Rich Levin's CHECKUP (tm)
Virus Detection System
Version 3.2
For the IBM PC, XT, AT, PS/2 and IBM-compatible computers
Released April 20, 1989
Copyright (c) 1988 Richard B. Levin
All Rights Reserved
╓─────────────────────────────────┐
║ Give your files a CHECKUP! (tm) │
╚═════════════════════════════════╛
"Please Distribute This Program Far and Wide"
═════════════════
Table of Contents
═════════════════
DEDICATION
IMPORTANT NOTICE
CONSUMER ALERT
WHAT THE CRITICS SAY
CHECKUP'S ARCHIVE CONTENTS
NEW FEATURES
PROGRAM INFO
COPYRIGHT NOTICE
OWNER REGISTRATION
    CORPORATE AND GOVERNMENT USERS
    PRIVATE USERS
    DISTRIBUTION POLICY
    UPGRADE POLICY
REGISTRATION FORM
    REGISTRATION FEE AND PLEDGE FOR NON-PRIVATE USERS
    WAIVER OF REGISTRATION FEE . . . FOR PRIVATE USERS
NOTE TO USERS OF MS-DOS
THE PROBLEM DEFINED
THE TROUBLE WITH ANTI-VIRUS SOFTWARE
    COMMERCIAL SOLUTIONS (or "Hey--what a market!")
    VACCINES
    ANTIDOTES
    FILE COMPARISON UTILITIES
    DISK-MAPPERS
    ANTI-VIRUS TSRs
HOW CHECKUP WORKS
RUNNING CHECKUP
    CREATING A CLEAN CHECKUP FLOPPY DISK
    CHECKUP'S CHECKUP.BAT/AUTOEXEC.BAT FILE
    CHECKUP'S ERRORLEVELS
    CHECKUP'S .XUP FILES
    CHECKUP'S ALTERNATE OUTPUT FILE EXTENSIONS
    THE CHECKUP.LOG FILE
    RUN-TIME MESSAGES AND EXPLANATIONS
    ERROR CODES AND EXPLANATIONS
    FATAL ERRORS
ADVANTAGES OF USING CHECKUP
KNOWN INCOMPATIBILITIES WITH OTHER ANTI-VIRUS PROGRAMS
A COLLECTION OF ANTI-VIRUS AND ANTI-TROJAN TECHNIQUES
DIAGNOSING AN INFECTED COMPUTER
COMMENTARY
CHECKUP'S RELEASE HISTORY
Computer virus: A program that adapts other programs to carry
and propagate a copy of itself.
"The only truly secure system is one that is powered off, cast in
a block of concrete and sealed in a lead-lined room with armed
guards--and even then I have my doubts."
Eugene H. Spafford
══════════
DEDICATION
══════════
This program is dedicated to those users who continue to
prove the honor system is alive and well, and living in
shareware.
════════════════
IMPORTANT NOTICE
════════════════
Users are urged to read this document before running
CHECKUP. (Users of previous versions of CHECKUP please note:
the CHECKUP program, invocation syntax, .XUP file formats and
documentation have been substantially revised.)
══════════════
CONSUMER ALERT
══════════════
This Is The Original CHECKUP (tm) Program
Not To Be Confused With Other Programs Of The Same Name
If It's Not User-Supported Software By Rich Levin
It's Not The Original CHECKUP (tm) Virus Detection System
CHECKUP has become one of the world's leading virus
detection systems for IBM PC-class microcomputers. It is used by
government agencies in the USA, Canada, Europe and Australia;
hospitals and scientific research laboratories, colleges and
universities, member companies of the Forbes and Fortune 500s,
BBS SysOps and individual users everywhere. It's likely that
CHECKUP runs on more systems world-wide than all other anti-virus
systems combined.
════════════════════
WHAT THE CRITICS SAY
════════════════════
"... I've looked at all the shareware virus-protection programs,
hoping to find one to present on the COMPUTE!'s PC Magazine disk.
Rich Levin's CHECKUP is the one I have chosen."
George Campbell
"Best of the Boards"
COMPUTE!'s PC Magazine
"... a sophisticated variation of the checksum method . . . very
difficult for a virus to evade."
Ernest Perez
Computer Systems Consultant
Chicago-Sun Times
Link-Up Magazine
"CHECKUP is one of several excellent shareware answers to viral
protection."
Ralph Roberts
"Computer Viruses"
A COMPUTE! book
══════════════════════════
CHECKUP'S ARCHIVE CONTENTS
══════════════════════════
The CHECKUP archive contains the following files:
CHECKUP.BAT - sample CHECKUP batch file
CHECKUP.DOC - this file
MIS.BAT - alternate CHECKUP batch file for MISes
README.DOC - may or may not be present
REGISTER.DOC - CHECKUP owner registration form
CHECKUP.EXE - CHECKUP program
════════════
NEW FEATURES
════════════
1. Documentation revised.
2. Wildcard (* and ?) filespecs accepted.
3. Table-driven CRC and encryption algorithms added.
4. Format of .XUP files updated. (CHECKUP automatically
converts old .XUP files to the new format.)
5. LOG/TMP environment variable for log file path added.
6. Color video output added for users of color monitors.
7. Seven command-line options added: /C[OLOR], /D[EBUG],
/L[OCK], /M[ONO], /N[OLOG], /R[EPLACE] and /S[HIFT].
8. Drive-without-pathspec bug fixed.
9. /N[OLOG] bug fixed.
10. ERRORLEVEL reporting added.
11. CHECKUP.BAT file updated.
12. MIS.BAT file added.
════════════
PROGRAM INFO
════════════
Program: Rich Levin's CHECKUP Version 3.2
Compiled: April 20, 1989
Function: Detects file size and incremental CRC changes
Class: PC/MS-DOS compatible virus detection program
Price: $25.00 per copy/per computer (Free to private users)
Editors: Norton Editor v.1.3C (1)
Trace: Rich Levin's ADDLINE v.2.1 (2)
Compiler: Microsoft BASIC v.6.0 (3)
Math LIB: Alternate (/FPA)
Externals: ProBas v.3.0, Mr_OBJ ß (4)(5)
Linker: Microsoft Segmented-Executable Linker v.5.01.20
Author: Richard B. Levin
Address: P.O. Box 14546, Phila., PA 19115
Telephone: (215) 333-8274
BBS: The Mother Board @ (215) 333-8275 (300/1200/2400)
(1) Available from Peter Norton Computing, (800) 365-1010
(2) Available from Rich Levin, (215) 333-8274
(3) Available from Microsoft Corporation, (206) 882-8080
(4) Available from Hammerly Computer Services, (301) 953-2191*
(5) Available from Scott Russell, (215) 873-9769
* The predecessor of ProBas, AdvBas v.9a, is available for
downloading on the Mother Board BBS. We recommend ProBAS.
ßeta testers: Bengt Lindblad
Katherine Margolis
Keith "Can it take input from LPT1?" Russell
Scott Russell
Documentation - Author: Richard B. Levin
Proofreader: Carol Levin
Editor (through v.2.4): Katherine Margolis
Production consultant: John Ellard
Principal distribution points: The Mother Board BBS
CompuServe's IBMNET
GEnie's IBM & BBS RTs
CHECKUP is published by Richard B. Levin
9405 Bustleton Ave.
P.O. Box 14546
Phila., PA 19115
Lab: (215) 333-8274
BBS: (215) 333-8275
The latest version of CHECKUP is available for downloading
on the Mother Board BBS. Support is also available direct from
Rich Levin. Please leave a message on our answering machine if
we are unable to answer your call personally. We return long
distance calls collect.
════════════════
COPYRIGHT NOTICE
════════════════
The name "CHECKUP" and the CHECKUP program, documentation,
CHECKUP-created input and output files, visual displays,
interface, look and feel (hereinafter referred to as "the CHECKUP
system") are copyright (c) and trademark (tm) 1988 Richard B.
Levin (hereinafter referred to as "the author"), all rights
reserved.
The author reserves the right to make changes to the CHECKUP
system at any time without prior notice. The CHECKUP system is
provided to the user "as is" without warranty of any kind, either
express or implied. No part of the CHECKUP system may be
reproduced without the written permission of the author.
The CHECKUP system is protected by United States Copyright
Law (Title 17 United States Code). Unauthorized modification,
reproduction, duplication, transfer or sales may result in
imprisonment of up to one year and fines of up to $10,000.00 (17
USC 506). Copyright infringers may also be subject to civil
liability. The Federal Bureau of Investigation investigates
allegations of criminal copyright infringement.
══════════════════
OWNER REGISTRATION
══════════════════
──────────────────────────────
CORPORATE AND GOVERNMENT USERS
──────────────────────────────
For-profit, non-profit and not-for-profit corporations,
governmental offices and agencies, and private individuals using
CHECKUP within these classifications are required to register
their ownership of the CHECKUP system with the author. Every
registration must be accompanied by a registration fee of $25.00
for each computer running the CHECKUP system. Registered owners
must submit an additional registration form and fee whenever the
CHECKUP system is installed on an unregistered computer.
─────────────
PRIVATE USERS
─────────────
Private users of CHECKUP are required to register their
ownership of the CHECKUP system with the author but are not
required to remit the $25.00 registration fee. Donations are
accepted (and encouraged).
───────────────────
DISTRIBUTION POLICY
───────────────────
Users are permitted to distribute the CHECKUP system to
other users when the following conditions are met:
* The CHECKUP system must be distributed in its
entirety, as originally produced by the author.
* No part of the CHECKUP system may be altered,
added to, removed, re-archived or modified in any
way whatsoever.
FAILURE TO COMPLY WITH THE ABOVE TERMS AND CONDITIONS IS A
VIOLATION OF UNITED STATES COPYRIGHT LAW.
──────────────
UPGRADE POLICY
──────────────
The latest edition of CHECKUP is stored on the Mother Board
BBS (215-333-8275) in the "Software by Rich Levin" area and may
be downloaded at any time. Upgrades are also regularly posted to
the IBMNET Forum on the CompuServe Information Service (GO
IBMNET) and the IBM and BBS RoundTables (RTs) on the General
Electric Network for Information Exchange (GEnie).
Tear Here - - - - - - - - - - - - - - - - - - - - - - - - - - - -
═════════════════
REGISTRATION FORM
═════════════════
USERS ARE REQUIRED BY LAW TO COMPLETE AND RETURN THIS FORM WITHIN
TEN DAYS OF ACQUIRING THE CHECKUP SYSTEM
Print, complete and mail to: Richard B. Levin
CHECKUP Version 3.2 Registration
P.O. Box 14546
Phila., PA 19115
Please have checks and money orders drawn on a U.S. bank
or financial institution and made payable to "Richard
B. Levin."
Purchase orders are accepted on a net terms basis, with
approved credit and a minimum initial purchase of
$500.00. Orders are shipped insured, freight collect.
Quantity pricing, site licenses, tax I.D. and Social
Security numbers are available on request.
Prices subject to change without notice.
IMPORTANT: Please do not type or computer-print
your responses to the registration
questionnaire. If necessary, use
additional sheets of paper to complete
this form.
Date of registration:
_________________________________________________________________
Registered owner's name:
_________________________________________________________________
Title:
_________________________________________________________________
Department:
_________________________________________________________________
Company:
_________________________________________________________________
Address:
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
City, State and Zip:
_________________________________________________________________
Home telephone number: ( ) -
Work telephone number: ( ) -
Why do you use CHECKUP?
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
What feature(s) do you like most about CHECKUP?
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
What feature(s) do you like least about CHECKUP?
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
What feature(s) would you most like to see in CHECKUP that are
not there now?
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
Have you used anti-virus or virus detection software before?
[ ] Yes [ ] No
Please list the name(s) of the anti-virus or virus detection
software you have used if you answered YES to the previous
question:
_________________________________________________________________
How much have you spent on viral defense systems?
_________________________________________________________________
How much do you think a virus detection system should cost and
why?
_________________________________________________________________
How did you hear about CHECKUP?
_________________________________________________________________
How did you acquire your copy(s) of CHECKUP?
_________________________________________________________________
Do you own or use any other software by Rich Levin?
[ ] Yes [ ] No
Please list the name(s) of the program(s) you own or use if you
answered YES to the previous question:
_________________________________________________________________
Do you own or have access to a modem?
[ ] Yes [ ] No
Please list the name brand and baud rate of the modem(s) you own
or use if you answered YES to the previous question:
_________________________________________________________________
─────────────────────────────────────────────────
REGISTRATION FEE AND PLEDGE FOR NON-PRIVATE USERS
─────────────────────────────────────────────────
Please enclose your check or money order (drawn on a U.S.
bank or financial institution and made payable to "Richard B.
Levin") in the amount of $25.00 for each copy of CHECKUP
installed on an unregistered computer.
Total number of
unregistered computers
running CHECKUP........[# ]
X $25.00 each =
────────────────
Amount enclosed.........[$ ]
════════════════
The undersigned hereby pledges to do his/her best to insure
that registration forms (and fees, if applicable) are submitted
to the author whenever the CHECKUP system is installed on
unregistered computers.
Date: __________________________________________________________
Signature: _____________________________________________________
Attest: ________________________________________________________
───────────────────────────────────────────────────────
WAIVER OF REGISTRATION FEE AND PLEDGE FOR PRIVATE USERS
───────────────────────────────────────────────────────
The undersigned hereby certifies that he/she is using
CHECKUP in the home on his/her personal computer(s) and that said
computer(s) are not used on behalf of any for-profit, non-profit
and not-for-profit corporations, or governmental offices or
agencies.
The undersigned pledges to do his/her best to insure that
registration forms (and fees, if applicable) are submitted to the
author whenever the CHECKUP system is installed on unregistered
computers.
Date: __________________________________________________________
Signature: _____________________________________________________
Attest: ________________________________________________________
Tear Here - - - - - - - - - - - - - - - - - - - - - - - - - - - -
═══════════════════════
NOTE TO USERS OF MS-DOS
═══════════════════════
The files IO.SYS and MSDOS.SYS are the MS-DOS equivalents to
PC-DOS' IBMBIO.COM and IBMDOS.COM.
═══════════════════
THE PROBLEM DEFINED
═══════════════════
Computer programs disguised as "normal" applications that
intentionally destroy data--without users commanding them to do
so--are popularly called "bombs" or "Trojan horses." Bombs
"explode" on users who do not know or care to follow the proper
precautions for evaluating software (procedures outlined later in
this document). Bombs can have disastrous effects: erased
files, scrambled directories and reformatted disks are but some
of the documented results. Because they self-destruct (they run
on the systems they destroy), bombs have limited run-time lives.
Like bombs, computer viruses are delivered by
harmless-looking Trojan carriers that "blow up." Unlike bombs,
which detonate immediately when run, viruses pursue a more
sinister plan: replication and data transmutation. Programmed
to reproduce and spread in secret, viruses strive to extend their
run-time lives. They convert normal programs into Trojan
carriers in the process, creating infected messengers that
penetrate other computers as files are shared. The reproductive
cycle continues until the number of diseased files reaches
epidemic proportions.
To track their activities, viruses place marker-bytes
("v-markers") in files during initial infections. When
uninfected files cannot be found, hosts are assumed to be
thoroughly contaminated. Viruses then embark on the final phase
of their covert operations: data tampering and destruction.
They may begin by simply toying with users, printing taunting
messages on the screen or causing abnormal system behavior.
Eventually, however, most viruses go for the jugular and damage
disk-based data. Once infections are discovered, countless
offspring have probably been spawned and, if all went according
to plan, back-up data and multiple computers have been infected.
Eradication can be a time-consuming and complicated process, with
relapses occurring long after systems appear to be cleansed.
Well-written computer viruses are difficult to detect using
modern file management and anti-Trojan techniques. They are
ingenious yet simple programs, polluting systems by inserting
themselves into, appending onto or creating shells around benign
programs' executable files. Expertly engineered viruses will not
change file date or time stamps, nor will they alter attributes,
sizes or checksums. Converting the attributes of potential viral
targets (such as COMMAND.COM, IBMBIO.COM or IBMDOS.COM) to
"read-only" may prevent inadequately designed viruses from
infecting them. Most viruses, however, can check file
attributes, reset them if necessary, infect, and then return the
attributes to their original state. As you will learn in the
following chapters, there are no sure-fire ways to prevent
viruses from infecting systems. The solution, then, is to
isolate and eradicate infections immediately after they occur
using virus detection software stored off-line.
════════════════════════════════════
THE TROUBLE WITH ANTI-VIRUS SOFTWARE
════════════════════════════════════
Many public domain, shareware and commercial utilities
designed to combat viruses have appeared since the first big
virus scare in early 1988. Some observations on them follow.
───────────────────────────────────────────────
COMMERCIAL SOLUTIONS (or "Hey--what a market!")
───────────────────────────────────────────────
The commercial products we've seen available for virus
detection and prevention are overpriced, over-hyped and
underpowered, providing no benefits that their shareware
counterparts do not provide for less money. All are marketed
using "the fear factor"--the exploitation of under-educated
users.
──────────
"VACCINES"
──────────
Quite a few commercial packages claim to provide a software
"antigen" or "vaccine" that, when "injected" into executable
files, "inoculates" them to prevent infections. Unfortunately,
the implicit comparison between anti-virus programs and
biological vaccines is misleading--just so much marketing
rhetoric.
What software vaccines actually do is append small
anti-virus programs and data (usually consisting of file
checksums or CRCs) to target executable files. The target files
are modified so that, when run, control is passed first to the
appended anti-virus programs. The anti-virus programs compare
the files' present states to their appended data. When
comparisons are successful, control is returned to the target
files, which (if all goes well) begin their normal operations.
When comparisons fail, users are alerted and (hopefully)
appropriate actions are taken. Some of the shortcomings and
complications associated with software vaccines are:
* "Vaccinated" programs take longer to load because
appended anti-virus code and data increase
overhead.
* Large amounts of disk space can be consumed as
program file sizes grow ever-larger with appended
anti-virus code and data.
* Data and overlay files cannot be protected;
vaccines must be attached to executable files.
* Some vaccines cannot protect .COM files because
they (the vaccines) try to modify .EXE headers.
.COM files do not have .EXE headers.
* Many vaccines cannot protect packed .EXE files.
(Packed files have been compressed during
programming's LINK process to conserve disk space;
they expand in-memory when run. CHECKUP.EXE is an
example of a packed .EXE file.)
* False alarms are generated when self-modifying
programs (like Borland's SideKick) update internal
data areas. To prevent false alarms, users are
forced to remove and re-install vaccines before,
and after, self-modifying programs are used--a
cumbersome process at best.
* For programmers, source code modifications are
often misinterpreted as viral alterations.
* There are no guarantees that modifications to
executable files (like the appending of anti-virus
code and data) will not adversely affect their
operation.
* The virus-like behavior of vaccines can cause
conflicts with other viral defense systems.
* A virus can detect the modification of target
files and simply delete the anti-virus code and
data.
Vaccines operate in a fashion fundamentally similar to
viruses, although they do not reproduce without authorization or
purposely damage files. Most users would be extremely
uncomfortable injecting a virus, antigen or otherwise, into their
executable files, especially when safer, less drastic
alternatives are available.
─────────
ANTIDOTES
─────────
Certain anti-virus vendors claim their utilities can remove
viruses or repair files damaged by a virus. Perhaps so; a far
more reliable method, however, is to restore infected files from
certified back-up copies. Other vendors boldly demonstrate their
programs' "amazing" abilities to restore "virus-deleted" data
from reformatted, repartitioned hard disks. The truth is they
are merely restoring back-up copies of a disk's critical
information: the boot sectors, File Allocation Tables, disk
directories and partition data.
Most users are blissfully unaware that reformatting and
repartitioning hard disks does not delete user data; instead, it
marks allocated disk space as "unused." By replacing disk "road
maps" with accurate back-ups, user data appears to be
miraculously resurrected. As with software vaccines,
format-recovery programs have significant drawbacks:
* If the back-up data is not current, the
information it replaces will be out of date--an
inaccuracy that leads to further data loss.
* Format recovery programs cannot reconstruct data
erased by low-level or destructive high-level
reformatting. (Low-level formatting is employed
by most hard disk controller manufacturers;
destructive formatting is a feature of AT&T's and
Compaq Computer's DOS and perhaps other OEM DOS
versions.)
* If new data has been written to a disk after it
has been reformatted, deleted data cannot be
reliably recovered.
Once again, it is safer (and more reliable) to restore files
from certified back-up copies. There are no substitutes for
regularly scheduled back-ups.
─────────────────────────
FILE COMPARISON UTILITIES
─────────────────────────
This category of anti-virus offerings compares two
mirror-image copies of a target file specification. There are
several problems with this technique:
* The same level of protection is achieved using any
file-comparison utility, including those provided
with DOS.
* A mirror-image of every compared file must be
stored on another disk or directory, a waste of
valuable disk space.
* Viruses can check disk directories for duplicate
files and infect both copies of a target filespec.
* Most file comparison utilities designed
specifically for virus detection prevent users
from comparing anything more than a system's
start-up files. All other files, including user
data, remain unprotected.
──────────────
"DISK-MAPPERS"
──────────────
Disk-mappers (also known as "picture takers,"
"finger-printers" and "signature checkers") maintain data files
consisting of coded images of entire disks. Disk-mappers notify
users when changes are encountered between target disks and their
coded images. Here again, the solution fails to provide a
suitable defense against viruses:
* Disk-mappers' output files can occupy vast amounts
of disk space, increasing in direct proportion to
the number of files being tracked.
* Time-consuming maintenance of disk-mapper data
files is generally required. As the state of the
target disk evolves, entries must be updated,
deleted and purged.
* Disk-mappers can be complex to operate because
they must support many data-file maintenance
options.
* Disk-mappers customarily update data files at
system start-up, increasing boot time.
* Viruses can detect, modify and delete disk-mapper
data files.
* Some disk-mapping programs convert files
(including raw data) to read-only status, thereby
assuring conflicts with other applications.
* Several disk mapping schemes rely on
memory-resident modules to intercept DOS commands
in order to provide last-minute checks of programs
about to run. Problems with this approach are
discussed in the next section.
───────────────
ANTI-VIRUS TSRs
───────────────
Programs that terminate and stay RAM-resident after loading
are commonly referred to as "TSRs." Anti-virus programs
employing this technology typically monitor disk writes that are
directed to selected files. There are many problems with this
methodology:
* Some computer configurations respond poorly to
particular groupings of TSR programs--they crash,
lock-up or simply behave abnormally.
* Anti-virus TSRs often consume considerable
portions of limited available RAM space.
* False alarms occur frequently, triggered by normal
disk activity that's misinterpreted.
* Most anti-virus TSRs allow a limited number of
files to be monitored, leaving other files--user
data included--unprotected.
* System performance decreases as each BIOS- or
DOS-driven disk write is intercepted for
processing by anti-virus TSRs.
* Viruses can directly manipulate disk controller
hardware to bypass interception by anti-virus
TSRs.
* Anti-virus TSRs can be easily detected by viruses,
which is not surprising, since TSRs are always
evident in RAM. Viruses can disable or remove
TSRs and for this reason alone, anti-virus TSRs
provide users with a false sense of security.
A final point, relevant to all anti-virus systems: viruses
have complete control of PC system resources at the moment of
infection. Anti-virus programs renamed and stored in hidden
subdirectories; write-protected hard disks; hidden, read-only and
vaccinated files; file comparison utilities; disk maps; TSR
programs; device drivers; you name it--all are subject to the
scrutiny of viruses as they examine their hosts. Obviously,
then, anti-virus systems stored on non-removable media, relying
on support files stored on non-removable media or residing in
memory are themselves subject to infection.
═════════════════
HOW CHECKUP WORKS
═════════════════
CHECKUP detects viral infections by comparing target file
sizes, incremental cyclic redundancy checks (CRCs) and total file
CRCs to previously stored baseline values. CHECKUP examines
files by dissecting them into randomly sized blocks of data,
using a dynamic block size allocation process that allows files
as small as one byte to be accurately checked. CHECKUP then
scans and compares every byte of the target files on a
block-by-block basis. If the recorded file sizes, any of the
block CRC comparisons or the CRC totals do not match, CHECKUP
alerts the user that the target files have been altered.
CHECKUP's incremental block CRC technique is superior to
simply calculating a file's sum-of-the-bytes and comparing checksum
totals. Future viruses may be able to compute checksums prior to
infections, pad their viral code with characters that maintain
checksum integrity and then infect. Even more alarming is the
knowledge that viruses can effortlessly exchange bytes within
data files--a potent destruction of data ordinary checksum
programs cannot detect. (For example, the checksum of both 1 + 2
and 2 + 1 is 3, yet the order of the operands [the numbers 1 and 2]
is different.) This kind of viral activity would defeat other
checksum calculation programs, but not CHECKUP.
We believe it is impossible for a virus to maintain an
accurate intra-file (inter-block) CRC. This is especially true
when the checked block size varies from one byte to near total
file size, when the method for calculating the CRC is unknown and
when the results are encrypted. To survive CHECKUP's scrutiny, a
virus would need to know the block size, the exact calculation
entry point, the CRC algorithm and the encryption key CHECKUP
used. The virus would then have the difficult--if not
impossible--task of padding its code with dummy characters, since
adjustments would have to occur every few hundred bytes. Even if
a virus were able to achieve this high degree of adaptability, it
would nevertheless be unable to operate in such an internally
scrambled condition.
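The comparison described above, sketched in Python as an added
example; this is not CHECKUP's code. CHECKUP's actual CRC algorithm,
block sizing and encryption are not given in this document, so the
sketch assumes zlib's CRC-32, block lengths drawn at random and stored
in the baseline record, and an HMAC-SHA256 seal standing in for the
encrypted results. All function names and the sample data are
constructed for illustration.

```python
import hashlib
import hmac
import json
import random
import zlib


def split_points(size, rng, max_block=512):
    """Cover `size` bytes with randomly sized blocks: [(offset, length), ...]."""
    blocks, offset = [], 0
    while offset < size:
        # The last block is clipped, so a one-byte file still gets one block.
        length = min(rng.randint(1, max_block), size - offset)
        blocks.append((offset, length))
        offset += length
    return blocks


def _seal(record, key):
    """HMAC over the stored values (assumption: stands in for CHECKUP's encryption)."""
    body = json.dumps([record["size"], record["total_crc"], record["blocks"]])
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def make_baseline(data, key, rng=None):
    """Record file size, per-block CRCs and the whole-file CRC for `data`."""
    rng = rng or random.SystemRandom()
    blocks = [[off, ln, zlib.crc32(data[off:off + ln])]
              for off, ln in split_points(len(data), rng)]
    record = {"size": len(data), "total_crc": zlib.crc32(data), "blocks": blocks}
    record["mac"] = _seal(record, key)
    return record


def check(data, record, key):
    """Return a list of findings; an empty list means the file matches."""
    # Refuse to trust a baseline that no longer matches its seal.
    if not hmac.compare_digest(record["mac"], _seal(record, key)):
        return ["baseline record tampered"]
    findings = []
    if len(data) != record["size"]:
        findings.append(f"size {record['size']} -> {len(data)}")
    for off, ln, crc in record["blocks"]:
        if zlib.crc32(data[off:off + ln]) != crc:
            findings.append(f"block @{off} len {ln} CRC mismatch")
    if zlib.crc32(data) != record["total_crc"]:
        findings.append("total CRC mismatch")
    return findings


def byte_sum(data):
    """The plain 16-bit sum-of-the-bytes checksum the text compares against."""
    return sum(data) & 0xFFFF


if __name__ == "__main__":
    key = b"constructed-demo-key"       # constructed; store the real one off-line
    original = bytes(range(256)) * 8    # constructed stand-in for a program file
    baseline = make_baseline(original, key)

    # Exchange two neighbouring bytes: the "1 + 2 versus 2 + 1" case.
    swapped = bytearray(original)
    swapped[100], swapped[101] = swapped[101], swapped[100]
    swapped = bytes(swapped)

    print("sum-of-the-bytes unchanged:", byte_sum(swapped) == byte_sum(original))
    for finding in check(swapped, baseline, key):
        print(finding)
```

Because the block boundaries differ on every baseline run, the block
reported for the same change differs too, while the size and total CRC
checks stay fixed.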
═══════════════
RUNNING CHECKUP
═══════════════
Launch syntax is:
[d:][path]CHECKUP [d:][path]filename[.ext] [/options]
Where:
* [d:] specifies the letter of the drive that
contains the CHECKUP program file.
* [path] specifies the path name that contains the
CHECKUP program file.
* CHECKUP is the run-time name of the CHECKUP.EXE
program file.
* [d:][path]filename[.ext] specifies the drive, path
and target file name(s) that you want CHECKUP to
process.
* [/options] are one or more of CHECKUP's
command-line parameters (note that only the switch
character ("/") and first letter of the option(s)
selected are required):
/C[OLOR]    Override auto-attributes and use color
/D[EBUG]    Print verbose error messages
/L[OCK]     Lock-up system when file modifications are detected
/M[ONO]     Override auto-attributes and use monochrome
/N[OLOG]    Suppress output of CHECKUP.LOG file
/R[EPLACE]  Use replacement extension (.COM becomes .XOM)
/S[HIFT]    Use shifted extension (.COM becomes .XCO)
Notes:
* If a drive letter is not specified, the default
drive is assumed.
* If a path name is not specified, the default
directory is assumed.
* The global file name characters * and ? may be
used to specify target files.
* If CHECKUP is stored in the current directory or
in a directory specified by the PATH environment
variable, the drive letter and path name preceding
the CHECKUP file name become optional.
Examples:
* To check COMMAND.COM on the logged default drive
in the logged default directory, the launch syntax
would be:
CHECKUP COMMAND.COM
* To check all of the .COM files on the logged
default drive in the logged default directory, the
launch syntax would be:
CHECKUP *.COM
* To check FOO.EXE (a very popular program) on the
C: drive in the \PLOP\PLOP\FIZZ\FIZZ directory,
the launch syntax would be:
CHECKUP C:\PLOP\PLOP\FIZZ\FIZZ\FOO.EXE
* To check all of the .EXE files on the C: drive in
the \PLOP\PLOP\FIZZ\FIZZ directory, the launch
syntax would be:
CHECKUP C:\PLOP\PLOP\FIZZ\FIZZ\*.EXE
CHECKUP accepts all legal DOS path and file names. Running
CHECKUP without command-line parameters causes the correct
invocation syntax to be displayed.
Launch CHECKUP for each file or group of files you want to
process. CHECKUP may be launched as many times as necessary.
────────────────────────────────────
CREATING A CLEAN CHECKUP FLOPPY DISK
────────────────────────────────────
We suggest that CHECKUP be run by an AUTOEXEC.BAT file
residing on a "clean" floppy disk. This ensures that files are
checked by a pure copy of CHECKUP loaded by uninfected system
files. It also guarantees that the .XUP files CHECKUP generates
will not be illegitimately altered.
The following steps explain how to create a clean CHECKUP
floppy disk using an IBM PC-compatible with 2 floppy disk drives
and a hard disk. Experienced users can adapt these steps to
accommodate different configurations:
1. Turn off your computer. Remove all floppy disks.
Wait 60 seconds.
2. Insert a factory master copy of DOS into drive A.
Close the disk drive door, then turn your computer
on.
3. After your computer has completed the start-up
process, insert a NEW, never used, unformatted
floppy disk into drive B. Close the disk drive
door.
4. Enter the command:
FORMAT B: /S
(The /S switch causes the FORMAT command to
transfer DOS' system files to the disk in drive B,
making it boot-able.)
5. After the floppy disk in drive B has been
formatted and the system files transferred, copy
CHECKUP.BAT and CHECKUP.EXE to the floppy disk in
the B drive.
6. After CHECKUP.BAT and CHECKUP.EXE have been copied
to the floppy disk in the B drive, enter the
following commands:
B:
REN CHECKUP.BAT AUTOEXEC.BAT
COPY CON CONFIG.SYS
BUFFERS = 33
7. Press F6, then press ENTER.
8. Remove the factory master DOS disk from drive A.
Replace it with the factory master of your
favorite ASCII editor.
9. Run your ASCII editor and edit the AUTOEXEC.BAT
file on drive B to reflect the files you want
CHECKUP to process. Confirm that the drive and
path names of the target files and .XUP files
match exactly.
10. After you have finished editing the AUTOEXEC.BAT
file on drive B, remove the factory master of your
ASCII editor from drive A. Replace it with the
clean CHECKUP floppy disk you just created on
drive B (leaving CHECKUP in drive A and drive B
empty).
11. Press and hold the Ctrl+Alt+Del keys to re-boot
your computer. CHECKUP will process the files
specified in the AUTOEXEC.BAT file, copy the .XUP
files back to the A drive and delete duplicate
.XUP files from the target disk.
12. After CHECKUP's AUTOEXEC.BAT file has completed
its run, remove the clean CHECKUP floppy disk from
drive A and store it in a cool, dry place.
13. Press and hold the Ctrl+Alt+Del keys to re-boot
your computer.
Use the clean CHECKUP floppy disk to boot your computer
whenever you check files again.
Remember that all viruses, no matter how sophisticated,
share the same, simple weakness: they cannot affect programs or
data unless they have access to them. By storing CHECKUP, the
CHECKUP AUTOEXEC.BAT file and the .XUP files on a clean,
boot-able floppy disk, and by using that disk *ONLY* to boot and
run CHECKUP (and for *NO* other operations), you are isolating
your CHECKUP system files which ensures their reliable operation.
───────────────────────────────────────
CHECKUP'S CHECKUP.BAT/AUTOEXEC.BAT FILE
───────────────────────────────────────
An example of the suggested CHECKUP AUTOEXEC.BAT file for a
hard disk drive system follows. This file will automatically run
CHECKUP, check one of four ERRORLEVELs returned by CHECKUP and
back-up .XUP files as they are created. It is included in the
CHECKUP archive file (under the name of CHECKUP.BAT) and may be
edited as necessary:
REM Rich Levin's CHECKUP.BAT (tm)
REM Copyright (c) 1988 Richard B. Levin
REM All Rights Reserved
REM
REM This batch file maintains clean copies of CHECKUP and .XUP
REM files. Rename to AUTOEXEC.BAT and store on a clean floppy
REM disk.
REM
REM Set the system date and time:
REM
DATE
TIME
REM
REM Make sure we're on the root directory of the hard disk
REM (substitute the disk drive letter of your choice):
REM
C:
CD \
REM
REM Copy CHECKUP and .XUP files from the A: drive to the hard
REM disk:
REM
COPY A:\CHECKUP.EXE
COPY A:\IBMBIO.XUP
COPY A:\IBMDOS.XUP
COPY A:\COMMAND.XUP
COPY A:\FOO.XUP C:\PLOP\PLOP\FIZZ\FIZZ
REM
REM Check files and resulting ERRORLEVEL. An ERRORLEVEL of 1 or
REM higher indicates CHECKUP terminated abnormally. (CHECKUP
REM supports four ERRORLEVELs; see CHECKUP.DOC for details.) In
REM this example, system execution is halted by PAUSE-ing after
REM a non-zero ERRORLEVEL is encountered. You may want to take
REM different action(s) based on specific ERRORLEVELs.
REM (Substitute your list of input files here):
REM
CHECKUP *.COM
IF ERRORLEVEL 1 PAUSE
CHECKUP C:\PLOP\PLOP\FIZZ\FIZZ\FOO.EXE
IF ERRORLEVEL 1 PAUSE
REM
REM Copy .XUP files to the clean floppy disk:
REM
COPY C:\*.XUP A:\
COPY C:\PLOP\PLOP\FIZZ\FIZZ\*.XUP A:\
REM
REM Reclaim disk space by deleting CHECKUP-related files from the
REM hard disk:
REM
DEL CHECKUP.EXE
DEL *.XUP
DEL C:\PLOP\PLOP\FIZZ\FIZZ\*.XUP
REM
REM End of CHECKUP.BAT
COMMAND.COM, IBMBIO.COM and IBMDOS.COM should be checked on
a daily basis, as they are the most likely targets of a spreading
virus. Also note that CHECKUP does not require the attributes of
hidden and system files be changed prior to checking. If the
correct file specifications are on the command-line, CHECKUP will
successfully process the files.
─────────────────────
CHECKUP'S ERRORLEVELS
─────────────────────
Upon exiting, CHECKUP returns the following ERRORLEVELs to
DOS. ERRORLEVELs can be tested for and acted upon in any batch
file:
ERRORLEVEL = Condition
───────────────────────────────────────────────────────
0 = Process terminated normally
1 = Input file(s) modified since last check
2 = Fatal error occurred
3 = Cancelled on demand (user aborted)
The ERRORLEVEL condition will test positive if CHECKUP
generates an exit code equal to or greater than the ERRORLEVEL
being tested for; this means that ERRORLEVELs must be checked in
descending order to ensure accuracy. For example, the following
batch file command executes if the ERRORLEVEL is equal to or
greater than 1:
[ ...
IF ERRORLEVEL 1 [command]
... ]
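The following code demonstrates how one command can be
executed for ERRORLEVELs equal to or greater than 2 while a
separate action is reserved for an ERRORLEVEL of 1. Because each
test also succeeds for every higher exit code, the [command] on a
line should transfer control (with GOTO, for example) if the
tests below it are not meant to run as well: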
[ ...
IF ERRORLEVEL 2 [command]
IF ERRORLEVEL 1 [command]
... ]
Finally, this code excerpt shows how different commands can
be executed for different ERRORLEVELs:
[ ...
IF ERRORLEVEL 3 [command]
IF ERRORLEVEL 2 [command]
IF ERRORLEVEL 1 [command]
... ]
ERRORLEVEL reporting is provided as a tool to aid in the
control of batch file execution; CHECKUP does not require users
to test ERRORLEVEL conditions.
────────────────────
CHECKUP'S .XUP FILES
────────────────────
The first time a file is checked, CHECKUP creates an .XUP
file in the same directory as the target file. CHECKUP creates
one .XUP for every checked file; access to the .XUP files is
required during future checks. If CHECKUP or any .XUP files are
mysteriously deleted or altered, a CHECKUP-aware virus may have
infiltrated your system. To prevent viruses from gaining control
of CHECKUP's files, use the clean floppy disk/batch file method
described above.
──────────────────────────────────────────
CHECKUP'S ALTERNATE OUTPUT FILE EXTENSIONS
──────────────────────────────────────────
CHECKUP's default output file extension is .XUP. There are
times, however, when use of the .XUP extension causes
complications (when checking sequentially numbered overlay files,
for example). CHECKUP provides two command-line alternatives
designed to resolve filename conflicts: the /R[EPLACE] and
/S[HIFT] commands.
1. The /R[EPLACE] command creates output files with
replacement extensions when a /R appears on
CHECKUP's command-line. CHECKUP replaces the
first character of the input file extension with
the letter X:
OVERLAY.001 Input file
OVERLAY.X01 Optional replacement extension
OVERLAY.XUP Normal CHECKUP output file
OVERLAY.002 Input file
OVERLAY.X02 Optional replacement extension
OVERLAY.XUP Normal CHECKUP output file
When checking OVERLAY.002, CHECKUP will attempt to
use OVERLAY.XUP--an incorrect data file since it
contains output information gathered from checking
OVERLAY.001. In this example, an "Input/output
file mismatch" error will occur if the /R switch
is not used.
2. The /S[HIFT] command creates output files with
shifted extensions when a /S appears on CHECKUP's
command-line. CHECKUP replaces the first
character of the input file extension with the
letter X and replaces the second two characters of
the input file extension with the first two
characters (in effect shifting the extension one
character to the right):
COMMAND.COM Input file
COMMAND.XCO Optional shifted extension
COMMAND.XUP Normal CHECKUP output file
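The naming rules above can be checked against a list of target files before a run. The following Python example is an addition to this document, not CHECKUP's code: it applies the default, /R and /S rules as documented and lists any targets that would share one output file. The function names are hypothetical, bare file names without a path are assumed, and a file with no extension is assumed to get .XUP.

```python
from collections import defaultdict


def output_name(filename: str, mode: str = "default") -> str:
    """Output file name under 'default' (.XUP), 'replace' (/R) or 'shift' (/S)."""
    name = filename.upper()
    stem, dot, ext = name.rpartition(".")
    if not dot:                      # assumption: no extension means .XUP
        stem, ext = name, ""
    if mode == "default" or not ext:
        return f"{stem}.XUP"
    if mode == "replace":            # first character becomes X
        return f"{stem}.X{ext[1:]}"
    if mode == "shift":              # X, then the first two original characters
        return f"{stem}.X{ext[:2]}"
    raise ValueError(f"unknown mode: {mode}")


def collisions(filenames, mode: str = "default") -> dict:
    """Map each shared output name to the input files that would use it."""
    by_output = defaultdict(list)
    for filename in filenames:
        by_output[output_name(filename, mode)].append(filename.upper())
    return {out: names for out, names in by_output.items() if len(names) > 1}


if __name__ == "__main__":
    # File names taken from the examples in this document.
    targets = ["OVERLAY.001", "OVERLAY.002", "COMMAND.COM"]
    for mode in ("default", "replace", "shift"):
        print(mode, collisions(targets, mode))
```

Under the rules as documented, /S maps both numbered overlays to OVERLAY.X00, so only /R separates them.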
────────────────────
THE CHECKUP.LOG FILE
────────────────────
CHECKUP maintains a file named CHECKUP.LOG on the root
directory of the logged disk. CHECKUP.LOG contains detailed
records of CHECKUP's activity. You can view the CHECKUP.LOG file
with any ASCII editor and delete it at any time. The CHECKUP.LOG
file is provided as an informational tool only; CHECKUP does not
require it to run.
You can optionally SET a log file directory. CHECKUP will
store the CHECKUP.LOG file in the directory specified by the LOG
or TMP environment variables. The following command causes
CHECKUP to store the CHECKUP.LOG file in the C:\CANYA\DIGIT
directory:
SET LOG=C:\CANYA\DIGIT
CHECKUP looks first for the LOG, then the TMP, environment
variables. If LOG is not found or null, CHECKUP attempts to use
the TMP variable. If TMP is not found or null, CHECKUP will use
the root directory of the default drive. Note that output of the
CHECKUP.LOG file can be suppressed if the /N[OLOG] switch appears
on CHECKUP's command-line.
──────────────────────────────────
RUN-TIME MESSAGES AND EXPLANATIONS
──────────────────────────────────
The following messages are encountered when using CHECKUP:
1. Syntax is . . .
CHECKUP was launched without command-line
parameters.
2. Cancelled on demand
The ESC or C keys were pressed; CHECKUP
discontinued file processing and returned to DOS.
3. Press any key to continue
The SPACE, P, CR or I keys were pressed; CHECKUP
paused processing and displayed this message.
4. CRC checks calculated and logged
CHECKUP processed the input file for the first
time or updated an existing .XUP file to a new
version.
5. File sizes are different
The input file size changed since CHECKUP first
processed it.
6. CRC error on block #
CHECKUP detected changes to the input file
beginning at the specified block number.
7. CRC checks match
The input file has not changed since CHECKUP last
processed it.
8. CHECKUP ALERT
CHECKUP detected file size or CRC changes.
9. System locked
CHECKUP detected changes to an input file and the
/L[OCK] command was specified on the command-line.
────────────────────────────
ERROR CODES AND EXPLANATIONS
────────────────────────────
The following error messages may be encountered when using
CHECKUP:
1. Endless loop error
See the explanation of "Loop error," below.
2. Bad file name
Bad file name or number
See the explanation of "Path/File access error,"
below.
3. Device fault
Device timeout
Device unavailable
Disk media error
Disk not ready
Indicates a hardware error (like an open disk
drive door or a bad, non-existent or incorrectly
specified device) or a hardware failure (such as a
damaged disk).
Retry the operation after checking disks, disk
drive doors, printer switches, cables, connections
and related hardware.
4. Device I/O error
An unrecoverable input/output error occurred.
Retry the operation.
5. Disk full
The disk is full.
Retry the operation using another disk or delete
some non-CHECKUP related files from the current
disk.
6. Error in EXE file
Either a portion of the CHECKUP.EXE file is
missing or the file is corrupt.
Replace CHECKUP.EXE with a certified clean copy
downloaded direct from one of CHECKUP's principal
distribution points and download the latest
version. Refer to the "PROGRAM INFO" section of
this document for a list of authorized
distribution points or call 215-333-8274 to
purchase a new CHECKUP master disk.
7. File not found
An input filespec does not exist.
Retry the operation using the correct filespec.
8. Input file contains 0 bytes
The input file did not contain data.
Retry the operation using a file that contains
data.
9. Input/output file mismatch
The input file was not the same as the one used to
create the output .XUP file.
Retry the operation using the correct input and
output files.
10. Out of memory
Out of string space
CHECKUP needs more RAM than is available.
Unload TSRs (memory resident utilities like
"SideKick") or buy an expansion card to increase
the amount of RAM.
11. Path/File access error
Path not found
An input file or path does not exist.
Retry the operation using the correct path and
file name.
12. Permission denied
An attempt was made to write to a write-protected
disk or to a locked file in a multi-user
environment.
Retry the operation.
13. Too many files
CHECKUP was unable to open the input file.
Try adding the following statement to the
CONFIG.SYS file:
FILES = 25
14. Loop error
See the explanation of "Endless loop error,"
above.
────────────
FATAL ERRORS
────────────
The following error messages should never be encountered.
If they are, they indicate an internal problem with CHECKUP.
Contact us if any of these error messages are displayed more than
once:
RETURN without GOSUB
Out of DATA
Illegal function call
Overflow
Subscript out of range
Division by zero
String formula too complex
No RESUME
RESUME without ERROR
CASE ELSE expected
Variable required
FIELD overflow
Internal error
File not found
Bad file mode
File already open
FIELD statement active
File already exists
Bad record length
Input past end of file
Bad record number
Communication-buffer overflow
Advanced feature unavailable
Rename across disks
Filename initialization error
Unassigned error
Miniaturization unsuccessful
No-new-taxes error
═══════════════════════════
ADVANTAGES OF USING CHECKUP
═══════════════════════════
CHECKUP provides numerous advantages over other anti-virus
systems:
* CHECKUP is fast, taking only seconds to check most
files.
* CHECKUP is easy to use. There are no commands or
switches to learn, no maintenance modes, no
unusual installation procedures or other
cumbersome features.
* CHECKUP is 100% compatible with IBM PC-compatible
computers and software.
* CHECKUP is 100% accurate, capable of detecting
changes to any file, regardless of type, size,
attributes or storage location.
* CHECKUP, when used as directed, is 100% secure
from viral infection and alteration.
* CHECKUP never writes to or modifies input files.
* CHECKUP never writes to or modifies sensitive disk
boot sectors, nor does it tamper with File
Allocation Tables or disk directories.
* CHECKUP does not reduce the amount of available
RAM.
* CHECKUP, when used as directed, does not reduce
available disk space.
* CHECKUP provides a relocatable usage log that
tracks file checkups, verifications and changes.
* CHECKUP is user-supported software, allowing users
a full and fair evaluation prior to purchase.
* CHECKUP can be legally shared among users without
fear of promoting software piracy.
* CHECKUP is reasonably priced for non-private users
and is free to private individual users.
* Support for CHECKUP is free and available to all
users, both registered and unregistered.
══════════════════════════════════════════════════════
KNOWN INCOMPATIBILITIES WITH OTHER ANTI-VIRUS PROGRAMS
══════════════════════════════════════════════════════
Flu_Shot Plus, an anti-virus TSR program, incorrectly flags
CHECKUP as attempting to write over the input file being checked.
CHK4BOMB, an anti-bomb program, incorrectly identifies CHECKUP as
capable of formatting a hard disk. On the contrary, CHECKUP's
output is restricted to the .XUP files and the CHECKUP.LOG file.
CHECKUP cannot overwrite an input file, format a disk or perform
other destructive actions. However, if you are concerned about
the integrity of your copy of CHECKUP, visit one of CHECKUP's
principal distribution points and download the latest version.
Refer to the "PROGRAM INFO" section of this document for a list
of authorized distribution points.
═════════════════════════════════════════════════════
A COLLECTION OF ANTI-VIRUS AND ANTI-TROJAN TECHNIQUES
═════════════════════════════════════════════════════
By employing the techniques described below, you will
severely limit the ability of Trojan horse programs and computer
viruses to affect your system. We welcome your additions to this
list:
* Run CHECKUP daily, using the clean floppy
disk/batch file method described above.
* Regularly check and log available disk space.
Aggressive viruses decrease storage space as they
spread throughout a system. This activity can be
identified through rigorous monitoring.
The following commands, added to AUTOEXEC.BAT,
will track disk usage:
CD \
DIR >> DIR.LOG
TYPE DIR.LOG > PRN
* Observe the time it takes for programs to
load--infected files take longer. Programs
exhibiting longer than normal load times might be
infected.
* Periodically re-install applications from their
master disks. This overwrites application files
in use and any viruses incubating within them.
* Once a week, use the SYS command to re-install the
system files onto your boot disk(s). This
eliminates viruses lurking in the boot sectors.
* Use the DOS "SHELL" command to rename and relocate
COMMAND.COM to a directory other than the root of
your boot disk. Then place a different copy of
COMMAND.COM in the root directory. This may
divert viruses into infecting the decoy copy
instead of your actual command processor. Refer
to your DOS reference manuals for information on
the SHELL command.
* Change executable file attributes to read-only.
Poorly engineered viruses may not be able to alter
read-only files. Executable files are those
ending in a .BAT, .COM or .EXE extension or loaded
in CONFIG.SYS.
Many programs write to their master executable
file when saving configuration information. If
such a file has been converted to read-only, the
read-only attribute must be removed before
re-configuring and reset afterward.
There are many utilities that can reset file
attributes, including ATTR.COM, available for
downloading from the PC-Magazine Network on
CompuServe. CompuServe users can "GO PCMAGNET" to
download ATTR.COM. If you own the Norton
Utilities, use Norton's FA.EXE to change file
attributes. To change COMMAND.COM to read-only
using Norton's FA, enter:
FA COMMAND.COM /R+
Some versions of DOS provide an ATTRIB command.
Check your DOS reference manuals for more
information on modifying file attributes.
* Use extreme caution when working with FAT and directory
editors, directory sorters, un-erasers, disk
optimizers, format-recovery systems, file movers and
other low-level DOS utilities. These programs
manipulate critical data--one bug or errant keystroke
can annihilate a disk. DOS shells should be treated
with care as they also handle critical disk
information.
One of the safest bets for low-level disk
management is the Norton Utilities, Advanced
Edition. Among DOS shells, we recommend the
Norton Commander. Both programs are available at
most computer retailers.
* Install a hard disk utility like BOMBSQAD,
DPROTECT, FLU_SHOT PLUS or WPT (Write Protect
Tab). As TSRs, these programs may suffer from the
drawbacks discussed earlier; however, they provide
adequate protection against poorly engineered
bombs and viruses.
* Do not run files downloaded from public access
BBSes that do not validate users who upload. If
the SysOp of a board did not contact you directly
(by phone, mail or automatic callback), you can be
certain that other users have not been validated.
(SysOps: If validating users is a burden, a
practical alternative is to validate them after
they upload their first file.)
* Do not run files downloaded from public access
BBSes where the SysOps do not test and approve
files.
* Do not run self-extracting archives unless they
have been tested. Self-extracting archives are a
classic delivery method used by bomb developers.
* Beware of suspicious-looking files. A 128 byte
.COM file that un-archives without documentation
and whose description reads "Great Word Processor"
is suspect.
* Use a binary file-viewing utility (like the one
included in the Norton Commander) to examine
executable code. Look for suspicious comments and
messages embedded in the code.
* Do not run programs unaccompanied by well-written
documentation prepared by the program's author.
* Do not run programs that do not include the name,
address and telephone number(s) of the author
within the documentation or executable(s).
* Call program authors and verify the version
number, time and date stamps, file sizes and
archive contents of files you have received. Ask
authors where you can get certified clean copies
of their programs, then discard the copies you
have and get the certified copies.
* Download shareware from the author's BBS. Most
professional shareware authors provide support
BBSes for their products. You are guaranteed
uncorrupted programs when you download them
directly from their authors.
* Do not use hacked or pirated software. Software
pirates have the skill and the tools needed to
create bombs and viruses. Many reported incidents
of viral infections have been associated with
software piracy. In fact, some of the deadliest
Trojans have been modified copies of well-known
applications.
* Back-up your system regularly! No system exists
in a vacuum, nor is any anti-virus or anti-Trojan
technique foolproof. Back-up on a daily, weekly
and monthly basis. When disaster strikes, users
who have regularly backed-up their systems will
have the last laugh (and their data)!
═══════════════════════════════
DIAGNOSING AN INFECTED COMPUTER
═══════════════════════════════
Systems exhibiting any of the following traits should be
checked by an experienced viral diagnostician. If you are unable
to locate a good consultant, call us for advice:
* Computer operations seem sluggish.
* Programs take longer to load.
* Programs access multiple disk drives when loading.
* Programs conduct disk access at unusual times or
with increased frequency.
* Available disk space decreases rapidly.
* The number of bad disk sectors steadily increases.
* Memory maps reveal new TSR programs of unknown
origin.
* Programs behave abnormally or crash without
reason.
* System or application programs encounter errors
where they didn't before.
* System or application programs generate
undocumented messages.
* Files mysteriously disappear.
* Names, extensions, dates, attributes or data
change on files that have not been modified by
users.
* Data files or directories of unknown origin
appear.
══════════
COMMENTARY
══════════
You're scared. Having heard about computer viruses jumping
from computer to computer, you've learned your system could be
next. After all, your friend has a friend who knows someone that
witnessed a virus display "Arf! Arf! Gotcha'!" as it destroyed
data on an office PC. And your local BBSes are bubbling over
with horror stories about bombs, Trojans and viruses, not to
mention countless recommendations for anti-virus products. It
seems every new day brings with it stories of impending
computerized doom, created by evil geniuses with programming
abilities far beyond those you or your associates could ever hope
to achieve, much less do battle against.
Relax! Hysteria over computer viruses comes in waves. The
hysteria is fueled, in large part, by the popular press'
frenzied, poorly researched and consistently inaccurate
reporting. In most of the stories we've seen, quoted viral
"experts" overstate the severity of the problem, then point an
accusing finger at electronic software distribution--what you and
I call BBSing. In truth, the few proven cases of viral
infections have almost always occurred in commercially available
products, in mainframe or minicomputing environments, or have
been associated with physical exchanges of disks--usually with
links to software piracy.
The BBS community can be proud of an excellent record in
keeping its distribution channels free from Trojans, bombs,
worms, viruses and other dangerous software. The very nature of
the BBS medium ensures that news of questionable programs travels
fast throughout a wide audience; this works to protect most users
from harm. Branding user-supported software and its distribution
methods as "dangerous" is unsubstantiated and flatly incorrect.
It's a popular misconception, gleefully endorsed by a chorus of
anti-virus software vendors as they sing their big
lies--frightening tall-tales that drum-up business in a market
that otherwise would fail to exist.
Computer crime is not a new story and viruses are simply the
latest plot twist. System managers have always been concerned
about system security, about data integrity and about hardware
protection; viruses are but one element among many to be
considered. Treat the issue of computer viruses as you would
other sensitive matters; that is to say, with measured concern
and diligent research, all the while maintaining a firm grip on
your wallet. Cast a skeptical eye on reports about computer
viruses when they roll across your desk, flood into your mailbox
and pop onto your television screen. Beware of those who try to
sell you (or your company) anti-virus snake oil. Rest assured
that you--and everyone you know--probably will never encounter a
virus, Trojan or bomb, although the manipulative anti-virus
software industry (and the media's yellow journalists) appears
determined to have you believe otherwise.
═════════════════════════
CHECKUP'S RELEASE HISTORY
═════════════════════════
Version Release Date
─────────────────────────────
1.0 April 1, 1988
2.0 December 18, 1988
3.0 April 12, 1989
3.2 April 20, 1989
╓─────────────────────────────────┐
║ Give your files a CHECKUP! (tm) │
╚═════════════════════════════════╛
This document was created using Microsoft WORD Version 4.0
- End of CHECKUP.DOC -