WDR Computer Club Digital 1998 January

home *** CD-ROM | disk | FTP | other *** search

/ WDR Computer Club Digital 1998 January / CC980102.BIN / VIRUS / DRWEB / DRWEB.ME < prev next >

Wrap

Text File | 1997-10-27 | 88KB | 1,856 lines

DDDDDDD RRRRRRR WW WWW WW EEEEEEEEE BBBBBBB DDDDDDDD RRRRRRRR WW WWWW WW EEEEEEEEE BBBBBBBB DD DD RR RR WW WW WW WW EE BB BB DD DD RR RR WW WW WW WW EE BB BB DD DD RRRRRRRR WW WW WW WW EEEEEEEEE BBBBBBBB DD DD RRRRRRR WW WW WW WW EEEEEEEEE BBBBBBBB DD DD RR RR WW WW WW WW EE BB BB DD DD RR RR ■■ WW WW WW WW EE BB BB DDDDDDDD RR RR ■■■■ WWWW WWWW EEEEEEEEE BBBBBBBB DDDDDDD RR RR ■■ WWW WWW EEEEEEEEE BBBBBBB A KILLER FOR POLYMORPHIC VIRUSES USER'S GUIDE Version 3.26 Released October 28, 1997. by Igor Daniloff LICENSE AGREEMENT Dr. Web anti-virus program is distributed "AS IS" without warranty of any kind, either expressed or implied. The entire risk as to the quality and performance of the program lies with the user. Should the program prove defective, the designer or his authorized distributor or dealers bear no responsibility. If you have an illegal copy of Dr. Web Registered users and ... virus designers may skip this paragraph. Dr. Web Anti-virus program is a commercial software product. If you have found it helpful and want to use it in your everyday computer sessions - please, procure a licensed copy and register it. The value of information in your computer is incomparable to the cost of Dr. Web program! Dr. Web Anti-virus Package includes the following files: ┌────────────┬────────┬─────────────────────────────────────────┐ │ File │ Size │ Description │ ├────────────┼────────┼─────────────────────────────────────────┤ │HISTORY.WEB │ - │ Brief history of Dr. Web program │ │VIRTABLE.WEB│ 281318 │ Catalogue of viruses recognized and │ │ │ │ killed by Dr. Web │ │VIRLIST.WEB │ - │ Brief description of the viruses known │ │ │ │ to Dr. Web │ ├────────────┼────────┼─────────────────────────────────────────┤ │DRWEB.EXE │ 255700 │ Dr. Web anti-virus program │ │DRWEB.HLP │ 18638 │ Help file in English │ │DRWEB.ICO │ 766 │ Icon file for MS-Windows │ │DRWEB.INI │ 1024 │ Dr. Web configuration file │ │DRWEB.ME │ 88451 │ User's guide │ │DRWEB.PGP │ 294 │ Dr. Web validation signature │ │WEBymmdd.vvv│ nnn │ Add-on file to the virus database │ └────────────┴────────┴─────────────────────────────────────────┘ REMARK. Dr. Web package may also contain one or more add-on files. How to append add-on files to the Dr. Web program is described in Section 1.4 The UPDATE item. C O N T E N T S OVERVIEW What is Doctor Web? 1. RUNNING DR. WEB IN INTERACTIVE MODE 1.1 The DR. WEB menu 1.2 The TEST menu 1.3 The SETUP menu 1.4 The UPDATE item 1.5 The HELP menu 1.6 Speedkeys 2. RUNNING DR. WEB FROM ITS COMMAND LINE 2.1 List of command options and their purpose 2.2 Running Dr. Web in batch mode REFERENCES O V E R V I E W What is Doctor Web? Dr. Web searches the memory and disks for viruses known to it and eradicates them. It can also conduct a heuristic analysis of files and system areas for detecting new and unknown viruses. It is a good idea to have Dr. Web on a write-protected bootable diskette for testing your machine. Prior to making this copy, it is quite important that the computer is started from a clean bootable system diskette. In case you rename the DRWEB.EXE file (to hide it from resident viruses capable of attacking Dr. Web), the DRWEB.INI file (if it is used in operation) must also be renamed to the same name as DRWEB.EXE without altering the extension INI; for example, if DRWEB.EXE is renamed as ANTIVIR.EXE, then DRWEB.INI must be renamed as ANTIVIR.INI. First, install Dr. Web in your machine. For this, create a directory named DRWEB in drive C, log on to this directory, and finally copy all files from the installation diskette to this directory. Dr. Web can be run either in interactive or batch mode. Batch mode is particularly convenient for automatically running Dr. Web from the AUTOEXEC.BAT file every time the computer is started. How to run Dr. Web from the AUTOEXEC.BAT file and the command options will be described latter. Now we describe the interactive mode. 1. RUNNING DR. WEB IN INTERACTIVE MODE To start Dr. Web in interactive mode, at the DOS prompt type the command drweb and press <Enter>. On starting the program, the screen displays the main menu: Dr.Web Test Setup Update [F1] Help █████████████████████████████████████████████████████████████████ █╔═════════════════════ Scanning progress ═════════════════════╗█ █║ ║█ Fig.1. Dr. Web's main menu Using the menu items and commands, you can configure the program to suit your preferences, choose various program modes, update your Dr. Web by appending add-on files to the main virus database, and get on-line help on various topics. ═══════════╦═════════════════════════════════════════════════════ Menu item ║ Purpose ═══════════╬═════════════════════════════════════════════════════ Dr.Web ║ The commands in this menu are used to display ║ information about the program version, to shell ║ to DOS screen, and to end a Dr. Web session. ───────────╫───────────────────────────────────────────────────── Test ║ The commands in this menu are used to test and ║ cure the machine, and to display the report of ║ the current scanning session. ───────────╫───────────────────────────────────────────────────── Setup ║ The commands in this menu are used to customize ║ the operation of Dr. Web to suit your preferences. ───────────╫───────────────────────────────────────────────────── Update ║ This command is used to append add-on files to ║ the main virus database of the program. ───────────╫───────────────────────────────────────────────────── [F1] Help ║ displays on-line help on various topics. ═══════════╩═════════════════════════════════════════════════════ You may navigate through the menu with the keyboard or mouse. To pull the menu of an item on the menu bar or to execute a command in the menu, point to the item and click the left mouse button. To access any item on the menu bar, first press <F10> or the spacebar to activate the menu. Then using the <Left> or <Right> keys, you may move over the menu bar. To pull down the menu of an item on the menu bar, choose the item and press <Enter>. One letter in the name of every menu item is highlighted or displayed with contrasting intensity. To open the menu of an item on the menu bar or to execute a command in any menu panel, while keeping <Alt> pressed down, press the appropriate highlighted letter in the name of the menu. For example, the letter D is highlighted in the name of the menu item Dr.Web. To open the menu of this item, press <Alt+D>. Depending on the command chosen from the menu panels, the screen displays dialog panels for customizing the interface, specifing the scan modes, appending additional virus databases, etc. These panels contain controls - text fields, command buttons, check boxes, and option buttons. One of the controls in every dialog panel by default is selected, i.e., highlighted. You can straight away work with this control (enter text in the text field, change the status of the option button, execute the command button) from your keyboard. To select a different control, press <Tab> once or repeatedly until the desired control is selected, or point to the desired control and click the mouse left button. Pressing <Shift+Tab>, you may select one control after another in the reverse order. The check boxes and option buttons in a dialog panel may be grouped together. On pressing <Tab>, you can only select the first button in a group. To select any other button within a group, use the <Up> and <Down> keys. In certain operation modes and configuration settings, certain controls may be grayed, i.e., they are disabled for the time being. Table below gives brief information on each type of controls. ═══════════════╦═════════════════════════════════════════════════ Control ║ Description ═══════════════╬═════════════════════════════════════════════════ Text field ║ You may enter new text or edit the already ║ existing text. ───────────────╫───────────────────────────────────────────────── Check box ║ Check boxes are delimited by a pair of square ║ brackets []. A check box may be enabled [X] or ║ disabled [ ]. To change the status of a check ║ box, either click the box, or select the box and ║ then press the spacebar. ───────────────╫───────────────────────────────────────────────── Option button ║ Option buttons are delimited by a pair of round ║ brackets (). Only one of the option buttons ║ within a group can be chosen at a time. A thick ║ circle within the round brackets means that the ║ option is selected. To enable an option button ║ within a group, click the button or move to the ║ desired button with arrow keys and press the ║ spacebar. ───────────────╫───────────────────────────────────────────────── Command button ║ To execute a command button, either click the ║ button or select the button and press <Enter>. ═══════════════╩═════════════════════════════════════════════════ Most of the dialog panels for configuring the settings of Dr. Web and displaying messages contain the command buttons OK, CANCEL, and HELP. The OK button will accept the settings specified in the panel, or start scanning and curing procedures, confirm the inquiry in the panel, etc. The CANCEL button will close the panel with executing any command. To close a panel without executing any command, you may also press <Esc> or click the down arrowhead [] at the top left corner of the panel. Click HELP to open the help window on the currently opened panel. The dialog panel for customizing the parameter settings and operation modes of Dr. Web contain a SAVE button for writing the modified settings to the initiation file (DRWEB.INI) so that Dr. Web is started automatically with the new configuration settings in subsequent sessions. The confirmation panel that ascertains the intention of the user for implementing an operation usually contains YES and NO buttons. Click YES to confirm the inquiry, and NO to close the panel without executing any command. 