Text File | 1993-07-08 | 58KB | 1,363 lines
VIREX FOR THE PC
DATAWATCH CORPORATION
TRIANGLE SOFTWARE DIVISION
TABLE OF CONTENTS
=================
CHAPTER 1 : HOW TO CONTACT DATAWATCH
CHAPTER 2 : DOWNLOADING PRODUCT UPDATES FROM THE DATAGATE BBS
CHAPTER 3 : VIREX FOR THE PC OVERVIEW
CHAPTER 4 : INSTALLING VIREX FOR THE PC
CHAPTER 5 : USING THE VPCSCAN PROGRAM
CHAPTER 6 : USING THE VIREX TSR
CHAPTER 7 : USING VIREX FOR THE PC IN A NETWORK ENVIRONMENT
CHAPTER 8 : USING VIREX FOR THE PC IN A WINDOWS ENVIRONMENT
CHAPTER 9 : SAFE COMPUTING PRACTICES
CHAPTER 10 : REMOVING A BOOT SECTOR VIRUS
APPENDIX A : THE EXTERNAL VIRUS SIGNATURE FILE
C H A P T E R 1 :
HOW TO CONTACT DATAWATCH
If you find a new virus, it is important that we learn about it, so that
we can update Virex for the PC to provide treatment for it. You can reach
Datawatch at:
Datawatch Corporation
Triangle Software Division
P.O. Box 51489
Durham, NC, 27717
Telephone: (919)490-1277
Fax: (919)490-6672
You can contact Datawatch on the following services:
AppleLink DATAWATCH
CompuServe 73407, 1751
America Online VIREX1 & DWTECH
Genie DATAWATCH
DataGate BBS 919-419-1602 (8-N-1)
INTERNET vpctech@datawatch.com
Please indicate a daytime telephone number where you can be
reached. For technical assistance, or if you find a new virus, please
contact us. Technical support requires a valid registration number.
C H A P T E R 2 :
DOWNLOADING PRODUCT UPDATES FROM THE DATAGATE BBS
You can download Virex for the PC updates from our dial-in service
called DataGate. DataGate is a BBS (Bulletin Board Service) and you may
dial into it by using any communications program on your PC and a modem.
Set up your communications program for 8 data bits, no parity, 1
stop bit and ANSI or TTY emulation. DataGate supports speeds from 300 to
14,400 bps.
DataGate's primary purpose is support to YOU. As soon as you enter the
board you can find answers to your technical questions in our Questions
and Answers Bulletin area, download product updates and new
programs, and much more.
In addition to Datawatch customer support, DataGate also has many DOS,
Windows and other utility files available for download. To download the
latest version of Virex for the PC, type the following at the Main Menu:
d VIRX??.ZIP <Enter>
Select your download protocol and the download process will begin.
Help is always available by typing: H <Enter> wherever you get
stuck and need assistance.
Your comments and suggestions on the service that this BBS provides
are always welcome, and we look forward to reading your
suggestions. You may leave us a message by typing C <Enter> at
the Main Menu, outlining your ideas.
PLEASE REMEMBER THAT VIREX FOR THE PC IS NOT FREEWARE! You can purchase and
register this software directly through Datawatch, or you may obtain it from
any authorized retailer.
C H A P T E R 3 :
VIREX FOR THE PC OVERVIEW
The two programs of the Virex for the PC package that provide comprehensive
protection against viruses are VPCScan and Virex.
VPCScan:
Identifying Known Viruses and Repairing Files
VPCScan (VPCSCAN.EXE), is a utility program that scans files and memory for
known viruses. VPCScan recognizes the code signatures of known PC viruses and
alerts the user if it finds one.
Repairing Files
VPCScan repairs files infected by common viruses. If VPCScan has
a disinfector for a virus that it finds, it will offer to repair the infected
file. If it has no disinfector, it will offer to delete the infected file.
Though VPCScan does not have disinfectors for all of the viruses it
can detect, the viruses it can disinfect are estimated to cause the majority of
the infections in PC software.
Inoculation Feature
VPCScan also repairs files with its inoculate feature. The inoculate
feature can disinfect all known boot sector viruses and almost all file
infectors, as well as many unknown viruses.
Virex:
Efficient, Continuous Monitoring of the PC System
Virex (VIREX.COM) is a terminate and stay resident (TSR) program that
provides continuous virus protection. Virex alerts the user:
1: when an attempt is made to run a program that is infected
with a known virus.
2: when an attempt is made to run a program that has had a
change to its unique checksum signature.
These two features provide efficient protection against unknown
viruses by checksum monitoring, and against known viruses by scanning
programs on execution. This virus protection uses less than 1KB of
RAM memory.
C H A P T E R 4 :
INSTALLING VIREX FOR THE PC
The installation procedure places VPCScan and the VIREX.COM
TSR on your hard drive, and automatically creates your Inoculation set.
You need not install Virex for the PC if you wish only to use VPCScan, as
this application can be used from any drive, directory or floppy.
Installation procedure
You should install Virex for the PC on a virus free system. Prior to
installing Virex for the PC, scan your existing files for known viruses
with VPCScan. (See Chapter 5 for detailed instructions on how to use
the VPCScan program.)
1: Have the Virex for the PC files uncompressed and available on a clean
write protected diskette.
2: Boot your machine from a clean, write protected system floppy disk.
(THIS IS VERY IMPORTANT!!!)
Change to the floppy drive where you will insert the Virex for the PC
diskette (e.g., type A: and press RETURN).
3: Scan all hard drives for known viruses with VPCScan.
Type: VPCSCAN <drive>\ -L
For example: VPCSCAN C:\ D:\ -L to scan the entire C: and D: drives
Once you have scanned and disinfected all of the files on your hard drives,
restart your computer by switching it off, waiting 10 seconds, and then
switching it on again to make sure that viruses in memory have been
eliminated. Do not simply press CTRL-ALT-DEL to reboot. Some viruses have
the ability to survive this type of reboot.
Running the Install program
Use the batch file Install program to install Virex for the PC. The
installation procedure creates the inoculation set and copies the necessary
programs to a \VPC directory on your C: drive. The Install program will
install only to a C: drive.
To install Virex for the PC:
1: Place a working copy of all Virex for the PC files that were downloaded
onto a diskette or into a temporary directory.
2: Change to the install drive or to the directory containing the Virex
for the PC files
e.g. A: <return> if you have the information on a diskette in
the A: drive.
or
CD\TEMP <return> to change to the directory \TEMP on your
current drive
3: Type INSTALL and press the RETURN key
The Install program automatically creates the \VPC directory on the C:
drive and copies all the needed files into it. If an old version of Virex
for the PC exists in C:\VPC, it will rename the old program names to *.OLD. If
files named *.OLD already exist, they will be deleted.
Once the Install program has finished copying files to C:\VPC it creates your
Inoculation set. The Inoculation set consists of two files that contain
valuable information about your hard drive and is used to restore information to
your hard drive in the event of a crash as a result of a virus. We STRONGLY
suggest copying these files to an emergency diskette, and then keeping that
diskette in a safe, accessible place. Please see the section "Making an
Emergency Diskette" in Chapter 5.
If you have additional hard drives (D:, E:, etc.), those drives should be
included in your inoculation set. To create an inoculation set for all drives:
1: Change to the \VPC directory on your C: drive by typing CD\VPC then
pressing the RETURN key when you are at the C: prompt.
2: Use VPCScan to create your inoculation set by typing:
VPCSCAN <drive1>\ <drive2>\ -I+
e.g. VPCSCAN C:\ D:\ E:\ -I+
assuming you have a C: D: & E: drive
If you intend to use the VIREX.COM TSR, there is an additional step
necessary to complete the installation.
Creating your VIREX.COM protection file.
The protection file used by the Virex TSR provides continuous monitoring
of your machine against viruses. To create your protection file:
1: Change to the \VPC directory on your C: drive by typing CD\VPC then
pressing the RETURN key when you are at the C: prompt.
2: Use VPCScan to create the protection file for all drives by typing:
VPCSCAN <drive1>\ <drive2>\ -V+
e.g. VPCSCAN C:\ D:\ E:\ -V+
assuming you have a C: D: & E: drive
This procedure will scan and checksum the files on your drives and create the
VIREX.DAT file in C:\VPC. Once created, VIREX.COM will address this file as a
checksum base and monitor your drive for changes. This feature enables Virex to
diagnose an infection from an unknown virus.
Manual Installation
You can also install Virex for the PC manually by doing the following:
1. You must install to the C: drive. Create a directory on your C: drive
named "VPC" (you must use this name).
2. Copy VPCSCAN.EXE and VIREX.COM to the VPC directory. You may also copy
the document files if you wish.
3. Create an inoculation set using -I+, and then create a protection file
using -V+, as described above and in Chapter 5. You should create these
sets for as many hard drives as you have (D:, E:, etc.).
IMPORTANT: Both VIREX.COM and VPCSCAN.EXE must remain in the \VPC directory to
function properly together. You may rename the VIREX.COM file to another name
with a .COM extension, but VPCSCAN.EXE must not be renamed.
Loading VIREX.COM
You can load VIREX from the command line by typing: C:\VPC\Virex <return>
Alternatively, you can have VIREX automatically start up whenever you turn
on your computer. To do this you will need to be familiar with a command line
editor such as DOS's EDLIN or EDIT. If in doubt, consult your DOS manual.
1: Change to the root directory of C: drive.
e.g CD\ RETURN at the C: prompt
2: Edit the AUTOEXEC.BAT file using your editor and add the following
lines towards the end of the file, but before any shell or user
interface, such as Windows.
C:\VPC\VIREX.COM
3: Save your changes to the AUTOEXEC.BAT and exit the editor.
4: Restart your computer
C H A P T E R 5 :
USING THE VPCSCAN PROGRAM
The Virex for the PC Install program copies the VPCScan program to
the \VPC directory on your C: drive. You can also copy this file to any
location using the DOS COPY command.
Scanning Existing Files for Known Viruses
To scan a file for the existence of known viruses:
1. Make the drive onto which you have copied VPCScan the
current drive by typing <drive>: and pressing the RETURN key (for
example, if you copied VPCScan to the C: drive, type C: <return>).
2. Change to the directory where VPCScan is located by typing
CD\<directory> and pressing RETURN (e.g., CD \VPC <return>).
3. Type VPCScan <drive>:<path\file name>, where
<drive>:<path\file name> indicates the drive, directory path, and
name of the file to be scanned (for example, VPCScan
C:GAMES\TOPSHELF.COM would scan the "TOPSHELF" file in the
"GAMES" directory on the "C:" drive). DOS wild card characters are
valid.
4. Press the RETURN key.
If VPCScan finds a known virus it will alert the user and display the options
listed below. If you are attached to a Novell network and VPCScan finds a
known virus, it will send an alert to the network console and alert the user,
providing the following options:
1. Disinfect - attempt to remove the virus from the original file
(if VPCScan knows how to disinfect files infected by this particular
virus)
2. Remove - erase the infected file
3. Ignore - leave the file as is
WARNING: A FILE BECOMES IRREVERSIBLY ALTERED DURING REPAIR AND ON OCCASION
CAN BE DAMAGED! Therefore, we strongly recommend that before attempting to
repair a file that VPCScan has identified as infected, you make a backup of
that file onto a floppy disk.
- To scan a directory, specify <drive>:<path>. For example,
VPCScan C:\GAMES
- To scan a disk, specify <drive>:\. For example, VPCScan B:\
- To scan multiple disks, specify <drive>:\ <drive>:\. For example,
VPCScan C:\ D:\ E:\
VPCScan scans from the current directory down. It only
scans the entire disk if you start from the root directory or if you
specify <drive>:\. For example, VPCScan C:\.
Once you have scanned and disinfected all of the files on your hard
disk, restart your computer by switching it off, waiting ten seconds,
and then switching it on again (do not simply press CTRL-ALT-DEL to
reboot) to make sure that viruses in memory have been eliminated.
Reports
When VPCScan has finished examining your files for the presence of
known viruses it generates a report that details the results of its
examination. It indicates how many directories and files were
examined, how many files were found infected, how many files were
repaired, and how many files were deleted. It also indicates which
files were infected, and what viruses were found in those files.
The report can be sent to a printer or redirected to a file.
VPCScan Options
VPCScan has additional features that control how scanning is
conducted. These options are executed from the command line:
VPCSCAN <drive>: -<options> (for example, VPCSCAN C:\ -M).
1. -L [LONG scan], scans the entire contents of a file. In its
usual operation, VPCScan limits its search to the areas
of a file that are most likely to be infected. The more
thorough search, however, takes more time.
2. -M [Disable MEMORY check], prevents VPCSCAN from searching
the system MEMORY of the computer for the presence of
viruses. This is a time saving feature.
3. -X [Scans first meg of memory], scans the entire first megabyte
of memory. Normally, VPCScan limits memory scanning to the
first 640K of memory that is accessible to DOS. Although
unlikely, a virus could infect the memory between 640K and
1 megabyte.
4. -A [ALL scan], instructs VPCScan to scan ALL file types,
including non-executable files such as text or spreadsheet
files. In its normal operation, VPCScan only searches
executable files (*.EXE, *.COM, *.SYS, and *.OV?). Viruses
can only cause damage when they are in executable files or
have infected a disk's boot sector. By using the -A option,
however, you can be sure that there are no known viruses in
any files on your computer. When the -A option is not specified
and VPCScan is instructed to scan a directory containing only
data files, it will return the message 0 files scanned. This
means that it did not find any executable files.
5. -O [DIR only scan], scans the specified directory ONLY and does
not examine any sub-directories.
6. -F [Single floppy scan], instructs VPCScan to scan a single floppy
disk. After VPCScan completes a scan of a floppy disk, the user
will be asked whether he/she wants to scan additional diskettes.
This request to scan additional disks can be turned off with -F.
This feature is useful when operating VPCScan in batch
mode to scan a single disk.
7. -# [Virus list], lists all the viruses that VPCScan is currently
capable of detecting. Repair capability is noted by the term
"disinfector" in parentheses next to the virus name. To print
the virus listing type: VPCSCAN C:\ -#>PRN.
8. -R [Scan log], creates an audit file, named VPCSCAN.LOG, which
lists all VPCScan alerts and responses. This is to be used in
combination with the batch mode described below. You
may also specify a filename for the log by typing
-R<filename> <return> (e.g., VPCSCAN -Rvirus <return> creates a
file named VIRUS.LOG). The default log file is named
VPCSCAN.LOG.
9. -T [Warning disable], turns off the warning message that this
version of the scanner is more than 6 months old.
10. -!R [Registration], allows you to create a personal registration file
with information provided by Datawatch after you have purchased
Virex for the PC. This will disable the screens that indicate
an unregistered copy. [See REGISTER.DOC]
11. -I(+) [Inoculate], creates or verifies an inoculation set and is
described fully under the section "The Inoculate Feature" in
this chapter.
12. -V(+) [Checksum Data], creates or verifies the file necessary for the
VIREX.COM TSR to monitor checksum changes. See "Creating a New
Protection File" and "The Checksum Verify Feature" in this
chapter.
13. -!N [Console alert disable], turns off the virus warning messages
that are sent to the Novell console whenever a virus is found.
To further customize scanning, the preceding options can be combined. For
example, to perform a long scan of the files in the current directory, type
VPCSCAN C:\ -O -L. The exception to this rule is that -V and -I cannot be used
together; they must be used individually. Note that there must be a space
between option codes.
Batch-mode Operation
When scanning a disk, VPCScan will alert the user every time a
virus is found, present several options (for example, Disinfect the file,
Remove the file, or Ignore the warning), and wait for a response.
VPCScan can also be operated in a batch mode, i.e., non-interactively. VPCScan
can be instructed to respond automatically to virus warnings in a predetermined
way during scanning. This feature is useful for system administrators who are
scanning large hard disks and do not want to be interrupted every time a virus
is discovered. Users who want to scan their computer at startup will also find
this feature useful. An optional audit trail provides a log of the viruses
found and action taken.
The VPCScan batch mode is executed from the command line:
VPCSCAN C:\ -B<option> For example, VPCSCAN C:\ -BI.
1. -BD [Batch Disinfect], DISINFECT all files that are infected by
viruses. If VPCScan can not repair a virus, it IGNORES the
warning.
2. -BR [Batch Remove], REMOVE (delete) all files that are infected by
viruses.
3. -BI [Batch Ignore], VPCScan will scan a volume, but will not delete
or repair files infected with viruses. The warning message and
infection will be IGNORED.
4. -BM [Batch renaMe], VPCScan will add a .VIR extension to the file
name of all infected files. With the .VIR extension, infected
files can be easily identified.
5. -E [Errorlevels], this switch will direct VPCScan to return an
errorlevel of 0 if and only if the system was completely
tested and no viruses were detected. Otherwise, a non-zero
errorlevel is returned. An error condition also returns a
non-zero errorlevel.
The batch mode is best used with a log file which will record all virus
warnings and the designated action taken. The report can then be
reviewed at the user's convenience. To operate VPCScan with an
audit trail, combine the following with the options above: -R<filename>
(e.g., VPCScan C:\ -BM -Rvirus.log). With only -R specified, the
default filename is VPCSCAN.LOG.
The Inoculate Feature
The VPCScan inoculate feature provides a powerful new way to
repair files and boot sector/partition tables that have been infected
by viruses.
Inoculate works by building two special files that protect your
computer from possible future virus attacks. Because the VPCScan
inoculate feature works with both of these files, the name "inoculation
set" will be used to describe them both.
Building and Updating the Inoculation Set
To have the powerful protection provided by the inoculation feature
you must first generate the inoculation set. The install program
generates the INOC.VRX file, which is the inoculation information about
all of the executable files on your C: drive and the CRITICAL.VRX file,
which records important boot and directory information about your C: drive.
To create or update the complete inoculation set add <drive>:\ and
-I+<filename> to the VPCScan command line. For example:
VPCScan C:\ -I+
VPCScan C:\ -I+myinoc.vrx
If no <filename> is specified VPCScan uses the default inoculate
filename, INOC.VRX; otherwise <filename> refers to the inoculation file that
you wish to create or update. The CRITICAL.VRX file cannot be
created with a different name.
NOTE: We recommend that you use the default name, INOC.VRX, because that name
is recognized by the checksum verify feature (-V, described below), allowing
VPCScan simultaneously to update both your inoculation and protection file when
it discovers a checksum mismatch.
If you have additional hard drives (D:, E:, etc.), those drives should be
included in your inoculation set. To create an inoculation set for all drives:
1: Change to the \VPC directory on your C: drive by typing CD\VPC then
pressing the RETURN key when you are at the C: prompt.
2: Use VPCScan to create your inoculation set by typing:
VPCSCAN <drive1>\ <drive2>\ -I+
e.g. VPCSCAN C:\ D:\ E:\ -I+
assuming you have a C: D: & E: drive
The -I+ option is also used to update your current inoculate file. This
means that VPCScan will add all new executable files to your
inoculation set and will alert you to changes in your existing
inoculation information. If VPCScan finds a file with a changed
checksum the following message will be displayed:
There has been a change in the signature of file:
<filename>
Press U to update the inoculation file with the new signature,
R to attempt to repair the file, or <ESC> to continue
Choosing U from this menu will update the inoculate file and
continue the scan. If you suspect that the file was modified by a
virus then use the R command to repair the file. After choosing the
repair option you will see the following box if VPCScan can
successfully repair the file:
The modified program can successfully be repaired.
Press Y to complete repair, or N to leave the
modified file in place.
If you choose Y the file will be repaired and the scan will continue.
If you choose N you will be returned to the previous box with only
the Update and Ignore options available. If VPCScan cannot repair
the file you will see this message box, explaining why VPCScan could
not repair the file:
The file could not be repaired. This may be because of an update
to a new version, configuration information has been stored within
the executable image of the program being examined, or the file is
infected with a new and sophisticated virus.
Press any key to continue.
After displaying this box VPCScan will return you to the previous
message box with only the Update and Ignore options available. You should
replace this file with a fresh copy, if possible.
The CRITICAL.VRX File
The CRITICAL.VRX file provides protection against boot sector
viruses. Boot sector viruses replace the boot sector and/or the
partition table of your hard drive. By copying these important parts
of your hard drive VPCScan can easily remove any virus that might
infect your hard drive by restoring the data that you copied prior to infection
by the virus. Because boot sectors and partition tables very rarely change this
type of protection is very effective.
WARNING: You must update your inoculation set whenever you alter your
partition information or upgrade to a new DOS version for this protection
to be effective.
The CRITICAL.VRX file also saves your CMOS information because
viruses can potentially damage it. This function does not work on XT
systems because they do not have CMOS. You should rebuild your
inoculation file if you alter any CMOS information other than the date
and time.
To update your CRITICAL.VRX file, simply recreate the inoculation set using
the -I+ option described above.
The INOC.VRX File
This file stores the inoculation information about your executable files.
It saves the first 32 bytes of the file along with the length and
certain checksum information about the file. With this information
VPCScan can successfully repair almost all infections from both known and
unknown viruses.
Using Inoculate on Files
You should update your inoculation file on a regular basis and perform scans at
frequent intervals for the best protection. If VPCScan or Virex reports that you
have a possible virus infection, then you may need to use the inoculation
feature's repair capability.
To repair files using the inoculate feature, follow the normal procedure for a
scan (on a file, directory, or disk) but add the -I command switch. If you have
chosen an alternative name for your inoculation file, enter -I<filename> on the
VPCScan command line. For example:
VPCScan C:\DOS -Ivirex.ino
In this mode, VPCScan will alert you at each virus infection and will
provide the standard options of Disinfect, Remove, or Ignore. The
difference in this case is that the Disinfect option will use inoculate if
there is no disinfector available. If you choose Disinfect, VPCScan will
attempt the repair of the file. If it can successfully repair the file you
will get the following message:
The infected program can be successfully disinfected.
Press Y to complete disinfection, or N to leave the
infected file in place.
If you choose Y the file will be restored to its pre-infection form. In
certain situations it may be impossible for VPCScan to rebuild the
file; see the Limitations of Inoculate below for more information. If
VPCScan cannot repair the file the following message will be
displayed:
The infected program could not successfully be disinfected.
Generally, this is because the virus infecting the program
uses sophisticated techniques to make such disinfections unlikely
Press any key to continue.
VPCScan will then return you to the previous message box with only
the Remove and Ignore options available.
IMPORTANT NOTE!!!
We strongly recommend that you use the -I switch regularly! With this option
enabled, Virex can disinfect many more viruses than without it.
Limitations of Inoculate
The inoculate feature is known to be ineffective against two types of
viruses. The first is what is called an overwriting virus. An
overwriting virus overwrites the first several bytes of the infected
file with its viral code, as opposed to inserting it in front of the real
program's code. If the virus overwrites more than the first 32 bytes
of the file, inoculate cannot repair it. Overwriting viruses are
rare. Inoculate also does not work against viruses that use a complex
technique to insert themselves into several areas of the infected program's
code. Zero Hunt is one of the few viruses that does this.
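The INOC.VRX description above (first 32 bytes, length and a checksum per file) and the limitations just listed, as an added example that is not VPCScan's own code: a Python model of an inoculation record, the change check, and a repair that is only accepted when the rebuilt file's checksum matches the record. The checksum algorithm (SHA-256 here) and the two repair strategies are assumptions, since the manual does not document VPCScan's internals; the sample "programs" and the changes made to them are constructed.

```python
"""Model of the INOC.VRX inoculation idea: for every executable keep its first 32
bytes, its length and a checksum, then use those three facts to detect changes
and to rebuild the original file. Added example, not VPCScan's own code."""
import hashlib

HEADER_LEN = 32  # the manual says INOC.VRX saves the first 32 bytes of each file


def checksum(data: bytes) -> str:
    # VPCScan's checksum algorithm is not documented in the manual; SHA-256
    # stands in for it here (assumption).
    return hashlib.sha256(data).hexdigest()


def inoculate(files: dict) -> dict:
    """Build an inoculation set: one record per file, like INOC.VRX."""
    return {
        name: {"header": data[:HEADER_LEN], "length": len(data), "checksum": checksum(data)}
        for name, data in files.items()
    }


def changed_files(files: dict, inoc: dict) -> list:
    """Names whose current checksum differs from the inoculation record
    (what the -I+ verify pass or the Virex TSR reports as a signature change)."""
    return sorted(n for n, d in files.items() if n in inoc and checksum(d) != inoc[n]["checksum"])


def repair(data: bytes, record: dict):
    """Try to rebuild the pre-change file from the stored header, length and checksum.

    Two candidates are tried (an assumed strategy, not VPCScan's documented one):
      1. code was appended and the start of the file was patched: put the saved
         32-byte header back and cut the file to its saved length;
      2. code was inserted in front of the program: the original is the tail.
    A candidate is accepted only if its checksum matches the record, so a wrong
    guess is never written back. Returns None if nothing matches, which is the
    case the manual describes for overwriting viruses that destroy more than
    the first 32 bytes.
    """
    length = record["length"]
    if len(data) < length:
        return None  # bytes are missing; nothing to restore them from
    candidates = (
        record["header"] + data[HEADER_LEN:length],  # appended + patched header
        data[len(data) - length:],                   # inserted in front
    )
    for candidate in candidates:
        if checksum(candidate) == record["checksum"]:
            return candidate
    return None


# Constructed sample "programs" (not real executables) and three kinds of
# change to them, named after the virus classes the manual distinguishes.
CLEAN = {
    "TOPSHELF.COM": bytes(range(256)) * 2,
    "EDIT.EXE": b"MZ" + bytes(range(200, 256)) * 4,
}
INOC = inoculate(CLEAN)


def appended_and_patched(data: bytes) -> bytes:
    # first 3 bytes replaced, extra bytes glued on the end
    return b"\xe9\x00\x02" + data[3:] + b"<appended bytes>"


def inserted_in_front(data: bytes) -> bytes:
    # extra bytes placed before the unchanged program
    return b"<inserted bytes>" * 4 + data


def overwritten(data: bytes, n: int) -> bytes:
    # first n bytes destroyed in place; file length unchanged
    return b"\x00" * n + data[n:]


def demo() -> dict:
    """Run each change through detection and repair; returns a name -> outcome map."""
    clean = CLEAN["TOPSHELF.COM"]
    cases = {
        "appended": appended_and_patched(clean),
        "inserted": inserted_in_front(clean),
        "overwrite_16": overwritten(clean, 16),  # within the saved 32 bytes
        "overwrite_64": overwritten(clean, 64),  # beyond them: unrepairable
    }
    results = {}
    for name, data in cases.items():
        detected = changed_files({"TOPSHELF.COM": data}, INOC) == ["TOPSHELF.COM"]
        fixed = repair(data, INOC["TOPSHELF.COM"])
        results[name] = "repaired" if fixed == clean else ("unrepairable" if detected else "unchanged")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} {outcome}")
```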
Using CRITICAL.VRX
There are three ways to restore the information in CRITICAL.VRX
to your hard drive. [When using any of these options <filename>
may not be necessary because VPCScan defaults to using CRITICAL.VRX. <filename>
is only necessary if you have changed the name of your CRITICAL.VRX file.]
In all cases, <drive>: specifies the drive to which you want to
restore the information.
1. If you wish to restore only your master boot sector specify <drive>:
and -P<filename> on the VPCScan command line. For example:
VPCScan C: -P or
VPCScan C: -Pmaster.vrx
2. If you wish to restore your master boot record and your
partition table use <drive>: and -PA<filename> on the VPCScan command
line. For example:
VPCScan D: -PA or
VPCScan D: -PAmaster.vrx
3. If you must restore your CMOS information, specify <drive>: and
-PC<filename> on the VPCScan command line. For example:
VPCScan C: -PC or
VPCScan C: -PCmaster.vrx
Making an Emergency Disk
Viruses can do so much damage to your hard drive that you cannot
even boot from the drive. If this happens, VPCScan can help you
correct the problems if you have made an emergency disk in advance. To make
an emergency disk, follow this procedure:
1. Change to your Virex for the PC directory by typing CD
<drive>:<path> and RETURN. For example:
CD C:\VPC
2. Format a floppy disk and make it a DOS bootable disk. For
example:
FORMAT A: /S
3. Copy VPCScan to the newly formatted floppy disk. For example:
COPY VPCScan.EXE A:
4. Copy your inoculation set (both CRITICAL.VRX & INOC.VRX) to the
floppy disk. For example:
COPY *.VRX A:
5. Write-protect and label your new emergency disk.
You have now created an emergency disk that can be invaluable if your computer
becomes infected by a virus. This emergency disk will not help you, however, if
you have made many changes to your hard drive between the time you made your
emergency disk and a virus attack. Therefore, it is necessary to update the
inoculation set on your emergency disk regularly.
Updating Your Emergency Disk
You should update your emergency disk every time you update your
inoculate file. To update your emergency disk:
1. Temporarily remove the write-protection on the floppy disk.
2. Copy your updated inoculation set (both CRITICAL.VRX & INOC.VRX) to
the floppy disk.
COPY *.VRX A:
3. Write-protect the emergency disk again.
We recommend that you perform this disk update procedure whenever
you update your inoculation set.
WARNING: Do not update your emergency disk if your system is
infected by a virus. Make sure the virus is eliminated before
updating the emergency disk or you will risk infecting it.
Using Your Emergency Disk
To use the emergency disk:
1. Insert your emergency disk in the A: drive.
2. Turn your computer off, wait 10 seconds, and turn your
computer back on.
3. You can now safely repair your computer using the copy of
VPCScan that is on your emergency disk. See the instructions above
about VPCScan to disinfect your computer.
The Checksum Verify Feature
The VIREX.DAT is the protection file that contains the checksums which
VIREX.COM uses to monitor your system for known and unknown viruses. If
you periodically want to verify all of these checksums, you can use VPCScan's
checksum verify feature. Using -V will check the VIREX.DAT protection file:
VPCScan -V <return>
If you want to verify an individual file, you can specify the file in the normal
manner and add -V:
VPCScan C:\<filename> -V <return>
If a known virus infection is found you will be alerted and given the
same options as in a normal scan. If a file with a changed checksum
is found that does not contain a known virus, you will see the
following screen:
Signature mismatch between Protection File signature and:
<filename>
Press 'U' to update signature, 'I' to ignore
Pressing U will update the file's checksum in the protection file.
Pressing I will ignore the file's changed checksum and continue
scanning. If you suspect the file may be infected by an unknown
virus we recommend choosing I for Ignore and then deleting the
file using DOS.
If you have also created an inoculation set, using the default name of INOC.VRX,
the checksum verify feature will work in conjunction with it. In this case, the
-V option will check both the VIREX.DAT and the INOC.VRX files to verify that
the checksum signature is correct. If it finds a mismatch, you will see the
following screen:
Signature mismatch between:
<filename>
and Protection File and Inoculation File signatures.
Press 'B' to update both signatures, 'R' to repair, 'I' to ignore
Pressing B will update the file's checksum in both the protection file and the
inoculation file. Pressing R will repair the file using inoculation
information. Pressing I will ignore the file's changed checksum and
continue scanning.
Creating a New Protection File
VPCScan will also allow you to create a completely new protection
file. This file is generated with only checksum information in it.
To create a new VIREX.DAT file, type:
1: Change to the \VPC directory on your C: drive by typing CD\VPC then
pressing the RETURN key when you are at the C: prompt.
2: Use VPCScan to create the protection file for all drives by typing:
VPCSCAN <drive1>\ <drive2>\ -V+
e.g. VPCSCAN C:\ D:\ E:\ -V+
assuming you have a C: D: & E: drive
This procedure will scan and checksum the files on your drives and create a new
VIREX.DAT file in C:\VPC. Once created, VIREX.COM will address this file as a
checksum base and monitor your drive for changes. This feature enables Virex to
diagnose an infection from an unknown virus.
C H A P T E R 6 :
USING THE VIREX TSR
Virex is a terminate and stay resident (TSR) program that provides
continuous protection against both known and unknown viruses.
Virex protects against known viruses by checking programs when
they are executed for the viral signatures of known viruses. Virex
protects against unknown viruses by monitoring the checksum
signature of a program each time it is run and verifying it against the
recorded checksum contained in the VIREX.DAT file.
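The protection-file workflow of Chapter 5 (build with -V+, verify with -V, resolve a mismatch with B, R or I) and the TSR's execution-time check described above, as an added model written for this page rather than Datawatch's code. In-memory tables stand in for VIREX.DAT and INOC.VRX, whose real layouts the manual does not give, and a full repair copy stands in for the inoculation information.

```python
"""Model of the Virex TSR execution check (Chapter 6) over a protection file
built as in Chapter 5 (VPCSCAN -V+) and resolved with the -V prompt's B/R/I
choices.  Added example for this page, not Datawatch code: in-memory tables
stand in for VIREX.DAT and INOC.VRX, whose real layouts the manual omits."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

def checksum(data: bytes) -> str:
    # Any stable digest serves as a baseline; the real VIREX.DAT algorithm is not given.
    return hashlib.sha256(data).hexdigest()

def build_protection(root: Path) -> Dict[str, str]:
    """VPCSCAN <drive>\\ -V+ : record a checksum for every program file in root."""
    return {p.name: checksum(p.read_bytes()) for p in sorted(root.iterdir())
            if p.suffix.lower() in (".com", ".exe")}

def build_inoculation(root: Path) -> Dict[str, bytes]:
    """Inoculation set: a repair copy per program (model; real contents not described)."""
    return {p.name: p.read_bytes() for p in sorted(root.iterdir())
            if p.suffix.lower() in (".com", ".exe")}

def run_check(path: Path, protection: Dict[str, str], signatures: List[bytes]) -> str:
    """TSR check as a program is about to run: 'virus', 'checksum-mismatch',
    'unregistered' or 'ok'; only 'ok' lets the run proceed (unregistered files
    are scanned but not added to the checksum list)."""
    data = path.read_bytes()
    if any(sig in data for sig in signatures):
        return "virus"                 # Program Run Aborted. Viral Infection Found.
    stored = protection.get(path.name)
    if stored is None:
        return "unregistered"
    if checksum(data) != stored:
        return "checksum-mismatch"     # Program Run Aborted. Checksums do not match.
    return "ok"

def resolve_mismatch(path: Path, choice: str, protection: Dict[str, str],
                     inoculation: Dict[str, bytes]) -> str:
    """The -V prompt: 'B' updates both stored signatures to the file as it is now,
    'R' repairs the file from its inoculation copy, 'I' leaves it alone."""
    if choice == "B":
        data = path.read_bytes()
        protection[path.name], inoculation[path.name] = checksum(data), data
    elif choice == "R":
        if path.name not in inoculation:
            raise KeyError(f"no inoculation copy for {path.name}")
        path.write_bytes(inoculation[path.name])
    elif choice != "I":
        raise ValueError("choice must be B, R or I")
    matches = checksum(path.read_bytes()) == protection.get(path.name)
    return "ok" if matches else "checksum-mismatch"

def demo(root: Optional[Path] = None) -> Dict[str, str]:
    """Constructed scenario: baseline two programs, then modify one, add an
    unregistered one, and plant a constructed (harmless) signature string."""
    root = root or Path(tempfile.mkdtemp())
    (root / "GOOD.COM").write_bytes(b"\xb4\x4c\xcd\x21")        # DOS 'exit' stub
    (root / "TOOL.EXE").write_bytes(b"MZ" + b"\x00" * 30)
    prot, inoc = build_protection(root), build_inoculation(root)
    sigs = [b"VIREX-TEST-SIG"]                                  # constructed signature
    (root / "TOOL.EXE").write_bytes(b"MZ" + b"\x00" * 30 + b"X")  # unknown change
    (root / "NEW.EXE").write_bytes(b"MZ")                       # never baselined
    (root / "BAD.COM").write_bytes(b"\x90VIREX-TEST-SIG")       # matches the signature
    out = {name: run_check(root / f, prot, sigs) for name, f in
           [("good", "GOOD.COM"), ("changed", "TOOL.EXE"),
            ("new", "NEW.EXE"), ("bad", "BAD.COM")]}
    out["repaired"] = resolve_mismatch(root / "TOOL.EXE", "R", prot, inoc)
    return out
```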
Virex Options
Virex, with no command line options, defaults to disk swapping
mode. This means that Virex keeps its checksum file and its virus
signature information on disk until it is needed. This allows Virex to
occupy less than 1KB of RAM memory.
If working memory is not a constraint or if you do not want the
slight speed degradation that comes with disk swapping, Virex has
other options.
1. -S This option forces Virex to load the virus signature
information into memory. This results in Virex taking up
approximately 17KB of RAM memory.
2. -M This option further disables disk swapping by forcing
Virex to load the checksum file into memory. This option
is only available in conjunction with the -S option. Virex
will occupy 17KB plus the size of your checksum file when
the -S and -M options are enabled.
3. -C In some rare situations, especially involving networks, it
may be necessary to turn off checksum checking completely.
This is necessary if there is a configuration where the user
cannot access the checksum file. To disable checksum checking
add -C to the Virex command line. With the -C option Virex will
scan each program that is executed for known viruses only!
4. -R For Novell network users. If Virex has been automatically
loaded prior to Novell Netware drivers, Virex may be disabled by
the loading of those drivers. Reloading Virex with the -R
switch after Netware drivers are in place will ensure that Virex
is resident and providing proper protection.
Starting Virex
VIREX.COM is copied to the \VPC directory by the install program. After
installation, you must create the VIREX.DAT protection file by following the
instructions in Chapter 5, "Creating a New Protection File". Once the protection
file has been created in the \VPC directory, launch Virex by typing VIREX
<enter>. The TSR then loads into memory and provides you with continuous
background virus monitoring.
You may wish to edit your autoexec.bat file in your root directory to add the
following line to provide virus protection every time you turn on your PC.
C:\VPC\VIREX.COM <options>
If you attempt to run a program whose checksum signature has
changed, but which is not infected by a known virus, you will see the
following message along with information about the new and stored
checksums for the file:
Program Run Aborted. Checksums do not match.
Access denied.
If you suspect that the program which caused the alert is infected
with an unknown virus, and you have previously used VPCScan to
create an inoculation file, then you should run VPCScan with the -I
switch to disinfect the file. If you suspect an unknown virus but
have not used the VPCScan inoculation feature, you should
delete the suspect file and replace it with an original copy.
If you suspect that the file's checksum has been changed for some
reason other than a viral infection, then you should update the file's
checksum record in the Virex protection file. You can use the
checksum verify feature of VPCScan (-V) to update the protection file.
See Chapter 5 for details on the inoculation and checksum verify features.
If you attempt to run a program that has been infected by a known virus,
you will see the following message and VPCScan will be called by VIREX.COM
in order to address the viral infection:
Program Run Aborted. Viral Infection Found. Running VPCScan.
If VPCScan can disinfect the infected file, it will do so and will offer
you the choice of printing or saving a log of its activities, or simply
exiting VPCScan.
If VPCScan cannot disinfect the file, you will see the following
VPCScan alert message:
Virus Alert!!
<filename>
is infected with <virus name>.
Press R to remove, E to exit without execution.
Press R to remove (erase) the file from the disk. Press E to exit
VPCScan and leave the infected file on disk.
IMPORTANT NOTE:
If you previously used VPCScan to create an inoculation file you may be
able to repair the infected file using the VPCScan inoculation feature.
In this case you should press E and run VPCScan using its inoculate feature.
See Chapter 5 for details on using the inoculation feature.
C H A P T E R 7 :
USING VIREX FOR THE PC IN A NETWORK ENVIRONMENT
Virex for the PC is compatible with Novell NetWare, a popular
software product for networking personal computers. In a NetWare
environment, application programs and data files can be stored on a
file server, a dedicated workstation that manages the network. The
server functions as an additional, large hard drive attached to your
PC.
Servers are not immune to computer viruses. An infected file can be
transferred from a personal computer to a file server. If the file is an
executable program, it can infect other PCs when it is executed or downloaded
from the server.
VPCScan is designed to scan Netware server drives for computer
viruses. VPCScan treats a server drive (e.g., F:) like a local hard drive
or floppy disk, subject to the file protection constraints of Netware.
VPCScan only scans files that you have read/open access to. A file
that is read-protected can not be scanned. In addition, VPCScan
only scans files that are NOT in use or that are in use and sharable (i.e.,
more than one user can use the same file simultaneously). A file that
is in use and non-sharable CANNOT be scanned for viruses.
We recommend that you run VPCScan as the NetWare network
supervisor, so that all read-protected files can be scanned. Further,
we recommend that you use VPCScan when everyone is logged off of
the server, so that all non-sharable files can be scanned.
Scanning a Server Drive for Viruses
VPCScan can be operated from a personal computer linked to a
server or, in the case of a non-dedicated server, from the server
itself. The procedure for scanning a server drive is:
1. Make sure that you can access the Netware server drive. You
may need to log in to the server or may simply type <server drive>:
(e.g., F:) for access. See the Netware user's guide for more
information.
2. Make the location of VPCScan program the current drive (e.g.,
by typing C: if VPCScan was installed on the C: drive).
3. Type VPCScan <server drive>: (e.g., VPCScan F:) to scan the
server hard drive.
VPCScan will issue a warning message and list the names of any files
that could not be scanned. If a server file is infected with a virus,
VPCScan will display the standard virus warning message and issue
the following options:
1. Disinfect - attempt to remove the virus from the original file, if
VPCScan knows how to disinfect files infected by this particular
virus.
2. Remove - delete the infected file.
3. Ignore - leave the file in its current state.
If an infected file is write-protected by Netware, you will not be able
to repair or delete the file unless you have appropriate network
access to that file.
Scanning Local Drives with VPCScan Installed on the Server
VPCScan can also be operated from the server. You will need to copy
the VPCScan program to the server drive. If you have privileges to copy
files to the server, you can use a standard copy command:
COPY <drive>:VPCScan.EXE <server drive>:*.*
(e.g., COPY C:VPCScan.EXE F:*.*)
See your Netware user's guide for more information about transferring files to a
server.
The procedure for scanning a local drive with VPCScan loaded on the
server is:
1. Make sure that you can access the Netware server drive. You
may need to log in to the server or may simply type <server drive>:
(e.g., F:) for access. See the Netware user's guide for more
information.
2. Make the server drive the current drive (e.g., by typing F:)
3. Type VPCScan <drive>: (e.g., VPCScan C:) to scan the local drive
for viruses. Floppy drives and hard drives can be scanned from the
server.
If a file on the hard drive is infected with a virus, VPCScan will
display the standard warning message and options:
1. Disinfect - attempt to remove the virus from the original file, if
VPCScan knows how to disinfect files infected by this particular
virus.
2. Remove - delete the infected file.
3. Ignore - leave the file in its current state.
Sending virus alerts to the Novell Console Screen
If you are attached to a Novell network, run VPCScan locally, and discover a
virus on your local computer, VPCScan will notify both you and the Novell
Netware Console. If you wish to run VPCScan without this feature, use the
"-!N" switch from the command line (e.g. "VPCSCAN -!N").
If you are running Netware 2.x, VPCScan will display the message on the console
screen and write an entry to the file, LOG$MSG.LOG, a netware log file.
If you are running Netware 3.x, VPCScan will only display the "virus found"
message to the console screen. No permanent log of these alerts will be kept
on the server itself.
Virex and the Special Case of the Diskless Workstation or Floppy Only Station
It is possible to operate Virex from a server in a special mode of
operation. Virex evaluates executed files for known viruses
and for checksum changes. For more information about Virex, see
Chapter 6.
If Virex is loaded on the server, you can type <server drive>:Virex -C.
When a file is executed from either the server or the local PC hard
drive, it will be scanned for known viruses.
The -C command switch disables checksum monitoring. Checksum
monitoring must be turned off for Virex to operate properly when
run from the server.
The use of Virex is especially appropriate if you are operating a
diskless workstation in a network. In this configuration, there is no
local hard drive to operate Virex TSR. To realize the virus prevention
benefits, Virex can be operated from the server with checksum monitoring
disabled.
WARNING! If Virex has been automatically loaded prior to Novell Netware
drivers, Virex may be disabled by the loading of those drivers. Reloading Virex
with the -R switch after Netware drivers are in place will ensure that Virex
is resident and providing proper protection.
C H A P T E R 8 :
USING VIREX FOR THE PC IN A WINDOWS ENVIRONMENT
Virex for the PC is compatible with Microsoft Windows. It will
operate in the three Windows modes: Real, Standard, and 386
Enhanced. VPCScan and Virex TSR can both be used in a Windows environment. You
should be familiar with Windows before attempting to use Virex with Windows. If
you are new to Windows, we recommend that you operate Virex for the PC in DOS
rather than under Windows.
VPCScan: Scanning and Treating Viruses under Windows
VPCScan can be run from within Windows in several ways. The easiest way
is to use the Windows File Manager. Using the File
Manager, simply double-click on the icon next to VPCScan to execute
it. This will launch VPCScan as an application in DOS mode.
The second way to run VPCScan under Windows is to open a DOS
window by clicking on the DOS icon in the MAIN group. This will
temporarily put you at a DOS prompt and you can run VPCScan just
as if you were in standard DOS mode.
We recommend, however, that you run VPCScan from within DOS.
This will avoid any problems that might result from other tasks
processing in the background under Windows. This is necessary
especially if you are using the checksum verify and inoculate
features of VPCScan.
Preventing Virus Infections Using Virex
The Virex TSR will monitor DOS applications running under Windows
for checksum changes and for viruses. If the checksum of a file has
changed, program execution will be denied. The user will not be
given the option to run the program. If a file is not registered, it will
be automatically scanned for viruses, but will not be added to the
checksum list. If a virus is found, a standard virus warning with
options will be issued. Virex will not evaluate Windows applications
for checksum changes.
C H A P T E R 9 :
SAFE COMPUTING PRACTICES
You can reduce the risk of experiencing problems with a computer
virus by following these guidelines:
> Use software that is obtained from reputable and reliable
sources. In general, commercial software from well-known software
publishing firms should be virus-free.
> Treat public domain and shareware software with caution. Test
the software with the VPCScan program before you use it.
Remember, computer viruses do not have an opportunity to replicate
themselves until you execute the program they have infected.
> There have been instances in which infected commercial
software has been inadvertently shipped to consumers. While this is
an infrequent occurrence, Datawatch recommends that you test all
new commercial software with the VPCScan program before you use
it.
> Start your computer from the hard disk or from a single, write-
protected floppy system disk (to avoid boot sector viruses). Never
boot from an unscanned floppy.
> Never leave diskettes in the diskette drives of your machine during
a restart or cold start to reduce the risk of boot sector viruses.
> All newly acquired software applications should be backed up,
write-protected, and put in a safe place. Always execute your
application programs from backup copies or from fresh copies placed
on your hard disk. This will prevent your original copies from being
contaminated by a virus, and ensure that a fresh copy is always
available should your working copy become damaged.
> Make regular backups of files you have customized, such as
your AUTOEXEC.BAT. This will save you hours of work rebuilding the
system in the event of a virus attack or a hard disk failure.
> Systematically back up your important data files to ensure that
you do not lose important work.
> Be security conscious and promote security awareness
throughout your organization.
By backing up important application and data files, you will limit
your losses in the event of a hard-disk crash, a virus attack, or any
other sudden computer failure.
These safe computing practices will not only help to safeguard your
computer from viruses, but will help prevent the loss of important
data in the event of a catastrophe.
NOTE: You may wish to consult your dealer about useful hardware
and software backup solutions.
C H A P T E R 10 :
REMOVING A BOOT SECTOR VIRUS
If you purchased Virex for the PC AFTER being infected by a boot
sector virus, or if you cannot recover using the inoculate feature,
then manual removal might be necessary. If you are using
MS-DOS 5.0 or later, skip to the second section of this chapter.
If after scanning your hard drive VPCScan finds a boot sector virus,
but does not offer to Disinfect it, follow this procedure to manually
remove the virus.
1. Re-boot your computer from a clean, write-protected DOS disk.
The DOS version on this disk must be the same as the DOS version on
your hard drive.
2. Type DIR SYS.COM to see if this DOS disk has the SYS command
on it. If it does skip to step 4.
3. Insert your other DOS disks until you find the one with the SYS
command on it.
4. Type SYS <drive>: and return (e.g. SYS C:).
If you receive an error from DOS in this process, consult your DOS
manual.
If, after completing the above process and rebooting, VPCScan still shows
your computer to be infected, then the virus has also infected your
partition table. To eliminate this kind of virus you will need to follow
a more complex set of steps.
1. Reboot your computer from a clean, write-protected DOS disk.
The DOS version on this disk must be the same as the DOS version on
your hard drive.
2. Backup your hard drive using the DOS BACKUP command or a
third-party backup utility.
3. Low level format your hard drive. You will need to consult
your hard drive manual or call your manufacturer for the low level
formatting procedure on your hard drive.
4. Run FDISK from your DOS disk and rebuild the hard drive's
partition table. (Consult your DOS manual.)
5. Format your hard drive by typing FORMAT <drive>: /S and
return (e.g. FORMAT C: /S).
6. Restore your hard drive using the DOS RESTORE command or a
third-party backup utility.
Because boot sector viruses do not infect files, this method is a
completely safe way to remove the virus from your hard drive.
For MS-DOS 5.0 and later users
There is an undocumented feature in the FDISK utility that is
part of MS-DOS (version 5.0 and later) that can remove most Master
Boot Record viruses (Partition Table and Boot Sector) without loss of
data.
Follow this simple procedure to remove a Master Boot Record virus
without loss of any data:
1. Completely back up the infected machine.
2. Restart your machine with a clean MS-DOS 5.x or above boot
disk in the A:> drive. Make sure that the MS-DOS 5.x or above utility
called FDISK.EXE is on the diskette and that the diskette is write
protected.
3. Once booted directly to the A:> prompt, type: FDISK /MBR <Enter>
Almost immediately, you should return to the A:> prompt.
4. Remove the diskette from the A:> drive and restart the PC.
5. Insert the original, write protected Virex for the PC diskette in
the diskette drive and type: A:VPCSCAN C:\ <Enter> where A: is the
Virex for the PC diskette and C:\ is your primary startup hard
drive. This scan should come up clean of all Master Boot Record
viruses on your hard drive.
A similar feature exists in DRDos 6.0. Consult your DRDos manual for further
information on the FDISK utility.
IMPORTANT NOTE
After a PC becomes infected with a Master Boot Record virus, the
virus may spread by infecting non-write-protected diskettes that are
accessed by the infected system. After following the above procedure
and successfully removing the resident virus, make sure that you
scan all diskettes that have been used in this infected machine. Once
you have confirmed that they are clean, write-protect them. NO virus
can bypass this kind of protection.
A P P E N D I X A :
THE EXTERNAL VIRUS SIGNATURE FILE
The external virus signature file is a feature meant only for expert users.
It allows new viruses to be detected, by means of their signatures, without
having to wait for a new release of Virex for the PC. You should be careful;
if you use the external signature file and add a virus signature that we are
already using within our internal virus signature database, Virex will inform
you that it has found a virus in memory. You should contact Datawatch before
using this feature.
The external virus signature file must be on your C: drive, in a
directory called "\VIREX", and must be called "VIREX.VIR". Its format
is as follows:
<virus-type><space><virus-name><space><ascii-signature-representation>
The <virus-type> indicates whether the virus signature following is for
a "Program" virus or a "Boot" virus. Use 'P' for program viruses and 'B'
for boot sector viruses. You can also use a '#' as a comment line
indicator, if you wish; such flagged lines will be ignored.
The <virus-name> is the name of the virus. It may not contain any spaces or
other whitespace. You might want to use underscores or hyphens instead of
spaces.
The <ascii-signature-representation> is the translation of the hex
signature string into an ASCII form. Each byte is represented by a zero-filled,
right-justified two place sequence: the proper representation of
a hex "0xf" would be "0f"; to represent "0xff", use "ff".
For example, if a new virus called NewVirus, a program type virus, were
to have a signature string of "1 2 3 4 5 6 7 8 9 a b c d e f", its entry
in the external signature file (C:\VIREX\VIREX.VIR) would be:
#A comment line for the NewVirus external signature file example
P NewVirus 0102030405060708090a0b0c0d0e0f
Optionally, you could include both a checksum of these bytes and a "nasty"
indicator. A nasty indicator tells VPCSCAN that the virus signature refers
to a virus that can infect a clean file simply by VPCSCAN examining that
clean file: if such a virus is found in memory, VPCSCAN will not scan further,
and you should reboot with a clean, write-protected DOS floppy before
scanning again. The nasty indicator is simply an exclamation point, "!".
The checksum is a two-byte long unsigned checksum of the signature bytes.
You can use a program such as Sidekick in its hex calculator mode to
determine what this checksum should be. If you choose to use the checksum,
and/or the nasty indicator, they should be placed following the hex signature,
using a <space> between the signature and the checksum/nasty pair. The order of
the checksum/nasty pair is unimportant.
For example:
# Example ZeroCheckSum Virus, nasty, program virus
P ZeroCheckSum 00000000000000000000 0000!
# Alternate example ZeroCheckSum Virus, nasty, program virus
P ZeroCheckSum 00000000000000000000 !0000
# NonNastyZero, program virus
P NonNastyZero 00000000000000000000 0000
# NastyVirus, no checksum, boot sector virus
B NastyVirus 1234567890aabbccdd !
# NastyVirus, checksum, boot sector virus
B NastyVirus 1234567890aabbccdd 04b2!
Please be sure not to use these examples; you might end up with a false
positive!
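A validator for the VIREX.VIR format just described, written as an added example for this page (it is not Datawatch's code). It assumes the two-byte checksum is the unsigned 16-bit sum of the signature bytes, a rule that reproduces the appendix's own 1234567890aabbccdd -> 04b2 entry; a maintainer can use it to check a hand-edited file for odd-length hex, whitespace in names, or a wrong checksum before Virex ever loads it.

```python
"""Validator for the VIREX.VIR external signature file format of Appendix A.
Added example, not Datawatch code.  Assumption: the two-byte checksum is the
unsigned 16-bit sum of the signature bytes (matches 1234567890aabbccdd -> 04b2)."""
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Signature:
    kind: str                # 'P' = program virus, 'B' = boot sector virus
    name: str                # no whitespace allowed
    sig: bytes               # the signature bytes
    nasty: bool              # '!' present: stop scanning if this virus is in memory
    checksum: Optional[int]  # the two-byte checksum, if the entry carried one

def sig_checksum(sig: bytes) -> int:
    """Assumed rule: sum of the signature bytes, kept to 16 bits."""
    return sum(sig) & 0xFFFF

def parse_line(line: str) -> Optional[Signature]:
    """Parse one line; None for blank/comment lines; ValueError if malformed."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) not in (3, 4):
        raise ValueError(f"expected 3 or 4 fields: {line!r}")
    kind, name, hexsig = fields[:3]
    if kind not in ("P", "B"):
        raise ValueError(f"virus type must be P or B, got {kind!r}")
    # every byte must be a zero-filled two-place hex pair ("0f", never "f")
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", hexsig):
        raise ValueError(f"signature is not whole two-digit hex bytes: {hexsig!r}")
    sig = bytes.fromhex(hexsig)
    nasty, checksum = False, None
    if len(fields) == 4:
        trailer = fields[3]             # "04b2!", "!04b2", "04b2" or just "!"
        hexsum = trailer.strip("!")     # checksum/nasty order is unimportant
        nasty = len(trailer) != len(hexsum)
        if (len(trailer) - len(hexsum) > 1 or "!" in hexsum
                or not re.fullmatch(r"(?:[0-9a-fA-F]{4})?", hexsum)):
            raise ValueError(f"bad checksum/nasty field: {trailer!r}")
        if hexsum:
            checksum = int(hexsum, 16)
            if checksum != sig_checksum(sig):
                raise ValueError(f"{name}: checksum {hexsum} != computed "
                                 f"{sig_checksum(sig):04x}")
    return Signature(kind, name, sig, nasty, checksum)

def parse_file(text: str) -> List[Signature]:
    return [s for s in map(parse_line, text.splitlines()) if s is not None]

def make_line(kind: str, name: str, sig: bytes, nasty: bool = False,
              with_checksum: bool = True) -> str:
    """Emit a well-formed entry: lower-case hex, then checksum, then '!'."""
    if kind not in ("P", "B") or re.search(r"\s", name) or not sig:
        raise ValueError("bad type, whitespace in name, or empty signature")
    trailer = (f"{sig_checksum(sig):04x}" if with_checksum else "") + ("!" if nasty else "")
    return " ".join(f for f in (kind, name, sig.hex(), trailer) if f)

# Constructed sample: the entries Appendix A itself shows, as one file body.
SAMPLE_VIR = """\
#A comment line for the NewVirus external signature file example
P NewVirus 0102030405060708090a0b0c0d0e0f
P ZeroCheckSum 00000000000000000000 !0000
P NonNastyZero 00000000000000000000 0000
B NastyVirus 1234567890aabbccdd !
B NastyVirus 1234567890aabbccdd 04b2!
"""
```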