The World of Computer Software

home *** CD-ROM | disk | FTP | other *** search

/ The World of Computer Software / World_Of_Computer_Software-02-387-Vol-3of3.iso / n / nem_110.zip / NEMDOC.ENG < prev next >

Wrap

Text File | 1993-03-13 | 99KB | 1,993 lines

==================================================================== NEMESIS v 1.10 (c) 1992, Christian Sy & Robert Hoerner ==================================================================== CONTENT : General Overview How does NEMESIS work How to start NEMESIS Commandline-parameters of NEMESIS NEMESIS warnings (DOS-Level) NEMESIS warnings (Sector-Level) Technical remarks explanation of keys to press Appendix (false alarms & incompatibilities ) Explanation of terms ==================================================================== Read the file REGISTER.DOC, too ! NEMESIS is shareware not freeware or in the public domain. If you are using it for longer then the trial period you HAVE to register or to delete it. It is cheap ! Think about the lot of work it contains. ==================================================================== ==================================================================== General overview ==================================================================== REQUIREMENTS: ------------- - IBM XT or AT or compatible - DOS 3.3 or higher (tested it with: PC-DOS 3.3, MS-DOS 5.00, 4DOS 3.0/4.0, DR-DOS 5.00,6.0) - at least 64 KB free memory to start NEMESIS - uses 0 Byte conventional memory, if you have XMS and enough (min. 4KB) free upper memory - uses 4 kB normal memory for resident NEMESIS if you have EMS, but no (not enough) free upper memory - uses 38 kB normal memory for resident NEMESIS if neither XMS nor EMS - 32 KB EMS / one EMS-handle for extended-learning-mode - sector-level protection (see below) needs (1 KB EMS per 1 MB HD-space) + (32 KB EMS * Number of your physically available drives, networkdrives excluded) - it needs 3 EMS-handles per DOS-drive (only harddrives) - EMS 4.0 for EMS-functions required. Use EMSTEST.COM to check it out. - two harddisks are supported. ==================================================================== Features : ---------- - ability to create a flexible sector-image of specified files and to prevent infection nearly completely. - ability to protect even files on SUBSTed, ASSIGNed and JOINed drives on the level of sectors ! NEMESIS is the first program worldwide that is able to do this. - protects your directories from being destroyed - protects your FAT from being killed (not with SMARTDRV). - warns if protected files are to be created / deleted / changed - ability to run (!) almost completely in EMS, wasting a minimum of conventional memory - ability to load itself high, wasting not a single byte in conventional memory. - ability to learn about "good" programs. - doesn't need and doesn't use any scanstrings, this means you don't need an update every two weeks - multiple languages available. - delivers an EMS emulator. More info on that see in EMS40.DOC - contains an EMSTEST-utility. ==================================================================== Pre-defined filenames : ----------------------- All the following files will be searched in the NEMESIS start-directory. NEMESIS.BIN : This file contains (nearly) all messages, that NEMESIS can give. NEMESIS.EXT : This file contains all extensions, that you want to be protected in addition to the pre-defined extensions (see later). NEMESIS.FIL : If you deny a write to a protected file and did not give the parameter "NOSAVE" , then NEMESIS will redirect what should have been written into the file NEMESIS.FIL. NOTE : Since this file may contain viruses ( after they have been disabled !) a scanner may find virus-signatures there. There is no danger at all, since NO VIRUS can infect from NEMESIS.FIL. NEMESIS.OVA : Contains data that NEMESIS needs to remember after learning. It is no "overlay", but protected by its pseudo overlay-extension. NEMESIS.CFG : This file contains your preferred commandline, that you wish to give to NEMESIS. If you normally want to start NEMESIS with "EMS" "FAT=OFF" then you could insert these parameters in the file NEMESIS.CFG. Type it exactly, as you would type it at the DOS-prompt. Use ONE line only ! NEMESIS will first read your actually typed commandline, analyse it, and then it will read the file NEMESIS.CFG. If NEMESIS.CFG contains FAT=OFF, e.g., and you type "NEMESIS FAT=ON" then "FAT=OFF" will be active, since the NEMESIS.CFG will be read later (and will overrun your "FAT=ON"). ==================================================================== How does NEMESIS work ==================================================================== NEMESIS works on two levels : ----------------------------- First (conventional) level is : ------------------------------- if a file which has a protected extension is opened (e.g. "COMMAND.COM" has the extension "COM", which is protected) it will be noticed by NEMESIS. NEMESIS will then act like you have configured it, protecting this file from being changed without an "OK" from you. Second level is : ----------------- Protection of those clusters which belong to files with protected extensions. This means : your HD does not know anything about files, it just contains tracks and sectors. Your DOS however gives you access to files, not to sectors. So, if you are starting any program, e.g. COMMAND.COM, your DOS has to check which sectors on which tracks in which sequence contain the file COMMAND.COM, then it reads these sectors one after the other into memory and executes, what they contain (in our example, it starts COMMAND.COM and you will see a new DOS-prompt). See later : "technical remarks". You can access the sectors of COMMAND.COM with NU.EXE or PCTOOLS.EXE or any other sector accessing utility. What we have implemented (we are the first worldwide..) is : we are checking which sectors are owned by files with protected extensions and if there is any write-access onto one of these sectors, NEMESIS will act. The cluster-level protection, however, does only work, if you have enough expanded memory. ==================================================================== How to start NEMESIS : ==================================================================== Just type "NEMESIS" at the DOS-prompt and wait. NEMESIS will first create a number that allows to test, whether NEMESIS is infected or damaged. NEMESIS will then read the first sector of NEMESIS and checks whether NEMESIS' disk-image has been changed. NEMESIS will then check, wether NEMESIS is already loaded. If so, it skips the following step. If started from diskdrive, this step will be skipped, too. Otherwise : NEMESIS will create one COM and one EXE file. Both files will be re-read after creation to check whether you have already an active virus in memory, then both files will be executed for the same reason (no execution if NEMESIS runs from a network drive). If everything seems to be ok, both will be deleted. If NEMESIS detects, that at least ONE of theses files have been modified, they will NOT be deleted, but you will get a message like "Your system is already infected. Have a look into the file <blabla>". This file exists in the root-directory of NEMESIS' startdrive. NEMESIS then looks what resources you computer has, which DOS-version you have and so on, reads the commandline, reads NEMESIS.CFG and if everything seems to be o.k., especially if you have enough EMS for NEMESIS' data it will perform a scanning for clusters which are owned by protected files. This will look like this : (note : "scanning" here has nothing to do with "virus-scanning" !) ------------------------------------------------------------------------------ NEMESIS 1.10 (english/unreg.), (c) 1992 Christian Sy & Robert Hoerner Unregistered evaluation copy ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ Protected files in drive EXE,COM,SYS,OV?,BIN ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ Scanning partition C: , please wait... SYSTEM ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ total EMS in KB is : 7360 ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ free EMS is KB is : 4672 ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ used EMS in KB is : 0 ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ------------------------------------------------------------------------------ or like this : ------------------------------------------------------------------------------ NEMESIS 1.10 (english/unreg.), (c) 1992 Christian Sy & Robert Hoerner Unregistered evaluation copy ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ Protected files in drive EXE,COM,SYS,OV?,BIN ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ Scanning partition C: , please wait... SYSTEM ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ total EMS in KB is : 7360 ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ free EMS is KB is : 4672 ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ used EMS in KB is : 0 ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ No cluster level protection possible on drive D:. Reason : drive is controlled by SSTOR. ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ------------------------------------------------------------------------------ Since compressed drives are not protected, you will be informed. Then you will see a screen, that contains the current status of resident NEMESIS and you can go on with your work : ------------------------------------------------------------------------------ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ NEMESIS 1.10 installed ... ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ Copyright 1992,1993 by Christian Sy & Robert Hoerner ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ Status of resident NEMESIS Resident NEMESIS is currently ON WAIT for keypress is ON used DOS-memory : 512 Byte SAVE instead of WRITE is ON used upper memory : 4000 Byte warning on FAT-writes are ON (CODE) EMS-memory : 35478 Byte INVALID calls allowed is ON (DATA) EMS-memory : 336 KB warning if bootsector changed is ON used EMS-handles : 14 WATCH interrupts is ON ------------------------------- STEALTH-MODE (using EMS) is ON MS-DOS/PC-DOS : 5.0 watching sectors directly is ON Processor : 80386 initializing memory was OFF allow TBSCANs special feature is OFF ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ Protected files in drive C:,D:,E:,F:, EXE,COM,SYS,OV?,BIN Problem to read absolute sectors in upper memory ! Requesting low memory for buffering. C:\NEMESIS 14:07> ------------------------------------------------------------------------------ Maybe "STEALTH-MODE" and "watching sectors" is "OFF" at your screen. Then you have no (or not enough) EMS or you gave the parameters "NOEMS" and/or "NOFAT" to NEMESIS (see : "parameters"). The right side of your screen will contain other values, too. These values are dependent on your actual configuration, your harddisk-size, the amount of executables on your harddisk and so on. "Used DOS-memory" means the amount of conventional memory, that NEMESIS uses. The above picture is made from my computer, I have EMS and XMS installed, so NEMESIS did load itself high and wasted 0 Byte of conventional memory. Instead it used 4000 byte of "upper memory" above 640 K, but below 1 MB. But since I have a Busmaster-DMA-controller build in, NEMESIS has to request a 512-byte buffer for direct sector-access. It resides in DOS-memory. Without this I would not have any protection against destruction of directories. Since I have EMS NEMESIS swapped itself into expanded memory, using 33673 byte of it (it used 49152 Byte, since you can request expanded memory only in pieces of 16384 byte) for its code. It needed 1 EMS-handle for this. NEMESIS has scanned my harddisk, I have sector-level protection. So NEMESIS used 12 handles of EMS for its data (drive C: to F:, each one needs 3 handles). These 12 handles contain 336 KB expanded memory. One more handle is used for learning. So NEMESIS needs 14 handles. The other data is given for debug purposes. Maybe NEMESIS acts "strange" or doesn't work at all. Then most probably one of its internal switches is fault. This maybe the version of DOS or others. It doesn't tell every switch but if one of the above data is wrong then please : drop a note to Robert Hoerner, adress below. --------------------------------------------------------------------- What you can see is the current status of NEMESIS. If you wish to change anything : do it. NEMESIS detects NEMESIS in memory and will not go resident twice but give the new status to the resident NEMESIS. ------------------------------------------------------------------------------ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ NEMESIS-parameters are : ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ON/OFF : Switches NEMESIS "ON" or "OFF" QUIT : Removes NEMESIS completely from memory ADD : add new extensions to protect TBSCAN=ON/TBSCAN=OFF : (not) allow TBSCAN-special feature (be careful ...) WAIT/NOWAIT : (no) wait for keypress on decisions FAT=ON/FAT=OFF : (no) warnings an writings to FAT WATCH/NOWATCH : do (not) watch for changes of interrupts SAVE/NOSAVE : on rejected write-accesses : (no) save instead of write FACE/NOFACE : show (no) activity face on screen BOOT=ON/BOOT=OFF : (no) warnings, if bootsector is written INVALID/NOINVALID: (not) allow invalid calls to DOS SHA=,SW=,CO1=,CO2=,CO3=,CO4=,CO5=,CO6=,CO7= : set colors The following parameters are valid only at startup : LOW : NEMESIS should NOT loadhi itself EMS/NOEMS : do (not) use EMS for code NOFAT : should (or can) not use EMS for cluster-level protection INIT : initialize memory on startup BATCH : switch NEMESIS on and off without asking ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ C:\NEMESIS 14:08> ------------------------------------------------------------------------------ ==================================================================== Commandline-parameters of NEMESIS : ==================================================================== Simply type "NEMESIS ?" at the DOS-prompt to see all parameters. You can type the commands when starting NEMESIS and at any time later. ==================================================================== ON/OFF : Switches NEMESIS "ON" or "OFF" ==================================================================== You can switch NEMESIS OFF and ON whenever you wish it. NEMESIS works resident and watches every access to your HD and watches many calls to your DOS. This cannot be done without affecting the performance of your system. So, if you are sure not to be in danger of viruses you can temporarily switch NEMESIS OFF and then switch it on again. ==================================================================== ADD : add new extensions to protect ==================================================================== You can add new protected extensions whenever you wish it. Create a textfile "NEMESIS.EXT" containing the extensions you wish to be protected. e.g. "PIFDBFLOGBAT" and so on. Do not write the quotes, just write the extensions themselves without spaces. Each extensions may contain the "?" wildcard(s) and must be 3 chars. This means "FI?" is valid, "F*" is NOT valid. "???" is valid and will result in protecting ALL files : WE DO NOT RECOMMEND THIS ! You would be warned on every write-acces to any file (textfiles, tmp-files and and and....). You can add up to 24 extensions. NEMESIS will re-scan your harddisk then. ==================================================================== WAIT/NOWAIT : (no) wait for keypress on decisions ==================================================================== Normally NEMESIS will open a window and ask you how to act. If you are sure that every write-access to files with protected extensions should be rejected, you can give the parameter "NOWAIT" to NEMESIS. Then you will never be asked, any writeaccess to any protected file will be rejected. Use this with care ! There are some executables that write to themselves, if you reconfigure them (TURBO-Pascal, Q-Edit, Wordstar, and many others, too). If NEMESIS rejects this write-request your new configuration is lost. ==================================================================== FAT=ON/FAT=OFF : (no) warnings on writings to FAT' ==================================================================== Since some (useful) programs are writing directly to your FAT (file allocation table) without "going trough DOS", NEMESIS will give warnings that may be (and in theses cases : ARE) false alarms. To disable this warning temorarily simply type "NEMESIS FAT=OFF". You can switch the warnings on again typing "NEMESIS FAT=ON". If you are using SMARTDRV from Microsoft (r) then this switch is internally forced to FAT=OFF. ==================================================================== WATCH/NOWATCH : do (not) watch for changes of interrupts ==================================================================== Most viri catch some interrupts to be sure, that they can work. (see "technical remarks" ). For example : if you type "NEMESIS" at the DOS-prompt a call to interrupt 21h will be performed, containing the text "NEMESIS". This call will be received by your DOS, that loads NEMESIS.COM from your HD and starts it. If there is any other program, that you have started and that has "catched" interrupt 21h (e.g. DOSEDIT) this program will "hear" the call too and can react. DOSEDIT will not react on THIS call, but most virusses WILL. NEMESIS can notice any catching of some interrupts that are "interesting" for viruses. If one of these has been catched it will give you a warning and you can decide, what to do. ==================================================================== BOOT=ON/BOOT=OFF : (no) warnings, if bootsector is written ==================================================================== Normally the first bootsector of each harddisk is protected as a special system-sector. If you give "BOOT=ON" as a parameter, then each bootsector on every partition is protected. Normally these sectors should never be written to. If you have small partitions (normally with less than 10 MB) some diskeditors will write into these sectors. Then you can disable the warnings by calling NEMESIS with parameter BOOT=OFF. ==================================================================== SAVE/NOSAVE : on rejected write-accesses : (no) save instead of write ==================================================================== Since NEMESIS can reject any write-access you might be interested in WHAT should have been written. It could be a virus as well as your actual configuration (see above). If you tell NEMESIS to "SAVE" , then a file "NEMESIS.FIL" will be created, where this (rejected) data will be written into. ==================================================================== INVALID/NOINVALID: (not) allow invalid calls of DOS-interrupt 21h ==================================================================== Some viruses have a simple way to detect themselves im memory : they perform a call to interrupt 21h and listen to the "answer". There are some known "calls" and "answers". NEMESIS can watch for these calls. However : a lot of these calls are used by network-software, too. So : if you are running NEMESIS on a network, these calls normally will be calls from the network itself, and you will get very often false "virus"-alarms. On computers without any network these calls normally are "invalid", that means DOS does not know the "answer". NEMESIS does. ==================================================================== TBSCAN=ON/TBSCAN=OFF : (not) allow TBSCANs special feature ==================================================================== TBSCAN is a very fast virus scanner, written by Frans Veldman, Netherlands. Since version 3.0 it uses a special feature to increase its performance : it swaps the dos-internal entry into your hard-disk ROM , so it can directly access your harddisk. Since this is typical for some "advanced" viruses, too, we first decided NOT to allow this swapping. TBSCAN, however, is