1.1 The DR. WEB menu contains three commands: DOS SHELL, ABOUT, and EXIT. Dr.Web Test Setup Update [F1] Help ┌──────────────┐█████████████████████████████████████████████████ │ Dos shell │══════════ Scanning progress ══════════════════╗█ │ About... │ ║█ │ Exit Alt-X │ ║█ └──────────────┘ Fig.2. Dr.Web menu The DOS SHELL command Choosing this command, you can temporarily exit from the current Dr. Web session for shelling to the DOS screen: ┌──────────────────────────────────────────────────┐ │ Type EXIT to return to Dr. Web... │ │ │ │ Microsoft(R) Windows 95 │ │ (C) Copyright Microsoft Corp 1981-1995. │ │ │ │ C:\DRWEB> │ └──────────────────────────────────────────────────┘ Fig.3. DOS screen You can use this command, for example, to copy and rename infected files, to create a backup copy of valuable files, etc. After you are done with your DOS session, type EXIT and press <Enter> to return the Dr. Web main menu window. NOTE. Never use this command to end a Dr. Web session, because the program resides in the memory and thus occupies some memory space. The ABOUT command Choosing this command, you can view the version number and relevant information about the designer of Dr. Web. If your version is two-month obsolete, this panel will remind you that your version is outdated and prompt you to update the program, because new viruses might have appeared since the release of your version. To remove these new viruses, you require the latest version or appropriate add-on virus database files. For details on appending add-on files to your program, refer to Section 1.4 The UPDATE item. When run in the heuristic analysis mode, even an outdated version of Dr. Web will effectively detect new viruses. The EXIT command Choosing this command, you end a Dr. Web session. You can also end a session, pressing the speedkey combination <Alt+X> or <Alt+F4>. 1.2 The TEST menu contains five commands: TEST MEMORY, SCAN, CURE, STATICTICS, and REPORT for searching and removing viruses, and viewing the statistics of the current session and the report of the current and previous scanning sessions. Dr.Web Test Setup Update [F1] Help ████████┌────────────────┐███████████████████████████████████████ ██╔═════│ Test memory │══ Scanning progress ═══════════════╗██ ██║ │ Scan F5 │ ║██ ██║ │ Cure Ctrl-F5 │ ║██ ██║ │ Statistics │ ║██ ██║ │ Report │ ║██ ██║ └────────────────┘ Fig.4. Test menu The TEST MEMORY command Choosing this command, you can test the memory for viruses at any time. If an unknown virus is detected in the memory, Dr.Web warns you as follows: Memory (F900:0350) may be infected by RESIDENT VIRUS! On detecting a known virus in the memory, Dr. Web prints its name on the screen: Memory (F900:0350) infected with Eddie.1800 - eradicated! In most cases, Dr. Web kills the known viruses in memory. In case there is a virus in the memory, start the computer from a bootable diskette containing the Dr. Web program, and clean the computer for viruses. Sometimes, Dr. Web may warn for virus in the memory, while retesting the memory after killing a virus. The SCAN command Choosing this command, you can test the machine for viruses. Or simply press the speedkey <F5> to start scanning for viruses. Immediately, the screen displays a SCAN PATH panel. ╔═[]════════════ Scan path ═════════════════╗ ║ ┌────────────────────────────────┬─┐ ║ ║ │* ││ ║ ║ └────────────────────────────────┴─┘ ║ ║ [X] including subdirectories ║ ║ ║ ║ Ok ▄ Cancel ▄ Help ▄ ║ ║ ▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ║ ╚════════════════════════════════════════════╝ Fig.5. Scan path panel In the text field containing an asterisk, type the full pathnames of the files you want to test. You can also use wildcard characters in file specifications, directory path, and drive name letter. Here are few examples of specifying the scan path: ═══════════════╦═════════════════════════════════════════════════ Scan path ║ Description ═══════════════╬═════════════════════════════════════════════════ * or *: ║ scan all logical drives in the hard disk ───────────────╫───────────────────────────────────────────────── C: ║ scan all files in drive C ───────────────╫───────────────────────────────────────────────── C:\DOS ║ scan all files in the directory C:\DOS C:\DOS\* ║ C:\DOS\*.* ║ ───────────────╫───────────────────────────────────────────────── C:\DOS\FILE.* ║ scan all files of the name FILE with any ║ extension in the directory C:\DOS ───────────────╫───────────────────────────────────────────────── C:\DOS\*.EXE ║ scan all files having the extension EXE in the ║ directory C:\DOS ═══════════════╩═════════════════════════════════════════════════ NOTE. If you use a wildcard character "*" in drive specification, only the logical drives in the hard disk of the machine will be scanned; virtual drives created by the DOS SUBST command, CD-ROM drives, and network drives will not be tested. You can also specify several files located in different directories, separating the entries by an intervening white space; for example, to scan all files in the drive A, the directories C:\DOS, C:\UTIL\PROG, and D:\WINDOWS, in the text field type A: C:\DOS C:\UTIL\PROG D:\WINDOWS By default, Dr. Web checks the files not only in directories, but also in subdirectories. If you do not want to scan the subdirectories, you can tell Dr. Web to skip the subdirectories by deselecting the INCLUDING SUBDIRECTORIES option box. If you click the down arrowhead [] at the top left corner of the SCAN PATH panel, or press the down arrow key while the cursor is located in the text field, a history panel is opened, showing the pathnames specified for scanning in previous sessions. You may select any pathname from this list with arrow keys. This is particularly useful if you regularly scan the same directories - there is no need to type the pathname every time, just select the appropriate pathname from the history panel. After typing the scan path, choose or click the OK button to start scanning. To close the box without executing the scan command, choose or click the CANCEL button. On choosing the OK button, the screen displays in the SCANNING PROGRESS window the names of files scanned, the name of the virus after the filename of infected files, the name of the achiever program after the filenames of packed files. ╔═══════════════════ Scanning progress ═══════════════════╗ ║ Searching for viruses and infected programs in drive A: ║ ║ BOOT SECTOR infected by Form ║ ║ A:\FORMAT.COM infected by Tiny.129 ║ ║ A:\VIRUS.COM infected by Fy.338 ║ ║ A:\SMARTDRV.EXE infected by Tchechen.1912 ║ ║ A:\FTW1.COM packed by PKLITE ║ ║ A:\C-639.COM infected by Hizhnak.639 ║ ║ A:\AINEXT.EXE infected by RDA.Fighter.7408 ║ ║ A:\COMMAND.COM infected by Ox.475 ║ ║ Scanning report for drive A: ║ ║ Scanned : files, programs, and sectors - 9 ║ ║ detected: viruses and infected programs - 7 ║ ║ Scanned time: 00:00:07 ║ ╚═════════════════════════════════════════════════════════╝ Fig.6. Report on detected viruses After the completion of scanning a drive, you get a scanning report: ╔═[]═════════════════════════════════════════════╗ ║ Scanning report for drive A: ║ ║ Scanned : files, programs and sectors - 25 ║ ║ Detected: viruses and infected programs - 7 ║ ║ including in archived files - 5 ║ ║ posible virus modifications - 1 ║ ║ files suspected for infection - 2 ║ ║ including archived files - 2 ║ ║ Scanned time: 00:00:21 ║ ║ Ok ▄ Help ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ║ ╚═════════════════════════════════════════════════╝ Fig.7. Scanning report panel This panel is displayed only if you have selected the REPORT FOR EACH DRIVE box in the DESKTOP panel of the DESKTOP command. If this box is deselected, the scanning report is appended at the bottom of the SCANNING PROGRESS window. In both cases, information about virus modifications, suspected files, and archived files are printed only if the corresponding counters are greater than 0. In the example above, Dr. Web detected the viruses Form, Tiny.129, Fy.338, Tchechen.1912, Hizhnak.639, RDA.Fighter.7408, and Ox.475. After the completion of the scanning mission, you can cure the infected files in the machine. The CURE command To remove the viruses detected by Dr. Web in a