Chip: Chipnet

home *** CD-ROM | disk | FTP | other *** search

/ Chip: Chipnet / CHIPNET Aralık 1997.iso / misc / dweb319 / drweb.me < prev next >

Wrap

Text File | 1997-02-14 | 74.4 KB | 1,651 lines

DDDDDDD RRRRRRR WW WWW WW EEEEEEEEE BBBBBBB DDDDDDDD RRRRRRRR WW WWWW WW EEEEEEEEE BBBBBBBB DD DD RR RR WW WW WW WW EE BB BB DD DD RR RR WW WW WW WW EE BB BB DD DD RRRRRRRR WW WW WW WW EEEEEEEEE BBBBBBBB DD DD RRRRRRR WW WW WW WW EEEEEEEEE BBBBBBBB DD DD RR RR WW WW WW WW EE BB BB DD DD RR RR ■■ WW WW WW WW EE BB BB DDDDDDDD RR RR ■■■■ WWWW WWWW EEEEEEEEE BBBBBBBB DDDDDDD RR RR ■■ WWW WWW EEEEEEEEE BBBBBBB A KILLER FOR POLYMORPHIC VIRUSES USER'S GUIDE Version 3.19 Released February 15, 1997. by Igor Daniloff LICENSE AGREEMENT Dr. Web anti-virus program is distributed "AS IS" without warranty of any kind, either expressed or implied. The entire risk as to the quality and performance of the program lies with the user. Should the program prove defective, the designer or his authorized distributor or dealers bear no responsibility. If you have an illegal copy of Dr. Web Registered users and ... virus designers may skip this paragraph. Dr. Web Anti-virus program is a commercial software product. If you have found it helpful and want to use it in your everyday computer sessions - please, procure a licensed copy and register it. The value of information in your computer is incomparable to the cost of Dr. Web program! Dr. Web Anti-virus Package includes the following files: ┌────────────┬────────┬─────────────────────────────────────────┐ │ File │ Size │ Description │ ├────────────┼────────┼─────────────────────────────────────────┤ │HISTORY.WEB │ - │ Brief history of Dr. Web program │ │VIRTABLE.WEB│ 204730 │ Catalogue of viruses recognized and │ │ │ │ killed by Dr. Web │ │VIRLIST.WEB │ - │ Brief description of the viruses known │ │ │ │ to Dr. Web │ ├────────────┼────────┼─────────────────────────────────────────┤ │DRWEB.EXE │ 213490 │ Dr. Web anti-virus program │ │DRWEB.HLP │ 18571 │ Help file in English │ │DRWEB.ICO │ 766 │ Icon file for MS-Windows │ │DRWEB.INI │ 1024 │ Dr. Web configuration file │ │DRWEB.ME │ 76210 │ User's guide │ │DRWEB.PGP │ 294 │ Dr. Web validation signature │ │WEBymmdd.vvv│ nnn │ Add-on file to the virus database │ └────────────┴────────┴─────────────────────────────────────────┘ REMARK. Dr. Web package may also contain one or more add-on files. How to append add-on files to the Dr. Web program is described in Section 1.4 The UPDATE item. C O N T E N T S OVERVIEW What is Doctor Web? 1. RUNNING DR. WEB IN INTERACTIVE MODE 1.1 The DR. WEB menu 1.2 The TEST menu 1.3 The SETUP menu 1.4 The UPDATE item 1.5 The HELP menu 1.6 Speedkeys 2. RUNNING DR. WEB FROM ITS COMMAND LINE 2.1 List of command options and their purpose 2.2 Running Dr. Web in batch mode REFERENCES O V E R V I E W What is Doctor Web? Dr. Web searches the memory and disks for viruses known to it and eradicates them. It can also conduct a heuristic analysis of files and system areas for detecting new and unknown viruses. It is a good idea to have Dr. Web on a write-protected bootable diskette for testing your machine. Prior to making this copy, it is quite important that the computer is started from a clean bootable system diskette. First, install Dr. Web in your machine. For this, create a directory named DRWEB in drive C:, log on to this directory, and finally copy all files from the installation diskette to this directory. Dr. Web can be run either in interactive or batch mode. Batch mode is particularly convenient for automatically running Dr. Web from the AUTOEXEC.BAT file every time the computer is started. How to run Dr. Web from the AUTOEXEC.BAT file and the command options will be described latter. Now we describe the interactive mode. 1. RUNNING DR. WEB IN INTERACTIVE MODE To start Dr. Web in interactive mode, at the DOS prompt type the command drweb and press <Enter>. In case you rename the DRWEB.EXE file (to hide it from resident viruses capable of attacking Dr. Web), the DRWEB.INI file (if it is used in operation) must also be renamed to the same name as DRWEB.EXE