a good scanner, so we give the responsibilty to you : by default this feature is NOT ALLOWED. Starting TBSCAN will result in aborting it by NEMESIS. You have to call NEMESIS with "TBSCAN=ON" , then TBSCAN is allowed to swap. Read the note below about CALIBRATE. * BE CAREFUL * A virus is allowed to swap, too !!! Since NEMESIS cannot decide if a virus swaps or if TBSCAN swaps... You should call NEMESIS again at once after running TBSCAN with "TBSCAN=OFF". ==================================================================== FACE / NOFACE : do (not) activity-indicator ==================================================================== If you give NEMESIS the command NOFACE it will not display the indicator, otherwise it will. It is always shown, if NEMESIS works. ==================================================================== ==================================================================== The following parameters are valid only at startup : ==================================================================== ==================================================================== LOW : NEMESIS should not loadhi itself. ==================================================================== From version 0.97 on NEMESIS is able to loadhi itself. Since version 1.10 it doesn't allow you to use the LOADHIGH-command from DOS, since in most cases it will make problems. (see note about "loadhi"). If NEMESIS loads itself high, it will start in conventional memory, copying all parts, that will be needed, high, no byte more than this. If you have no expanded memory, but enough upper memory, it will load itself completely (35 KB) high. If you have EMS and did not say "NOEMS" it will only need 4000 Byte upper memory. So if you have a little "hole" in upper memory, LOADHIGH would not be able to load NEMESIS high. NEMESIS itself IS able to do it. However, if you want to prevent NEMESIS from using upper memory, give "LOW" as paramter at startup, and it will not loadhi itself. ==================================================================== EMS/NOEMS : do (not) use EMS for its code ==================================================================== NEMESIS can work in normal DOS-RAM, in UPPER MEMORY or in EMS-MEMORY. Since an anti-virus-program has to be secure from changes, that viruses could make in the resident portion, the best is to start NEMESIS without one of these parameters. If you have at least 48kB free EMS then NEMESIS's code will reside there, unreachable for any other program (especially for viruses). If you do not have EMS then NEMESIS will install itself in normal DOS-RAM or , if you have XMS, it will LOADHI itself into upper memory. If you have no (or not enough) EMS this switch will internally be switched "OFF". See the notes about EMM.SYS, EMM386 and SMARTDRV.EXE ! ==================================================================== NOFAT : should (or can) not use EMS for cluster-level protection ==================================================================== The same problem as above : You have no or not enough EMS and you are telling this to NEMESIS at startup. However, you do not need to tell this to NEMESIS, since it checks for enough EMS during its initialization. You can use this switch to switch off Cluster-level-protection, if you like to. ==================================================================== BATCH : allow "OFF" ,"ON" and "QUIT" without request of any keypress (BATCH) ==================================================================== This switch replaces "SYSOP". "SYSOP" is removed. Be careful with this parameter. Giving it at startup allows to switch NEMESIS ON and OFF from a normal batchfile. Since version 1.10 it is allowed to remove NEMESIS with "BATCH". A virus, that would first create such a file, then executes it, is _not_ impossible. However, on automatic running systems like BBSes it's necessary to switch NEMESIS "OFF" sometimes. In earlier versions of NEMESIS it allowed to create and delete protected files. This has been changed, since NEMESIS can learn into file. See note about "learning" below. BE CAREFUL WITH THIS PARAMETER ! IT IS A SECURITY HOLE ! We include a little NEMTEST.COM, that gives an ERRORLEVEL 0, if NEMESIS is present and an ERRORLEVEL 1 if not. You can use this NEMTEST in your batches. ==================================================================== INIT : initialize memory on startup (** CHANGED **) ==================================================================== There are some new viruses that search for enough "free" bytes in your memory (usually in this part, where your DOS resides) and copy themselves to these regions. NEMESIS can prevent this by searching for these "infectable" memory-regions and making them useless for these viruses. With INIT it also searches for orphan interrupts and sets them to iret. INT 68h to INT╥Gr╬╘xcluded! ==================================================================== QUIT : remove NEMESIS completely from memory. ==================================================================== It removes NEMESIS completely from memory. This can make problems : If you loaded any TSR after NEMESIS, which hooks one of these interrupts : 8,9,13,20,21,26,27,28,2F,30,40,67, (all hex) then it *may* crash your computer. It surely *will* crash it, if the TSR "calls far" one of these interrupts *and* if the TSR is triggered by an interrupt, that is not in this list. It will *not* crash, if it performs an "int xy". It will be unlinked, however, if it handles one of these interrupts. If you gave BATCH as a command at startup, then you will not be asked, if it is ok to remove NEMESIS : it will de-install at once. ==================================================================== SHA=,SW=,CO1=,CO2=,CO3=,CO4=,CO5=,CO6=,CO7= : set colors ==================================================================== The following parameters are always valid and can be inserted into NEMESIS.CFG. Changes will not be given to resident NEMESIS. -------------- Use NEMCFG.EXE (part of NEMESIS-package) to install the colors. -------------- SHA=z set shadow-caracter (default SHA=░ ) SW=xy set shadow-color (default SW=0F : white on black) CO1=xy set background color 1 (default CO1=1F : white on blue) CO2=xy set status color 1 (default CO2=1E : yellow on blue) CO3=xy set textcolor 1 (default CO3=70 : black on white) CO4=xy set warning color 1 (default CO4=4B : yellow on red) CO5=xy set warning color 2 (default CO5=4F : white on red) CO6=xy set status color 2 (default CO6=1B : bright blue on blue) CO7=xy set info color 1 (default CO7=71 : blue on white) "xy" has to be set as HEX-value with always two valid digits : x always means the background-color (X = 0..F allowed) y always means the foreground-color (Y = 0..F allowed) The file MONO.CFG contains a commandline for users of monocrom monitors, the file COLOR.CFG contains the default colors. You have to rename (or insert) these CFG-files to NEMESIS.CFG to make them work. NOTE : ====== - CO2=2 is invalid : two digits required - CO2=4G is invalid : G is not a valid number (only 0..F allowed) - CO3=44 is invalid : would be invisible (red text on red background) Setting "x" to a value greater then 7 results in blinking text with a color of "x-8". Setting "y" to a value greater then 7 results in lighted color (not blinking). You can use the follwing table to find your colors. The first line means the valid code for "x" and "y", the second line means the resulting color (remember the note about blinking text) : ------------------------------------------------------------------ 0 1 2 3 black blue green cyan ------------------------------------------------------------------ 4 5 6 7 red magenta brown lightgrey ------------------------------------------------------------------ 8 9 A B darkgrey lightblue lightgreen lightcyan ------------------------------------------------------------------ C D E F lightred lightmagenta yellow white ------------------------------------------------------------------ xy of 37 means "lightgrey on cyan" (x is 3 and y is 7) xy of 5F means "white on magenta" (x is 5 and y is F) xy of 9F means "blinking white on blue", because x is greater then 8 and "x-8" is 1, this means "blue". ----------------------------------------------------------------- Again : use NEMCFG.EXE to install your own colors. Otherwise you will damage your health. ----------------------------------------------------------------- ====================================================================== NEW : Learning into file. ====================================================================== This feature needs 32 KB expanded memory. If you have no EMS, it will be disabled. Since you normally are using the same programs that cause warnings, but could be learned as "good" programs, we added the feature to learn into a file. NEMESIS stores the NAME and EXTENSION of the calling program (for example ARJ.EXE) as well as it can be reconstructed, the offset, where the call came from and a number, that identifies the region in memory, where the call came from. So, if you have caused NEMESIS to learn an adress, you (hopefully) will really never again been asked, - EXCEPT there will be a change in the programs code-region (*), and - EXECPT the call comes from a different offset and - EXCEPT the program has been renamed. Up to 1724 positions can be learned. If you have no EMS, NEMESIS can learn up to 80 positions anyway. But they are lost, if you remove NEMESIS from memory and have again to be learned the next time you start it. NEMESIS "learns" the adress of the calling code (1234:5678 for example) and will never ask you again, if an action comes from this specific point of your memory. Your COMMAND.COM normally resides at the same adress in memory. If you DEL some protected files, NEMESIS will warn you. You can tell NEMESIS to LEARN this adress as a "good" adress and you will never be warned again if you DEL something. Maybe you are starting a know "good" terminate-stay-resident program. NEMESIS will ask for your "ok". Let it