions are: *.bat, *.com, *.exe, *.ov?, *.sys. Object The list of the objects for scanning: MBR (Master Boot Record), Boot (boot sector), FAT (File Allocation Table), Memory (RAM) and Files. Options: - scan subdirectories - display scan warnings (default off) - cure files, that have Read Only attribute - display request before cure - use CRC table to detect object modification - slow search: scan all file's body instead entry point (default off) - beep: sound control - call Test directly after program loading Save Save the setup settings into the configuration file -V.INI. Scan│Save Report ──────────────────────────────────────────────────────────────────── Save Report command brings Report Dialog. You can save scan information in the text file or print it. ╔═[■]════════════════ Report ════════════════════╗ ║ ║ ║ To ( ) Printer [X] Statistics ║ ║ () File [X] Scan info ║ ║ E:\APP\-V.msg [ ] Check up info ║ ║ ║ ║ OK ▄ Cancel ▄ ║ ║ ▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀ ║ ╚════════════════════════════════════════════════╝ Switch 'To' is used for direct report to printer or file Switches: [X] Statistics - include statistic information in report [X] Scan info - include scan information in report [ ] Check up info - include information about uninfected objects in report Scan│Dos Shell ──────────────────────────────────────────────────────────────────── With the DOS Shell command, you can leave the program temporarily to perform a DOS command or run another program. To return to this program, type EXIT at the DOS prompt. Scan│Exit (Alt+X) ──────────────────────────────────────────────────────────────────── The Exit command terminates the program -V.EXE. The program terminates automatically after scanning if command line includes the /Q option. 2.3.2. View commands (Alt+V) ──────────────────────────────────────────────────────────────────── The View menu contains commands to close, move and perform other window-management commands. The most of the windows in this program support all the standard window elements including scroll bars, the close box and the zoom icons. View│Scan Window (F7) ──────────────────────────────────────────────────────────────────── Choose Scan Window to open the window which is used for the output of the main scan information and the messages. This window opens automatically when you start to check the files/sectors/memory. View│Check Up Window (Alt+F7) ──────────────────────────────────────────────────────────────────── Choose Check Up Window to open the window which is used for the output "OK" information. This window opens automatically when you start check the files/sectors/memory. View│Statistics ──────────────────────────────────────────────────────────────────── Choose Statistics to view scan statistic information. This info appears after scanning. View│Clear Messages ──────────────────────────────────────────────────────────────────── Choose Clear Messages to clear all the messages in both of the Scan and Check Up windows. View│25/50 Lines (Alt+F9) ──────────────────────────────────────────────────────────────────── Choose 25/50 Lines to change mode of the screen. View│Zoom (F5) ──────────────────────────────────────────────────────────────────── Choose Zoom to resize the active window to the maximum size. If the window is already zoomed, you can choose this command to restore it to its previous size. You can also double-click anywhere on the window's title bar (except where an icon appears) to zoom or unzoom the window. View│Next (F6) ──────────────────────────────────────────────────────────────────── Choose Next to cycle forwards through the windows on the desktop. View│Close (Alt+F3) ──────────────────────────────────────────────────────────────────── Choose Close to close the active window. You can also click the Close box in the upper right corner to close a window. View│Resize (Ctrl+F5) ──────────────────────────────────────────────────────────────────── Choose Resize to resize and move the active window. Use UP,DN,LT,RT to move, SHIFT-(UP,DN,LT,RT) to resize window. Press ENTER when done. 2.3.3. Edit commands (ALt+E) (Pro version) ──────────────────────────────────────────────────────────────────── Submenu Edit used for manipulating with virus bases. Edit│Open Base (F3) (Pro version) ──────────────────────────────────────────────────────────────────── The Open Base command displays the Open Base dialog box. With this dialog box you can select the base to edit with Base Editor. With Base Editor you can edit base. Keys: Up,Dn,PgUp,PgDn - moving through records Ins - new record Del - delete record Ctrl+Ins - get record into clipboard Ctrl+Del - cut record into clipboard Shift+Ins - paste record from clipboard Select record and press ENTER. Form Dialog appears. With Form Dialog you can modify different fields in record. Use TAB to move through fields. Edit│Close Base (Pro version) ──────────────────────────────────────────────────────────────────── The Close Base command used for save and close the base. Edit│Save Base (F2) (Pro version) ──────────────────────────────────────────────────────────────────── The Save Base command used for save the base. Edit│Save All (Ctrl+F2) (Pro version) ──────────────────────────────────────────────────────────────────── The Save All command used for save all opened bases. Edit│Cut (Shift+Del) (Pro version) ──────────────────────────────────────────────────────────────────── The Cut command used for cut record into clipboard. You can use Paste command to paste record from clipboard. Edit│Copy (Ctrl+Ins) (Pro version) ──────────────────────────────────────────────────────────────────── The Copy command used for copy record into clipboard. You can use Paste command to paste record from clipboard. Edit│Paste (Shift+Ins) (Pro version) ──────────────────────────────────────────────────────────────────── The Paste command used for paste record from clipboard. You can use Copy command to copy record into clipboard and Cut command to cut record into clipboard. Edit│Active Bases (F4) (Pro version) ──────────────────────────────────────────────────────────────────── The Active Bases command brings Set dialog box. With Set Dialog you can edit set of base active during scan. Keys: Up,Dn,PgUp,PgDn - moving through line Ins - new line Del - delete line 2.3.4. Tools commands (Alt+T) ──────────────────────────────────────────────────────────────────── The Tools menu contains commands to run utilities, to backup and restore system area. Tools│Backup system area ──────────────────────────────────────────────────────────────────── Choose Backup system area to make reserve copy of the system area of the computer ( CMOS info, MBR (HD 0), Boot sector (Active partition)). This copy makes file -V.SBK (Drive A:).(Rescue disk) To restore system area in case of infection by unknown virus choose Restore system area command. Tools│Restore system area ──────────────────────────────────────────────────────────────────── Choose Restore system area to restore the system area of the computer ( CMOS info, MBR (HD 0), Boot sector (Active partition)) from reserve copy in case of infection by unknown virus. Reserve copy must be previously made with Backup system area command. This copy makes file -V.SBK (Drive A:).