without altering the extension INI; for example, if DRWEB.EXE is renamed as ANTIVIR.EXE, then DRWEB.INI must be renamed as ANTIVIR.INI. On starting the program, the screen displays the main menu: Dr.Web Test Setup Update [F1] Help █████████████████████████████████████████████████████████████████ █╔═════════════════════ Scanning progress ═════════════════════╗█ █║ ║█ Fig. 1. Dr. Web's main menu Using the menu items and commands, you can configure the program to suit your preferences, choose various program modes, update your Dr. Web by appending add-on files to the main virus database, and get on-line help on various topics. ═══════════╦═════════════════════════════════════════════════════ Menu item ║ Purpose ═══════════╬═════════════════════════════════════════════════════ Dr.Web ║ The commands in this menu are used to display ║ information about the program version, to shell ║ to DOS screen, and to end a Dr. Web session. ───────────╫───────────────────────────────────────────────────── Test ║ The commands in this menu are used to test and ║ cure the machine, and to display the report of ║ the current scanning session. ───────────╫───────────────────────────────────────────────────── Setup ║ The commands in this menu are used to customize ║ the operation of Dr. Web to suit your preferences. ───────────╫───────────────────────────────────────────────────── Update ║ This command is used to append add-on files to ║ the main virus database of the program. ───────────╫───────────────────────────────────────────────────── [F1] Help ║ displays on-line help on various topics. ═══════════╩═════════════════════════════════════════════════════ Press [F10] or <Space> to activate the menu bar. Then, using the left and right arrow keys, move to the desired menu item and press <Enter> to pull down its menu. Finally, move to the desired command in the menu with the up and down arrow keys, and press <Enter> to execute the command. A mouse can also be used to run Dr. Web. First, place the mouse cursor on the desired menu item and click the left button to drop down its menu. Then click the name of the command you want to execute. One letter in the names of the menu items is highlighted. To pull down the submenu of a menu item, while holding down <Alt>, press the corresponding highlighted letter. For example, to pull down the menu of DR. WEB item, while holding down <Alt>, press the letter D. The same procedure is used to choose a command from drop-down menus. 1.1 The DR. WEB menu contains three commands: DOS SHELL, ABOUT..., and EXIT. Dr.Web Test Setup Update [F1] Help ┌──────────────┐█████████████████████████████████████████████████ │ Dos shell │═══════════Scanning progress ══════════════════╗█ │ About... │ ║█ │ Exit Alt-X │ ║█ └──────────────┘ Fig. 2. Dr. Web menu The DOS SHELL command Choosing this command, you can temporarily exit from the current Dr. Web session for shelling to the DOS screen: ┌─────────────────────────────────────────────────────┐ │ Type EXIT to return to Dr. Web... │ │ │ │ Microsoft(R) MS-DOS(R) Version 6.20 │ │ (C)Copyright Microsoft Corp 1981-1993. │ │ │ │ │ │ C:\WEB> │ └─────────────────────────────────────────────────────┘ Fig. 3. DOS screen You can use this command, for example, to copy and rename infected files, to create a backup copy of valuable files, etc. After you are done with your DOS session, type EXIT and press <Enter> to return the Dr. Web main menu window. Note. Never use this command to end a Dr. Web session, because the program resides in the memory and thus occupies some memory space. The ABOUT... command Choosing this command, you can view the version number of the Dr. Web in your machine. If your version is two-month obsolete, you will be prompted to update the program, because an outdated version will not detect and eradicate the viruses written in this two-month intervening period. But, running in heuristic analysis mode, you can detect new and unknown viruses and eradicate them by appending appropriate add-on files to the main virus database of your outdated version. See Section 1.4 The UPDATE item. The EXIT command Choosing this command, you end a Dr. Web session. You can also end a session, pressing the speedkey combination <Alt+X>. 