scanning session, choose this command or press its speedkey combination <Ctrl+F5>. The screen will then display a CURE PATH panel: ╔═[]════════════ Cure path ═════════════════╗ ║ ┌────────────────────────────────┬─┐ ║ ║ │* ││ ║ ║ └────────────────────────────────┴─┘ ║ ║ [X] including subdirectories ║ ║ ║ ║ Ok ▄ Cancel ▄ Help ▄ ║ ║ ▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ║ ╚════════════════════════════════════════════╝ Fig.8. Cure path panel Type the full pathname of the files to be cured and then choose OK. The conventions for typing the specifications in this text field are the same as those described for the text field in the SCAN PATH panel of the SCAN command. Prior to curing infected files, it is good idea to copy them on a separate diskette. Change the extension of copied infected files so that you may not accidentally run any infected program from the diskette. For example, if MSD.EXE is infected, rename it as MSD.EX or MSD.VIR. Infected files may be needed in subsequent virus analysis. The CURE command initiates Dr. Web to handle infected files differently (for curing, deleting, or renaming files) depending on your choice in the INFECTED FILES field of the OPTIONS panel. In the course of handling files their names are printed in an on-screen panel as follows: ╔══════════════════ Scanning progress ════════════════════╗ ║ Searching for viruses and infected programs in drive A: ║ ║ BOOT SECTOR infected by Form - cured! ║ ║ A:\FORMAT.COM infected by Tiny.129 - cured! ║ ║ A:\FORMAT.COM packed by PKLITE ║ ║ A:\VIRUS.COM infected by Fy.338 - cured! ║ ║ A:\SMARTDRV.EXE infected by Tchechen.1912 - cured! ║ ║ A:\FTW1.COM packed by PKLITE ║ ║ A:\C-639.COM infected by Hizhnak.639 - cured! ║ ║ A:\AINEXT.EXE infected by RDA.Fighter.7408 - cured! ║ ║ A:\COMMAND.COM infected by Ox.475 - cured! ║ ║ Scanning report for drive A: ║ ║ Scanned : files, programs and sectors - 9 ║ ║ Detected: viruses and infected programs - 7 ║ ║ Cured: files and boot sectors - 7 ║ ║ Scanned time: 00:00:15 ║ ╚═════════════════════════════════════════════════════════╝ Fig.9. List of restored files While curing a disk for boot viruses which Dr. Web detected in a scanning mission, you may get a warning message: ╔══[]════════════════════════════════════════════════╗ ║ Boot sector may not be cured properly! ║ ║ Continue curing? ║ ║ ║ ║ Ok ▄ Cancel ▄ Help ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ║ ╚═════════════════════════════════════════════════════╝ Fig.10. Incorrect restoration message You get this warning when Dr. Web does not find the original master boot record or the boot sector in the area where the virus ought to have hidden them. This happens if the virus is a plagiarism of some well-known virus and saves the actual boot sectors in an area different from where its original virus saves, or if the computer is infected with several boot viruses such that one virus is superimposed on another. In such cases the "head" of the second virus is found in the sector where the first virus ought to have saved the master boot record. Dr. Web does not immediately analyze the hidden boot sector for other viruses in it; therefore, this message is displayed whenever the boot sector that Dr. Web found does not agree with the original boot sector. If you press <Enter> to continue curing, Dr. Web kills the viruses known to it one by one. When the disk is infected with several boot viruses, the boot sector may be lost if different viruses hide the boot sector in the same sector or if several resident viruses infect the boot sectors repeatedly. In such cases, the machine, as a rule but not necessarily, hangs up on booting from the infected drive. Dr. Web conducts 10 cycles to cure the viruses one after another. Therefore it is advisable to stop curing in such cases and restore the system areas by MS DOS tools. To restore the system areas, boot the machine from a clean bootable system diskette and use the command SYS C: or the command FDISK /MBR. IMPORTANT! While restoring the boot sectors by MS DOS tools, some data on the hard disk may be lost; particularly if the virus has encoded a part of the disk sectors. Therefore, call computer analyst for help. The STATISTICS command Upon the completion of a scanning mission, you can view the statistics of the current mission results by choosing the STATISTICS command, which displays an on-screen statistics panel similar to the panel shown in Fig.7 with a separate report for each drive scanned. ╔═[]══════════════════════════════════════════════╗ ║ Scanning report for drive C: ║ Scanned : files, programs and sectors - 120 ░ ║ Detected: viruses and infected programs - 0 ░ ║ Scanned time: 00:01:07 ░ ║ ░ ║ Scanning report for drive D: ░ ║ Scanned : files, programs and sectors - 51 ░ ║ Detected: viruses and infected programs - 1 ░ ║ Scanned time: 00:00:23 ╚══════════════════════════════════════════════════╝ Fig.11. Statictics panel The REPORT command If you want to save the results of scanning missions, you must tell Dr. Web to create a scanning report file. For this, see the OPTIONS and PATHS commands of the SETUP menu. At the end of every scanning session, Dr. Web appends the results of the current session in the report file containing the results of previous scanning sessions. This file can be opened for viewing by choosing the REPORT command from the TEST menu. The report panel looks somewhat as follows: ╔═[]════════════════════════════════════════════════════╗ ║ Dr. Web, version 3.21 (1997 Apr 29), ║ Copyright (c) by Igor Daniloff, 1992-97 ░ ║ Scanning Report dated 1997 May 30 22:58:44 ░ ║ Command line: ░ ║ ──────────────────────────────────────── ░ ║ No viruses found in memory ░ ║ Add-on file WEB70529.321: ░ ║ Add-on file appended to program virus base. ░ ║ Added new virus descriptions - 50 ░ ║ Searching for viruses and infected programs in disk C: ░ ║ Scanning report for drive C: ░ ║ Scanned : files, programs and sectors - 120 ░ ║ Detected: viruses and infected programs - 0 ░ ║ Scanned time: 00:01:07 ╚════════════════════════════════════════════════════════╝ Fig.12. Scanning report file It is a simple text file and can be opened and edited, using any ASCII text editor. By default, scanning results are saved in a REPORT.WEB file which is created in the directory where drweb.exe is installed. It can be given any name and extension, and located anywhere you like (see The SETUP menu). 1.3 The SETUP menu Using the commands in the SETUP menu, you can customize the operation of Dr. Web to suit your preferences. On choosing this item, its menu has three commands: DESKTOP, OPTIONS, and PATHS. Dr.Web Test Setup Update [F1] Help ██████████████┌───────────────┐█████████████████████████████████ ██╔═══════════│ Desktop... │═ Scanning progress ═══════════╗█ ██║ │ Options... F9 │ ║█ ██║ │ Paths... │ ║█ ██║ └───────────────┘ Fig.13. Setup menu The DESKTOP command To customize the way in which Dr. Web screen is displayed, choose the DESKTOP command to open the DESKTOP dialog panel: ╔═[]════════════════════ Desktop ═══════════════════╗ ║ ┌ Screen mode ─────────────────┐ ┌ Language ─────┐ ║ ║ │ [X] Expanding windows │ │ ( ) Russian │ ║ ║ │ [X] Mouse support │ │ () English │ ║ ║ │ [ ] Load screen font │ └───────────────┘ ║ ║ │ [X] Beep │ ┌ Color scheme ─┐ ║ ║ │ [ ] Autosave setup │ │ () Color 1 │ ║ ║ └──────────────────────────────┘ │ ( ) Color 2 │ ║ ║ ┌ Additional preferences ──────┐ │ ( ) Color 3 │ ║ ║ │ [ ] "Snow" prevention │ │ ( ) Color 4 │ ║ ║ │ [ ] Screen output via BIOS │ │ ( ) Mono 1 │ ║ ║ │ [ ] Print "Ok" after filename│ │ ( ) Mono 2 │ ║ ║ │ [X] Print packer name │ └───────────────┘ ║ ║ │ [ ] Report for each drive │ ┌ Screen height ┐ ║ ║ │ [ ] Test one floppy only │ │ () 25 lines │ ║ ║ └──────────────────────────────┘ │ ( ) 30 lines │ ║ ║ Ok ▄ Save ▄ │ ( ) 45 lines │ ║ ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ └───────────────┘ ║ ║ Cancel ▄ Help ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║ ╚════════════════════════════════════════════════════╝ Fig.14. Desktop dialog panel This panel has five groups of fields SCREEN MODE, ADDITIONAL PREFERENCES, LANGUAGE, COLOR SCHEME, and SCREEN HEIGHT (each containing a few check boxes or option buttons), and four command buttons OK, SAVE, CANCEL, and HELP. After setting your choices for the check boxes and option buttons, choose the SAVE button to write your preferences in the DRWEB.INI file so that Dr. Web may start the subsequent sessions with your operation preferences. If the AUTOSAVE SETUP box is checked, there is no need to save your settings; Dr. Web will automatically save them on choosing the OK button. The SAVE command button is also present in the other dialog panels of the SETUP menu. After setting the preferences for the fields in this panel, either choose the OK button to bring the new settings into effect or the CANCEL button to cancel them in case you change your decision. The purpose of each field in this panel is described below. * The SCREEN MODE field contains the following check boxes. ═════════════════╦════════════════════════════════════════════════ EXPANDING WINDOWS║ If this check box is selected, the superimposed ║ pop-up panels