(Rescue disk) Tools│Utilities ──────────────────────────────────────────────────────────────────── This command used for launching Antiviral utilities for analyze system area of the computer. 2.4. Antiviral DataBase (Pro version) ──────────────────────────────────────────────────────────────────── Antiviral DataBase (DB) is the file which contains the records of the several different types. The main types of records are: MEMORY, SECTOR, JMP, FILE. The object codes and the comment are the additional types of the records. The control sums are using for virus detection instead the conventional signatures. The using of DB is based on the several standard methods of the detection and the cure. There is the possibility of attaching the object code files into the records by using the function Link. It needs if the virus uses nonstandard methods of the infection or if it is self-encrypted. The MEMORY records contain the information for the search procedure and the deactivating for the memory resident viruses. The SECTOR records contain information for the searching and removing the viruses from the sectors. The FILE records contain information for the searching and removing the viruses from the files. Records of type JMP is used for the virus entry point calculation. For EXE files JMP record calculates the start address of module, for SYS files it calculates the STRATEGY & INTERRUPT subroutines addresses, for COM files it analyzes the code of the beginning of the file. Windows EXE-files are tested at two addresses - at the entry address of DOS-part of the module and at the address of the Windows main entry point. Two control sums are used in the SECTOR and FILE records: rough (on small length code) and final (on large length code). The MEMORY record contains one sum only. Antiviral -V.EXE puts the code of the file or the sector into internal logical pages (blocks of memory). Next pages used: HEADER, PAGE_A, PAGE_B, PAGE_C. Page HEADER contains the tested sector (400h bytes) or 400h bytes of the code of the beginning of the file. Pages PAGE_A and PAGE_B are filled while file is processing. Algorithm of filling of these pages described in JMP records. Page PAGE_C used by the special (decrypt or cure) subroutines. There is another one virtual page, named FILE. It isn't a block of memory. Elements of page FILE has signed offsets. Null address of page FILE equals to file entry point. For appending the information about new virus into DB it needs: to select the type of new record, to type name of virus, to fill other fields of form, to point search and remove methods and to use SUM command of the form for calculation of the control sums. If you describe virus that haven't the code which is useful for calculating the sums ("polymorphic") then it's needed to set the length of the first control sum to zero and link the object code of the decryptor by LINK command of the form. In this case you should calculate the second control sum in PAGE_C. Attention! All the digits in all the fields are hexadecimal. 2.4.1. FILE record (Pro version) ──────────────────────────────────────────────────────────────────── Fields ====== Type the type of the record (COM or/and EXE or/and SYS or/and WIN) Name the virus name Page_1 the page for the control sum 1 Offset_1 the offset for the control sum 1 Len_1 the length for the control sum 1 Sum_1 the control sum 1 Page_2 the page for the control sum 2 Offset_2 the offset for the control sum 2 Len_2 the length for the control sum 2 Sum_2 the control sum 2 Cure_Method the remove method Cure_Page the page for the cure method Cure_Data_1 the cure data Cure_Data_2 the cure data Cure_Data_3 the cure data Cure_Data_4 the cure data Cure_Cut the number of the bytes to cut file Tail the tail length Commands ======== Link calls dialog for attach the object code to the record Sum calls dialog for calculate the control sums The record processing algorithm =============================== The file is dispatched by the JMP records (the calculation of the EP, EP_Next values, filling the HEADER, PAGE_A, PAGE_B pages) before calling the virus check loop. The check loop processes all the file records. For each file record the first control sum is calculated (on page pointed by the field Page_1 from Offset_1 on Len_1 bytes). This sum is compared with the value from the field Sum_1. If these values are equal then the second control sum is calculated (on page pointed by field Page_2 from Offset_2 on Len_2 bytes). The decode procedure is calling before the second control sum calculation if that procedure presents in linked module. If the second control sum is equal to the Sum_2 field then -V.EXE removes the viruses according to the method pointed in the field Cure_Method. The fields Cure_Page, Cure_Data_1, Cure_Data_2, Cure_Data_3, Cure_Data_4, Cure_Cut are used for removing the virus. The field Tail (the length from entry point to end of file) used as the control value. The field Cure_Page used for pointing the page from which the data for cure is getting with the offsets Cure_Data_x. If Cure_Page=FILE then the data for cure is getting from the tested file with the offsets EP+Cure_Data_x. The Cure_Data_x fields are signed. The Cure Methods ================ MOVE and LEHIGH --------------- These methods repair the first bytes of the file. It used against the viruses that append themselves to end of the file and correct the file beginning. Repairing: Cure_Data_2 bytes are copying to beginning of the file with offset Cure_Data_3 from page, pointed by Cure_Page with offset Cure_Data_1. If the file is the COMMAND.COM file then it fill file with 0 from the Entry_Point minus Cure_Cut offset to the end of the file, else it sets the file length to the Entry_Point minus Cure_Cut offset. The Cure_Data_4 field is not using. JERUSALEM --------- It used against the viruses witch write themselves into the file beginning and shift the file body. Repairing: The file is moved to the beginning on Cure_Data_1 bytes. The file length is decreased by Cure_Data_1 + Cure_Cut bytes. The Cure_Page, Cure_Data_2, Cure_Data_3, Cure_Data_4 fields are not using. START ----- It used against viruses witch write themselves into the file beginning and move the original beginning to the end of the file. Repairing: The file length is decreased by Cure_Cut bytes, then the part of the code is moved from the end of file to the beginning. If the file length is less than Cure_Data_1*2, then it moves File_Length minus Cure_Data_1 bytes (File_Length after decreasing by Cure_Cut bytes), else is moves Cure_Data_1 bytes and the file length is decreased by Cure_Data_1 bytes. The Cure_Page, Cure_Data_2, Cure_Data_3, Cure_Data_4 fields are not using. EXE_CISS, EXE_CISS_10, EXE_CIS, EXE_CIS_10, EXE_CI, EXE_CI_10 ------------------------------------------------------------- EXE-file header repair methods EXE_CISS - repair the values of all the header register fields (CS,IP,SS,SP) EXE_CIS - repair the values of CS, IP and SS header register fields EXE_CI - repair the values of CS and IP header register fields EXE_CISS_10, EXE_CIS_10, EXE_CI_10 methods