1.2 The TEST menu contains five commands: TEST MEMORY, SCAN, CURE, STATICTICS, and REPORT for searching and removing viruses, and viewing the statistics of the current session and the report of the current and previous scanning sessions. Dr.Web Test Setup Update [F1] Help ████████┌────────────────┐███████████████████████████████████████ ██╔═════│ Test memory │══ Scanning progress ═══════════════╗██ ██║ │ Scan F5 │ ║██ ██║ │ Cure Ctrl-F5 │ ║██ ██║ │ Statistics │ ║██ ██║ │ Report │ ║██ ██║ └────────────────┘ Fig. 4. Test menu The TEST MEMORY command Choosing this command, you can test the memory for viruses at any time. If an unknown virus is detected in the memory, Dr.Web warns you as follows: Memory (F900:0350) may be infected by resident virus! On detecting a known virus in the memory, Dr. Web prints its name on the screen: Memory (F900:0350) infected with Eddie.1800 - eradicated! In most cases, Dr. Web kills the known viruses in memory. In case there is a virus in the memory, start the computer from a bootable diskette containing the Dr. Web and Virus Hunter programs, and clean the computer for viruses. Sometimes, Dr. Web may warn for virus in the memory, while retesting the memory after killing a virus. The SCAN command Choosing this command, you can test the machine for viruses. Or simply press the speedkey <F5> to start scanning for viruses. Immediately, the screen displays a SCAN PATH panel. To close this panel, either press <Esc> or point and click the down arrow [] at the top left corner of the panel. ╔═[]═════════ Scan path ═════════════╗ ║ ┌───────────────────────────┬─┐ ║ ║ │* ││ ║ ║ └───────────────────────────┴─┘ ║ ║ [X] including subdirectories ║ ║ ║ ║ Ok ▄ Cancel ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║ ╚═════════════════════════════════════╝ Fig. 5. Scan path panel In the text field containing an asterisk, type the full pathnames of the files you want to test. You can also use wildcard characters in file specifications, directory path, and drive name letter. Here are few examples of specifying the scan path: ═══════════════╦═════════════════════════════════════════════════ Scan path ║ Description ═══════════════╬═════════════════════════════════════════════════ * or *: ║ scan all logical drives in the hard disk ───────────────╫───────────────────────────────────────────────── C: ║ scan all files in drive C: ───────────────╫───────────────────────────────────────────────── C:\DOS ║ scan all files in the directory C:\DOS C:\DOS\* ║ C:\DOS\*.* ║ ───────────────╫───────────────────────────────────────────────── C:\DOS\FILE.* ║ scan all files of the name FILE with any ║ extension in the directory C:\DOS ───────────────╫───────────────────────────────────────────────── C:\DOS\*.EXE ║ scan all files having the extension EXE in the ║ directory C:\DOS ═══════════════╩═════════════════════════════════════════════════ NOTE. If you use a wildcard character * in drive specification, only the logical drives in the hard disk of the machine will be scanned; virtual drives created by the DOS SUBST command, CD-ROM drives, and network drives will not be tested. You can also specify several files located in different directories, separating the entries by an intervening white space; for example, to scan all files in the directories A:, C:\DOS, C:\UTIL\PROG, and D:\WINDOWS, in the text field type A: C:\DOS C:\UTIL\PROG D:\WINDOWS By default, Dr. Web checks the files not only in directories, but also in subdirectories. If you do not want to scan the subdirectories, you can tell Dr. Web to skip the subdirectories by deselecting the INCLUDING SUBDIRECTORIES option box. After typing the scan path, choose or click the OK button to start scanning. To close the box without executing the scan command, choose or click the CANCEL button. On choosing the OK button, the screen displays in the SCANNING PROGRESS window the names of files scanned, the name of the virus after the filename of infected files, the name of the achiever program after the filenames