in the course of a session will ║ expand smoothly and gradually. To speed up the ║ operation of the program, deselect this box. ─────────────────╫──────────────────────────────────────────────── MOUSE SUPPORT ║ If this check box is selected, you can use ║ your mouse in scanning sessions to choose the ║ menu items, to select check and option boxes, ║ choose command buttons, etc. If Dr. Web ║ conflicts with the nonconventional mouse driver ║ in your system, deselect this box. ─────────────────╫──────────────────────────────────────────────── LOAD SCREEN FONT ║ If this box is selected, Dr. Web loads its own ║ screen fonts for displaying text information ║ Use this option, if your Dr. Web is a ║ customized version with no support of national ║ characters for your monitor. ─────────────────╫──────────────────────────────────────────────── BEEP ║ If this check box is selected, Dr. Web will ║ beep on detecting a virus. ─────────────────╫──────────────────────────────────────────────── AUTOSAVE SETUP ║ If this check box is selected, the settings you ║ specify in option panels will be saved ║ automatically in the Dr. Web initiation file on ║ closing the panel without the need for choosing ║ the SAVE button in the panel. ═════════════════╩════════════════════════════════════════════════ * The ADDITIONAL PREFERENCES field contains the following check boxes. ═════════════════╦════════════════════════════════════════════════ SNOW PREVENTION ║ This check box is to be selected only if output ║ to the screen is done via BIOS (see the next ║ item). Select this box if snow appears on a CGA ║ monitor. ─────────────────╫──────────────────────────────────────────────── SCREEN OUTPUT VIA║ Dr. Web prints messages on the screen directly BIOS ║ via BIOS. If this box is deselected, Dr. Web ║ will dump messages to videomemory and this ║ speeds up the operation. If your videoadapter ║ is not compatible with CGA, EGA, or VGA ║ adapters, check this box. ─────────────────╫──────────────────────────────────────────────── PRINT "OK" AFTER ║ In a scanning mission, if Dr. Web finds that a FILENAME ║ file is not infected, it prints the letters ║ "Ok" after the name of this file in the ║ scanning progress window. If you do not wish ║ to clutter the screen with superfluous messages, ║ deselect this box. ─────────────────╫──────────────────────────────────────────────── PRINT PACKER NAME║ If you have selected the CHECK PACKED, CHECK ║ ARCHIVES, or CHECK E-MAIL boxes in the FILES ║ field (see command options /UP, /AR ¿ /ML) in ║ the panel displayed on choosing the OPTIONS ║ command from the SETUP menu, Dr.Web will print ║ the name of the packer, achiever, or the ║ encoder in the scanning progress window. ║ Deselect this box to keep the screen ║ uncluttered. You may also suppress the printing ║ of the names of these programs individually ║ with the command options /UPN, /ARN, /MLN, ║ respectively. ─────────────────╫──────────────────────────────────────────────── REPORT FOR EACH ║ If this check box is selected, Dr. Web will DRIVE ║ create a report separately for each drive ║ scanned. ─────────────────╫──────────────────────────────────────────────── TEST ONE FLOPPY ║ If this check box is selected, Dr. Web will ONLY ║ check only one floppy diskette and will not ║ promt you to insert another diskette for ║ checking. Deselect this box whenever you want ║ to scan several floppy diskettes in a session. ═════════════════╩════════════════════════════════════════════════ * The LANGUAGE field is present in the DESKTOP panel only in bilingual customized versions of Dr. Web. In this case, this field contains two option buttons for specifying your choice between the alternative languages. This field is not present in single-language versions. * The COLOR SCHEME field contains six option buttons for choosing a color scheme for displaying information on the screen: ═════════╦═══════════════════════════════════════════════════════ Color 1 ║ The default color scheme of Dr. Web program. ─────────╫─────────────────────────────────────────────────────── Color 2 ║ This scheme is drawn from TurboVision program. ─────────╫─────────────────────────────────────────────────────── Color 3 ║ This scheme is drawn from Norton Utilities. ─────────╫─────────────────────────────────────────────────────── Color 4 ║ This scheme is drawn from ADinf program. ─────────╫─────────────────────────────────────────────────────── Mono 1, ║ Both these schemes display the message in white Mono 2 ║ against black background. Choose the scheme best ║ suited for your monitor. ═════════╩═══════════════════════════════════════════════════════ * The SCREEN HEIGHT field contains three option buttons to adjust the full vertical size of screen to a height of 25, 30, or 45 lines. Choose a button to suit your convenience. The OPTIONS command On choosing this command from the drop-down menu of the SETUP item of the main menu, you get a panel containing a few choices for customizing the operation modes of Dr. Web program. You may also press <F9> to pop up this panel directly. ╔═[]═══════════════════ Options ════════════════════╗ ║ ┌ Main settings ─────────┐ ┌ Files ─────────────┐ ║ ║ │ [X] Memory test │ │ [X] Check packed │ ║ ║ │ [X] Boot sector test │ │ [X] Check archives │ ║ ║ │ [X] Heuristic analysis │ │ [ ] Check E-mail │ ║ ║ │ [X] Check TSR viruses │ │ [ ] Delete damaged │ ║ ║ └────────────────────────┘ │ [ ] Prompt for cure│ ║ ║ ┌ Heuristic level ───────┐ └────────────────────┘ ║ ║ │ () Minimal │ ┌ Memory range ──────┐ ║ ║ │ ( ) "Paranoid" │ │ ( ) 640 Kb │ ║ ║ └────────────────────────┘ │ () 1088 Kb │ ║ ║ ┌ Infected files ────────┐ └────────────────────┘ ║ ║ │ () Cure │ ┌ Report file ───────┐ ║ ║ │ ( ) Delete │ │ ( ) Don't create │ ║ ║ │ ( ) Rename │ │ ( ) Overwrite │ ║ ║ └────────────────────────┘ │ () Append │ ║ ║ └────────────────────┘ ║ ║ Ok ▄ Save ▄ Cancel ▄ Help ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║ ╚════════════════════════════════════════════════════╝ Fig.15. Operation options dialog panel This panel contains six fields MAIN SETTINGS, HEURISTIC LEVEL, INFECTED FILES, FILES, MEMORY RANGE, and REPORT FILE for setting the way in which you wish Dr. Web to scan your machine and four command buttons: OK, SAVE, CANCEL, and HELP. * The MAIN SETTINGS field The check boxes in this field define the areas that are to be scanned in every session. Check all boxes in this field for greater reliability of virus protection. The MEMORY TEST box If this box is selected, the memory in your computer will be scanned for active viruses on starting the program. By default, Dr. Web restricts the memory test to the conventional memory, i.e., the first 640 Kb. In a computer with more than 640Kb memory, you can additionally tell Dr. Web to scan the high memory area and upper memory blocks. If the 1088 Kb option button under the MEMORY RANGE field is selected, all memory range accessible in real operation will be tested, i.e., the first 1088 Kb that include the high memory area and upper memory blocks. If you have extended memory in the computer for loading resident programs and operation system modules, select the 1088 Kb option button in the MEMORY RANGE field. The BOOT SECTOR TEST box tells Dr. Web to scan the master boot record of the hard disk and the boot sectors of drives and diskettes. If this box is deselected, Dr. Web will detect the boot viruses in the boot sectors of diskettes and hard disks. The HEURISTIC ANALYSIS box A powerful tool incorporated in Dr. Web is the heuristic analysis of files and boot sectors. If this box is selected, Dr. Web will detect new and hithertounknown viruses. In this mode, Dr. Web analyzes the code of all suspicious programs and determines whether their codes are capable of executing functions characteristic of viruses. On detecting a suspicious program, Dr. Web warns that the program is possibly infected with some unknown virus (COM.Virus, EXE.Virus, COM.EXE.Virus, COM.TSR.Virus, EXE.TSR.Virus, COM.EXE.TSR.Virus, MACRO.Virus, or BOOT.Virus). The terms used to describe unknown viruses have the following meaning: ═══════╦═════════════════════════════════════════════ Term ║ Meaning ═══════╬═════════════════════════════════════════════ COM ║ The virus infects COM files. EXE ║ The virus infects EXE files. TSR ║ The virus is memory resident. MACRO ║ The virus infects WinWord documents. BOOT ║ The virus infects boot sectors of disks. CRYPT ║ The virus code is encrypted or polymorphic. ═══════╩═════════════════════════════════════════════ Use also the HEURISTIC LEVEL field to specify the analysis level. This fieldhas two option buttons MINIMAL, "PARANOID". When no level is specified, Doctor Web defaults to the minimal level. In a test conducted with 10,000 different viruses, Dr. Web showed unknown virus detection efficiency of 87% under the minimal level, and 89-91% under the maximal level. The following is a list of a few examples of the warning messages which Dr. Web displays in the scanning progress window on detecting suspicious files while running under heuristic analysis mode: D:\GAMES\DOOM\NCA.EXE possibly infected with EXE.CRYPT.Virus D:\GAMES\ENGL\README.EXE possibly infected with EXE.TSR.Virus D:\GAMES\ENGL\LM.EXE possibly infected with COM.EXE.TSR.CRYPT.Virus C:\WORDS\NORMAL.DOT possibly infected with MACRO.Virus In the "paranoid" mode, Dr. Web additionally checks the suspicious settings of file date stamps. Certain viruses set unreal values to file creation time and date as an infection label or flag; for example, seconds in file creation time may be set to 62 or the year to 2000! On detecting a file with a strange date stamp, Dr. Web prints a warning in the scanning progress window as follows: D:\DOD.COM strange date stamp 2031 ??? 