learn, that it's "OK" and you will never be asked again. Starting DESQview will result in a "hang" with NEMESIS in memory. The first time you are telling NEMESIS that you are about to start DV, it will be learned, too. (*) for example : TURBO.EXE from Borland sets its relocated datasegment within the checked window. So you will be warned each time, when TURBO.EXE is loaded into a different memory-region. ====================================================================== EDITOVA Utility for editing NEMESIS.OVA ====================================================================== This is for registered users ONLY. It can be downloaded from our support-bbs's. It allows to edit NEMESIS.OVA using a normal editor. Problems as with TURBO.EXE can be solved using this utility. ====================================================================== NEMESIS is resident. ====================================================================== Suddenly a line appears "press any key for informations". Ok, you press any key (NUMLOCK or SHIFT is not valid [was a joke]). A window will be opened explaining the situation. There are several messages, that can be displayed and the window will look like this : ------------------------------------------------------------------------------ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ Attempt to create a protected file : <filename.ext> <-this should be created Request comes from : 1234:5678 <-adress of caller <other filename.ext> <-name of calling program ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ Do you allow it ? ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ <Y>es : allowed <N>o : not allowed <D>eny : alway "N"o , until program ends <G>o : alway "Y"es , until program ends <A>bort : abort program immediately <L>earn : always allow this program <T>ry : fails, if file already exists ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ------------------------------------------------------------------------------ What happened ? Someone (probably YOU) has tried to write to a protected file. Maybe you have copied some programs from one path to an other. Then a new file has to be created, with the same (protected) name. If this is the case : type "y" to allow it one time, or "g" to allow it until your program ends. On the DOS-prompt "g" is accepted, too. If you are sure, that in the given situation it is always allowed to create the file, you can tell it NEMESIS pressing the "L"-key. ** Handle with care ** If you are sure, that you did not want to create the file, you can type either "n" or "d". If you feel nervous, since you know that there are viruses on your computer, you can "a"bort, too. "A"bort at once brings you to the DOS-prompt. Any previous work, that is not saved will be lost. If you have edited a textfile and not saved the new content, it will be lost. If you are reconfiguring a program, that writes the new configuration into itself : it will be lost. Again : HANDLE WITH CARE, but no need to be nervous ! If you type "n" then the file will neither be created nor can be written into this (nonexisting) file. If you type "t" then DOS tries to create the file. If the file already exists, this create will fail. If it does not exist yet, it will be created and you will not be asked about this file again. ==================================================================== Back to the "keys" : ==================================================================== "Y" means : allow the current action ONE TIME ONLY and then ask again. "N" means : deny the current action ONE TIME ONLY and then ask again. "G" means : allow everthing until the current program ends. "END" means, you left the program. Shelling to DOS and returning to the program is handled as "program has ended and is restarted again". You will be asked again. "D" means : deny everything until the current program ends. "END" means the same as above. "L" means : remember the current adress. If any (!) action comes again from this given adress then let it pass, do not ask, but allow the action. "A" means : abort immediately. Abort the current program and return to the executing shell (DOS or Norton Commander, e.g.). The current program will be terminated. "T" means : try to create the file. If it exists : fail, else make a new one. ==================================================================== TECHNICAL REMARKS ==================================================================== NEMESIS is a very complex program. In order to handle it properly, you should understand at least a bit, what it does and how it works. Basically, NEMESIS can be divided into two parts: The DOS-level-protection and the BIOS-level-protection. This means : On the one hand there's code which watches DOS-calls and warns you if protected FILES are to be changed, deleted, renamed and so on... This was already explained above and is quasi a standard feature among resident anti-virus programs. The other main part of NEMESIS works in the deep, if there are no strange (viral) activities on your system, you should never get in touch with it. It works this way: NEMESIS scans the whole harddisk and creates a sector-image of the protected files. Any (ANY) BIOS-level write access is analysed whether its destination is a protected file. If so, you get a warning. NEMESIS is the first program which implements this idea seriously in a program, so there are not much experiences which could have helped to reduce the number of false alarms. Let us show you the dilemma by a simple example: One feature of NEMESIS is to detect FAT-writes which don't come from DOS. Usually this should not happen, but maybe it does. There are some programs which use some 'backdoors', which bypass DOS sometimes, so you get an alarm and think: 'stupid soft, what is going on ?' That's why we implemented all features optionally, which means you can disable it (in the above case with parameter FAT=OFF), if you use regularly software which bypasses the DOS-file-system (in the appendix you can find a list of programs which may cause false alarms). SMARTDRV of microsoft-corporation is such a "bypassing"-software.. Therefore you have NOT FAT-PROTECTION with SMARTDRV ! ==================================================================== THE SECTOR-LEVEL-WARNINGS IN DETAIL ==================================================================== --------------------------------------------------------------------- 'Attention !! Somebody is trying to manipulate the FAT directly !' --------------------------------------------------------------------- This was already mentioned in the above example. If your software uses some 'dirty tricks', you may get such a warning. How can you tell this from a real alarm ? Difficult question. Probably the best is: let the write pass through (it is dangerous to disable it ! You should have good reasons to do it), exit the current program as fast as possible and do a 'chkdsk' over your partitions. If everything is fine and you use the program which caused the warning frequently, disable the FAT-protection with FAT=OFF if the warnings disturb you. If you find lost or crosslinked clusters with 'chkdsk', you know there was something wrong...my experience: put a program like 'mirror' (which saves your current FAT in a file) in your autoexec. If your FAT gets destroyed, you can recover all data since the last run of mirror by writing the file back onto the FAT ! Possible other reasons for false alarms: - you use a cache-program with staged-write enabled. If so, disable NEMESIS's feature to protect the FAT - you are running a program like compress or speeddisk which reorgranizes your file-structure. In this case, press 'G' to disable NEMESIS until the current program finished --------------------------------------------------------------------- 'Attempt to write to a sector which belongs to a protected file !!' --------------------------------------------------------------------- This should theoretically never occur ! It means DOS was bypassed and someone tries to write directly to a protected sector. Possible reasons: - you got a very intelligent virus which tries to infect files this way - NEMESIS got confused because you changed your file-structure heavily (deleted/added executable files). NEMESIS should handle such changes properly, but this was no easy code (there is no bugfree soft, as you know) -------------------------------------------------------------------- " Attempt to change the dir-entry of <filename.ext> directly !" -------------------------------------------------------------------- This is the first line of a message, that shows you, that a directory entry should be changed DIRECTLY. The kind of change will be displayed in a second line : -------------------------------------------------------------------- " kind of change : !! destroy directory !! " -------------------------------------------------------------------- If the first byte of a dir-entry will be set to 0 (byte 0), then DOS will stop reading thid directory at this position. Each entry, that may follow, will never be read. The directory is destroyed. Give your "ok" only, if you want to remove a directory. -------------------------------------------------------------------- " kind of change : DELETE /" " kind of change : RENAME /" " kind of change : SIZE /" " kind of change : DATE/TIME /" -------------------------------------------------------------------- Changeing the date/time of a file will always be allowed by NEMESIS. Maybe you have a virus, that marks files as "infected" this way. Maybe there is no virus at all. The change of this data doesn't matter. -------------------------------------------------------------------- "kind of change : CLUSTER /" "kind of change : RESERVED AREA /" -------------------------------------------------------------------- Another critical warning. Possible reasons: - you are running a file-reorganizing program - you got an intelligent virus like DIR-2 which changes the first cluster of executable files to itself. My advice: press Y and watch the displayed numbers