are equal to listed above with one exception: the CS and SS header register fields are decreased by 10h before restoring. The values of the header register fields for all the Pages except FILE: CS - word ptr Cure_Page[Cure_Data_1] IP - word ptr Cure_Page[Cure_Data_2] SS - word ptr Cure_Page[Cure_Data_3] SP - word ptr Cure_Page[Cure_Data_4] Cure_Data_x are unsigned. The values for the header register fields if Cure_Page=FILE: CS - word ptr File[EP+Cure_Data_1] IP - word ptr File[EP+Cure_Data_2] SS - word ptr File[EP+Cure_Data_3] SP - word ptr File[EP+Cure_Data_4] Cure_Data_x are signed. The file length is decreased by EP minus Cure_Cut bytes. The EXE-module size fields of EXE-header are corrected too. SYS_SI and SYS_I ---------------- SYS-file header repair methods SYS_SI - repair the value of the Strategy and Interrupt header fields SYS_I - repair the value of the Interrupt header field The values for the header fields: Strategy - word ptr Cure_Page[Cure_Data_1] Interrupt - word ptr Cure_Page[Cure_Data_2] DELETE ------ It deletes the infected file. SPECIAL ------- For the complex methods if the virus uses the encryption or the stealth algorithm the standard methods are not allowed. In this situation you should write the special procedure to cure the virus, then compile it and attach the object code to the record by Link command. Example ======= The COM-file is infecting by the virus "Tiny". On infection this virus appends to file 4 bytes of beginning of the file, then it appends 140 bytes of the virus body, then it modifies the first four bytes of the file (jmp to the virus body): 4D DEC PB E9 xx xx JMP NEAR Loc_Virus It needs to register new JMP record, because the code of the virus jump is not standard: JMP record: Name Tiny Len_1 02 Sum_1 xxxxxxxx <<< sum is calculated with Sum command by example Offset_2 00 Len_2 00 Sum_2 00 Jmp_Method OFFSET Jmp_Data 02 Then you should register new FILE record: Type COM Name Tiny Page_1 PAGE_A Offset_1 00 Len_1 08 Sum_1 xxxxxxxx <<< sum is calculated with Sum command by example Page_2 PAGE_A Offset_2 00 Len_2 40 Sum_2 xxxxxxxx <<< sum is calculated with Sum command by example Cure_Method MOVE Cure_Page FILE Cure_Data_1 -04 Cure_Data_2 04 Cure_Data_3 00 Cure_Data_4 00 Cure_Cut -04 Tail 8C 2.4.2. JMP record (Pro version) ──────────────────────────────────────────────────────────────────── Fields ====== Name the name of the record (information field) Len_1 the length for the control sum 1 Sum_1 the control sum 1 Offset_2 the offset for the control sum 2 Len_2 the length for the control sum 2 Sum_2 the control sum 2 Jmp_Method the method of jump Jmp_Data the data for jump method Commands ======== Link calls dialog for attach the object code to the record Sum calls dialog for calculate the control sums The record processing algorithm =============================== The file is dispatched by the JMP records (the calculation of the EP, EP_Next values, filling the HEADER, PAGE_A, PAGE_B pages) before calling the virus check loop. After the file opening the 400h bytes from the file beginning are red into the pages Header and Page_A. The contents of other pages are set to zero. After that -V.EXE run the JMP loop for detecting the file entry point (EP). The first control sum on Len_1 bytes of the page Header is calculated for each JMP record. This value is compared with the value of the field Sum_1. If these values are equal then the second control sum in the page Header from Offset_2 on Len_2 bytes is calculated. If the second control sum is equal to the value of the Sum_2 field then the value of EP is calculated according to the method which is pointed by the field Jmp_Method with data from the field Jmp_Data. The 400h bytes of the code from the file at the offset EP are red into the page Page_A. This procedure repeats one time for filling EP_Next and Page_B by using the page Page_A instead of the page Header. The EP Calculation Methods ========================== OFFSET ------ It used to dispatch the commands like: xxxx:0100 E9 xx xx JMP NEAR Loc_Virus .... .... xxxx:0100 E8 xx xx CALL NEAR Loc_Virus .... .... or the instruction combinations like: xxxx:0100 90 NOP xxxx:0101 E9 xx xx JMP NEAR Loc_Virus .... .... The EP value is calculated as address of command, where control is passed to by instruction JMP NEAR or CALL NEAR. EP = word ptr Header[Jmp_Data] + Jmp_Data + 2. ADDRESS ------- It used to dispatch the commands of the COM-files like: xxxx:0100 68 xx xx PUSH OFFSET Vir_Loc xxxx:0103 C3 RET .... .... xxxx:0100 B8 xx xx MOV AX, OFFSET Vir_Loc xxxx:0103 FF D0 CALL AX .... .... The EP value is calculated as the address of command, where control passed to by the RET/JMP/CALL instruction. EP = word ptr Header[Jmp_Data] - 0100h. DATA ---- It used to dispatch commands of the COM-files like: xxxx:0100 FF 26 04 01 JMP WORD PTR [0104] xxxx:0104 xx xx DW Vir_Offset .... .... EP = word ptr File [Jmp_Data] - 0x100. SPECIAL ------- For complex commands the standard methods are not allowed. In that situation you should write the special procedure to calculate EP, then compile it and attach the object code to the record by the Link command. The dispatch of the EXE-file header and the short jumps instruction use SPECIAL methods. Example ======= The code of the infected file beginning: 0000 90 NOP 0001 90 NOP 0002 E9 xx xx JMP Virus The fields filling: Name nop_nop_jmp Len_1 0003 Sum_1 xxxxxxxx <<< sum is calculated with Sum command by example Offset_2 0000 Len_2 0003 Sum_2 xxxxxxxx <<< sum is calculated with Sum command by example Jmp_Method OFFSET Jmp_Data 0003 2.4.3. MEMORY record (Pro version) ──────────────────────────────────────────────────────────────────── Fields ====== Name the virus name Method the search method Segment the value of the segment Segm (method ADDRESS) Offset_1 the offset value for search Control_Byte the control byte Len_1 the length for the control sum 1 Sum_1 the control sum 1 Offset_2 the offset of the replace code Len_2 the length of the replace data ( <5 ) Replace_Bytes the bytes for replacing Commands ======== Link calls dialog for attach the object code to the record Sum calls dialog for calculate the control sums The record processing algorithm =============================== -V.EXE scans the set of the addresses Segm:Offs according to the Method field. For each of the addresses it compares the byte of the system memory at the address Segm:Offs + Offset_1 with the value of the Contol_Byte field. If these value are equal then it calculates the control sum at the address Segm:Offs + Offset_1 on the Len_1 bytes. If the control sum is equal to the Sum field then -V.EXE displays the message and replaces the Len_2 bytes from Segm:Offs+Offset_2 by the sequence of the bytes from the Replace_Bytes field. The Search Methods ================== ADDRESS ------- The search at one fixed address. Segm and Offs are pointed by the field. The value of Offs is equal to the zero. CUT --- The search in the memory that is 'cut' from DOS. The Segm value is changed from the end of the Z block of DOS memory blocks till A000h by increasing by the one. The value of Offs is equal to the zero. MCB --- The search in the DOS memory blocks. The Segm value