31 25:60:00 In the heuristic analysis mode, Dr. Web may generate FALSE ALARMS! The higher the analysis level, the greater the possibility of false alarms. Such a possibility is particularly great in "paranoid" analysis level. As a rule, false alarms are generated in testing a program under heuristic analysis mode, if the program uses file open and file write operations, particularly if the program is TSR. IMPORTANT! Always test the program you get hold of for the first time under heuristic mode to avoid infection of your machine. Handle the programs with special care which Dr. Web suspects as "possibly" infected. Dr. Web takes longer time to scan a machine under heuristic analysis mode. The CHECK TSR VIRUSES box Many resident viruses infect a file when it is opened for reading or writing. This is helpful in detecting an active virus, because the file size increases after opening (if there is a virus in it). If the CHECK TSR VIRUS box is selected, Dr. Web will check the changes in the size (if any) of files at the time of executing the seek and open commands. File size check also reveals active stealth viruses which hide their presence in the files they have infected. Once activated, a stealth virus stays resident in the memory and manipulates the size find operations. If any program calls for the size of an infected file, the stealth virus residing in the file returns the clean file size in order to conceal the increased size. If the CHECK TSR VIRUSES box is selected, on detecting a virus Dr. Web may warn: ╔══[]════════════════════════════════════════════════╗ ║ ║ ║ C:\DOS\COMMAND.COM ║ ║ WARNING! On opening this file, its size ║ ║ changed by +800 bytes! Memory may contain ║ ║ an ACTIVE RESIDENT VIRUS! ║ ║ Continue scanning? ║ ║ ║ ║ Ok ▄ Cancel ▄ Help ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ║ ╚═════════════════════════════════════════════════════╝ Fig.16. Warning message for an active resident virus to alert you that the file had one size before opening for reading and a different size after opening. Possibly, some unknown resident virus, which infected the file, might have been residing in the memory at the time of opening this file by the DOS open command. In this case, the file size increases. The file size may also decrease if the memory contains a "stealth" virus, which tries to hide its presence in the file being scanned. In either case, it is a good idea to stop Dr. Web, reboot your computer from a clean write-protected bootable diskette containing the Dr. Web program and scan the suspected files with Dr. Web once again. * The HEURISTIC LEVEL field See the HEURISTIC ANALYSIS in the MAIN SETTING field. * The INFECTED FILES field contains three option buttons CURE, DELETE, and RENAME, of which only one can be active at a time. The first two option buttons CURE and DELETE are self-explanatory and need no further comments. If you select the third button, RENAME, then the infected files will be renamed: the filename will be same as the original filename, but the letter V will be substituted for the first letter in the extension; for example, the filename extensions COM and EXE will be changed as VOM and VXE, respectively. Prior to handling an infected file, Dr. Web will ascertain your permission if you have selected the PROMPT FOR CURE box in the FILES field: ╔══[]══════════════ B:\FORMAT.COM ═══════════════════╗ ║ ║ ║ This file is infected with Tiny.129 ║ ║ Rename it? ║ ║ ║ ║ Yes ▄ No ▄ Help ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║ ╚═════════════════════════════════════════════════════╝ Fig.17. Inquiry for renaming a file * The FILES field contains check boxes with which you can opt for checking packed files, delete damaged files, and tell Dr. Web to ascertain your intention prior to handling an infected file. The CHECK PACKED box If this box is selected, Dr. Web will test the files that are packed with DIET, LZEXE, PKLITE, EXEPACK, COMPACK, OPTLINK compression utilities, the files converted with COMTOEXE, PROTECT, CRYPTCOM, TYNYPROG, as well as the files immunized with CPAV, F-XLOCK vaccines. The packed files are temporarily exploded in some drive and then scanned for viruses. You can specify any drive for creating these temporary files under the text box of the TEMP DRIVE field in the PATHS panel displayed on choosing the PATHS command from the SETUP menu. NOTE. It is a good idea to specify the fastest drive in your computer as the TEMP drive for temporarily exploding packed files. Furthermore, there must always be enough space in the drive for temporarily exploding the packed files. The name of used utility is printed in the scanning progress window as well as in the report if the PRINT PACKER NAME box is checked in the panel displayed on choosing the OPTIONS command from the SETUP menu. The CHECK ARCHIVES box To save space on hard and floppy disks, users often make use of archive programs. If an infected program is contained in an archive file, most of the anti-virus utilities cannot check such a program. Dr. Web can check any file included in an archived file. For this, select the CHECK ARCHIVES box. Dr. Web easily tests the archive files created with ARJ, PKZIP, LHA, RAR, ZOO, ICE, and HA. The name of achiever program is printed in the scanning progress window as well as in the report if the PRINT PACKER NAME box is checked in the panel displayed on choosing the OPTIONS command from the SETUP menu. The CHECK E-MAIL box When this box is selected, Doctor Web will search for and scan e-mail files encoded by UUENCODE and MIME utilities. In this mode, Doctor Web will search for files in UUE and MIME format inside every file being scanned and scan the encoded files to the maximum extent. This is a slow process and it is a good idea to use this mode only for checking your e-mail. The name of encoding program is printed in the scanning progress window as well as in the report if the PRINT PACKER NAME box is checked in the panel displayed on choosing the OPTIONS command from the SETUP menu. The DELETE DAMAGED box In certain cases, packed files that are infected and damaged by viruses may not yield to full restoration. If the DELETE DAMAGED box in the FILES field is selected, Dr. Web will automatically delete such files. The PROMPT FOR CURE box If you wish that Dr. Web should ascertain your intention prior to handling infected files (for curing, deleting, or renaming), select the PROMPT FOR CURE box in the FILES field of the OPTIONS panel. Otherwise, infected files will be handled automatically without ascertaining your permission. ╔═[]═══════════════ B:\FORMAT.COM ═══════════════════╗ ║ ║ ║ This file is infected with Tiny.129 ║ ║ Remove the virus from the file? ║ ║ ║ ║ Yes ▄ No ▄ Help ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║ ╚═════════════════════════════════════════════════════╝ Fig.18. Inquiry for removing a virus * The MEMORY RANGE field See the MEMORY TEST box in the MAIN SETTINGS field. * The REPORT FILE field contains three option buttons DON'T CREATE, OVERWRITE, and APPEND. If you select the DON'T CREATE button, no report file is created at the end of scanning and curing sessions. If you select the OVERWRITE button, at the end of a session the results of the current session will be overwritten on the contents of the report file; so the report file will always contain the results of the last scanning session. If you select the APPEND button, the report of the current scanning session is appended at the end of the report file; so the report file contains the results of all previous scanning sessions since you last cleared up the report file. You can open the report file for viewing by choosing the REPORT command from the TEST menu and edit it with any text editor. By default, the report file is named REPORT.WEB and is created in the directory where Dr. Web is installed. However, you can specify a different name and location (see the REPORT FILE NAME field under the PATHS command). The PATHS command On choosing this command, you get a panel containing text fields for specifying certain pathnames and option buttons for choosing the type of files to be tested: ╔═[]═══════════════════ Paths ═══════════════════════╗ ║ ┌ Add-on search pattern ┐ ┌ Report file name ─────┐ ║ ║ │ WEB?????.3?? │ │ REPORT.WEB │ ║ ║ └───────────────────────┘ └───────────────────────┘ ║ ║ ┌ File type ────────────┐ ║ ║ ┌ Add-on pathname ──────┐ │ ( ) All files │ ║ ║ │ │ │ () Programs │ ║ ║ └───────────────────────┘ │ ( ) User defined │ ║ ║ │ └ *.EXE *.COM *.SYS │ ║ ║ ┌ Temp drive ┐ └───────────────────────┘ ║ ║ │ C: │ Ok ▄ Cancel ▄ ║ ║ └────────────┘ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ║ ║ Save ▄ Help ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ║ ╚═════════════════════════════════════════════════════╝ Fig.19. Paths dialog panel * The ADD-ON SEARCH PATTERN field In the text box of this field, type the names of add-on files that are to be appended to your main virus database. You can use wildcard characters in typing the filename. * The ADD-ON PATHNAME field In the text box of this field, type the path of the directory where add-on files exist. All add-on files matching the specifications typed in add-on search pattern and add-on pathname fields that are compatible with the version of Dr. Web will be automatically appended to the main virus database on choosing the OK command button. You can also append add-on files to the main virus database with the help of the UPDATE item in the main menu. * The TEMP DRIVE field In the text box of this field, type the name letter of the drive where you want Dr. Web to create temporary files. This drive must not be READ ONLY drive. Dr. Web temporarily explodes packed files prior to checking them for viruses. There must be sufficient disk space (500 Kb to 1 Mb) in the drive specified under this field. If there is not sufficient free space in the drive, Dr. Web displays an error message: ╔═[]══════════════ C:\DOS\ATTRIB.EXE ════════════════╗ ║ ║ ║ No space on disk to decompress the file! ║ ║ Continue scanning? ║ ║ ║ ║ Yes ▄ No ▄ Help ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║ ╚═════════════════════════════════════════════════════╝ Fig.20. Insufficient free space warning message If you choose YES, Dr. Web will resume its mission, but skip the packed file from scanning. Therefore, choosing NO, abort the scanning mission, create sufficient free space on the disk, and then start Dr. Web once again. In order to speed up the operation, specify the fastest drive in your system as the temporary drive. It is a good idea to specify RAM disk (if any) as the temporary drive. DOS ramdrive.sys can be conveniently used to create a virtual disk. * The REPORT FILE NAME field In the text box of this field, type the full pathname of the report file where you wish to save the results of scanning missions. By default, it is named report.web and created in the same directory where Dr. Web is installed. Typing a different full pathname, you can change the filename, its extension, the directory, and the drive where it is to be created. * The FILE TYPE field gives three option buttons for specifying the type of files to be tested in scanning. The ALL FILES button tells Dr. Web to scan all files regardless of the file name and extension. The PROGRAMS button tells Dr. Web to scan executable files only, i.e., files of extension COM, EXE, SYS, BAT, DRV, BIN, DLL, BOO, OV?, PRG, VXD, 386, DOC, and DOT. The USER DEFINED button tells Dr. Web to scan only the files specified by the user in the text field under this option box. Press <Tab> to go to the text field, and then type the file specifications, separating the entries by an intervening white space. You can use wildcard characters, "*" and "?", in file specifications. In scanning and curing sessions, Dr. Web always scans files of the type specified in this FILE TYPE field, unless you type a different specification in the SCAN PATH panel displayed on choosing the SCAN command from the TEST menu at the start of a session, i.e., only for the current session the file specifications in the SCAN PATH panel override the file specifications under the FILE TYPE field. 1.4 The UPDATE item in the main menu has no submenu, because it is a command. Its purpose is to upgrade your Dr. Web with the appearance of new viruses. For Dr. Web to cope with the new virus specimens, its database must be upgraded constantly by appending add-on files containing data about the new viruses. Add-on files are released almost once in a week. Registered users can obtain them free of cost from our official dealers. If a virus unknown to DR. WEB has invaded your machine Please, immediately send (for example, by e-mail) a copy of the virus or infected file to DialogueScience, Inc., Moscow, or to the designer of Dr. Web. If you are a registered user, within 48 hours you will receive an add-on file (an external appendix to the main database) to detect and remove the new virus from files and system areas (master boot record, boot sector) of the computer. The add-on files are named as WEBymmdd.vvv, where y denotes the last figure in the current year, mm the number of the month, dd the day of the date of release of an add-on file, vvv the version number (v.vv) of the Dr. Web for which the add-on is designed. For example, web70408.320 means that the add-on file is released on April 08, 1997 for Dr. Web version 3.20. Prior to copying the add-on files to the computer, check that they are compatible with your Dr. Web version. For this, open the add-on file through any text editor: its beginning reads somewhat as follows: New Virus Base Add-on for Anti-Virus Dr. Web version 3.05+, where 3.05+ means that this add-on is designed for Dr. Web version 3.05 and higher. Then, copy it to the directory where drweb.exe is installed. The add-on files can be appended to the main virus database in two different ways. By the first method, the add-on files are automatically appended in a scanning session. For this, open the SETUP menu, choose the PATHS command, and type an appropriate text string in the ADD-ON SEARCH PATTERN and ADD-ON PATH fields. IMPORTANT! The add-on files for Dr. Web version 3.xx are released with the name WEB?????.3??. You can type this text string in the ADD-ON SEARCH PATTERN field. If you have copied the add-on files to the directory where Dr. Web is installed, you may leave the ADD-ON PATH field unfilled. By the second method, you can manually append add-on files located in different directories. For this, choose the UPDATE command from the main menu to pull down its dialog panel: ╔═[]════════ Add-on files ════════════╗ ║ ║ ║ ┌─────────────────────────────┐ ║ ║ │ WEB?????.3?? │ ║ ║ └─────────────────────────────┘ ║ ║ ║ ║ Search ▄ Cancel ▄ Help ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║ ╚══════════════════════════════════════╝ Fig.21. Add-on dialog panel In the text field, type the full pathname or a search pattern for finding and appending the add-on files. Then choose the SEARCH button. If the add-on files are successfully appended, the screen displays a message showing the number of add-on files appended to the database. After purchasing a new upgraded version of Dr. Web capable of independently detecting and removing new viruses without the aid of add-on files, delete all old versions of add-on files as they are no longer needed for the upgraded Dr. Web program. 1.5 The HELP menu Dr. Web's help system is context-sensitive and provides on-line assistance to the user in the current topic on pressing the <F1> key. Alternatively, you may click the [F1] Help box. Using <PgUp> and <PgDn> keys, you can browse through the help window. Press <Esc> to close the help window. 1.6 Speedkeys To speed up the work with the keyboard, you can use the following combinations of keys to implement the commands listed below. ══════════════════╦══════════════════════════════════════════════ Key combination ║ Command executed ══════════════════╬══════════════════════════════════════════════ <Alt+X>,<Alt+F4> ║ Quit Dr. Web. ──────────────────╫────────────────────────────────────────────── <F1> ║ Call on-line help. ──────────────────╫────────────────────────────────────────────── <F5> ║ Scan (files, boot sectors, etc.) for ║ infection. ──────────────────╫────────────────────────────────────────────── <Ctrl+F5> ║ Search for and remove viruses. ──────────────────╫────────────────────────────────────────────── <F9> ║ Display OPTIONS panel for specifying Dr. Web ║ operation settings. ──────────────────╫────────────────────────────────────────────── <F10>,<Spacebar> ║ Initiate the main menu. Thereafter, use right ║ and left arrow keys to move through the menu ║ bar. ──────────────────╫────────────────────────────────────────────── <Tab>,<Shift+Tab>║ Move from one field to another in dialog ║ panels. ──────────────────╫────────────────────────────────────────────── <Esc> ║ Abort scanning mission. Close dialog panels ║ and message panels currently displayed on the ║ screen. This key is inoperate if you ║ specified /NS option in Dr. Web command line. ══════════════════╩══════════════════════════════════════════════ 2. RUNNING DR. WEB FROM ITS COMMAND LINE This section explains how to run Dr. Web with its command line and command options. The syntax of Dr. Web's command line is drweb [<drive>:[<path>]] [<option>] . . . [<option>] The command name and the command options must be separated by an intervening white space. Items shown within square brackets are optional. To include option parameters in the command line, only type the information inside the brackets. Do not type the square brackets. The first parameter, <drive>, is the name letter of the drive to be scanned, for example, f: or a:. If you