carefully: the first is the old cluster, the second the new one: if the new one remains the same and there are many alarms, you can be sure that you have a virus like DIR-2. If the numbers differ each time, probably everything is fine (means you have detected a bug in NEMESIS) one remark to the above feature: if you prevent a cluster-change , afterwards it may look as if it was written nevertheless. Don't care, it wasn't. But DOS thinks it was and displays wrong values. After the DOS-buffers are flushed (or the buffers of a cache-program) you will see that the cluster-entries are like before... To go sure I recommend a reboot after you deny such a change ! ---------------------------------------------------------------------- If you get BOTH warnings (first cluster AND reserved field) then your computer is most likely infected with a filesystem-virus (like DIR). In this case, you should RESET your computer at once and reboot from an original, write-protected system-diskette. Do not start any file from your harddisk. Start CHKDSK from this diskette and watch the messages. If there are NONE : No filesystem-virus. If there are a lot of cross-linked files and most of them are linked to the same cluster, then you most surely HAVE such a virus. ---------------------------------------------------------------------- After the above warnings (and if you have denied to write) in most cases the critical error handler of DOS will pop up : "write failure on drive X: (a)bort (r)etry (i)gnore". This is ok. NEMESIS tells DOS that your HD has a bad track.... ---------------------------------------------------------------------- ---------------------------------------------------------------------- For your information NEMESIS will display the current and future directory-entries. For example : If you rename NEMESIS.COM with NU.EXE it will look like this : ------------------------------------------------------------------------------ Attempt to change the dir-entry of NEMESIS.COM directly ! Kind of change : RENAME / CLUSTER / ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ Current entry new entry Name : NEMESIS.COM NEMESIS.BOM <name-fields> Attr : Arc Arc <file-attribute> Time : 11.03.42 11.03.42 <file time> Date : 11.03.1993 11.03.1993 <file date> Clus : 4711 4712 <first cluster> Size : 45678 45678 <length of file> Res. : 0000:0000:0000:0000:0000 0000:0000:0000:0000:0000 <reserved> ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ Request comes from C:\NORTON\NU.EXE Adress 1234:5678 ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ Do you allow it ? ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ <Y>es : allowed <N>o : not allowed <D>eny : alway "N"o , until program ends <G>o : alway "Y"es , until program ends <A>bort : abort program immediately <L>earn : always allow this program ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ------------------------------------------------------------------------------ ==================================================================== Messages of transient NEMESIS before reading NEMESIS.BIN ==================================================================== " Performing selftest, please wait" " Performing pre-infection-test, please wait" " Pre-infection-test skipped : running from floppydisk" " pre-infection-test skipped : NEMESIS already resident" " Pre-infection-test skipped : running from network" If you start NEMESIS from diskette it will not perform a pre-infection-test. It takes to much time and can cause problems. Start NEMESIS from harddisk. If you start NEMESIS from a server-harddisk it may cause problems, too. So it will not perform a pre-infection-test from a server-hd. " NEMESIS IS DAMAGED OR INFECTED. ABORTED !" This means that NEMESIS has been changed in any way. If you did not pack it (f.e. with LZEXE) this means : Delete it. It will never run again. Otherwise UNPACK it ! " could not change to NEMESIS-drive " Maybe the drive where you started NEMESIS is JOINed ? It should no longer be a problem, but if so : drop us a note. " NEMESIS : Could not perform selftest." Maybe you started NEMESIS from CD-ROM ? Or from a server-harddisk ? NEMESIS could for any reason not read its first sector from harddisk. " could not read tempfile for pre-infection-test" As described above NEMESIS creates two files, executes them and controls them. For any reason it could not read at least one of these files. " wrong version of NEMESIS in memory. ABORTED !" Since version 1.10 NEMESIS checks for compatibility-problems with older versions of NEMESIS. Delete the old version ! " NEMESIS : cannot install. No free number for multiplex routine." NEMESIS needs one single free number of int 2Fh to exchange data between resident NEMESIS and NEMESIS.COM. " NEMESIS : ALT-key pressed. Abort installation ? <y/n>" If you hold the ALT-key immediately after starting NEMESIS you have the chance to abort it. Type "y" to abort, otherwise it continues. " Unknown DR-DOS version. Aborted." " Unknown DOS or wrong version. " " NEMESIS needs at least DOS 3.3 to run. Aborted." NEMESIS is tested for PC-DOS 3.3,MS-DOS 5.0 and DR-DOS 5.0 and 6.0. If it detects an unknown DOS or DR-DOS it aborts. " DR-DOS with multitasker " " Run NEMESIS only in singletask !" NEMESIS cannot be run in TASKMAX. " Do not use LOADHIGH with NEMESIS !" " It's not necessary but can cause problems." " NEMESIS will load itself high, if ever possible." You typed "LOADHIGH NEMESIS". NEMESIS can load itself high and it does it better then LOADHIGH does. " Don't run NEMESIS with SIDEKICK. Aborted." Sidekick grabs the keyboard and does not give it away anymore. If NEMESIS pops up inside Sidekick it cannot receive any key. See note below about "Sidekick". " NEMESIS cannot run within D'Bridge. Aborted." This message appears if you start NEMESIS while dropping DB to DOS. NEMESIS is a terminate-stay-resident program. Don't start it inside any shell ! " NEMESIS does not run with OS/2 yet.." You started NEMESIS in a DOS-window inside OS/2. Before NEMESIS hangs your window (or even OS/2) it aborts.... " Loading messages from NEMESIS.BIN " " NEMESIS : message-file NEMESIS .BIN not valid / not found. Aborted" NEMESIS.BIN is damaged or does not exist in the same path where NEMESIS is started from. If it is damaged then extract a new copy from your NEMESIS archive. ==================================================================== Messages of transient NEMESIS after reading NEMESIS.BIN ==================================================================== ---------------------------------------------------------------------- "Not enough memory for re-scan !" You started NEMESIS with "ADD" but you have not enough free memory to perform a new scan. Type EXIT to leave the current shell.... ---------------------------------------------------------------------- " FAT-LEVEL-PROTECTION IS 'OFF' NOW ! YOU SHOULD REBOOT AS SOON AS POSSIBLE" You started NEMESIS with "ADD" but you have not enough free memory to perform a new scan. This was not detected before the new scan started. Restart NEMESIS with "ADD" again after freeing memory (type EXIT). ---------------------------------------------------------------------- Before NEMESIS starts its scan for protected files it will search for stacked drives. The following textline will be visible : " Searching compressed drives (Stacker,SSTOR)" If you see this line for longer then a tenth of a second then you probably have a network installed with absolute-sector mode. Wait, everything is alright. During the scan for protected files you probably will see the following message : " No cluster level protection possible on drive " <char follows> " Reason : drive is controlled by" the next line will contain either " SUBST/ASSIGN/JOIN/network or similar." or " SSTOR." See below about SUBST and STACKER. If you see the SUBST line and you have NO network then I, Robert Hoerner, would be interested what DOS you are using... ---------------------------------------------------------------------- " too many partitions on your HD !!! " This message cannot appear but.... Then you would have more then 26 partitions or in other words : NEMESIS contains a bug. Please inform us. ---------------------------------------------------------------------- " No harddisk found.' Then you have either no harddisk or NEMESIS could not find it. You will not have any sector-level-protection except for bootsectors of diskettes. ---------------------------------------------------------------------- " Error writing to EMS." " NEMESIS installing in conventional memory." This means NEMESIS found that the EMS pageframe could not be written directly (in other words : it behaves like ROM). This occurs with some older NEAT-boards and with EMM386 from Microsoft. Try NEMESIS EMS, if it works : put it in NEMESIS.CFG. ---------------------------------------------------------------------- "Not enough EMS (few handles ?) to run NEMESIS in sector-level mode !" "However, the common viruses will still be detected ." You are "out of EMS-memory", but NEMESIS needs to hold its sector-data in EMS. ---------------------------------------------------------------------- " Problem to read absolute sectors in upper memory !" " Requesting low memory for buffering." A part of NEMESIS will reside in upper memory but can not read sectors there. NEMESIS will request 512 byte from normal memory. Without this NEMESIS could not protect your directories. ---------------------------------------------------------------------- " NEMESIS : SERIOUS FAILURE OF YOUR EMS-MANAGER !" " YOU SHOULD REBOOT ** AT ONCE ** !" " THERE IS A REAL DANGER TO LOOSE DATA !" " THIS IS NO JOKE !" NEMESIS cannot update data after a rescan. This comes due an error that occured inside your EMS-manager software. ==================================================================== Messages of resident NEMESIS ==================================================================== "NEMESIS : TRACER REJECTED" NEMESIS is hardcoded NOT to allow tracing of NEMESIS. So if any virus (or any other software) switches to singlestep and