is changed in the segment addresses of all the MCB blocks. The value of Offs is equal to the zero. Attention! The Segm value is equals to the address of memory block body, not to the address of the memory CONTROL block (MCB). TRACE ----- The tracing the interrupts 21h and 13h. The values of Segm:Offs are changed in the list of the address where of all the over-segment jumps. SCAN ---- The scanning of the memory. The Segm value is changed from 0000h till segment address of -V.EXE by increasing by one. The value of Offs is equal to the zero. FULL_SCAN --------- The full scan of the memory. The Segm value is changed from 0000h till A000h by increasing by one. The value of Offs is equal to the zero. SPECIAL ------- The special search and removing procedure is called if this method is pointing. You should write the special procedure, compile it and attach the object code to the record by the Link command if you point this method. Example ======= The code in infected system memory: 1234:0123 80 FC 3D CMP AH,3Dh 1234:0126 74 xx JE Infect_File 1234:0128 E9 xx xx JMP Continue 1234:012B . . . . . . . . . The first deactivation method: TRACE ------------------------------------- The fields filling: Method TRACE Segment 0000 Offset_1 0000 Control_Byte 80 Len_1 8 Sum xxxxxxxx <<< sum is calculated by the Sum command Offset_2 3 Len_2 2 Replace_Bytes 90 90 The code in the memory after curing: 1234:0123 80 FC 3D CMP AH,3Dh 1234:0126 90 NOP 1234:0127 90 NOP 1234:0128 E9 xx xx JMP Continue 1234:012B . . . . . . . . . The second deactivation method: MCB ------------------------------------ The fields filling: Method MCB Segment 0000 Offset_1 0123 Control_Byte 80 Len_1 8 Sum xxxxxxxx <<< sum is calculated by the Sum command Offset_2 0126 Len_2 2 Replace_Bytes 90 90 2.4.4. SECTOR record (Pro version) ──────────────────────────────────────────────────────────────────── Fields ====== Type the type of the record (BOOT and/or MBR) Name the virus name Offset_1 the offset for the control sum 1 Len_1 the length for the control sum 1 Sum_1 the control sum 1 Page_2 the page for the control sum 2 Offset_2 the offset for the control sum 2 Len_2 the length for the control sum 2 Sum_2 the control sum 2 Cure_Method the remove method Cure_Page the page for the cure method Cure_Addr_A the cure data Cure_Addr_B the cure data Cure_Offset the cure data Commands ======== Link calls dialog for attach the object code to the record Sum calls dialog for calculate the control sums The record processing algorithm =============================== On the scanning the tested sector is red into the page Header (400h bytes). The contents of other pages is set to zero before running the detection loop. The first control sum is calculated in the page Header from Offset_1 on Len_1 bytes. If the first control sum is equal to the Sum_1 value then the second control sum is calculated in page which is pointed by Page_2 field from Offset_2 on Len_2 bytes. The decode procedure is called before calculating the second control sum, if this procedure presents in linked module. If the second control sum is equal to the Sum_2 field then -V.EXE removes the virus according to method which is pointed in the field Cure_Method. The Cure_Addr_A, Cure_Addr_B, Cure_Offset fields are used for removing the virus. The address of the sector (Boot or MBR) can be pointed by two methods: the physical address (head,track§or -- two arguments) or the logical address (the number of the sector of the logical disk -- one argument). These methods use different interrupts. Addressing Sector address Interrupt --------- ------------- --------- logical logical sector - CX int 25h/26h physical track and sector - CX int 13h head - DH The Cure Methods ================ ADDRESS ------- The absolute addressing is used. The original MBR or Boot sector is copying from the disk sector at the absolute address Cure_Addr_A/Cure_Addr_B (track§or/head or CX/DH in the int 13h format). The fields Cure_Page and Cure_Offset are not using. ABSOLUTE -------- The absolute addressing is used. The original MBR or Boot sector is copying from the disk sector at the absolute address CX/DH in the int 13h format, where CX and DH values are got from the page Cure_Page: CX = word ptr Cure_Page [Cure_Addr_A] + Cure_Offset DH = byte ptr Cure_Page [Cure_Addr_B] LOGICAL ------- It is the same as the ABSOLUTE method except the addressing method. The logical addressing is used: CX = word ptr Cure_Page [Cure_Addr_A] + Cure_Offset The Cure_Addr_B field is not used. DELETE ------ The standard MBR or Boot sector is placed into the disk sector. ATTENTION! This method can be dangerous if the disk has been formatted with not standard utilities. SPECIAL ------- For the complex methods when the virus uses the encryption or the stealth algorithm the standard methods are not allowed. In this situation you should write the special procedure to cure virus, then compile it and attach the object code into the record by the Link command. Example: ======== The Boot sector has been infected by the "Stone" virus. That virus saves the original Boot sector in the absolute sector at the address 3/1 (sector/head). Fields filling: Type BOOT Name Stone Offset_1 00 Len_1 08 Sum_1 xxxxxxxx <<< sum is calculated with Sum command by example Program_Flag NO Page_2 HEADER Offset_2 15 Len_2 80 Sum_2 xxxxxxxx <<< sum is calculated with Sum command by example Cure_Method ADDRESS Cure_Page FILE Cure_Addr_A 03 Cure_Addr_B 01 Cure_Offset 00 2.4.5. The Link of the Special Procedures (Pro version) ──────────────────────────────────────────────────────────────────── The special procedures that are attached to the records in the antiviral database. They are used for detection and removing the difficult viruses that use nonstandard infection methods or the self-encryption algorithms. The special procedures may be written on C, assembler and other languages that support C standard of the calling subroutines. Turbo or Borland C compilers are recommended. You can attach the special procedures to the records of the antiviral database after compiling it to the object module. The attached code would be reading from database and linked with the main program -V.EXE during loading the database. On scanning the main program would use these procedures as well as the own internal subroutines. We recommend the SMALL model for compiling the source modules if there is no static data into, and the HUGE model if the static data presents. The using of TINY model is disabled. For example, the compiling FILENAME.C to FILENAME.OBJ with Borland C carry out with the command: bcc -mh -c -K filename.c The standard names of the procedures ──────────────────────────────────── One or two procedures with standard names (like 'main' in C) must be present in the linked module. There are three standard names: decode() {procedure body} // the decryption procedure cure() {procedure body} // the removing procedure jmp() {procedure body} // the procedure for detecting the entry point The names 'decode' and 'cure' can be used together or separately in FILE and SECTOR records. In TSR records can be used 'cure' procedure only. In JMP records can be used 'jmp' procedure only. The using of the external names ─────────────────────────────── The special procedures can use the external procedures and data. Before access to this names it's needed to describe those names as external. The names which are defined in main program can be accessed from any special procedure. The access to the external names that are defined in other linked module is available if the record with the definition is placed BEFORE the record with the call to the external name. Correct example: Record Cascade-1701: define Decode_Cascade(...) {...