Chip 1996 April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 1996 April / CHIP 1996 aprilis (CD06).zip / CHIP_CD06.ISO / sac / avir / vit200.exe / VIT.DOC < prev next >

Wrap

Text File | 1995-08-14 | 16KB | 587 lines

VIRUS TRAP ( VIT ) ------------------ Version 2.00 Copyright (C) Dvinyaninov,IIq/1992-1995 All rights reserved. Ekaterinburg 1995 1. What is the Questtion ................................ 1 2. Program Logic ........................................ 2 3. Hardware/Software Requirment ......................... 4 4. FAST RUN ............................................. 5 5. Return Codes ......................................... 5 6. IF VIRUS DETECT ...................................... 6 7. Keys ................................................. 7 8. VIT Interrupts ....................................... 11 9. Used Software ........................................ 12 10. History ............................................. 13 11. Utility ............................................. 13 Copyright (C) Dvinyaninov,IIq/1992-1995 All rights reserved. - 1 - 1. What is the Question ----------------------- Viruses abundance and increasing hard disk cappacity and their informations require more early diagnose of virus appearence. Press publishes washings for those programs promote for necessity and spreading of them. Author proposed his software solution. ------------ Most evidence solution of virus detection is to set virus on file or disk. Attempts with hard disk is risk and bustle. Attempts with floppy disk is unconvenient and slowly. It is remain make memory disk. MS DOS, DR DOS, PC DOS allow to do memory disk ( in standard, expanded or extended memory ), but there are static disk. More, if there is small memory machine, then memory is critical resourse and nobody do not make static disk. The only solution is dynamic memory disk and his using as viruses bait. This is memory disk and disk changes may be direct viewing by memory changes, not by disk access. SO I TEST IS SYSTEM INFECTED, BUT NOT IS HARD DISK INFECTED. - 2 - 2. Program Logic ---------------- Dynamic memory disk consist from two files optional driver VIT.DRV and main program VIT.EXE and do follow: 1). Driver VIT.DRV loading at system boot by CONFIG.SYS instruction. This driver get drive identificator and system tables space. Driver don't get memory and don't execute any driver commands, except init. Any commands ( except init at boot time ) return error code. 2). Main program VIT.EXE run by you, when you want to detect virus reproduction. This program : - get memory blocks for memory disk, - make file structure in memory block, - if you use /NC key, program find COMMAND.COM and write to memory disk, - make pattern files in memory disk ( files PAT_COM.COM, PAT_CE9.COM, PAT_EXE.EXE, PAT_EE9.EXE ), - if used key /DRV, find driver VIT.DRV, reset driver entry points to his entry points and assign memory disk as logical disk, - if used key /DYN, VIT.DRV don't used at all and VIT.EXE fully change system tables for make dynamic drive, - if used key /NC, replace COMSPEC enviroment variable ( COMMAND.COM path and file name ), - if used key /NC, VIT.EXE run pattern programs via loading second COMMAND.COM, otherwise VIT.EXE run pattern programs without second COMMAND.COM copy. Also run DIR command, - at last logical dynamic memory disk compare with compare control sums. Control sums calculated for BOOT, FAT, DIR and data areas ( 4 control sums ). Majority viruses ( but not all ) infects this disk files and may be detect, - if control sums is different, then program consider, that it is virus. Current program version inform about changing areas and return bad code on program exit, - 3 - - if program find disk changes, you will receice message and PAUSE, so on you may POWER OFF you computer in this moment, - at end memory disk deassigned, driver entry points rest at initial state or rest system tables, memory freeding and main program VIT.EXE ended. Return code reflects error reasons. Week points : - COMMAND.COM file may be infect. Use key /NC and point filename for pure copy COMMAND.COM. It may be any filename, program rename file to COMMAND.COM. Rename make in memory block, not by disk access. - not any viruses infects my pattern disk, COM and EXE files on him. Some viruses stand on boot areas floppy and hard disks. Some viruses require definite bound program length or definite pattern at entry pattern. This extension not at this program version, I must to be note, it is not correct save memory disk copy on hard disk ( instead of memory ), if you use violated file structure on hard disk. - 4 - 3. Hardware/Software Requirment ------------------------------- Computer is IBM PC. DOS is MS DOS ( >= 3.30 ), DR DOS ( >= 5.0 ), NW DOS ( 7.0 ). Memory ( dynamic RUN ) is 240 Kbyte from main memory 640 Kbyte. Static memory for driver is 2 Kbyte, for TSR starter is 1 Kbyte. Restriction for dynamic drive capacity is 31 Kbyte. Terminal output is Int 10h and output don't redirected to file. VIT don't check own length and control sum. VIT in case : - key /DYN change system tables and insert addition driver and addition device, so must be corresponing of virtual and real memory, - key /DRV change diver code, so driver memory require corresponding of virtual and real memory. VCPI - VIT detect VCPI, but don't any use. DPMI - VIT detect 2 sign : - set, - active. If DPMI is active, then virtual memory and real memory differs, so VIT write message error and stop. DESQVIEW - VIT don't test. WINDOWS - VIT work. OS/2 ( OS/2 DOSBOX ) - VIT don't work. VIT detect active DPMI, DESQVIEW and OS/2 and write error message and correct stop. If you try you may use key /!UND, but result not guaranted. VIT version 2.00 is FOUR YEARS AGO PROGRAM, distributed as Shareware, with updates : - english documentation, - delete software protection, - without detected bugs ( program run in memory and any bug don't change or violate file structure of any other drive ), - add DYNAMIC ( key /DYN ) - drive capacity is restrict and default is 31 Kbyte, - key /NC don't work because COMMAND.COM length now is big, but all program logic work with this key. IF YOU HAVE QUESTIONS ABOUT MAKE : - big drive capacity and use key /NC, - use XMS memory, - use DPMI. and etc. THERE IS NO PROBLEM, BUT THIS VERSION IS FOUR YEARS AGO VERSION, DISTRIBUTED AS SHAREWARE. - 5 - 4. FAST RUN ----------- FOR MS DOS Insert in CONFIG.SYS line : ---------- [HI]DEVICE=<path VIT.DRV>\vit.drv Insert in AUTOEXEC.BAT line : <path VIT.EXE>\VIT.EXE /TSR /DRV /FAST FOR DR DOS / NW DOS Insert in AUTOEXEC.BAT line : ------------------- <path VIT.EXE>\VIT.EXE /TSR /DYN /FAST This set automatic running VIT.EXE. FOR WINDOWS including VIT.EXE by setting VIT.ICO and VIT.PIF ----------- in WINDOWS setting. Now I don't no how make automatic running in Windows and you require manual run. 5. Return Codes --------------- Code is 0 - Ok. Program make tests and not detect viruses. 1 - Error in parameters. 