INTRO.DOC (from tbavu503.zip) | Text File | 1992-12-29 | 46KB | 1,440 lines
Thunderbyte Anti Virus. (C) Copyright 1989-1992 Thunderbyte B.V.
Table of Contents
1. COPYRIGHT, LICENCES AND DISCLAIMER
1.1. Copyright
1.2. Distribution and usage
1.3. Disclaimer
1.4. Trademarks
1.5. Registration
1.6. The registration key
2. INTRODUCTION TO THUNDERBYTE ANTI VIRUS
2.1. An overview
2.1.1. Signature scanning
2.1.2. Algorithmic virus recognition
2.1.3. Integrity checking
2.1.4. Heuristic analysis
2.1.5. High speed
2.1.6. A reconstructive cleaner
2.1.7. A heuristic cleaner
2.1.8. Resident signature scanner
2.1.9. Resident integrity checker
2.1.10. Bootsector immunizer
2.1.11. MBR/CMOS maintenance
2.1.12. Memory guard
2.1.13. Disk guard
2.1.14. File guard
2.1.15. Network support
2.2. TbSetup
2.3. TbScan
2.4. TbDriver
2.5. TbScanX
2.6. TbCheck
2.7. TbMem
2.8. TbDisk
2.9. TbFile
2.10. TbClean
2.11. TbUtil
2.12. Compatibility
2.13. MS Windows
3. EXAMPLE SETUPS
3.1. Initial installation
3.2. Creation of a recovery diskette
3.3. Prevention of illegal software
3.4. Prevention of viruses
3.5. Detection of viruses
3.6. A full protected system
3.7. Protection against employees
3.8. System maintenance
3.9. Recovering from viruses
4. MISCELLANEOUS INFORMATION
4.1. Who are we?
4.2. Updates
4.3. Distribution of the signature file
4.4. Language support
4.5. Thanks
5. A VIRUS, NOW WHAT?
5.1. Prevention
5.2. Confirmation
5.3. Identification
5.4. Don't Panic
5.5. Global recovering
6. NAMES AND ADDRESSES
6.1. Contacting the author
6.2. ESaSS B.V.
6.3. TBAV registration/support sites
6.4. Recommended magazines and organizations
1. COPYRIGHT, LICENCES AND DISCLAIMER
1.1. Copyright
All Thunderbyte Anti-Virus utilities are copyright 1989-1992
Thunderbyte B.V. All rights reserved. The diskettes provided
with the Thunderbyte Anti-Virus utilities are not copy protected.
This does not imply that they can be freely copied in unlimited
quantities. The Thunderbyte Anti-Virus utilities are protected by
copyright law, which applies to computer software as well.
1.2. Distribution and usage
The Thunderbyte Anti-Virus utilities and the accompanying
documentation are SHAREWARE. You are hereby granted a licence by
Thunderbyte B.V. to distribute the evaluation copy of the software
and its documentation, subject to the following conditions:
1. The evaluation package of the Thunderbyte Anti-Virus utilities
may be distributed freely without charge in evaluation form only.
2. The evaluation package of the Thunderbyte Anti-Virus utilities
may not be sold or licensed. Neither may a fee be charged for
its use. If a fee is charged in connection with the Thunderbyte
Anti-Virus utilities at all, it should only cover the cost of
copying or distribution. UNDER NO CIRCUMSTANCES should payment
of such fees be understood to constitute legal ownership.
3. The evaluation package of the Thunderbyte Anti-Virus utilities
must be presented in its complete form. It is not allowed to
distribute the program and its documentation files separately.
4. Neither the software nor its documentation may be amended or
altered in any way.
5. By granting you the right to distribute the evaluation copy of
the Thunderbyte Anti-Virus utilities, you do not become the
owner of these utilities in any form.
6. Thunderbyte B.V. accepts no responsibility in case the program
malfunctions or does not function at all.
7. Thunderbyte B.V. can never be held responsible for damage,
directly or indirectly resulting from the use of the Thunderbyte
Anti-Virus utilities.
8. Using the Thunderbyte Anti-Virus utilities means that you agree
to these conditions.
Any other use, distribution or representation of the Thunderbyte
Anti-Virus utilities is expressly forbidden without the written
permission of Thunderbyte B.V.
1.3. Disclaimer
Neither Thunderbyte B.V. nor anyone else who has been involved in
the creation, production or delivery of the Thunderbyte Anti-Virus
utilities or the documentation grants any warranties in respect to
the contents of the software or the documentation and each
specifically disclaims any implied warranties of merchantability or
fitness for any purpose. Thunderbyte B.V. reserves the right to
revise the software and the documentation and to make changes from
time to time in the contents without obligation to notify any
person.
1.4. Trademarks.
The Thunderbyte Anti-Virus utilities are registered trademarks of
Thunderbyte B.V. All other product names mentioned are
acknowledged to be the marks of their producing companies.
1.5. Registration.
THIS IS NOT FREE SOFTWARE! If you paid a 'public domain' vendor for
this program, you paid for the service of copying the program, and
not for the program itself. Proceeds from such transactions would
never reach the makers of this product. You may evaluate this
product, but if you decide to make use of it, you should register
your copy.
To register: fill out one of the REGISTER.* files and return it to a
Thunderbyte registration site. You will find a list of registration
sites in the file AGENTS.DOC.
We offer several inducements to you for registering. First of all,
you are entitled to support for the Thunderbyte Anti-Virus
utilities, which can be quite valuable at times.
Some very enhanced features (like the TbScan option 'extract') are
only available to registered users. Once you have become a
registered user, these advanced options will be made available
to you.
Once you have become a registered user of the Thunderbyte Anti-
Virus utilities all future upgrades will be free.
Your registrations allow us to enhance our products and to keep them
up to date!
1.6. The registration key
Registered users receive the information and instructions to
generate their TBAV.KEY. The key file will contain important
information such as the licence number and the name of the
licensee.
The key file TBAV.KEY is NOT to be sold or transferred in any way.
The Thunderbyte Anti-Virus utilities do search for the key file in
the current directory. If they do not find it there, they search
the same directory where the program file itself resides.
If the key file is corrupt or invalid, the Thunderbyte Anti-Virus
utilities continue without error message although your version of
the Thunderbyte Anti-Virus utilities will then be treated as a
SHAREWARE version. If your key is only valid for some of the
Thunderbyte Anti-Virus utilities, the other utilities will ignore
it when run.
Users who have already registered and possess a valid TbScan.Key
should rename the key to TBAV.KEY.
Although you are allowed to evaluate the Thunderbyte Anti-Virus
utilities for a reasonable period of time, it is ILLEGAL to use
them in combination with a key, produced without authorization of
Thunderbyte B.V. or ESaSS B.V., or generated by any software not
distributed by Thunderbyte B.V. or ESaSS B.V.
2. INTRODUCTION TO THUNDERBYTE ANTI VIRUS
2.1. An overview
What is Thunderbyte Anti-Virus? Thunderbyte Anti-Virus (TBAV) is a
toolkit designed to protect against, and recover from computer
viruses.
There are already many anti-virus packages, so you may wonder what
is so special about these utilities. Here is a quick overview. Note
that this overview is not complete; it just highlights a few of the
many remarkable features.
2.1.1. Signature scanning
The signatures used by this package are not just created by us
as the vendor. Many independent researchers contribute to the
signature list we use. The signature file is in ASCII and can
be updated by yourself in case of emergency.
2.1.2. Algorithmic virus recognition.
Algorithmic virus recognition through the use of AVR modules.
TbScan can detect polymorphic viruses very easily by use of the
easy to update external AVR modules.
2.1.3. Integrity checking.
TbScan performs an integrity check automatically, and it does
not have the false alarm rate other integrity checkers have.
The goal is to detect viruses and not to detect configuration
changes!
2.1.4. Heuristic analysis.
TbScan is the world's first scanner that incorporates heuristic
analysis in a normal scan session. Heuristic analysis is a
technique that makes it possible to detect about 90% of all
viruses by searching for suspicious instruction sequences
rather than using any signature. This is possible because
TbScan contains a real disassembler and code analyzer.
2.1.5. High speed.
In a normal scan session, TbScan is faster than any other
scanner, even with signature scanning, integrity checking and
heuristic analysis fully enabled!
2.1.6. A reconstructive cleaner.
A reconstructive cleaner that removes viruses by using the
integrity check information for a guaranteed 100% restoration.
2.1.7. A heuristic cleaner.
The world's first heuristic cleaner! Heuristic cleaning is a
technique that makes it possible to remove even unknown
viruses, without any information about the virus and without
any information about the original file! Literally, the cleaner
removes the unknown from the unknown! The success rate of this
unknown virus remover is 80%, which even beats conventional
cleaners that require predefined virus information.
2.1.8. Resident signature scanner.
A resident signature scanner that can swap itself into
expanded, XMS, or high memory, using only 1Kb of conventional
memory!
2.1.9. Resident integrity checker.
A resident integrity checker for higher protection. It is fast
and consumes only 600 bytes of memory.
2.1.10. Bootsector immunizer.
The TbUtil program can install a new master boot record which
has some unique virus detection capabilities, without becoming
resident in memory!
2.1.11. MBR/CMOS maintenance.
Master boot record, bootsector, and CMOS; save, restore and
checking facilities.
2.1.12. Memory guard.
A memory guard program that detects viruses and prevents them
from going resident in memory.
2.1.13. Disk guard.
A disk guard program that detects viruses and prevents them
from overwriting and formatting the disk.
2.1.14. File guard.
A file guard program that detects viruses and prevents them
from infecting programs.
2.1.15. Network support.
Most other resident anti-virus products offer you the choice to
invoke them before the network is loaded and losing the
protection after the logon procedure, or to invoke the anti-
virus software AFTER the logon to the network, resulting in a
partially unprotected system. The Thunderbyte Anti-Virus
utilities recognize the network software and take appropriate
actions to ensure their functionality.
2.2. TbSetup
TbSetup is a program that collects information from all software
found on your system. The information will be put in files named
Anti-Vir.Dat. The information maintained in these files can be used
for integrity checking, program validation, and to clean infected
files.
2.3. TbScan
TbScan is one of the fastest (and at this moment the fastest)
virus scanner available. Besides its blazing speed it has many
configuration options, it can detect mutants of viruses, it can
bypass stealth type viruses, etc.
The most remarkable feature is the ability of TbScan to disassemble
files. This makes it possible to detect suspicious instruction
sequences and to detect yet unknown viruses. TbScan can detect 95%
of the viruses without any information like signatures or checksum
files! This generic detection is named heuristic analysis.
Another feature of TbScan is the integrity checking it performs
when it finds the Anti-Vir.Dat files generated by TbSetup.
2.4. TbDriver
TbDriver is a memory resident utility. This driver is needed by the
resident TBAV utilities. It takes care of the pop-up window, the
language support, the network support, the MS-Windows support, etc.
2.5. TbScanX
TbScanX is the memory resident version of TbScan. This signature
scanner remains resident in memory and automatically scans those
files which are being executed, copied, de-archived, downloaded,
etc.
TbScanX performs even faster than TbScan, and does not require much
memory. It is even possible to reduce the memory requirements of
TbScanX to zero (!) as TbScanX can make use of unused parts of your
video memory.
2.6. TbCheck
TbCheck is a memory resident integrity checker. This program
remains resident in memory and checks automatically every file just
before it is being executed. TbCheck uses a very fast integrity
checking method and it consumes only 400 bytes of memory. It can be
configured to reject files with incorrect checksums, and/or to
reject files that do not have a corresponding Anti-Vir.Dat record.
2.7. TbMem
TbMem detects attempts from programs to remain resident in memory,
and makes sure that no program can remain resident in memory
without permission. Since most viruses remain resident in memory,
this is a powerful weapon against all those viruses, known or
unknown. Permission information is maintained in the Anti-Vir.Dat
files.
2.8. TbDisk
TbDisk detects attempts from programs to write directly to disk
(without using DOS), attempts to format, etc., and makes sure that
no malicious program will succeed in destroying your data.
Permission information about the rare programs that write directly
and/or format the disk is maintained in the Anti-Vir.Dat files.
2.9. TbFile
TbFile detects attempts from programs to infect other programs. It
also guards read-only attributes, detects illegal timestamps, etc.
It will make sure that no virus succeeds in infecting programs.
2.10. TbClean
TbClean is a generic file cleaning utility. It uses the
Anti-Vir.Dat files generated by TbSetup to enhance file cleaning
and/or to verify the results. TbClean can however also work without
these files. It disassembles and emulates the infected file and
uses this analysis to reconstruct the original file.
2.11. TbUtil
Some viruses copy themselves onto the partition table of the hard
disk. Unlike bootsector viruses, they are hard to remove. The only
solution would seem to be to low-level format the hard disk and to
create a new partition table.
TbUtil offers a more convenient alternative to such radical
measures. It makes a back-up of your uninfected partition table
and boot sector. If these get infected in your system, the TbUtil
back-up can be used as a verifying tool and as a means to restore
the original (uninfected) partition table and bootsector without
the need for a disk format. The program can also restore the CMOS
configuration for you.
If a back-up of your partition table is not available, TbUtil will
try to create a new partition table anyway, again avoiding the need
for a low-level format.
Another important feature of TbUtil is that it can be used to
replace the partition table code by new code that offers greater
resistance to viruses. The TbUtil partition code will be executed
before the boot sector gains control, enabling it to check this
sector in a clean environment. The TbUtil partition code performs
a CRC calculation on the boot sector just before control is passed
to it. If the boot sector has been modified the TbUtil partition
code will warn you about this. The TbUtil partition code also
checks the RAM lay-out and informs you whether or not it has been
changed. It carries out these checks each time you boot from your
hard disk.
Note that once the boot sector has been executed unchecked, it is
very difficult to check it afterwards. A virus could have become
resident in memory during boot-up and have hidden its presence.
Once again, TbUtil will offer you a great deal of security here
as it is active BEFORE the boot sector is executed.
Also note that the use of TbUtil is much more convenient than the
traditional strategy of booting from a clean DOS diskette for an
undisturbed inspection of the boot sector.
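The checks described in 2.6 (TbCheck refusing changed or unrecorded files) and in 2.11 (the TbUtil partition code running a CRC over the boot sector before passing control to it) follow one pattern: fingerprint while clean, compare before execution. The C code below is an added example of that pattern and is not TBAV code; CRC-32, the fingerprint record layout, the verdict names and the reading of 'secure' as "refuse instead of ask" are assumptions, since the manual gives none of these details.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512

/* CRC-32 (reflected, polynomial 0xEDB88320). Assumption: the manual does not
 * say which CRC TBAV computes; CRC-32 stands in for it here. */
uint32_t crc32_buf(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    while (n--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Hypothetical fingerprint record; the real Anti-Vir.Dat layout is not
 * described in the manual. */
struct fingerprint {
    const char *name;
    size_t      length;
    uint32_t    crc;
};

enum verdict { ALLOW, ASK_USER, REJECT_CHANGED, REJECT_NO_RECORD };

/* Baseline step (the role TbSetup plays): record length and CRC of a program
 * while it is known to be clean. */
struct fingerprint enroll(const char *name, const uint8_t *image, size_t len)
{
    struct fingerprint f = { name, len, crc32_buf(image, len) };
    return f;
}

/* Execution gate (the role TbCheck plays). With 'secure' set nothing is asked:
 * a changed file or a file without a record is refused outright. */
enum verdict gate_execution(const struct fingerprint *db, size_t ndb,
                            const char *name, const uint8_t *image,
                            size_t len, int secure)
{
    for (size_t i = 0; i < ndb; i++) {
        if (strcmp(db[i].name, name) != 0)
            continue;
        if (db[i].length == len && db[i].crc == crc32_buf(image, len))
            return ALLOW;
        return secure ? REJECT_CHANGED : ASK_USER;
    }
    return secure ? REJECT_NO_RECORD : ASK_USER;
}

/* Boot-time check (the role of the TbUtil partition code): compare the boot
 * sector with the CRC saved earlier, before the sector is given control. */
int boot_sector_unchanged(const uint8_t *sector, uint32_t saved_crc)
{
    return crc32_buf(sector, SECTOR_SIZE) == saved_crc;
}

int main(void)
{
    /* Constructed sample data, not taken from a real disk or program. */
    uint8_t sector[SECTOR_SIZE] = { 0xEB, 0x3C, 0x90 };
    uint8_t prog[64] = { 'M', 'Z' };
    uint8_t grown[80] = { 'M', 'Z' };   /* same program, 16 bytes longer */
    struct fingerprint db[1];
    uint32_t saved;

    sector[510] = 0x55; sector[511] = 0xAA;
    saved = crc32_buf(sector, SECTOR_SIZE);
    printf("boot sector clean:    %d\n", boot_sector_unchanged(sector, saved));
    sector[0x40] ^= 0x01;               /* any single changed byte */
    printf("boot sector modified: %d\n", boot_sector_unchanged(sector, saved));

    db[0] = enroll("EDIT.EXE", prog, sizeof prog);
    printf("known, unchanged:  %d\n",
           gate_execution(db, 1, "EDIT.EXE", prog, sizeof prog, 1));
    printf("known, grown:      %d\n",
           gate_execution(db, 1, "EDIT.EXE", grown, sizeof grown, 1));
    printf("no record:         %d\n",
           gate_execution(db, 1, "NEW.EXE", prog, sizeof prog, 1));
    printf("grown, not secure: %d\n",
           gate_execution(db, 1, "EDIT.EXE", grown, sizeof grown, 0));
    return 0;
}
```

The boot-sector comparison only means something when it runs before the sector executes, which is the point section 2.11 makes about resident code hiding its presence.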
2.12. Compatibility
The Thunderbyte Anti-Virus utilities are designed to cooperate with
networks, MS-Windows, DR-DOS, etc.
2.13. MS Windows
The Thunderbyte Anti-Virus utilities are Microsoft Windows
compatible. The utilities remain active in every DOS box, without
mixing the operation of the adjacent windows. All TBAV utilities
can also be invoked in a graphics DOS box inside Windows.
What you will not find in the TBAV package are fancy looking
Windows programs. There are several reasons for this omission:
- A Windows scanner never offers additional functionality.
Instead, a Windows scanner requires more system resources,
becomes larger and slower, and performs less reliably. The only
'gain' would be a prettier screen lay-out. If the screen layout
is your major concern, TBAV is not the Anti-Virus package for
you!
- If one of the Windows files gets infected, Windows will most
likely refuse to work and hang the machine. This is exactly when
you need a scanner to see what is going on, but you can no longer
use it!
- To cope with stealth viruses it is required to boot from a
clean DOS diskette before running the scanner. But, ever tried
to boot Windows off a diskette?
TBAV provides fine Windows support, but no nonsense.
3. EXAMPLE SETUPS
3.1. Initial installation
In the following examples it is assumed that all utilities are
copied in a directory named TBAV. If this is not the case, execute
the following commands:
MD C:\TBAV
COPY *.* C:\TBAV
C:
CD \TBAV
For all example setups it is required that TbSetup has been
executed:
TbSetup C:\
If your system has more hard disks or disk partitions you should
repeat the TbSetup invocation for every drive or partition.
It is also highly recommended to make a recovery diskette. The
example setups assume you have created such a recovery diskette.
It is also highly recommended to read the manuals of all the TBAV
products. The example setups outlined below are just intended to
give you some ideas about the use of the TBAV utilities, and these
examples are not intended as a full featured protection setup!
3.2. Creation of a recovery diskette
A recovery diskette is required to get rid of any virus in the
future. Without such a diskette, you will never be able to get rid
of any virus! So, take a few minutes to make this diskette now!
Take a new, empty diskette, put it in drive A:, go to your DOS
directory and execute the following commands:
Format A:\ /S
Copy SYS.COM A:
Now return to the TBAV directory:
CD \TBAV
Execute the batch file MakeResc:
MakeResc A:
Now copy any other utilities you think you need in case of an
emergency to the diskette. A tiny editor - to edit Config.Sys
and/or AutoExec.Bat - is also highly recommended.
If your hard disk needs some special device driver to be accessed
(like a Stackered disk), copy the required device drivers also to
the recovery diskette and install the drivers in the Config.Sys
file on drive A:. Consult the manual of these device drivers for
additional help.
Now execute TbSetup as follows:
TbSetup A:
The diskette is now almost ready. MAKE THE DISK WRITE PROTECTED BY
USING THE WRITE PROTECT TAB! Label the diskette with 'Recovery'.
Now store the diskette in a safe place. Do not use it until you
need it!
3.3. Prevention of illegal software
A lot of companies do not want their users to install or execute
unauthorized software. TBAV can help to prevent this.
Add to the Config.Sys the following lines:
Device=C:\TBAV\TbDriver.Exe
Device=C:\TBAV\TbCheck.Exe secure
Execute TbSetup on the system.
TbSetup C:\
Reboot the system.
Press Ctrl-Alt-Del.
If the user now tries to execute new software - software not
authorized by TbSetup -, TbCheck does not allow these files to be
executed.
3.4. Prevention of viruses
To prevent viruses from doing any harm on your system, execute or
install the following products:
Execute TbUtil to make a backup of the partition table and to
replace the partition code by a partition sector with virus
detection capabilities:
TbUtil immunize=a:tbutil.dat
Add the following lines to the config.sys file:
Device=C:\TBAV\TbDriver.Exe
Device=C:\TBAV\TbScanX.Exe
Device=C:\TBAV\TbMem.Exe
Device=C:\TBAV\TbFile.Exe
Add the following line to the autoexec.bat file:
C:\TBAV\TbDisk
Reboot the system.
Press Ctrl-Alt-Del.
It is very likely that some of the TBAV utilities display a message
when you boot again. This is because some programs that are invoked
perform operations that are monitored by the TBAV utilities. TBAV
has to 'learn' which programs perform these operations. If you
respond with 'Y' every time, TBAV will remember this for next time,
and it will not bother you again with these messages and questions.
Reboot the system again.
Press Ctrl-Alt-Del.
The TBAV utilities now monitor the system and warn you if something
suspicious - or worse - is going on! They also warn you if a new
file contains a virus. In all situations, viruses are detected
before they can do any harm.
3.5. Detection of viruses
To detect viruses AFTER an infection occurred, you can also use the
TBAV utilities.
Add the following lines to the config.sys file:
Device=C:\TBAV\TbDriver.Exe
Device=C:\TBAV\TbCheck.Exe
Add the following line to the autoexec.bat file:
C:\TBAV\TbScan C:\ once
Reboot the system.
Press Ctrl-Alt-Del.
TbCheck will warn you if files have been changed. TbScan is invoked
automatically once a day.
3.6. A full protected system
The best protection is achieved with the following setup.
Execute TbUtil to make a backup of the partition table and to
replace the partition code by a partition sector with virus
detection capabilities:
TbUtil immunize=a:tbutil.dat
Add the following lines to the config.sys file:
Device=C:\TBAV\TbDriver.Exe
Device=C:\TBAV\TbCheck.Exe
Device=C:\TBAV\TbScanX.Exe
Device=C:\TBAV\TbMem.Exe
Device=C:\TBAV\TbFile.Exe
Add the following line to the autoexec.bat file:
C:\TBAV\TbDisk
C:\TBAV\TbScan C:\ once
Reboot the system.
Press Ctrl-Alt-Del.
It is very likely that some of the TBAV utilities display a message
when you boot again. This is because some programs that are invoked
perform operations that are monitored by the TBAV utilities. TBAV
has to 'learn' which programs perform these operations. If you
respond with 'Y' every time, TBAV will remember this for next time,
and it will not bother you again with these messages and questions.
Reboot the system again.
Press Ctrl-Alt-Del.
The TBAV utilities now monitor the system and warn you if something
suspicious - or worse - is going on! They also warn you if a new
file contains a virus. In all situations, viruses are detected
before they can do any harm. Viruses are also detected after they
are installed on the system for any reason.
3.7. Protection against employees.
Most of the TBAV utilities are interactive. They require
communication with the user if something is going on. In companies
however it may be that the system operator is the only one who
should communicate with TBAV in case something is going on. All TBAV
utilities support the option 'secure'. If this option is specified,
the TBAV utilities will not ask the user for permission before
allowing dangerous operations: TBAV will always deny all dangerous
and suspicious operations.
3.8. System maintenance.
Unfortunately, a system needs maintenance. This maintenance also
affects the TBAV utilities. The signature file of TbScan needs a
frequent update. You can obtain a new signature file on one of our
support Bulletin Board Systems.
It is likely that you add, update or replace programs on your
system. If you do so, do not forget to use TbSetup to make or
update the fingerprints of these programs!
If you install a new version of DOS, the bootsector will be
changed. If you change the configuration of your disks, the
partition table and/or CMOS configuration will change. You need to
create a new recovery diskette in these cases.
3.9. Recovering from viruses.
DO NOT MAKE A NEW BACK-UP OF YOUR SYSTEM THAT WILL OVERWRITE AN
ALREADY EXISTING BACK-UP. Make a separate back-up instead and label
it as being infected and unreliable.
When recovering from a virus infection it is important that you
boot from the uninfected, write-protected, recovery diskette. (If
you followed our recommendations, you have a diskette labeled
'recovery').
Do NOT run any program from your hard disk! The virus must be
denied access to your memory while you clean up the system. TbCheck
will warn you if you accidentally try to execute an infected or
unauthorized program from your hard disk.
Run TbScan for an indication about what is wrong. TbScan will
report the virus name if the virus is known, or it will report file
changes in case the virus is unknown.
TbScan C:\ log=lpt1
Also run TbUtil to compare the bootsector, partition code and
CMOS configuration.
TbUtil compare
If the bootsector or partition code contains a virus, you can use
TbUtil to remove the virus from these items:
TbUtil restore
In case of a file virus, restore all executables. TbClean is not
recommended unless you don't have a back-up of the uninfected
executable files. Depending on the kind of virus it might also be
necessary to replace all data files.
Once the system has been cleaned, check all diskettes, back-ups,
etc. One infected diskette can cause you the same trouble all over
again. Therefore we highly recommend you to take measures to
protect your system against re-infections, since there is always
the possibility that you forgot to clean up one of your diskettes.
Use a virus scanner frequently, install a resident scanner (like
TbScanX), or even better, install the Thunderbyte PC Immunizer card.
4. MISCELLANEOUS INFORMATION
4.1. Who are we?
The Thunderbyte Anti-Virus utilities have been developed by Frans
Veldman, chief executive of the ESaSS and Thunderbyte company.
ESaSS is the company that developed the well-known Thunderbyte
card, the first hardware PC immunizer, and has gained a great
deal of experience with and knowledge of viruses and
assembler-written system software. Of course, we do have a large
collection of viruses to test our products on.
4.2. Updates
The Thunderbyte Anti-Virus utilities are updated often. The updates
will be available on all Thunderbyte support BBSs but also a lot
of other BBSs will have the most recent version of our software
available.
The standard complete release will be named: TBAVxxx.ZIP.
The 'xxx' will be replaced by the three digit version number of the
Thunderbyte Anti-Virus utilities.
To maintain the high reliability of the products, beta releases
are available. They will not be distributed widely, but are just
available on the Thunderbyte support BBS in The Netherlands and in
the USA. They will only contain the files that have been changed.
Beta versions can be recognized because they have a 'B' in the
name: TBAVBxxx.ZIP.
To minimize download costs there will also be upgrade archives
which contain files that have been changed since the previous
official release. They will have a 'U' in their name: TBAVUxxx.ZIP.
The resident Thunderbyte Anti-Virus utilities are also available in
processor optimized formats. These processor optimized versions are
available for registered users only, and they are archived in a
file with a 'X' in the name: TBAVXxxx.ZIP.
4.3. Distribution of the signature file
The signature file (VIRSCAN.DAT) is updated every month. It will be
distributed in an archive called VSIGYY##.ZIP (YY = Year, ## =
release sequence number). Emergency updates are released as files
called ADDNSIGS.DAT which will be distributed as the archive
ASIGYY##.ZIP (YY = Year, ## = release sequence number). Most
Bulletin Board Systems will get a fresh copy of these two files
within 48 hours after the Master Copy has been updated at Bamestra
BBS. The most recent signature files can also be obtained from any
Thunderbyte support BBS.
4.4. Language support
The Thunderbyte Anti-Virus utilities do support several languages.
The language support files are distributed in archives named
TB<name><version>.ZIP, where <name> stands for the two or three
character country code, and <version> for the version number of TBAV.
A language support file for The Netherlands would have the name
TBNL500.ZIP (version 5.00). You will find these language files on
most Thunderbyte support BBSes.
4.5. Thanks
The Thunderbyte Anti-Virus utilities would not have evolved to
their current state without the valuable contributions made by a
number of people. Special thanks to:
Jan Terpstra, for maintaining the signature file.
Righard Zwienenberg, for testing TbScan on over 20Mb of viruses.
John Lots, for beta-testing and technical advice.
Eric Richet, for beta-testing.
Stephane Veaux, for beta-testing.
Alan Solomon, for testing and for the discovery of a FCB problem.
Harry Thijssen, for stimulating the scanner speed competition.
Jeff Cook, for revision and correction of the manual.
Fridrik Skulason, for cooperation of heuristic implementation.
5. A VIRUS, NOW WHAT?
5.1. Prevention
It is always better to be safe now than to be sorry afterwards. You
can prevent an infection by using reliable software only, i.e.
software of which the origins are known.
MAKE SURE YOU HAVE AN UNINFECTED WRITE-PROTECTED BOOTABLE DOS DISK
STORED IN A SAFE PLACE. The disk will be needed in case of
infection. Without an uninfected bootable disk you will never be
able to get rid of any virus! The disk should be write-protected to
make sure it will remain uninfected!
Make sure you use TbSetup to maintain recovery information of all
executable files of your system!
Only boot from your hard disk or from your original DOS diskette.
NEVER use someone else's disk to boot from. Should you have a hard
disk, make certain that you have opened the door to your floppy
drive before resetting or booting your PC.
Use the DOS program ChkDsk frequently (without the /F switch).
ChkDsk is able to detect some viruses because the viruses change
the disk structure in an incorrect manner, causing disk errors in
the process.
Look out for changes in the behaviour of your software or system.
Any change in their behaviour is suspect, unless you know its
cause. Some highly suspicious symptoms are:
- The amount of available memory space has decreased.
- Programs need more time to execute.
- Programs do not operate as they used to, or cause the system
to crash or reboot after some time.
- Data disappears or gets damaged.
- The size of one or more programs has increased.
- The screen behaves strangely, or you will find unusual
information displayed there.
- ChkDsk detects many errors.
5.2. Confirmation
Once you think your system may have been infected by a virus, try
to get confirmation. You can get confirmation by using a virus
scanner, or by booting from the uninfected write-protected DOS
diskette and comparing the files on the hard disk to the known
uninfected original copies. DO NOT RUN ANY PROGRAM ON THE HARD DISK
BEFORE OR WHILE PERFORMING THIS TEST, TO PREVENT THE VIRUS FROM
GOING RESIDENT IN MEMORY. If the files have not been changed you
are not dealing with a file virus. However, if they all appear
changed in the same manner, it is very likely that the files have
been infected. The bootsector is more difficult to test. Use the
DOS SYS command to replace the bootsector in case of doubt.
Note that file viruses infect other programs. It is highly unlikely
that you will find only a few infected programs on a frequently
used hard disk. If TbScan reports a virus in only 1% of the files
on your hard disk, you should treat it as a false alarm.
If you find a virus, do NOT use your copy of TbScan to check other
machines, unless you have copied it to a write-protected diskette
before the system became infected. Although TbScan performs a
sanity check on invocation, there are some viruses that are able to
fool a self-check, and TbScan might therefore carry such a virus
without detecting it itself.
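The comparison against known uninfected originals described in this section, sketched as an added Python example (it is not part of the Thunderbyte manual or of TBAV). The function names, the extension list and the reading of "changed in the same manner" as one identical size increase are assumptions of the example, and the sample files are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

EXEC_EXTS = {".com", ".exe"}  # assumption: executable types worth comparing

def digest(path):
    """SHA-256 of a file's contents."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def compare_trees(reference, suspect):
    """Return (files compared, {relative path: size delta}) for changed executables."""
    reference, suspect = Path(reference), Path(suspect)
    total, changes = 0, {}
    for ref in sorted(reference.rglob("*")):
        if not ref.is_file() or ref.suffix.lower() not in EXEC_EXTS:
            continue
        cand = suspect / ref.relative_to(reference)
        if not cand.is_file():
            continue  # files missing from the suspect tree are out of scope here
        total += 1
        if digest(ref) != digest(cand):
            rel = ref.relative_to(reference).as_posix()
            changes[rel] = cand.stat().st_size - ref.stat().st_size
    return total, changes

def verdict(changes):
    """'Changed in the same manner' is approximated as one shared size delta."""
    if not changes:
        return "unchanged"
    if len(changes) > 1 and len(set(changes.values())) == 1:
        return "uniform-change"
    return "isolated-or-mixed"

def demo():
    """Constructed sample: three executables, each suspect copy 64 bytes longer."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, sus = Path(tmp, "ref"), Path(tmp, "sus")
        ref.mkdir()
        sus.mkdir()
        for name, size in (("A.COM", 100), ("B.EXE", 300), ("C.EXE", 500)):
            (ref / name).write_bytes(bytes(size))
            (sus / name).write_bytes(bytes(size) + b"\xAA" * 64)
        total, changes = compare_trees(ref, sus)
        return total, changes, verdict(changes)

if __name__ == "__main__":
    print(demo())
```

As the section requires, such a comparison is only meaningful when run from trusted media with the reference tree taken from write-protected originals.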
5.3. Identification
Identify the virus. This is extremely important because if you know
which virus infected your system, you know what the virus must have
done there, and whether or not your data files can still be relied
upon.
You can use a virus scanner to identify a virus. Once you know the
name of the virus you should obtain additional information about
the virus. Log on to our support BBS, consult literature on this
subject, or consult a virus expert.
If the virus only infects executable files you need only replace
executable files. But if the virus swaps some bytes at a random
location of your hard disk each time you execute a program, you
have to replace your data files too, even though you didn't notice
any changes in the data files themselves.
5.4. Don't Panic!
The most important thing to do is NOT TO PANIC! Panicking doesn't
help you, as you need to be calm to deal with the situation
properly. In most cases of virus infection in the past, most of
the damage was done by the operator of the system, not by the virus
itself. Do nothing at all except for identifying the virus and
obtaining information about it. An instant reformat of your hard
disk(s) is the worst thing you can do. Once you know exactly what
the virus does, you can work out a strategy to recover from the
infection.
DO NOT MAKE A NEW BACK-UP OF YOUR SYSTEM THAT WILL OVERWRITE AN
ALREADY EXISTING BACK-UP. Make a separate back-up instead and label
it as being infected and unreliable.
5.5. Global recovering
When recovering from a virus infection it is important that you
boot from an uninfected write-protected DOS diskette. Do NOT run
any program from your hard disk! The virus must be denied access to
your memory while you clean up the system.
Restore the DOS system and bootsector by using the DOS SYS command.
In case of a file virus, restore all executables. A virus removal
utility is not recommended unless you don't have a back-up of the
uninfected executable files. Depending on the kind of virus it
might also be necessary to replace all data files.
If the system has been infected by a virus that modifies the
partition table it might be necessary to perform a low-level
reformat of your hard disk(s). If you used a utility to back up the
partition table (like TbUtil) it isn't necessary to reformat the
disk(s). TbUtil restores the partition table for you.
Once the system has been cleaned, check all diskettes, back-ups,
etc. One infected diskette can cause you the same trouble all over
again. Therefore we highly recommend that you take measures to
protect your system against re-infections, since there is always
the possibility that you forgot to clean up one of your diskettes.
Use a virus scanner frequently, install a resident scanner (like
TbScanX), or even better, install the Thunderbyte PC Immunizer card.
6. NAMES AND ADDRESSES
6.1. Contacting the author.
The Thunderbyte Anti-Virus utilities have been written by Frans
Veldman. You can leave messages for him at the Dutch support BBS.
Registered users can also phone for technical support. To register,
see one of the REGISTER.* files.
6.2. ESaSS B.V.
For more information about the Thunderbyte Anti-Virus utilities you
can contact:
ESaSS B.V.          Tel:  + 31 - 80 - 787 881
P.o. box 1380       Fax:  + 31 - 80 - 789 186
6501 BJ Nijmegen    Data: + 31 - 85 - 212 395
The Netherlands     (2:280/200@fidonet)
6.3. TBAV registration/support sites.
In order to provide the global community with anti-virus coverage
in a timely manner, ESaSS B.V. has established an Agents program to
provide service, sales and support for our products around the
world. You will find all information in the file AGENTS.DOC.
6.4. Recommended magazines and organizations.
Virus Bulletin.
Virus Bulletin Ltd.
21 The Quadrant, Abingdon Science Park, Oxon, OX14 3YS, England.
Tel. +44-235-555139.
International Computer Security Association.
Suite 33
5435 Connecticut Avenue NW
Washington D.C. 20015
Tel. +1-202-364-8252
National Computer Security Association.
227 West Main Street.
Mechanicsburg, PA 17055, United States.
Tel. +1-717-258-1816
Virus News International.
Berkley court, Millstreet, Berkhamsted, Hertfordshire, HP4 2HB,
England.
Tel. +44-442-877877.