wish to test all logical drives in the hard disk(s) of your system, type the global character "*" in place of the drive name letter. To test the current directory, just type a stop character "." after the command name drweb. To test the files in separate directories, include the <path> to the directories in the command line. Alternatively, you can also type the <path> parameter, using global characters in filenames and extensions. Other parameters define the operation modes of Dr. Web. Many operation modes can also be saved in the initiation file (DRWEB.INI). The settings written in the initiation file can be modified at any time with the SETUP menu. The parameters specified in the command line override the settings saved in the initiation file. The current settings can be modified in any subsequent session by starting Dr. Web in inactive mode. The settings modified in a session can be used for the current session only or written to the initiation file manually with the SAVE button (available in many dialog panels) or with the /SS option, or automatically if the AUTOSAVE SETUP is enabled in the DESKTOP panel (or the /SV option is specified in the command line). The current settings in the initiation file (DRWEB.INI) are used for starting Dr. Web. Initially, the initiation file contains certain default settings. Most of the operation modes can be disabled by including their negative command option in the command line even if they are specified in the initiation file. For example, the default setting for scanning of subdirectories specified in the initiation file can be disabled for the current session by including the /SD- option in the command line. A new command option specification can be written to the initiation file by the /SS command option (save to the initiation file). The /NI command option disregards all settings in the initiation file for starting the current session. Below is a list of command options. The symbols in the Status column have the following meaning: ═══╦═════════════════════════════════════════════════════════════ i ║ The parameter value can be saved in the DRWEB.INI file. ───╫───────────────────────────────────────────────────────────── - ║ The option can be disabled for the current session by ║ including its negative form in the command line. ───╫───────────────────────────────────────────────────────────── x ║ The mode is enabled in the initiation file as a default ║ setting. ═══╩═════════════════════════════════════════════════════════════ 2.1 List of command options and their purpose ════════════╦══════╦═════════════════════════════════════════════ Option ║Status║ Description ════════════╬══════╬═════════════════════════════════════════════ /&<file> ║ ║ use the initiation file named <file>. ────────────╫──────╫───────────────────────────────────────────── /? ║ ║ display help information. ────────────╫──────╫───────────────────────────────────────────── /@[+]<file>║ ║ The integrity checker ADinf generates a list ║ ║ of files that are to be scanned by scanners. ║ ║ Dr. Web will check only the files specified ║ ║ in this list without scanning other files in ║ ║ the machines. Such an information exchange ║ ║ mode greatly speeds up a scanning session. ║ ║ To tell that Dr. Web should check only the ║ ║ files in this information-exchange list, ║ ║ include the /@ option immediately followed ║ ║ by the name of this information-exchange ║ ║ file. By default, Dr. Web checks only those ║ ║ files in this list with filename extensions ║ ║ that are listed in the /AL option ║ ║ description. In order to check all files in ║ ║ the information-exchange list, additionally ║ ║ include the /AL option. ║ ║ After completion of scanning, the ║ ║ information-exchange file will be deleted. ║ ║ But if the plus sign is included, the ║ ║ information-exchange file will not be ║ ║ deleted. ║ ║ For full information on the use of the /@ ║ ║ option, refer to the ADinf User's Guide. ────────────╫──────╫───────────────────────────────────────────── /25 ║ i x ║ adjust the screen vertical size to 25 lines. ────────────╫──────╫───────────────────────────────────────────── /30 ║ i ║ the same for 30 lines. ────────────╫──────╫───────────────────────────────────────────── /45 ║ i ║ the same for 45 lines. ────────────╫──────╫───────────────────────────────────────────── /AL ║ i- ║ scan all files in a given drive (not only ║ ║ files of extension COM, EXE, SYS, BAT, DRV, ║ ║ BIN, DLL, BOO, OV?, PRG, VXD, 386, DOC, or ║ ║ DOT, but also files of all other extensions). ────────────╫──────╫───────────────────────────────────────────── /AR[N][W][T]║ i-x ║ scan all files inside the archives created ║ ║ with ARJ, PKZIP, LHA, RAR, ZOO, ICE, and HA ║ ║ compression utilities. N - don't print the ║ ║ name of archiver after the name of the ║ ║ archived file, W - extract files from ║ ║ archive to the current directory, T - (only ║ ║ with W parameter) extract files to the ║ ║ temporary directory specified with ║ ║ environment variable TEMP or TMP. ────────────╫──────╫───────────────────────────────────────────── /BW[<num>] ║ i ║ print messages in black-and-white display ║ ║ mode. You can type 1 or 2 for <num> that is ║ ║ best suite for your monitor. ────────────╫──────╫───────────────────────────────────────────── /CH ║ ║ disable self-test. ────────────╫──────╫───────────────────────────────────────────── /CL ║ ║ run in command line mode and suppress the ║ ║ dialog interface. ────────────╫──────╫───────────────────────────────────────────── /CO[<num>] ║ i x ║ run in color display mode. You can type 1 to ║ ║ 4 for <num> that is best suited for your ║ ║ monitor. ────────────╫──────╫───────────────────────────────────────────── /CU[D][R][P]║ ║ cure drives and files by removing the ║ ║ viruses found. If the D parameter is ║ ║ included, infected files will be deleted. If ║ ║ the R parameter is included, infected files ║ ║ will be renamed by substituting the letter V ║ ║ for the first letter in the filename ║ ║ extension; for example, the extensions COM ║ ║ and EXE in infected files will be changed as ║ ║ VOM and VXE, respectively. The P parameter ║ ║ tells Dr. Web to prompt the user before ║ ║ curing an infected file. ────────────╫──────╫───────────────────────────────────────────── /DA ║ i- ║ run Dr. Web only once in a day. For this ║ ║ option, the initiation file, DRWEB.INI, ║ ║ containing the date of the last scanning ║ ║ session must be present. This option is ║ ║ useful for starting Dr. Web automatically ║ ║ from the AUTOEXEC.BAT file only once in a ║ ║ day on booting the computer. ────────────╫──────╫───────────────────────────────────────────── /DL ║ i- ║ delete infected files if they do not yield ║ ║ to restoration. ────────────╫──────╫───────────────────────────────────────────── /FN ║ i- ║ load alternative screen fonts for video ║ ║ adapter with no support of national ║ ║ characters for your monitor. Use this option ║ ║ if your Dr. Web is a customized version. ────────────╫──────╫───────────────────────────────────────────── /GO ║ ║ run without stopping for instructions about ║ ║ what to do next, e.g., in case of ║ ║ insufficient disk space for unpacking ║ ║ compressed files, removal of damaged files, ║ ║ self-infection of Dr. Web program by an ║ ║ unknown virus, etc. This mode is very useful ║ ║ for testing e-mail at BBS. ────────────╫──────╫───────────────────────────────────────────── /HA ║ i-x ║ heuristic analysis of files for searching [<level>] ║ ║ hitherto unknown viruses with an optional ║ ║ level parameter: 0 - minimal level, 1 - ║ ║ "paranoid" level. False alarms are possible ║ ║ under the "paranoid" level. If no level ║ ║ parameter is specified, Dr. Web defaults to ║ ║ the minimal level. ────────────╫──────╫───────────────────────────────────────────── /HI ║ i-x ║ scan memory up to 1088 Kb in addition to the ║ ║ conventional memory from 0 to 640 Kb. ────────────╫──────╫───────────────────────────────────────────── /LF[<num>] ║ i- ║ in emergency situations, for example, on ║ ║ detecting a virus, flicker the screen ║ ║ boarder along with beeps. The <number> ║ ║ parameter defines the boarder color. The ║ ║ number must be specified in hex form. You ║ ║ may specify from 1 to F. ────────────╫──────╫───────────────────────────────────────────── /LN ║ i- ║ print messages in the alternative language. ║ ║ Available only in bilingual customized ║ ║ versions. ────────────╫──────╫───────────────────────────────────────────── /ML[N][W] ║ i- ║ check e-mail files encoded by UUENCODE and ║ ║ MIME utilities. The parameter N tells Dr.Web ║ ║ not to print the name of the encoder after ║ ║ the name of the e-mail file. The parameter W ║ ║ will decode the files in e-mail files and ║ ║ save the decoded file in the current ║ ║ directory. ────────────╫──────╫───────────────────────────────────────────── /MS ║ i-x ║ enable mouse support. ────────────╫──────╫───────────────────────────────────────────── /MT<time> ║ ║ the latest polymorphic viruses require a ║ ║ long time to decode. By specifying a time in ║ ║ seconds, you limit the time for scanning a ║ ║ file. The default time values for different ║ ║ processors are ║ ║ Pentium - 30 sec ║ ║ 486 - 30 sec ║ ║ 386 - 60 sec ║ ║ 286 - 120 sec ║ ║ 8088 - 240 sec ║ ║ 8086 - 240 sec ║ ║ Double the default time is needed to detect ║ ║ advanced polymorphic viruses. ────────────╫──────╫───────────────────────────────────────────── /NI ║ ║ ignore the settings in the initial file ║ ║ DRWEB.INI. ────────────╫──────╫───────────────────────────────────────────── /NM ║ i ║ don't scan memory for viruses. This option ║ ║ is overriden by the /HI option. ────────────╫──────╫───────────────────────────────────────────── /NR ║ i ║ do not create report file. ────────────╫──────╫───────────────────────────────────────────── /NS ║ ║ disable the use of <Esc> key for aborting a ║ ║ session. ────────────╫──────╫───────────────────────────────────────────── /OK ║ i- ║ print "Ok" after the names of clean files. ────────────╫──────╫───────────────────────────────────────────── /PF ║ i-x ║ display "Scan another diskette?" prompt ║ ║ after checking a diskette. ────────────╫──────╫───────────────────────────────────────────── /QU ║ ║ quit to DOS screen after the completion of ║ ║ test. ────────────╫──────╫───────────────────────────────────────────── /RP[+] ║ i x ║ write the scanning results in the file (by [<file>] ║ ║ default REPORT.WEB in the directory where ║ ║ Dr. Web is installed), <file> is the full ║ ║ pathname of the report file. If the plus ║ ║ sign is included, the report of the current ║ ║ session will be appended at the end of the ║ ║ report file; otherwise the report will be ║ ║ overwritten in the report file. ────────────╫──────╫───────────────────────────────────────────── /RV ║ i-x ║ scan files for active TSR viruses. ────────────╫──────╫───────────────────────────────────────────── /SD ║ i-x ║ include subdirectories in scanning. ────────────╫──────╫───────────────────────────────────────────── /SH<no> ║ ║ the first five figures of the serial number ║ ║ of Sheriff security system (if installed in ║ ║ the computer) so that Dr. Web may run ║ ║ jointly with Sheriff without conflicts. ────────────╫──────╫───────────────────────────────────────────── /SN ║ i- ║ "snow" prevention for CGA adapters. ────────────╫──────╫───────────────────────────────────────────── /SO ║ i-x ║ enable beeps. ────────────╫──────╫───────────────────────────────────────────── /SS ║ ║ save the settings of the current session ║ ║ before exiting (unlike the /SV option, the ║ ║ /SS option is operative only in current ║ ║ session). ────────────╫──────╫───────────────────────────────────────────── /SV ║ i- ║ save the settings of the current session ║ ║ before exiting (unlike the /SS option, the ║ ║ /SV option automatically saves in every ║ ║ session the setting changes in the DRWEB.INI ║ ║ file. This is the equivalent of the AUTOSAVE ║ ║ mode, see the DESKTOP panel of the SETUP ║ ║ menu). ────────────╫──────╫───────────────────────────────────────────── /TB ║ i-x ║ scan boot sectors and master boot record. ────────────╫──────╫───────────────────────────────────────────── /TD<disk>: ║ i ║ drive name letter of the disk for creating ║ ║ temporary files. ────────────╫──────╫───────────────────────────────────────────── /UB ║ i- ║ output to screen via BIOS. ────────────╫──────╫───────────────────────────────────────────── /UP[N][W] ║ i-x ║ scan the files packed by LZEXE, DIET, PKLITE, ║ ║ EXEPACK, COMPACK, OPTLINK, the files ║ ║ converted by COMTOEXE, PROTECT, CRYPTCOM, ║ ║ TINYPROG, and the files vaccinated by CPAV, ║ ║ F-XLOCK. N - don't print the name of ║ ║ compression utility after the name of the ║ ║ packed file, W - restore files and remove ║ ║ the decompressor. Under the /UP option, a ║ ║ packed file is first exploded in a temporary ║ ║ file and then the exploded file is tested. ║ ║ If the W parameter is additionally included, ║ ║ then after testing, the exploded file is ║ ║ overwritten on sthe original file. Thus, an ║ ║ originally packed (vaccinated) file is ║ ║ converted into an exploded (devaccinated) ║ ║ file after testing is completed. This also ║ ║ happens during curing: a packed (vaccinated) ║ ║ file is exploded, tested, cured, and finally ║ ║ saved as an exploded (devaccinated) file. ────────────╫──────╫───────────────────────────────────────────── /WA ║ i- ║ display scan report for every drive. ────────────╫──────╫───────────────────────────────────────────── /WF ║ i-x ║ use Windows 95 long-name convention for ║ ║ files and directories. Windows 95 admits ║ ║ files and directories with names longer than ║ ║ eight characters, including spaces and ║ ║ certain other separators. Dr. Web supports ║ ║ Windows 95 long-name convention and displays ║ ║ the long names of files and directories ║ ║ properly. If this option is disabled, long ║ ║ names are truncated to eight characters ║ ║ according to the DOS convention. ════════════╩══════╩═════════════════════════════════════════════ NOTE. As a rule, the /UPW option is needed only in rare cases, for example, when Dr. Web suspects that an unknown virus may be present in a "packed" file. In such cases, the suspect file can be exploded with the /UPW option for independent in-depth infection analysis. This option is helpful only to system analysts knowledgeable in virus technology. The /UP option is quite adequate for ordinary users in routine checks. After the introduction of the negative form, certain previous command options have lost their usefulness. They are now undocumented and have been retained only for back compatibility. Below is a list of outdated options and their replacements. ════════════════╦═════════════ Outdated option ║ replaced by ════════════════╬═════════════ /MO ║ /MS- /NB ║ /TB- /ND ║ /SD- /OF ║ /PF- /SF ║ /WF- /SI ║ /SO- ════════════════╩═════════════ 2.2 Running Dr. Web in batch mode If you wish to start Dr. Web automatically every time the computer is booted, you must tack the command line of Dr. Web with the options of your choice to your AUTOEXEC.BAT file. Alternatively, you may write a batch file containing the command line with all necessary command options and CALL it from the AUTOEXEC.BAT file. The /CL option, if included in the commandes. line, tells Dr. Web not to use the dialog mode. Dr. Web sets an errorlevel, and this can be used in a batch file to determine to what actions are then to be taken. ════════════╦══════════════════════════════════════════════ ERRORLEVEL ║ Meaning: ════════════╬══════════════════════════════════════════════ 0 ║ viruses not found 1 ║ known viruses detected 2 ║ unknown viruses detected or suspicious files ════════════╩══════════════════════════════════════════════ Below is a sample batch file for starting Dr. Web in batch mode and testing the errorlevel returned. On detecting a virus, the screen would display a cyclic message. drweb C: /CL /NM echo off if errorlevel 2 goto new_vir if errorlevel 1 goto vir goto end :vir echo WARNING! A KNOWN VIRUS DETECTED pause goto vir :new_vir echo WARNING! I SUSPECT THAT AN UNKNOWN VIRUS IS PRESENT IN YOUR MACHINE pause goto new_vir :end REFERENCES DialogueScience, DSAV, and ADinf are registered trademarks of DialogueScience, Inc., Moscow, Russia. Sheriff is a registered trademark of FomSoft, Moscow, Russia. Other names are registered trademarks or trademarks of the respective companies. * * * I express my thanks to Vsevolod Lutovinov for his great contribution in development of the program, Grigory Frolov for his help in preparing the Russian manuscript of this manual. I am especially indebted to Dr. Naidu P.S.V. for translating and revising the Russian manuscript, and for preparing the translation of the internal texts of the program. Musical effects drawn from the polymorphic virus Holms.6161 are incorporated in Dr. Web program. * * * Below is a PGP public key that can be used for verifying the integrity of the Doctor Web program with the help of the signature in the drweb.pgp file. It can also be used to encode the virus specimens when a user wishes to e-mail them to me. -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6 mQCNAi3R1+AAAAEEAMeH97dViOlTOwWjd6iLsRnEvDuNMnfQor+7NtuxV0v7Dgig Kd4cE8dcSdfINr89mmIcPVCgI+uSDoDdgGK0WAl2pkJUigmJtidMpjFgyPoUTU6T cqmss4CyDFH9UoM74RUEqSG0cwsnt+rz46yELf+v6kS9QZC3r53C6gEbhxltAAUR tCFJZ29yIEEuIERhbmlsb2ZmIDxpZEBzYWxkLnNwYi5zdT6JAJUDBRAugG2cOpoV rn3diFEBAeD3A/9jGJRp5TqD2FBrwkIaJd6SqJVvSbYQnE39th/u4csghFYEYcdS GqPnVjxl0Sri1N5OqYB2uTRn0d0kqsrD24fuWFbZwvKlcZQO2C6W1zZSmwqAfw2p jAD+tTvRZDSx2z0+zgRZ/EhDIaH/louf8zcL3UlrW2YPNRODzJW6VUiouIkAlQMF EC8n2IANOmycNvS2swEBvqYEAJgRxQjfQhJI+iTMMUhWS8whvgitjzDeD+5u2tKz KwqSa4TaOfgf2000rN2SbqyTg5gDirLsVF8x80PusKFRxedwBzBNLl9ar78HB/x4 lOEO+/obRUH4wT+bH6KfUkDuqVvYsTRZ3mDoLfyJw9pCtkDiFQdCrWcGh+UNr8nJ oNBx =kuRk -----END PGP PUBLIC KEY BLOCK----- My "fingerprint" of PGP key: C0 56 A6 24 91 99 B5 A1 C7 78 6A 8B D9 6D 8F B0 * * * Dr. Web Anti-Virus Package is available at DialogueScience, Inc., Computing Center of the Russian Academy of Sciences, Office No 103a, House No 40, Vavilov street, 117967, Moscow, Russia. Tel.: (+7-095) 137-0150, 135-6253 Tel./Fax: (+7-095) 938-2970, 938-2855 BBS: (+7-095) 938-2856 (28800/V.34) FidoNet: 2:5020/69 E-mail: antivir@dials.ru FTP-server: ftp.dials.ccas.ru, ftp.dials.ru WWW: http://www.dials.ru, http://www.dials.ccas.ru