of packed files. ╔═══════════════════ Scanning progress ══════════════╗ ║ Searching for viruses in drive A: ║ ║ BOOT SECTOR infected by Form ║ ║ A:\FORMAT.COM infected by Tiny.129 ║ ║ A:\VIRUS.COM infected by Fy.338 ║ ║ A:\SMARTDRV.EXE infected by Tchechen.1912 ║ ║ A:\FTW1.COM packed by PKLITE ║ ║ A:\C-639.COM infected by Hizhnak.639 ║ ║ A:\AINEXT.EXE infected by RDA.Fighter.7408 ║ ║ A:\COMMAND.COM infected by Ox.475 ║ ║ Scanning report for drive A: ║ ║ Scanned: files, programs, and sectors - 9 ║ ║ detected: viruses and infected programs - 7 ║ ║ Scanned time: 00:00:17 ║ ╚════════════════════════════════════════════════════╝ Fig. 6. Report on detected viruses After the completion of scanning a drive, you get a scanning report: ╔═[]════════════════════════════════════════════════╗ ║ Scanning report for drive D: ║ ║ Scanned: files, programs and sectors - 67 ║ ║ Detected: viruses and infected programs - 9 ║ ║ including in archived files - 3 ║ ║ posible virus modifications - 1 ║ ║ files suspected for infection - 5 ║ ║ including archived files - 4 ║ ║ Scanned time: 00:00:43 ║ ╚════════════════════════════════════════════════════╝ Fig. 7. Scanning report panel This panel is displayed only if you have selected the REPORT FOR EACH DRIVE box in the DESKTOP panel of the DESKTOP... command. If this box is deselected, the scanning report is appended at the bottom of the SCANNING PROGRESS window. In both cases, information about virus modifications, suspected files, and archived files are printed only if the corresponding counters are greater than 0. In the example above, Dr. Web detected the viruses Form, Tiny.129, Fy.338, Tchechen.1912, Hizhnak.639, RDA.Fighter.7408, and Ox.475. After the completion of the scanning mission, you can cure the infected files in the machine. The CURE command To remove the viruses detected by Dr. Web in a scanning session, choose this command or press its speedkey combination <Ctrl+F5>. The screen will then display a CURE PATH panel: ╔═[]═════════ Cure path ═════════════╗ ║ ┌───────────────────────────┬─┐ ║ ║ │* ││ ║ ║ └───────────────────────────┴─┘ ║ ║ [ ] including subdirectories ║ ║ ║ ║ Ok ▄ Cancel ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║ ╚═════════════════════════════════════╝ Fig. 8. Cure path panel Type the full pathname of the files to be cured and then choose OK. The conventions for typing the specifications in this text field are the same as those described for the text field in the SCAN PATH panel of the SCAN command. Prior to curing infected files, it is good idea to copy them on a separate diskette. Change the extension of copied infected files so that you may not accidentally run any infected program from the diskette. For example, if MSD.EXE is infected, rename it as MSD.EX or MSD.VIR. Infected files may be needed in subsequent virus analysis. The CURE command initiates Dr. Web to handle infected files differently (for curing, deleting, or renaming files) depending on your choice in the INFECTED FILES field of the OPTIONS panel. In the course of operating files their names are printed in an on-screen panel as follows: ╔══════════════════ Scanning progress ═══════════════╗ ║ Searching for viruses in drive A: ║ ║ BOOT SECTOR infected by Form - cured! ║ ║ A:\FORMAT.COM infected by Tiny.129 - cured! ║ ║ A:\FORMAT.COM packed by PKLITE ║ ║ A:\VIRUS.COM infected by Fy.338 - cured! ║ ║ A:\SMARTDRV.EXE infected by Tchechen.1912 - cured! ║ ║ A:\FTW1.COM packed by PKLITE ║ ║ A:\C-639.COM infected by Hizhnak.639 - cured! ║ ║ A:\AINEXT.EXE infected by RDA.Fighter.7408 - cured!