} call Decode_Cascade(...) Record Cascade-1704: call Decode_Cascade(...) Incorrect example: Record Cascade-1701: call Decode_Cascade(...) Record Cascade-1704: define Decode_Cascade(...) {...} call Decode_Cascade(...) Names of external constant, data and functions (defined in DLINK.H) you can find in APPENDIX D. 2.5. Help System ──────────────────────────────────────────────────────────────────── Context sensitive Help is available any time except scanning by pressing F1. Effects demonstration ═════════════════════ Some of the viruses call the sound or video effects. These effects are extracted from the virus bodies and included into the effect demonstration database. It needs to press Alt-D in the Help windows for call the demonstration, if this demonstration presents. To exit from demonstration it needs to press ESC. List of help topics with demo effects attached placed in APPENDIX C. Some of viruses or the families of viruses call several effects. In this case it needs to press SPACE key to see or hear next demonstration. It needs to press the SPACE key for accelerate the moving some of the demonstration, for example, for demonstration of the letters falling by "Cascade" viruses. Attention! Some of the viruses cause not dangerous changes of the system parameters while executing effects, for example, the timer value, the value of some ports, etc. This can cause the incorrect executing of the next effects. The demonstration of some video effects can be executed correct under certain conditions, for example, on VGA or HERCULES monitor only. The executing of this demonstration on the wrong type of adapter can cause the hang-up of the computer. Recommended VGA adapter for executing the video demonstrations. 2.6. Scan messages ──────────────────────────────────────────────────────────────────── : virus NAME detected. Virus NAME is detected in this file/sector. For remove that virus you must run scan in CURE mode. Cure (Ctrl+F9). : virus NAME cured. Virus NAME is removed from this file/sector, TSR part is removed from the memory. It is not necessary to reboot the computer after the session with - V.EXE if presence of a virus in RAM was reported, but recommended for security. : virus NAME cure failed. This file/sector is infected with the virus incorrectly and curing can destroy this file/sector. This message appears if the file/sector is placed on write protect disk also. : virus NAME cure skipped. The curing of the file/sector is skipped by user. : virus NAME cure cancelled. The curing of the file/sector is cancelled by user. : file killed This file destroyed by the virus. : virus ? warning. The combination of the instructions that could possibly belong to a new unknown virus has been found. These messages can be pointed to not infected files/sectors/memory often. These messages are not confirm that this object is really infected by the virus. It's need be careful if: - the popular files are listed as 'warning': the DOS utilities, the files from the well-known environment like a Norton Commander, XTree etc. - the files which not been listed as 'warning' yesterday, but are listed today. - if a lot of the files listed with similar "tail" - the length from entry point to the file till the file end. The 'warning' messages are disabled by default. See Setup. : virus NAME warning. (TAIL) The combination of instructions that could possibly belong to the known virus 'NAME' has been found. These messages are pointing to files/sectors those are infected by new modification of the old virus often. : EXE file but COM extension. The format of the file and the file name extension are different. : pseudobad cluster NUMBER The normal cluster marked as corrupted has been found on disk. These messages are displaying when the drive infected by the Boot-virus or the drive has the bad sectors. : I/O error. The disk is write protected or the file is read-only and the switch 'Cure read only' is disabled in the Setup. : no free memory. The low of memory. The testing is impossible. It's needed about 512K of free memory for 'Antiviral Toolkit Pro' (you can use DOS utility MEM for checking the free memory size). : trace warning at xxxx:xxxx Interrupt 13h or/and 21h handler(s) contains "virus-like" instruction. This message is a first signal of virus infection often. In some cases this message displayed when the some uninfected programs are present in the memory, for example the popular utility RELEASE. If the 'trace warning' displayed it is need to find out the program that causes this message. It's needed to analyze the memory map at the address where the message pointed. Next method is to comment by the REM instruction different commands in the files AUTOEXEC.BAT and CONFIG.SYS, while the message appears. Attention! Some of the resident viruses stop the tracing. They reset or hang-up the computer while tracing. It is need be careful because if the computer hangs up while tracing it can indicate that the memory resident virus presents in the RAM. : Buffers warning: Config.sys:N1, really:N2 This is a message displayed during analysis of the number of system buffers. You should be careful if the number of system buffers and the number of buffers of CONFIG.SYS file are different because the virus can hit the DOS system areas. ──────────────────────────────────────────────────────────────────── 3. Antiviral resident monitor -D ──────────────────────────────────────────────────────────────────── The monitor -D.COM is a memory resident 'lie detector' allowing to detect all suspicious actions of the computer. Using -D.COM it is possible to stop spreading of a computer virus on the earliest stage. Apart from this the monitor may be helpful when you work with programs suspicious for presence of a virus or a "trojan horse" and develop memory resident programs. The detector lets to monitor the computer memory allocation (window "Memory map" in the main menu of the monitor), and, by this way allow to detect memory-resident viruses in due time. Using the menu of the monitor it is possible to choose which possible suspicious situations the monitor should respond to. The main -D functions are: - detection of the infected files and disk sectors; - control for the changing and renaming of executable programs (.COM- and .EXE-files); - control for the writing to disk at absolute address and disk formatting; - control for the appearance of resident programs; - control for some dangerous DOS functions. Apart from this -D.COM controls RAM allocation and status of some DOS system areas. On "suspicious" behavior of the computer, -D.COM displays a warning message (a window containing detailed