traces int 21h, for example, then NEMESIS will abort it. ---------------------------------------------------------------------- "NEMESIS : EMS-FAILURE" NEMESIS detected a serious malfunction of your EMS-software and could not map its code into the pageframe. This message only comes, if NEMESIS uses EMS for its code. Everything is too late now, reboot. ---------------------------------------------------------------------- "Error updating EMS-data" This error occurs if NEMESIS tries to update its data but fails. Your EMS-software is not compatible to EMS 4.0 (it does not fully support function 5700h ,move data from/to EMS ). Try to get another EMS-software and remove NEMESIS. ---------------------------------------------------------------------- "Error reading harddisk" This error occurs if NEMESIS tries to read a sector to detect, wether a directory should be destroyed or not. This error should never be seen. If you see it, try NEMESIS LOW. ---------------------------------------------------------------------- " NEMESIS : my code has been changed !" " Reboot your computer at once !" " Your drives are writeprotected now." This message appears only, if NEMESIS has been changed at runtime (after going resident). It's most likely that you have a virus. ---------------------------------------------------------------------- " Attempt to format harddisk" This warning comes, if DOS was not informed about a format-command. The command will always be rejected. The calling program will be informed that it tried to format a bad track and that it failed. ---------------------------------------------------------------------- " *** WARNING *** " " Attempt to trace int 13h has been rejected. " " The current program has been aborted ! " " Access came from : " <adress inserted> " Some special interrupts has been restored. " " All memory-resident programs, that you have loaded after NEMESIS" " without saving the new state may be unlinked now." You will get this warning with TBSCAN -D and with CALIBRATE. You will get this warning with a lot of viruses, too. Call NEMESIS TBSCAN=ON if the action is ok. ! See note below about CALIBRATE ! ---------------------------------------------------------------------- "numbers of DOS-buffers changed from <old number> to <new number>" " Select : <r>estore, <s>ave, gnore" This is impossible without an external program that gives you new buffers but does not stay in memory, and some new viruses that reside in DOS-BUFFERS (not the same as Modem-Buffers....). !! NOTE : We had no chance to test, wether restoring works or not. !! In theory it works... ---------------------------------------------------------------------- " BIOS-Memory Byte changed from " <old value> " to " <new value> " Select : <r>estore, <s>ave, gnore" This occurs with VIDRAM and some viruses, that go resident without informing DOS, but reducing your system-memory..... ---------------------------------------------------------------------- " Memory Control Block changed : <xxx> byte will be resident" " Select : <r>estore, <s>ave, gnore" This occurs with VIDRAM, any terminate-stay-resident program and some viruses that attempt to be intelligent (cascade is an example). ---------------------------------------------------------------------- "Memory Control Block destroyed." This normally means you have to reboot since your COMMAND.COM cannot be reloaded. NEMESIS gives this message, if the last memory control block (dos-internal data-structure) does neither start with "M" nor with "Z" and only, if you told it to "R"estore the old status after a memory control block has been changed. ---------------------------------------------------------------------- " WARNING ! Your maximum DOS-memory has been reduced ! " " This may be a virus. " " NEMESIS saved data from top-of-memory ( virus ? ) " If NEMESIS detects, that you have few memory after terminating a program then before it will write the data from new top-of-memory to old top-of-memory (normally 640KB) to NEMESIS.FIL for inspecting. If you called NEMESIS with NOSAVE it will not write this data. ---------------------------------------------------------------------- " DOS-startcode has been changed !" " Select : <r>estore, <s>ave, gnore" NEMESIS normally knows the first some byte of your DOS deep inside your computer. I have never seen them changing in the same session ! But there are some "stealth"-viruses that change them. ---------------------------------------------------------------------- " Number of DOS-Stacks has changed " <number follows> " Select : <r>estore, <s>ave, gnore" Without special programs that may give you MORE stacks, this is impossible. If you have FEW stacks then you have a virus. ---------------------------------------------------------------------- "Size of DOS-Stacks has changed. Cannot be restored." Take it as an information. It may be a virus and it may be normal. But most likely it's a virus. ---------------------------------------------------------------------- "DOS-Stacks blocked." " Select : <r>estore, <s>ave, gnore" This is possibly normal. Let NEMESIS restore the blocked stacks. If this message appears often then you might (!) have one of the newest viruses. But again : it is possible without any virus. If your computer "hangs" after unblocking then either you have a virus or NEMESIS has a bug. ---------------------------------------------------------------------- " Attempt to format a track in drive X: DIRECTLY !!" " Attempt to write to a track in drive X: DIRECTLY !!" If you are formatting this drive , say "yes" else say "no". ---------------------------------------------------------------------- " Attempt to modify the bootsector in drive " <char follows> " Attempt to modify the partitionsector in drive " <char follows> This message appears if the bootsector on diskettes or on drive C: should be changed or the masterbootrecord (partitionsector) on drive C: should be changed. This message appears only, if you did NOT allow to format a drive. ---------------------------------------------------------------------- " Attempt to create a protected file : " <filename.ext> " Attempt to modify a protected file : " <filename.ext> " Attempt to delete a protected file : " <filename.ext> " Attempt to replace a protected file : " <filename.ext> " Attempt to rename a protected file : " <filename.ext> See information above. It's at your side to decide what shall happen on your computer. ---------------------------------------------------------------------- " Program uses a DOS-internal handle : " <number follows> DOS uses 5 handles for internal purposes. It is absolutely unusual to use one of them to modify a disk-file. Answer "NO" or "DENY". ---------------------------------------------------------------------- " Resident NEMESIS : FAKE ATTEMPT TO CHANGE MY STATUS RECEIVED !" This message comes only if NEMESIS was called from within any other program except NEMESIS.COM itself *and* this call was made to change the resident NEMESIS' state. Maybe you started an older version of NEMESIS, maybe there is a NEMESIS-virus ? Probably you started an older version of NEMESIS to change the resident NEMESIS. ---------------------------------------------------------------------- " Program tries to set timestamp of file with second higher then 59." Some viruses mark files as "already infected" with setting the second of the last change to 62. NEMESIS will allow this (it's a serum). ---------------------------------------------------------------------- " RESIDENT NEMESIS : EDDIE-2 (DARK AVENGER VIRUS) IS GOING TO GO RESIDENT ! " NEMESIS received an invalid call to DOS that this virus performs. If you did not at the moment start an antivirus-program that possibly performed this call to detect this virus then : HIGH DANGER ! Switch off ! If you start an older version of NEMESIS you may get this warning, too, since NEMESIS performs this call before going resident but ONLY if it did not detect that NEMESIS is already resident. Delete all old versions of NEMESIS ! They contain bugs (as this version surely does) and they are inkompatible with the newer releases. Only use the newest NEMESIS ! ---------------------------------------------------------------------- " NEMESIS does not run with D'Bridge 1.50 " " NEMESIS does not run with Windows (tm). " " NEMESIS does not run with TASKMAX (DR-DOS)." " NEMESIS does not run with DOSSHELL." " NEMESIS does not run with DESQview." " NEMESIS does not run with older versions of NEMESIS." You started one of these programs and NEMESIS informs you about inkompatibilities. Remove NEMESIS bevor starting one of these programs (see below about inkompatibilities). ---------------------------------------------------------------------- " You can not start NEMESIS in a windows-task." " You can not start NEMESIS in a DOSSHELL-task." " You can not start NEMESIS in a DESQview-task." You started NEMESIS while running one of these programs and NEMESIS informs you about inkompatibilities. ---------------------------------------------------------------------- " Program called DOS with Non-DOS argument. Abort ? <Y>es <N>o " You called NEMESIS with "NOINVALID". Many programs call DOS with invalid arguments without being a virus. If you are sure that "this program" never behaved like this, then abort else continue. If you exit this program NEMESIS will check your system and inform you about changes. ---------------------------------------------------------------------- " RESIDENT NEMESIS : I RECEIVED AN INVALID CALL, THAT PROBABLY COMES FROM" You called NEMESIS with "NOINVALID". Many programs call DOS with invalid arguments without being a virus. Some antivirus-programs perform these calls, too, to detect these viruses. NEMESIS itself performs these calls before going resident to detect a pre-infection. The following viruses can be detected if you call NEMESIS with NOINVALID : eddie-2 (dark avenger) virus, tequila virus, dir virus, G-virus, shake virus, invader virus, 699-virus, Plastique virus, Lozinsky virus, 789-virus, terror virus, diamond-a virus, diamond-b virus, dbase virus, flip