2 - PROGRAM MAKE TESTS AND FIND VIRUS. PROGRAM ALWAYS PAUSE. - 6 - 6. IF VIRUS DETECT ------------------ If VIT detect virus, it is try to write disk dump as file into current catalog with name 'VIT.DM2'. Next, if not used key /NOTERR, VIT stop computer. But 32-bit use of computer ( as EMM386 ) don't stop computer. I am sorry, this is four years ago program ... But Pause you will receive in any case. Next : 1.You may try to run all antiviruses to find VIRUS SIGNATURE in file 'VIT.DM2'. If SIGNATURE is found you may to run this antivirus on you hard disk. If SIGNATURE not found see 2. OR 2.You may send file 'VIT.DM2' to virus center and wait answer. !!! VIRUS MAY KILL VIT.EXE. I DON'T PRESERVE THIS SITUATION. - 7 - 7. Keys ------- Keys VIT.EXE running : VIT [/?] [/HELP] [/H] [/!TR] [/!UND] [/0] [/BOOT{1,2}] [/BOOT={1,2}] [/CE9=ce9] [/COM=com] [/CS] [/CYC=c1:[c2:[c3]]] [/D] [/DE=de] [/DRV] [/DYN] [/EE9=ee9] [/EXE=exe] [/ENG] [/FAST] [/FAT{1,2}] [/FAT={1,2}] [/HD=hh] [/KBYTE=kk] [/L] [/MED=med] [/NC[=file]] [/NIP] [/NERR] [/NOTERR] [/NMSG] [/NSND] [/OEM] [/ON] [/OF[F] [/PAGE0] [/PAR=file] [/PB[AT]=file] [/PC[OM]=file] [/PE[XE]=file] [/RRPAT=File,NewExt] [/ROI=XX[,YY]] [/RBI=XX[,YY]] [/RVI=XX[,YY]] [/RUS] [/S] [/SEC=ss] [/SND] [/SPC=spc] [/SIL] [/ST] [/TRK=tt] [/TSR] /?, /HELP, /H - View KEYS. /0 - Zero virtual disk data secs. /BOOT - Case NOSYSTEM BOOT. 0 - System boot filled by zero. 1 - System boot is message 'Nonsystem disk' 2 - System boot is as Windows. /CE9/COM - PATTERN FILES SIZES. /COM - simple .COM file varying length /CE9 - simple .COM file varying length with command JMP ( 0E9h ) at begin /CYC - cycle by pattern size. VIT into cycle make disk, make patterns 2 .COM files and 2 .EXE files, make run and check. /D - SAVE DISK IMAGES IN FILES. This key require keys /NIP and any of key /PCOM or /PEXE. VIT save disk image before execution in file 'VIT.DM1', run external pattern file and save disk image in file 'VIT.DM2'. Path for this file is current directory, not VIT directory. - 8 - /DRV - Use DRIVER from CONFIG.SYS. Method of busy drive letter and drive access ( old method and it is standard for DOS, but require edit CONFIG.SYS ) /DYN - Use DYNAMIC MAKED DRIVER. New method of busy drive letter and drive access. This method is very easy for use. The virus explorer is dangerous. The only free machine, that i have, has DR DOS and this new key used only for DR DOS. /EE9/EXE - PATTERN FILES SIZES. /EXE - simple .EXE file varying length /EE9 - simple .EXE file varying length with command JMP ( 0E9h ) at begin /ENG - ENGLISH MESSAGES - DEFAULT /FAST - FASTER EXEC ( WITHOUT DIR ). VIT make disk, calculate CRC, run all files and check crc. If key don't use VIT check crc after every run and also use command DIR at common end. /FAT2 - make second copy of FAT - DEFAULT. /NC - GET COMMAND.COM COPY ( WITH RENAME ). use second copy COMMAND.COM. Find it, put on memory disk and point at run. If there is not file atgument, program use COMMAND.COM, pointed by enviroment variable COMSPEC ( it may be infect ). If file argument is use, program find this file, put it on memory disk and rename as COMMAND.COM. In any case of this key enviroment variable COMSPEC reset to memory disk COMMAND.COM. This option is work ok, but big size of last DOS is greater than size of disk ( = 31 Kbyte ). This is four years ago program ... COMMAND.COM SIZE VER ORIGINAL PACKED ( PKLITE 1.15 ) ------------------------------------------------------ MS DOS 3.30 25.308 17.073 4.01 37.557 25.904 5.0b 