information appears on the screen) and waits for the command allowing or prohibiting intended action. Complete list of the displayed messages is giving bellow. The main menu is calling by pressing both keys Alt and '-' at the same time, to quit it press ESC key. On calling the menu two windows appear on the screen: mode setting window and memory map window. ╔═════════════════╦══════════════════╤═════════════════╤═══════════╗ ║Access to files √║ Total: 640 K │ ROM BIOS: 640 K │DOS: 640 K ║ ║Memory check √╠════╤════╤═══════╤╧═══════════╤═════╧═══════════╣ ║Format sector √║MCB │PSP │ Size │ Owner │ Hooked vectors ║ ║Write to sector √╟────┼────┼───────┼────────────┼─────────────────╢ ║Dangerous calls √║0A49│0A49│ 2,368│COMMAND.COM │2E ║ ║Virus check √║0ADE│0000│ 64│ free │ ║ ║Registers √║0AE3│0A49│ 256│COMMAND.COM │ ║ ║Remove -D ║0AF4│0B00│ 176│RTSR.COM │ ║ ╚═════════════════╣0B00│0B00│ 1,536│RTSR.COM │ ║ ░░░░░░░░░░░░░░░░░░║0B61│0B6D│ 176│PRN2FILE.EXE│ ║ ░░░░░░░░░░░░░░░░░░║0B6D│0B6D│ 75,104│PRN2FILE.EXE│08 17 28 ED F0 F6║ ░░░░░░░░░░░░░░░░░░║ │ │ │ │FF ║ ░░░░░░░░░░░░░░░░░░║1DC4│1DD0│ 176│-D.COM │ ║ ░░░░░░░░░░░░░░░░░░║1DD0│1DD0│ 57,888│-D.COM │09 13 1B 20 21 22║ ░░░░░░░░░░░░░░░░░░║ │ │ │ │2A 2F 40 EE ║ ░░░░░░░░░░░░░░░░░░║2BF3│2BFE│ 160│NC.EXE │ ║ ░░░░░░░░░░░░░░░░░░║2BFE│2BFE│ 12,896│NC.EXE │ ║ ░░░░░░░░░░░░░░░░░░║2F25│2F31│ 176│NCMAIN.EXE │ ║ ░░░░░░░░░░░░░░░░░░║2F31│2F31│179,744│NCMAIN.EXE │24 30 ║ ░░░░░░░░░░░░░░░░░░║5B13│0000│282,304│ free │FE ║ ░░░░░░░░░░░░░░░░░░║A000│ - │ 98,304│EGA memory │ ║ ░░░░░░░░░░░░░░░░░░║B800│ - │ 32,768│CGA memory │ ║ ░░░░░░░░░░░░░░░░░░╚════╧════╧═══════╧════════════╧═════════════════╝ The mode setting window displays information about detection modes corresponding to suspicious operations, and is used for their resetting (ENTER or RETURN keys). To switch off or switch on the modes you could rerun -D.COM. The monitor finds in the computer memory its copy loaded earlier and passes to it the arguments specified in the command line: 3.1. -D command line options ──────────────────────────────────────────────────────────────────── The format of calling -D.COM from DOS prompt or BAT-file is: C:>-D [arguments list] Possible arguments: -A - disable control for the accessing to executable files -M - disable memory checking -F - disable control for formatting -W - disable control for absolute disk writing -R - disable registers window -D - disable control for the dangerous calls -V - disable virus detection If the arguments list is empty then all the modes are switched on. For example, on initializing the monitor by the string C:>-D -A -F -R all modes will be activated except the control for the executable files and control for the disk formatting. The register window is closed. C:>-D -V It the '-V' argument presents then the antiviral database is not loading into the memory and the monitor occupies low part of memory, but activate this feature later you can only by reload of the -D. 3.2. -D messages ──────────────────────────────────────────────────────────────────── "Suspicious" situations and the -D monitor messages list ════════════════════════════════════════════════════════ Monitor -D displays the warning message and waits for the command allowing or cancel the access to this file or sector when the virus detected into the file or disk sector. On "suspicious" behavior of the computer, -D.COM displays a warning message (a window containing detailed information appears on the screen) and waits for the command allowing or prohibiting intended action. Complete list of the messages is giving below. ┌────────────────────────────┐ │ PROGRAM_NAME │ │ warning message │ │ │ │ [ OK ] [ Cancel ] [ Free ] │ └────────────────────────────┘ After receiving one of the messages listed below it is necessary either to allow (OK) or disallow (Cancel) the operation that the message has been referred to. It's possible to disable the control for this function (Free). On receiving the permission, the computer will continue execution of the operation. On forbidding the operation -D.COM display error message (e.g., "file not found", "disk is write protected", etc.) and return to the program witch has called the "suspicious" operation. If the calling program does not check the execution of the operation, then the result of its further work is not predicted. Some operations are executed repeatedly (for example while performing disk formatting or optimization). In that case it is convenient to turn off, for the time being, the corresponding mode, the messages concerning the switched off operation would not be displayed (for example on disk formatting it is expedient to switch off the formatting test mode). To switching off the mode one should call the main menu, answer 'Free' for the monitor request or restart the monitor. 3.2.1. Virus detection ──────────────────────────────────────────────────────────────────── The monitor controls the accessing to executable files and disk sectors and checks these objects for the known viruses. If the virus found the virus then the monitor displays one of the messages: ┌──────────────────────────────┐ ┌──────────────────────────────┐ │ Disk X: │ │ File FILE_NAME │ │ infected by virus VIRUS_NAME │ │ infected by virus VIRUS_NAME │ └──────────────────────────────┘ └──────────────────────────────┘ Attention! The antiviral database records that contain the calls to special subroutines (the LINK field of the database editor contains the text "decode proc") are skipping by the monitor. All the viruses that use the decryption are not detected by the monitor. 3.2.2. Changing and renaming of COM- and EXE-files ──────────────────────────────────────────────────────────────────── These messages will appear during operations that result in changes of COM or EXE files (change of the name, opening for writing, creation of a file). Such actions are taken by practically all viruses (except boot-viruses) on an attempt to infect files. ┌───────────────────────────────┐ │ PROGRAM_NAME │ │ opening for writing FILE_NAME │ └───────────────────────────────┘ ┌────────────────────┐ │ PROGRAM_NAME │ │ creating FILE_NAME │ └────────────────────┘ ┌────────────────────┐ │ PROGRAM_NAME │ │ renaming FILE_NAME │ └────────────────────┘ 3.2.3. Memory and buffers check ──────────────────────────────────────────────────────────────────── Many viruses leave in the computer memory their resident part, some of them use for this purpose DOS interrupts. In this case the message that a program attempts to go memory-resident will be displayed. ┌─────────────────────────────┐ │ PROGRAM_NAME stays resident │ └─────────────────────────────┘ Some of viruses install their resident part into the system buffers by excluding some of the buffers from the buffer list. The monitor checks this and display the message: ┌────────────────────────────────────────┐ │ Number of DOS buffers decreased on xxx │ └────────────────────────────────────────┘ Majority of viruses installs their resident part in the memory area allocated for programs, decreasing by this the size of free memory. The monitor hooks such situations and displays the message: ┌────────────────────────────────┐ │ Free memory decreased on xxx K │ └────────────────────────────────┘ When the mode "Memory check" is switched on, the monitor restores the interrupt vector table after each program is terminated. This blocks majority of memory-resident viruses from spreading, and some viruses will be simply destructed. 