virus, ontario virus, cascade (170x) virus, UMB-1, One special call is performed by FluShot and VirEx , two excellent virus-scanners and detectors but also by a virus : ---------------------------------------------------------------------- NEMESIS will pop up and ask : "You're running FluShot or VirEx, aren't you ?" " Please answer 'y' or 'n' :" If you type "n" you will see : "Then your computer probably is infected with the 'PSQR/1720'- virus !" ---------------------------------------------------------------------- " NEMESIS can give the 'correct' answer to prevent it from installation, but it's at your side to decide ( best is : ABORT IMMEDIATELY )" NEMESIS can give the correct answer for all the above viruses, so that the virus "thinks" it is already in memory and need not to go "again". If you type "y"es ,allowed, NEMESIS will give this answer and we will see wether it works or not. ---------------------------------------------------------------------- " Program ended, but your system has been changed." The last program terminated without staying resident but some data in your computer has changed : NEMESIS checks for changes in - interrupts that are interesting for viruses - memory-size - memory control blocks - stacks (size and numbers of) - buffers (numbers of) - dos code In almost any cases you can "R"estore the old status, but there are some exceptions : Running D'Bridge 1.39 for example will always result in the above screen, since DB.EXE executes dbmailer.exe (it has another name today, but that's it) and if dbmailer.exe ends NEMESIS pops up. This is because DB.EXE hooks some interrupts. Tell NEMESIS to "i"gnore the changes, wait until DB.EXE has ended and if no further warning occurs, everything is ok. The problem is that NEMESIS does not hold its data on a "per program" base but on a "per computer" base. ---------------------------------------------------------------------- " ATTENTION ! BUFFER TO WRITE HAS BEEN CHANGED !" " THIS IS VERY,VERY CRITICAL ! YOU SHOULD ABORT AT ONCE !" This warning appears if NEMESIS detects any changes in data that should be written to protected files. It appears too, if the order of what should be written, has changed. Sometimes NEMESIS will popup without any changes in the write buffers, this is due some cache-programs like SMARTDRV that write as they like to and change the orders in microsofts special manner... ---------------------------------------------------------------------- " Running SMARTDRV 4.0 from Microsoft can cause trouble with " " NEMESIS resident in memory." You started SMARTDRV.EXE (comes with windows 3.1). Be sure to GET trouble with SMARTDRV.EXE, with or without NEMESIS. See note below about "SMARTDRV". ==================================================================== ERRORLEVELS of NEMESIS ==================================================================== NEMESIS gives several ERRORLEVELS that can be used in batchfiles : 1 : wrong or unknown operating system. 2 : NEMESIS has been highloaded with LOADHI or LOADHIGH 3 : no free number for data-exchange available. Checked int 2fh from 0c0h to 0ffh. 4 : NEMESIS.BIN invalid or not found. 5 : commandline-error or error in NEMESIS.CFG 6 : multishell (windows, desqview etc) detected. 7 : you tried to de-install NEMESIS before it was resident 8 : NEMESIS denies a request for de-install 9 : error reading harddisk during scan for protected files 10 : dos-error during scan for protected files 255 : NEMESIS is damaged or infected ==================================================================== Appendix ==================================================================== 1. Known false alarms ------------------- a) 'Attention ! Somebody is trying to manipulate the FAT directly !!' - The FAT-protection should work without errors with DOS 3.3 and DOS 5.0; with DOS 4.01, there may occur false warnings. Add FAT=OFF in your command-line in this case. b) ' Attempt to modify a protected file ' - Older versions of D'Bridge, a mailer program, change at every start the current Commandline-interpreter (usually command.com) !! 2. incompatibility list, hints, notes. ----------------------------------- INT2F: Some terminate-stay-resident programs are intercepting the multiplex-interrupt 2F in the way that they perform a call to the previous handler first, then do their work and give control back to the original caller. If such a tsr is loaded AFTER NEMESIS it results in that NEMESIS does not accept any commands like "QUIT" or "ADD" any more since NEMESIS performs a strict check wether the caller is allowed to switch NEMESIS or not. It may happen with most "windows aware" tsrs. You have to remove this tsr first or to reboot. You cannot switch NEMESIS "off" or "on" either. What you can do is to call NEMESIS and have a look to the current state. This check is necessary, else any virus could switch NEMESIS "off". KEYB.EXE: If you put NEMESIS into your AUTOEXEC.BAT be sure to put it AFTER KEYB.EXE. Otherwise NEMESIS will pop up, ask you wether you allow KEYB to stay in memory but cannot receive your answer (KEYB grabbed the keyboard). SSTOR : STACKER : NOVELL : Will be detected and partition will not be protected. Sector-image not (yet) supported on non-DOS partitions (Novell e.g.) or compressed partitions (stacker, superstor). Under NOVELL NEMESIS forces internally NOT to initialize memory and NOT to set orphan interrupts to IRET. You may need to give SSTOR.SYS the command "/HIDMA" if NEMESIS resides in expanded memory. Otherwise your computer may reboot, if you are accessing a RAMDISK. ASSIGN,SUBST,JOIN: NEMESIS unASSIGNs, unSUBSTs and unJOINs your harddisk on the fly, while it is performing its selftest and while it is scanning your harddisk for protected files. This is testet for MS-DOS 5.0, PC-DOS 3.3 and DR-DOS 6.0. With other versions of DOS this may not work, then these areas are handled like STACKER-partitions and are not protected. NEMESIS will informed you if this problem occurs. After doing its work NEMESIS will re-ASSIGN re-SUBST and re-JOIN to the former state. SECTORS : Cluster-level-protection works only with standard sector size (512 bytes) CACHE : You use a cache-program with staged-write enabled : then you'll get a lot of false alarms. DISABLE staged-write under any circumstances if you run NEMESIS !! SMARTDRV: Especially with Smartdrv.sys you would get often false alarms like "Attempt to modify the FAT directly.." Therefore NEMESIS forces FAT=OFF if smartdrv is detected. Warning: -------- especially smartdrv 4.0 is very critical as it uses staged-write as default. As one consequence, NEMESIS does not load its code into EMS to avoid the biggest trouble. But this does not solve all problems as smartdrv has its own philosophy about cooperating with other programs : none. This means : nothing can convince smartdrv NOT to flush in a critical moment. So we strongly recommend to disable staged-write, then NEMESIS and Smartdrv may work well together. Hint: if you use smartdrv 4.0 with staged-write and get a message from NEMESIS about direct writes to bootsector or an exe-file, you can either allow it or boot, forbid is not possible as in this case smartdrv comes up and rises a very intelligent question: 'data error, retry (R) ?' The number of choices is left as an exercise... Hint for the Germans: in the actual German version, they forgot to change the hotkey from 'R' to 'W' which did not keep them from printing in German: 'Datenfehler, Wiederholen (W) ?' VIDRAM : From Version 0.99 on it should be no problem for NEMESIS to load itself high even if VIDRAM is "ON". GRAPHIC : Programs using graphics may get problems if there's a NEMESIS-warning. But at least the graphic data of mode 12h (Standard-VGA-graphics mode) is saved and restored, however it is possible that a textline from NEMESIS appears in your graphic. Other graphics modes are restored only partially... SIDEKICK: from Borland Sidekick does not allow NEMESIS to receive keystrokes when it pops up inside Sidekick. The result is a "hang". Therefore NEMESIS tells Sidekick that it is already loaded and aborts if Sidekick is resident. Remove NEMESIS if you need Sidekick, remove Sidekick, if you need NEMESIS. F-Prot: VIRSTOP.EXE (included in F-Prot package) starts its work with switching the cpu into singlestep-mode. NEMESIS is hardcoded not to allow singlestepping through some interrupts interesting for viruses. So VIRSTOP will be aborted nearly at once. If you want to start it, remove NEMESIS from memory. Switching NEMESIS "OFF" is not sufficient. MULTITASKER: (and what is called as...) NEMESIS is written originally as a "normal" program that intercepts some system-calls and notes how your system "looks like" if it is clean. We had much trouble with "multitaskers" and made a lot of changes in NEMESIS to make it "compatible". Our greatest problem at the end was, that NEMESIS makes changes, that all common multitaskers (like windows) let be "global changes", and these changes are absolutely necessary to protect you from virus-infection. This means : even if you start NEMESIS in a "window" and it installs itself as a single (local) task, the major changes, that NEMESIS *has* to make are GLOBAL changes. Therefore we stopped this attempt to unite, what cannot be united. This means especially : DOSSHELL (MS-DOS 5.00) : TASKMAX (DR-DOS): DESQVIEW: WINDOWS : If you like to work with one of these, you have to remove NEMESIS. If one of these is running before you have started NEMESIS, then NEMESIS will not go resident. VM/386: NEMESIS works well under VM/386 (even stealth mode), but you should not use the parameter INIT. BBS-SYSTEMS: Sysops of BBSs should not run NEMESIS in their BBS-task. But if they do so, they can use NEMESIS ONLY, if they give "BATCH" as a parameter ** AT STARTUP ** ! Read what is written above about "BATCH" ! They then have to "train" NEMESIS all their "good adresses" with "L"earning into file or have to switch NEMESIS "OFF" each time, when an action on protected files is ok, if you run "speedisk" in the night, or a user uploads a "VERYGOOD.EXE". Best is, however, NOT