41.035 27.916 5.0 47.845 30.978 6.0 50.839 32.812 6.22 54.869 35.620 DR DOS 5.0 32.496 22.312 6.0 50.456 38.055 ( ? OVERLAY ) NW DOS 7.0 56.081 41.577 ( ? OVERLAY ) - 9 - /NIP - DO NOT USE INTERNAL PATTERNS. If you want to test system infection on you pattern files, use key /NIP and one of keys /PCOM, /PEXE. VIT make disk, read file from key {/PCOM,/PEXE}, rename extension to {.COM,.EXE} and run this file. /NOTERR /NERR - NOT STOP MACHINE. If you wanted to continue work at any time, use this key. /NSND - NOT USE SOUND AT PATTERN RUN - DEFAULT. /NMSG - ~ /SIL /ON - If TSR part is present, set TSR run ON. /OFF - If TSR part is present, set TSR run OFF. /PAGE0 - Type on CURRENT VIDEO PAGE ( = 0 ). Otherwise VIT switch video page and type on video page1. /PAR=file - Get KEYS from file ( with / ) /PB[AT]/PC[OM]/PE[XE]=file - EXTERNAL PATTERN FILES ( WITH RENAME ) See key /NIP. /RRPAT=file[,ext] - File PATTERN without EXEC ( with EXTENSION RENAME ) VIT only copy this file ( and rename extension if requre in key ) to disk in addition to VIT patterns. /RUS - RUSSIAN MESSAGES. VIT may type part of message in Russian. /S - WORKING EXIT TO SYSTEM. If you use key /NIP and one of keys /PCOM,/PEXE, you may use this key and detail see VIT disk. /SIL - RUN WITHOUT ANY TYPE. If video page switch disturb for you, any type is dissable. In case of virus VIT enable type. /SND - SOUND ON TIMER CHANNEL 2. /ST - Type TSR state ( = ON/OFF ). Check is TSR present and status of TSR. /TSR - Make TSR part of VIT. This is very simple part. It is call VIT.EXE before running YOU program. - 10 - ======= OPTIONS for MANUAL DEFINITION DISK PAR ====== ( for virus explorer ) /DE - FILES IN ROOT DIRECTORY. /OEM - OEM ID ( BOOT Sector ) /MED - Media ID /TRK/HD/SEC OR /KBYTE - FOR LOGICAL DRIVE /SPC - SECTORS PER CLUSTER - 11 - 8. VIT Interrupts ----------------- Int 2f, Fun ( AX ) = 0DD01h If use VIT.DRV or use key /DRV. Int 2f, Fun ( AX ) = 0DD02h If use key /TSR. KEYS for GEN INTERUPTS as RESULT VIT : /ROI=xx[,yy] - Result Ok : Int XX fun YY /RVI=xx[,yy] - Result Virus : Int XX fun YY /RBI=xx[,yy] - Result Bad : Int XX fun YY =~ /RVI - 12 - 9. Used Software ---------------- This software is maked on Sankt-Peterburg compiler WBC version 1.4. This compiler is restricted release of Algol 68, version is old and has bugs. For make self-extracted VIT I use LHarc. LHarc Version 1.12B 04/29/89 Copyright (c) Haruyasu Yoshizaki (Yoshi), 1988-89 Nifty Serve PFF00253 ASCII PCS pcs02846 7. My Distribution Policy 7. For the commercial use of this software, I add the following: a. The entire software made incorporating this program should not be copy protected in the sense that the DISKCOPY program of MS-DOS makes an imperfect copy. b. Every part of the package should print the name "LHarc" and the copyright banner. c. The distribution policy of this software should be printed either in the manual, in the package, or on the disk label. - 13 - 10. History ----------- 1991, Dec - Idea 1992, qI - Check idea on static memory disk. 1992, qII-qIII - DEMO version and his distribution. 1992, qIV - work simple version 1993, 1994, 1995 - new keys and distribution, software technology bugs detect 1995, qII-qIII - english documentation and put into worldwide shape keys /DYN /DRV /ROI /RVI /RBI /BOOT. Idea is rest "know how" and I name this program as "Fund Math Prod". 11. Utility ----------- VIT_VVP.EXE - view video page 0..3 with delay. Exit with pressing any key. This is suitable for view VIT result on page 1.