3.2.4. Writing to disk at absolute address and formating disk ──────────────────────────────────────────────────────────────────── ┌─────────────────────────────┐ │ PROGRAM_NAME │ │ writing (int xx) on disk X: │ └─────────────────────────────┘ ┌─────────────────────────────┐ │ PROGRAM_NAME │ │ formatting (int xx) disk X: │ └─────────────────────────────┘ These messages inform that the routine "program_name" tries to write on disk one or several sectors using absolute sector addressing on disk, or to format one or several disk sectors. These functions practically are not using by ordinary programs (except of utilities of disk formatting, optimization, and restoring), but are used by some viruses. The use of the 13h, 40h, 26h interrupts is one of the most effective ways of corrupting information on a disk, particularly - Disk Partition Table and File Allocation Table. Attention! In the message about writing onto disk or formatting disk sectors with 13h and 40h interrupts being used, the number of physical disk ('A:' first, 'B:'- second and so on) that is indicated. If the hard disk is divided into several logical disks then in the message the number of PHYSICAL disk is indicated: 'C:', if the first hard disk is being addressed, 'D:' - in case the second hard disk is being addressed. To find out what logical disk is being written to, it is necessary to analyze Disk Partition Tables on all logical disks. 3.2.5. 'Dangerous' DOS functions call ──────────────────────────────────────────────────────────────────── ┌────────────────┐ │ PROGRAM_NAME │ │ dangerous call │ └────────────────┘ Messages of this kind warn that there is dangerous call to DOS that is not typical for application programs. Dangerous DOS functions are often used by viruses to spread in the system. 3.2.6. The register window ──────────────────────────────────────────────────────────────────── As 'registers' mode is switched on, monitor messages will be accompany by the list of all registers states. ┌────────────────────────────┬───────────────────────────────────┐ │ PROGRAM_NAME │ CS:IP=xxxx:xxxx AX=xxxx CX=xxxx │ │ dangerous call │ SS:SP=xxxx:xxxx BX=xxxx DX=xxxx │ │ │ DS:SI=xxxx:xxxx BP=xxxx │ │ [ OK ] [ Cancel ] [ Free ] │ ES:DI=xxxx:xxxx Flags=xxxx │ └────────────────────────────┴───────────────────────────────────┘ 3.3. Memory map ──────────────────────────────────────────────────────────────────── Memory map contains five columns: the first - segment address of MCB (Memory Control Block); the second - PSP (Program Segment Prefix) segment address, the third - block size in paragraphs (16 bytes) or kilobytes; the fourth - the name of a program occupying the memory block, or the character '?' if there is no name. fifth - interrupt vectors being used. Also are specified: free memory size ──────────────────────────────┐ RAM size, indicated by BIOS ────────────────────┐ │ RAM size ─────────────────────────────┐ │ │ │ │ │ Discrepancy between total memory size ("Total") │ │ │ and the size indicated by ROM BIOS or DOS │ │ │ signals there is a virus in the system often. │ │ │ One should bear in mind, that in some cases │ │ │ this discrepancy is quite legal. │ │ │ ┌────────────────────────┘ │ └──┐ │ ┌──────────┘ │ ╔═════════════════╦════│══════════╤═════│════════════╤═══│═════════╗ ║Access to files √║ Total: 640 K │ ROM BIOS: 640 K │DOS: 637 K ? ║ ║Memory check √╠════╤════╤═════╧═╤════════════╤═══╧═════════════╣ ║Format sector √║MCB │PSP │ Size │ Owner │ Hooked vectors ║ ║Write to sector √╟────┼────┼───────┼────────────┼─────────────────╢ ║Dangerous calls √║0A49│0A49│ 2,368│COMMAND.COM │2E ║ ║Virus check √║0ADE│0000│ 64│ free │ ║ ║Registers √║0AE3│0A49│ 256│COMMAND.COM │ ║ ║Remove -D ║0AF4│0B00│ 176│RTSR.COM │ ║ ╚═════════════════╣0B00│0B00│ 1,536│RTSR.COM │ ║ ░░░░░░░░░░░░░░░░░░║0B61│0B6D│ 176│PRN2FILE.EXE│ ║ ░░░░░░░░░░░░░░░░░░║0B6D│0B6D│ 75,104│PRN2FILE.EXE│08 17 28 ED F0 F6║ ░░░░░░░░░░░░░░░░░░║ │ │ │ │FF ║ ░░░░░░░░░░░░░░░░░░║1DC4│1DD0│ 176│-D.COM │ ║ ░░░░░░░░░░░░░░░░░░║1DD0│1DD0│ 57,888│-D.COM │09 13 1B 20 22 23║ ░░░░░░░░░░░░░░░░░░║ │ │ │ │2F 40 EE ║ ░░░░░░░░░░░░░░░░░░║2BF3│2BFE│ 160│NC.EXE │ ║ ░░░░░░░░░░░░░░░░░░║2BFE│2BFE│ 12,896│NC.EXE │ ║ ░░░░░░░░░░░░░░░░░░║2F25│2F31│ 176│NCMAIN.EXE │ ║ ░░░░░░░░░░░░░░░░░░║2F31│2F31│179,744│NCMAIN.EXE │24 30 31 ║ ░░░░░░░░░░░░░░░░░░║5B13│0000│279,296│ free │FE ║ ░░░░░░░░░░░░░░░░░░║9F44│ - │ 3,008│ ? │1C 21 ────┐ ║ ░░░░░░░░░░░░░░░░░░║A000│ - │ 98,304│EGA memory │ │ ║ ░░░░░░░░░░░░░░░░░░╚════╧════╧═══════╧════════════╧══════════│══════╝ │ File virus "Yankee" ───────┘ ──────────────────────────────────────────────────────────────────── 4. Antiviral utilities -U.COM ──────────────────────────────────────────────────────────────────── Antiviral utilities comprise - dump, disassembler and editor of the system memory, files and disk sectors; - the system memory map; - list of interrupt vectors states; - interrupt tracer and interceptor. The utilities are intended to analyze the computer state if it is infected by a virus that is unknown to the program -V.EXE. The viruses are very useful for checking "purity" of the RAM. -U.COM is invoked either from the command line in non-resident mode or by pressing hot key on the memory-resident mode. The resident part of -U.COM is calling by pressing Alt-'+' or Alt-Ctrl-'+' at the same time. For executing -U.COM in memory resident mode it's needed to set switch /P in the command line: -U /P 4.1. Using antiviral utilities -U ──────────────────────────────────────────────────────────────────── The utilities are calling through the menu 'Utilities' and by pressing the keys: Alt-D Hexadecimal dump of the current object Alt-A Disassembler of the current object Alt-M Memory map Alt-I Interrupts vector map Alt-R CPU window - all the CPU registers The -U interface allows to change the position and the size of all windows except the 'Register' window. The control keys are: F5: Zoom current window Ctrl-F5: Resize/move current window: LEFT, RIGHT, UP, DOWN - move, SHIFT-LEFT, SHIFT-RIGHT, SHIFT-UP, SHIFT-DOWN - resize Alt-F3: Close current window Alt-U: Exit to "Utilities" menu Alt-O: Switch to menu "Object" Alt-S: Switch to menu "Setup" Alt-X, F10: Exit 4.2. Menu "Utilities" -U ─────────────────────────────────────────────────────────────── ┌──────────────────┐ │ Memory map Alt-M │ Call to the memory map │ Interrupts Alt-I │ Call to the interrupt vector table map │ Dump Alt-D │ Call to the dump of the current object │ Disassem Alt-A │ Call to the disassembler of the current object │ Stay TSR │ Stay memory resident, hot key Alt-'+'. │ Remove TSR │ Remove the memory resident utilities from the memory │ Exit Alt-X │ Exit to DOS or to the interrupted program └──────────────────┘ 4.2.1. The memory map -U ─────────────────────────────────────────────────────────────── The memory map consists of six columns that give the following information: ADDRESS - segment address of memory control block (MCB) PSP - segment address of program segment prefix (PSP) Size - block size in paragraphs (16 bytes) or in kilobytes Name - Block owner name (name of a program or system area), if the name is not specified then the character '?' is given Type - memory block type (driver, program, program environment) Hooked vectors - list of interrupts hooked by the interrupt vector block. ╔══ Memory map ════════════════════════════════════════════════════╗ ║ MCB │ PSP│ Size │ Name │ Type │ Hooked Vectors ║ ║113A │2116│ 128│RE.COM │envir │ ║ ║1143 │2286│ 144│GRAB.COM │envir │ ║ ║114D │2467│ 128│-U.COM │envir │ ║ ║1156 │0000│ 1,920│ free │ │ ║ ║11CF │11D8│ 128│HELP.EXE │envir │ ║ ║11D8 │11D8│ 60,032│HELP.EXE │program │08 13 25 26 28 2F ║ ║2081 │0000│ 2,368│ free │ │ ║ ║2116 │2116│ 3,488│RE.COM │program │16 21 27 ║ ╚══════════════════════════════════════════════════════════════════╝ 4.2.2. The interrupt vectors -U ─────────────────────────────────────────────────────────────── This window displays information about interrupt vectors states: number of the interrupt, the vector value in the format "segment:offset", and the name of a program or a memory system area the interrupt vector points to. For interrupts used most often, their functions (purpose) are shown. To move within the window use keys UP, DOWN, HOME, END, PGUP, PGDN. ╔══ Interrupts ════════════════════════════════════════════════════════╗ ║ Int 0D 05D5:009F│TDHDEBUG │IRQ5 - Fixed disk or LPT1 ║ ║ Int 0E 05D5:00B7│TDHDEBUG │IRQ6 - Diskette ║ ║ Int 0F 0070:06F4│IO.SYS │IRQ7 - Printer ║ ║ Int 10 0969:01D1│SP.COM │Video services ║ ║ Int 11 F000:F84D│ROM BIOS │Equipment list ║ ╚═┌──────────────────┐═════════════════════════════════════════════════╝ │ Dump │ Dump from the interrupt address │ Disassembler │ Disassembler from the interrupt address │ Tracer │ Trace this interrupt │ Interceptor │ Intercept this interrupt │ New Value │ Change the value of the Interrupt Vector └──────────────────┘ 4.2.3. Tracer -U ─────────────────────────────────────────────────────────────── Attention! The use of this function might result in unpredictable behavior of the computer! Be careful! The tracer goes along the path (handler) of the specified interrupt and provides the tracing assembler listing. The listing comprises names of programs hooked the specified interrupt, addresses, hexadecimal dump and mnemonics of assembler instructions executed during the tracing process. The tracer is useful for detection of an unknown virus and is able to help to analyze it. Selection of the interrupt to be traced and initial states of the registers is made in the registers menu: ╔══ CPU ════╗ ║ AX 0000 ║ ║ BX A02D ║ ║ CX 0001 ║ ║ DX 04D0 ║ ║ BP B638 ║ ║ SP B62E ║ ║ SI 0091 ║ ║ DI 7100 ║ ║ DS 2467 ║ ║ ES 2467 ║ ║ SS 2467 ║ ║ CS 2467 ║ ║ IP 7D00 ║ ║ FL 7246 ║ ╚═══════════╝ This window is showed also after executing of selected Interrupt. 4.2.4. Interceptor -U ─────────────────────────────────────────────────────────────── Attention! The use of this function might result in unpredictable behavior of the computer! Be careful! The interceptor installs into the chain of the selected interrupt and reports every call of this interrupt. Upon interception a window with the number of hooked interrupt and current states of all registers are displayed and the string which pointed by the selected registers (DS:DX by default). █▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀█ █ INT 21 [-U.COM ] █ █─────────────────────────────█ █ Dos service █ █═════════════════════════════█ █ AX 3D02 DI E88A DS 0B6D █ █ BX 033A SI 0037 ES 0B6D █ █ CX 0000 BP 0B6D █ █ DX 8F45 SP 098C SS 934E █ █─────────────────────────────█ █ Flags 0F02 CS:IP 0B6D:50A3 █ █═════════════════════════════█ █ DS:DX [C:\-U.INI ] █ █ Back BA9876543210 [Trace ] █ █ [ OK ] [Cancel] [ Free ] █ █▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄█ The interceptor stores the last 12 interrupt calls and information about them can be displayed by using the "Back" button. The control buttons are: OK - continue interrupt Cancel - set Carry flag and break the interrupt call Free - release the interrupt calls Trace - calls the INT 3 (Debug Breakpoint). This feature used by memory resident debuggers which hook INT 3. In other case this button is the same as the "OK" button. The number of the intercepted interrupt pointing in the "Interrupts" window by pressing the ENTER key on the selected interrupt and the "Interceptor" line of the pop-up menu is displayed. The intercepted interrupt marked by the sign. The resetting the interceptor executed by the same way or by the "Free" button of the "Interceptor" window. 4.3. Menu "Object" -U ─────────────────────────────────────────────────────────────── ┌─────────────────┐ │ Memory │ The system memory │ Logical Sector │ The logical drive sector │ Absolute Sector │ The physical disk │ File │ The file └─────────────────┘ This menu selects the object to analyze. 4.3.1. The hexadecimal memory/file/sector dump -U ─────────────────────────────────────────────────────────────── The memory dump window displays information in hexadecimal form about the file/sector/RAM contents. To select the required section use the keys UP, DOWN, PGUP, PGDN, HOME, END, or indicate the starting address of the section by the keys LEFT, RIGHT, '0'-'9', 'A'-'F'. Key F4 - edit the information displayed. 4.3.2. The disassembler -U ─────────────────────────────────────────────────────────────── Disassembler allows to scan the text of programs loaded into the memory, and is convenient for debugging and analysis of memory resident programs (for example, memory-resident viruses). Selection of a memory area to be disassembled is performed either by pressing the keys LEFT, RIGHT, PGUP, PGDN within the segment, or by indicating the section address using the keys LEFT, RIGHT, '0'-'9', 'A'-'F'. Key F4 - edit the information displayed. 4.4. Menu "Setup" -U ─────────────────────────────────────────────────────────────── ┌─────────────────┐ 25/(43|50) lines screen │ EGA/VGA Alt-F9 │ Address correction │ Addr link │ Save Settings │ Save desktop │ Show status -U │ Get Info Status │ Information about -U │ About │ └─────────────────┘ EGA/VGA: Switch to video mode 25 lines <-> 43/50 lines. Addr Link: Set/reset the correction of the addresses of the different windows. Save desktop: Write the current settings into the file -U.INI. 4.4.1. Get Info Status ─────────────────────────────────────────────────────────────── The Status of the -U program can be one of three: "-U is not TSR" - it means that -U.COM works in the non-resident mode and all the functions of the -U are available, i.e. reading/writing to/from files and sectors, saving the DeskTop e.t.c. "-U is TSR on Int09h" - the call TSR part of -U directly by the hardware keyboard interrupt. It is possible at any time by pressing Alt-"+" combination. It causes immediately calls to -U, but on this mode all the reading/saving files/sectors functions are disabled. "-U is TSR on Int28h" - the call TSR part of -U by using interrupt 28h (Dos Safe Interrupt). It means that the resident portion of -U called on not-dangerous moment and all the functions of reading/saving are available.