to use NEMESIS on BBS-systems. D'BRIDGE: NEMESIS works well with D'BRIDGE 1.30 and 1.39 but does not work at all with D'BRIDGE 1.50 or 1.51. This is apparently due to changes in Ray Gwinns build-in FOSSIL. Therefore NEMESIS will tell DB 1.50 that it is already loaded and will not go resident, if D'Bridge is active. Remove NEMESIS before starting D'Bridge ! CALIBRATE:part of Norton Utilities. CALIBRATE uses the same technique as TBSCAN to get the BIOS-entry of your harddisk. So starting CALIBRATE with NEMESIS in memory will result in a warning and CALIBRATE will be aborted immediately. Do **NOT** switch NEMESIS to "TBSCAN=ON" but **REMOVE** NEMESIS completely ("NEMESIS QUIT") and reboot your computer if you want to run calibrate ! Otherwise you could LOOSE DATA ! ROMSCAN : We cannot protect you against viruses like "EDDIE", that directly scan for your ROM-entry of INT 13h. But we will solve this problem ! If you are using QEMM with "stealth"-ROMs, then this problem is already solved, NEMESIS will protect you (better : QEMM in conjunction with NEMESIS) EMS.SYS : included with C&T-286-NEAT-mainboards : This utility creates expanded memory (EMS) for NEAT-boards. Due to a bug in this util it is not possible to run NEMESIS from this EMS (tested with such a NEAT-computer), so NEMESIS will switch internally to NOEMS. Don't force NEMESIS to use EMS with parameter "EMS" if you use this driver. NEMESIS will then use EMS for its data (sector-level-protection) but not for its code. But there is one more bug in ems.sys : If NEMESIS updates its internal FAT-structure from DOS-buffers that reside in upper memory then this driver always returns an errorcode that means "ems and conventional memory are overlapping", which is definitely wrong. If you do not load your BUFFERS high everything works fine else start NEMESIS with NOFAT. EMM386.EXE: NEMESIS checks, whether it is possible or not to write into the page-frame. If it is not possible, it switches to NOEMS. With EMM386 you may have to override this by giving "EMS" as a parameter at startup. There will be no problems with EMM386.EXE from Microsoft, but problems with EMM386.SYS of DR-DOS. If DR-DOS resides in the HMA EMM386.SYS reports errors with NEMESIS. Don't use "NEMESIS EMS" in this case. BUSMASTER-DMA-Controller: (like ADAPTEC SCSI-Controller 1542B). NEMESIS may fail to read a sector if it is resident in upper memory. This may be due to a problem with DMA. If Nemesis detects this problem it will request a 512-byte-buffer in normal DOS-memory. There are no further problems. NETWORK with absolute sector-modes : (as Kirschbaum-Link with param. ABS) If NEMESIS checks for stacker it has to perform int 25h with an invalid argument. With these networks it may need up to 5 seconds until the call is ended. (386,20MHz,ArcNet). This is normal, don't worry about a "hang". LOADHI,LOADHIGH : From version 1.10 on NEMESIS does not allow to use an external LOADHI-command to load NEMESIS into upper memory. Instead the screen will be cleared, a message will appear, and NEMESIS stops immediately. NEMESIS loads itself high if ever possible (and if not forbidden by you). STACKS : You may need to insert a "STACKS=9,256" in your config.sys if you load many resident programs. UNDELETE/UNFORMAT/QU.EXE etc If you DELETE a protected file and recover it with UNDELETE or any similar program, it is not further handled as protected on sector-level. This is due the fact that the NEMESIS internal-data has already been updated. It's protected on normal level, however. If you want to get sector-level protection again type NEMESIS ADD. FONTS: Programs, that define their own fonts to display text, will look strange after NEMESIS popped up. RAMFREI:an utility, that allows to remove tsr-programs. It tries to clean your memory after NEMESIS is resident but doesn't find NEMESIS any more. Your computer instead hangs. NEMESIS LOW solves this problem. DOS5.0: If you have "DOS=HIGH,UMB" in your config.sys then about 100 byte will be left in memory after NEMESIS loaded itself high. NEMESIS terminates and reqests 0 byte, but DOS gives it 100. What should we do ? -------------------------------------------------------------------- ==================================================================== Some explanations of terms : ==================================================================== INTERRUPT 21H Our computers all have little chips from INTEL company, that make them work. These chips are called "micro-processors" or CPU (central procesing unit). One feature of these cpus is, that their normal work (e.g. displaying a text on your screen) can be interrupted by software or hardware, causing the chips to save their current work, start and perform another job, and, if this new job has been finished, continue with the prior work at the same point where they have been "interrupted". These "interrupts" are numbered from 0 to 255, or in hex-numbers, from 0 to 0FFh. Interrupt 21h (= INT 21 (hex) = INT 33 (decimal) ) is used by application programs like Word, PcTools and all others, to invoke your DOS (disk operating system), if they want to access their files, to write to the screen, to print and so on. Since DOS gives any program access to any file, it seems clear that it gives viruses access to any file, too. So NEMESIS (as well as VSHIELD, F-PROT, TBSCANX and other resident scanners) has to catch and filter this interrupt, to see, what's going on in your computer. Resident scanners normally look for such functions that execute programs, open files and write to them, scanning the executed files for virus-marks. NEMESIS does not scan at all, but catches 33 functions of INT 21H for file-operations and 18 functions for well-known virus-calls. Yes, virus-calls, because some viruses first perform an individual call to int 21h, before they do anything. Then we will warn you (if you switched this feature "ON" (parameter is "NOINVALID"). INTERRUPT 13H What is said about INTERRUPT 21H is valid for INT 13h, too, but INT 13h is not called for file-operations (or screen-output) but it is the interface between your DOS and your harddisk. When you call INT 21h, you give the name of the file that you want to access. If you call INT 13h, you have to give the sector, track and head you want to acces. INT 13h does not know anything about files. A bootsector-virus, for example, accesses the bootsector of diskettes and harddisks. Since this is _not_ a file, it has to call INT 13h to infect your system. You cannot access the bootsector calling int 21h. FAT (file allocation table) If you type "WIN + return" , then you are calling your command-interpreter, that it should load windows. How can it do this ? It tells DOS "LOAD WIN.COM". How can DOS do this ? DOS looks in the current directory for the name "WIN.COM" Not found. It looks in the "PATH"-directories for WIN.COM. Found. It looks in the directory-entry for the first cluster of this file "WIN.COM" (you cannot see this field, if you type "dir"). Then it looks in the file-allocation-table for the next entry, for the following and so on. The FAT contains the number and sequence of all (!!) your files. If this FAT is damaged, it's like a very large book without an index, and with pages randomly exchanged. You cannot access files, whose FAT-entries are destroyed since nobody knows, where they physically reside on your harddisk. CLUSTER / SECTOR Your harddisk is like a music-disk : it contains songs (= files) but cannot sing. As on music-disks it just contains tracks, where your computer "printed" its files. Since some files are very short, it seemed to be a good idea to divide these tracks into smaller parts. We call these parts "sectors", this means "parts of a circle". So if a small file is saved , maybe it needs 1 or 2 sectors, and not the whole track. That's why you can save 10 or more files on the same track (better said : YOU save files, but DOS saves these files in your harddisk's sectors). A sector contains 512 byte. On diskettes a sector normally is the same as a cluster. If each sector of a 100 MB harddisk would have an entry in the FAT then the FAT would have to contain 100*1024*1024/512 entries. This are 204800 entries. A very large number, and you would need 3 BYTE to display this number. (and you have TWO FATs). Since this is not very intelligent (think about, that most programs need more then 1 sector on your harddisk), it is handled in a special way : 4 or more sectors on your harddisk are numbered as "clusters". Lets take the above example : you have 204800 sectors. Then (if 4 sectors are handled as one cluster) you have 51200 cluster, containing 204800 sectors. To number 51200 clusters you would need 2 byte, so your FAT-size would be 51200*2 byte = 102400 Byte. Two FATS = 204800 byte.You saved 2*(614400-102400) = 1024000 byte. This is an argument for clusters, isn't it ? There are viruses (some Bulgarian..) that randomly write to any clusters, wether they contain data, programs , directories or nothing. They do not call DOS for this (see "INTERRUPT 21H") since DOS can only access files. To protect your files from being corrupted by these viruses it is necessary to protect the clusters of these files directly. ---------------------------------------------------------------------- SMARTDRV,WINDOWS is (tm) of Microsoft VIDRAM,QEMM,DesqVIEW is (tm) of Quaterdeck others are (c) and (tm) of others. ---------------------------------------------------------------------- SPECIAL THANKS to Ralf Brown and his team for the interrupt-list ! ---------------------------------------------------------------------- This documentation as well as the other files included with NEMESIS are subject to change without notice. There is no warranty of completeness and correctness. ---------------------------------------------------------------------- Have fun! And register your copy of NEMESIS soon ! Email-adresses : Robert Hoerner , Fido 2:241/7518 Christian Sy , Fido 2:241/7516.1 Karlsruhe, Germany, January 1993, Robert Hoerner & Christian Sy ----------------------------------------------------------------------