║ ║ A:\COMMAND.COM infected by Ox.475 - cured! ║ ║ Scanning report for drive A: ║ ║ Scanned: files, programs and sectors - 9 ║ ║ Detected: viruses and infected programs - 7 ║ ║ Cured: files and boot sectors - 7 ║ ║ Scanned time: 00:00:43 ║ ╚════════════════════════════════════════════════════╝ Fig. 9. List of restored files While curing a disk for boot viruses which Dr. Web detected in a scanning mission, you may get a warning message: ╔══[]════════════════════════════════════════════════╗ ║ Boot sector may not be cured properly! ║ ║ Continue curing? ║ ║ ║ ║ Ok ▄ Cancel ▄ Help ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ║ ╚═════════════════════════════════════════════════════╝ Fig. 10. Incorrect restoration message You get this warning when Dr. Web does not find the original master boot record or the boot sector in the area where the virus ought to have hidden them. This happens if the virus is a plagiarism of some well-known virus and saves the actual boot sectors in an area different from where its original virus saves, or if the computer is infected with several boot viruses such that one virus is superimposed on another. In such cases the "head" of the second virus is found in the sector where the first virus ought to have saved the master boot record. Dr. Web does not immediately analyze the hidden boot sector for other viruses in it; therefore, this message is displayed whenever the boot sector that Dr. Web found does not agree with the original boot sector. If you press <Enter> to continue curing, Dr. Web kills the viruses known to it one by one. When the disk is infected with several boot viruses, the boot sector may be lost if different viruses hide the boot sector in the same sector or if several resident viruses infect the boot sectors repeatedly. In such cases, the machine, as a rule but not necessarily, hangs up on booting from the infected drive. Dr. Web conducts 10 cycles to cure the viruses one after another. Therefore it is advisable to stop curing in such cases and restore the system areas by MS DOS tools. To restore the system areas, boot the machine from a clean bootable system diskette and use the command SYS C: or the command FDISK /MBR. Important! while restoring the boot sectors by MS DOS tools, some data on the hard disk may be lost; particularly if the virus has encoded a part of the disk sectors. Therefore, call computer analyst for help. The STATISTICS command Upon the completion of a scanning mission, you can view the statistics of the current mission results by choosing the STATISTICS command, which displays an on-screen statistics panel similar to the panel shown in Fig. 7 with a separate report for each drive scanned. The REPORT command If you want to save the results of scanning missions, you must tell Dr. Web to create a scanning report file. For this, see the OPTIONS and PATHS... commands of the SETUP menu. At the end of every scanning session, Dr. Web appends the results of the current session in the report file containing the results of previous scanning sessions. This file can be opened for viewing by choosing the REPORT command from the TEST menu. The report panel looks somewhat as follows: ╔═[]══════════════════════════════════════════════════╗ ║ Dr. Web, version 3.16 (1996 Oct 14), ░ ║ ║ Copyright (c) by Igor Daniloff, 1992-96 ║ ║ Scanning Report dated 1996 Oct 14 22:58:44 ░ ║ ║ Command line: ░ ║ ║ ──────────────────────────────────────── ░ ║ ║ No viruses found in memory ░ ║ ║ ──────────────────────────────────────── ░ ║ ║ Searching for viruses in disk C: ░ ║ ║ C:\FOXBIND.EXE immunized by CPAV ░ ║ ║ C:\EXE\LZH.EXE immunized by CPAV ░ ║ ║ C:\FD\FD.EXE packed by PKLITE ░ ║ ║ C:\FD\FDNC.EXE packed by PKLITE ░ ║ ║ Abort scanning? ░ ║ ║ Yes ░ ║ ║ Test interrupted by user! ░ ║ ║ Scanning report for drive C: ░ ║ ║ Scanned: files, programs and sectors - 191 ░ ║ ║ Detected: viruses and infected programs - 0 ║ ║ Scanned time: 00:00:50 ░ ║ ╚══════════════════════════════════════════════════════╝ Fig. 11. Scanning report file It is a simple text file and can be opened and edited, using any ASCII text editor. By default, scanning results are saved in a REPORT.WEB file which is created in the directory where drweb.exe is installed. It can be given any name and extension, and located anywhere you like (see The SETUP menu). 