LOAD.COM (PRO-BOOT)
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
Overview and Purpose.....................1
Technical Description....................1
Operating Instructions...................3
Building the PRO-BOOT disk...........3
Using the PRO-BOOT disk..............4
AN IMPORTANT WARNING.....................5
About the Anti-Virus MBR.................5
What Should I Do if I Get a Virus?.......6
This manual and the accompanying software are all copyrighted
(c) 1995 Leonard P. Gragson and Stephen M. Poole,
All Rights Reserved
Revision history: Updated June, 1995.
Page 1
Overview and Purpose
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
LOAD.COM is a utility that builds a special bootable diskette,
the ARF PRO-BOOT diskette, which can be used to install an ARF
Anti-Virus Main Boot Record and partition. This provides the
first line of defense against boot-record viruses. The diskette
can also be used to restore the boot records of your hard drive,
should such a virus ever be suspected.
The easy method of cleanup afforded by the PRO-BOOT disk isn't
dependent on knowing which virus has infected your system. (This
is in keeping with the general philosophy behind all of the ARF
utilities.)
Technical Description
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
To understand how the ARF Anti-Virus partition works, let's take
a brief look at the primary boot process -- i.e., what happens when
you first power up your computer.
(Note: All of this assumes that you have a bootable hard drive in
your PC. The following description is for such a system, not for
older, all-floppy systems, which can't use PRO-BOOT anyway.)
This is essentially a two-step process. The Main Boot Record is
loaded into memory first. This is nothing more than a loading
stub and partition table that tells the system where to find DOS
on the hard drive (or OS/2, or UNIX, or whatever system you happen
to be using; we'll just refer to DOS here).
Having found the active boot partition from the MBR, the system
will then begin loading DOS. This is the second stage of the
process; the System Boot Record (SBR) is loaded next, which begins
initializing the operating system. The other operating system files
are loaded shortly thereafter, and you can begin your day's session
on the computer.
Page 2
Now: knowing this, if you were a virus writer, you might try to
put your virus code in these boot sectors, wouldn't you? Indeed
you might, and many have! Viruses such as Michelangelo and NATAS
write themselves into the MBR so that they can be loaded even
before DOS (and most anti-virus software!) ever becomes active.
Other types of system infectors attack the SBR; see VIRUS.DOC for
more information on these viruses. DOS's own SYS program will
suffice to restore the SBR and system files.
The purpose of the ARFAV MBR is to warn you if such a virus does
move into your boot records, and to provide a quick, simple
recovery method to eliminate the virus.
The ARFAV MBR makes several important checks. First, it checks
the MBR code itself for alteration. It also ensures that the
address of the BIOS disk services (INT 13h) hasn't been altered; and
it checks the size of memory recorded by the BIOS. If it finds a
problem, it alerts the user.
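To make the three boot-time checks concrete, here is an added Python model (not ARF's code, which is assembler) that runs the same checks over a 512-byte MBR image and over BIOS values captured separately; it also includes the stale partition-table comparison behind the warning in the later section. The stub bytes, partition entry, INT 13h vector and memory size are constructed sample values.

```python
import hashlib
import struct

SECTOR = 512
CODE_END = 446                     # boot stub occupies bytes 0..445
BOOT_SIGNATURE = b"\x55\xaa"       # last two bytes of a valid MBR

def parse_partitions(mbr):
    """Decode the four 16-byte partition entries that follow the boot stub."""
    table = []
    for i in range(4):
        off = CODE_END + 16 * i
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        table.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return table

def code_fingerprint(mbr):
    """Hash the boot stub only: the partition table is checked separately, since
    PRO-BOOT keeps its own copy of it on the diskette rather than trusting the drive."""
    return hashlib.sha256(mbr[:CODE_END]).hexdigest()

def check_mbr(mbr, baseline_fp, baseline_int13, int13_vector, memory_kb, expected_kb=640):
    """Return the warnings an ARF-style MBR would raise; an empty list means all clear."""
    if len(mbr) != SECTOR or mbr[510:] != BOOT_SIGNATURE:
        return ["not one 512-byte sector ending in 55AA"]
    warnings = []
    if code_fingerprint(mbr) != baseline_fp:
        warnings.append("MBR boot code has been altered")
    active = [p for p in parse_partitions(mbr) if p["status"] == 0x80]
    if len(active) != 1 or active[0]["type"] == 0:
        warnings.append("no single usable active partition (table moved or wiped?)")
    if int13_vector != baseline_int13:          # stealth viruses hook the disk services
        warnings.append("INT 13h vector differs from the one recorded at install")
    if memory_kb < expected_kb:                 # resident boot viruses hide in the KB they steal
        warnings.append(f"BIOS memory size dropped to {memory_kb} KB")
    return warnings

def stale_pro_boot_disk(stored_mbr, current_mbr):
    """True when the table saved on the PRO-BOOT disk no longer matches the drive:
    restoring from that disk is the data-loss case the warning section describes."""
    return parse_partitions(stored_mbr) != parse_partitions(current_mbr)

def build_sample_mbr(stub, lba=63, sectors=1_000_000):
    """Constructed sample: a zero-padded stub and one active DOS (type 06h) partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\xff\xff", lba, sectors)
    return stub.ljust(CODE_END, b"\x00") + entry + b"\x00" * 48 + BOOT_SIGNATURE

if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")   # constructed stub, not real ARF code
    print(check_mbr(clean, code_fingerprint(clean), (0xF000, 0xEC59), (0xF000, 0xEC59), 640))
```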
While LOAD.COM is a DOS program, the stuff on the PRO-BOOT
diskette and the MBR that are written to the hard drive are NOT. (In
fact, just trying to do a DIRectory of the PRO-BOOT diskette that
we'll create in a moment will probably give you a "general
failure" error.) The PRO-BOOT diskette uses the BIOS to write
directly to the hard drive.
Like most of the ARF utilities, LOAD.COM was written entirely
in assembler for speed and compactness. The resulting disk and
installed partition information is totally automatic, providing
another line of defense against viruses.
Page 3
Operating Instructions
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
Step 1: Building the PRO-BOOT Disk
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
You will need a floppy diskette for your PC's bootable floppy
drive -- drive A: on most PCs, and nowadays, typically a 3.5" 1.44
high-density (HD) drive.
A used floppy will serve, but be careful that it's one you don't
care about; all information on it will be destroyed!
Note: Since LOAD.COM writes directly to the floppy without using
DOS, it's a good idea to check that disk with SCANDISK or CHKDSK
before using it. If that disk has bad or marginal sectors on it,
it could fail later on, and standard recovery tools (such as DOS's
RECOVER command) won't help you!
When you start LOAD.COM you will see a message that explains the
program. If you answer "Y" to continue, you will be asked for a
description string. This will help you identify which computer
the PRO-BOOT disk was created for.
This is important because ...
EACH PRO-BOOT DISK IS UNIQUE TO THE COMPUTER THAT IT WAS CREATED
ON! DO NOT USE THE PRO-BOOT DISK BUILT ON YOUR COMPUTER IN SOME-
ONE ELSE'S (or vice-versa); SERIOUS, PERMANENT LOSS OF DATA COULD
RESULT!
If someone you know wants a PRO-BOOT disk, take LOAD.COM over
to their computer and use it again to build a separate, unique
PRO-BOOT diskette for THEIR computer.
Just to make sure you aren't getting ready to overwrite a valuable
diskette, you will be given one more chance to abort after entering
the ID string. If you select "Y", LOAD will create the diskette.
Page 4
When you're done, remove the diskette from the computer, label it
carefully (include the description string on the label) and write
protect it. Don't wait to do this later, do it now!
If you're using LOAD on multiple computers, it would be a good
idea to choose useful, clear description strings for each PC.
Catalog the description strings and write the description strings
on the diskette labels.
Step 2: Using the PRO-BOOT Disk
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
Once you've created the diskette, configure your machine to boot
from that floppy. You may have to temporarily change your CMOS
setup; see your owner's manual. On many machines, you can press
CTRL-ALT-ESC to get into the setup screen; others want you to
press something like CTRL-S during bootup.
Boot from the floppy. You will see an introduction screen,
followed by a menu. From the menu, you can reinstall your original
partition, install our PRO-BOOT antivirus partition, or install a
"generic" IBM-compatible MBR.
Even though the PRO-BOOT disk isn't a system disk (there are no
operating system files on it), you can also use it to boot your
system with the "Test" options (provided that your hard drive is
accessible). For example, you could select "Test ARF Anti-Virus
Partition" to see what the ARF AV screen looks like. The ARF MBR
would initialize the computer, then hand control off to the normal
boot stuff on the hard drive.
Regardless of which option you select, we DO NOT alter the
partition table. We use the partition table that was in effect at the
time that LOAD.COM was used to create the diskette.
Page 5
AN IMPORTANT WARNING
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
IF YOU WANT TO CHANGE THE PARTITIONING OF YOUR HARD DRIVE (OR
CHANGE HARD DRIVES, ETC.), FOLLOW THIS PROCEDURE EXACTLY, OR YOU
COULD LOSE DATA:
1. If you're currently using the ARF Anti-Virus partition, use
the PRO-BOOT disk to restore the ORIGINAL partition info. Don't
use the ARF Anti-Virus partition.
2. Run the partition utility (ex., FDISK) to change your
partition size, etc.
3. When you're done, run LOAD.COM again to create an updated
PRO-BOOT disk with the new partition information.
4. Finally, boot onto the PRO-BOOT disk and re-install the ARF
Anti-Virus partition.
THIS IS VERY IMPORTANT. IF YOU CHANGE YOUR HARD DRIVE'S PARTITION
INFORMATION, YOU COULD LOSE DATA IF YOU USE AN OLD PRO-BOOT DISK
THAT DOESN'T HAVE THE CHANGES ON IT.
About the Anti-Virus MBR
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
If you use our PRO-BOOT anti-virus MBR (and we strongly recommend
that you do), it will clear the screen and change the color to
White/Brown. We did this so that you will get used to seeing it;
if it someday disappears, you'll know something is wrong! Look
for that distinctive screen each time you boot up!
After the screen flashes to brown with white letters, you'll see
the message, "ARF Protect v. 1.0". If anything in the MBR was
altered, you will be warned, and asked if you want to continue. If
you answer "N" the machine will be locked up to prevent the
possible spread of a virus.
Page 6
You could then boot from the PRO-BOOT diskette to restore the
original partition information (see the next section).
What Should I Do if I Get a Virus?
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
If you DO get a warning, or if the brown/white screen doesn't
appear like it normally does, you may have a boot-sector virus.
In the past, you might have been instructed to determine the
precise identity of the virus; then you would have followed a
detailed cleanup method specific to that virus. With our package, it
couldn't be easier.
We've got a quick-and-dirty, step-by-step procedure that you can
follow in HELPME!.DOC; see that. See also "What Do I Do If I Get
A Virus" in INJECT.DOC for specific info on file recovery.
Basically, though, using the PRO-BOOT disk to restore your MBR
will annihilate any MBR virus. Poof; no more virus. (Yes, it's
that simple.) Even if the virus has moved and/or encrypted the
partition table (a la Monkey), PRO-BOOT has an original copy stored
on the diskette, and can restore your partition information.
Do refer to the other places mentioned here, though. Some MBR
viruses are multi-partite (for example, NATAS; see VIRUS.DOC).
That is, they infect program files as well as the MBR. PRO-BOOT
fixes the MBR, but you should use the SYS program to restore your
boot files, and use INJECT to make sure your program files are OK.