1.3 The SETUP menu Using the commands in the SETUP menu, you can customize the operation of Dr. Web to suit your preferences. On choosing this item, its menu has three commands: DESKTOP.., OPTIONS..., and PATHS... . Dr.Web Test Setup Update [F1] Help ██████████████┌───────────────┐█████████████████████████████████ ██╔═══════════│ Desktop... │═ Scanning progress ═══════════╗█ ██║ │ Options... F9 │ ║█ ██║ │ Paths ... │ ║█ ██║ └───────────────┘ Fig. 12. Setup menu The DESKTOP... command To customize the way in which Dr. Web screen is displayed, choose the DESKTOP command to open the DESKTOP dialog panel: ╔═[]═════════════════════ Desktop ════════════════════╗ ║ ┌ Screen mode ─────────────────┐ ┌ Language ─────┐ ║ ║ │ [X] Expanding windows │ │ ( ) Russion │ ║ ║ │ [X] Mouse support │ │ () English │ ║ ║ │ [ ] Load screen font │ └───────────────┘ ║ ║ │ [X] Beep │ ┌ Color scheme ─┐ ║ ║ │ [ ] Autosave setup │ │ () Color 1 │ ║ ║ └──────────────────────────────┘ │ ( ) Color 2 │ ║ ║ ┌ Additional preferences ──────┐ │ ( ) Color 3 │ ║ ║ │ [ ] "Snow" prevention │ │ ( ) Color 4 │ ║ ║ │ [ ] Screen output via BIOS │ │ ( ) Mono 1 │ ║ ║ │ [ ] Print "Ok" after filename│ │ ( ) Mono 2 │ ║ ║ │ [X] Print packer name │ └───────────────┘ ║ ║ │ [ ] Report for each drive │ ┌ Screen height ┐ ║ ║ │ [ ] Test one floppy only │ │ () 25 lines │ ║ ║ └──────────────────────────────┘ │ ( ) 30 lines │ ║ ║ Ok ▄ Save ▄ │ ( ) 45 lines │ ║ ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ └───────────────┘ ║ ║ Cancel ▄ Help ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║ ╚══════════════════════════════════════════════════════╝ Fig. 13. Desktop dialog panel This panel has five groups of fields SCREEN MODE, ADDITIONAL PREFERENCES, LANGUAGE, COLOR SCHEME, and SCREEN HEIGHT (each containing a few check boxes or option buttons), and four command buttons OK, SAVE, CANCEL, and HELP. After setting your choices for the check boxes and option buttons, choose the SAVE button to write your preferences in the DRWEB.INI file so that Dr. Web may start the subsequent sessions with your operation preferences. If the AUTOSAVE SETUP box is checked, there is no need to save your settings; Dr. Web will automatically save them on choosing the OK button. The SAVE command button is also present in the other dialog panels of the SETUP menu. After setting the preferences for the fields in this panel, either choose the OK button to bring the new settings into effect or the CANCEL button to cancel them in case you change your decision. The purpose of each field in this panel is described below. * The SCREEN MODE field contains the following check boxes. ═════════════════╦════════════════════════════════════════════════ EXPANDING WINDOWS║ If this check box is selected, the superimposed ║ pop-up panels in the course of a session will ║ expand smoothly and gradually. To speed up the ║ operation of the program, deselect this box. ─────────────────╫──────────────────────────────────────────────── MOUSE SUPPORT ║ If this check box is selected, you can use ║ your mouse in scanning sessions to choose the ║ menu items, to select check and option boxes, ║ choose command buttons, etc. If Dr. Web ║ conflicts with the nonconventional mouse driver ║ in your system, deselect this box. ─────────────────╫──────────────────────────────────────────────── LOAD SCREEN FONT ║ If this box is selected, Dr. Web loads its own ║ screen fonts for displaying text information ║ Use this option, if your Dr. Web is a ║ customized version with no support of national ║ characters for your monitor. ─────────────────╫──────────────────────────────────────────────── BEEP ║ If this check box is selected, Dr. Web will ║ beep on detecting a virus. ─────────────────╫──────────────────────────────────────────────── AUTOSAVE SETUP ║ If this check box is selected, the settings you ║ specify in option panels will be saved ║ automatically in the Dr. Web initiation file on ║ closing the panel without the need for choosing ║ the SAVE button in the panel. ═════════════════╩════════════════════════════════════════════════ * The ADDITIONAL PREFERENCES field contains the following check boxes. ═════════════════╦════════════════════════════════════════════════ SNOW PREVENTION ║ This check box is to be selected only if output ║ to the screen is done via BIOS (see the next ║ item). Select this box if snow appears on a CGA ║ monitor. ─────────────────╫──────────────────────────────────────────────── SCREEN OUTPUT VIA║ Dr. Web prints messages on the screen directly BIOS ║ via BIOS. If this box is deselected, Dr. Web ║ will dump messages to videomemory and this ║ speeds up the operation. If your videoadapter ║ is not compatible with CGA, EGA, or VGA ║ adapters, check this box. ─────────────────╫──────────────────────────────────────────────── PRINT "OK" AFTER ║ In a scanning mission, if Dr. Web finds that a FILENAME ║ file is not infected, it prints the letters ║ "Ok" after the name of this file in the ║ scanning progress window. If you do not wish ║ to clutter the screen with superfluous messages, ║ deselect this box. ─────────────────╫──────────────────────────────────────────────── PRINT PACKER NAME║ If you have selected the CHECK PACKED box in ║ the FILES field in the panel displayed on ║ choosing the OPTIONS command from the SETUP ║ menu, Dr. Web will print the name of the ║ achiever (DIET, LZEXE, PKLITE, etc.) after the ║ file name in the scanning progress window when ║ this box is checked. You may deselect this box ║ to keep the screen uncluttered. ─────────────────╫──────────────────────────────────────────────── REPORT FOR EACH ║ If this check box is selected, Dr. Web will DRIVE ║ create a report separately for each drive ║ scanned. ─────────────────╫──────────────────────────────────────────────── TEST ONE FLOPPY ║ If this check box is selected, Dr. Web will ONLY ║ check only one floppy diskette and will not ║ promt you to insert another diskette for ║ checking. Deselect this box whenever you want ║ to scan several floppy diskettes in a session. ═════════════════╩════════════════════════════════════════════════ * The LANGUAGE field is present in the DESKTOP panel only in bilingual customized versions of Dr. Web. In this case, this field contains two option buttons for specifying your choice between the alternative languages. This field is not present in single-language versions. * The COLOR SCHEME field contains six option buttons for choosing a color scheme for displaying information on the screen: ═════════╦═══════════════════════════════════════════════════════ Color 1 ║ The default color scheme of Dr. Web program. ─────────╫─────────────────────────────────────────────────────── Color 2 ║ This scheme is drawn from TurboVision program. ─────────╫─────────────────────────────────────────────────────── Color 3 ║ This scheme is drawn from Norton Utilities. ─────────╫─────────────────────────────────────────────────────── Color 4 ║ This scheme is drawn from ADinf program. ─────────╫─────────────────────────────────────────────────────── Mono 1 ║ Both these schemes display the message in white Mono 2 ║ against black background. Choose the scheme best ║ suited for your monitor. ═════════╩═══════════════════════════════════════════════════════ * The SCREEN HEIGHT field contains three option buttons to adjust the full vertical size of screen to a height of 25, 30, or 45 lines. Choose a button to suit your convenience. The OPTIONS... command On choosing this command from the drop-down menu of the SETUP item of the main menu, you get a panel containing a few choices for customizing the operation modes of Dr. Web program. You may also press <F9> to pop up this panel directly. ╔═[]═══════════════════ Options ════════════════════╗ ║ ┌ Main settings ─────────┐ ┌ Files ─────────────┐ ║ ║ │ [X] Memory test │ │ [X] Check packed │ ║ ║ │ [X] Boot sector test │ │ [X] Check archives │ ║ ║ │ [X] Heuristic analysis │ │ [ ] Delete damaged │ ║ ║ │ [X] Check TSR viruses │ │ [ ] Prompt for cure│ ║ ║ └────────────────────────┘ └────────────────────┘ ║ ║ ┌ Heuristic level ───────┐ ┌ Memory range ──────┐ ║ ║ │ () Minimal │ │ ( ) 640 Kb │ ║ ║ │ ( ) "Paranoid" │ │ () 1088 Kb │ ║ ║ └────────────────────────┘ └────────────────────┘ ║ ║ ┌ Infected files ────────┐ ┌ Report file ───────┐ ║ ║ │ () Cure │ │ ( ) Don't create │ ║ ║ │ ( ) Delete │ │ ( ) Overwrite │ ║ ║ │ ( ) Rename │ │ () Append │ ║ ║ └────────────────────────┘ └────────────────────┘ ║ ║ Ok ▄ Save ▄ Cancel ▄ Help ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║ ╚════════════════════════════════════════════════════╝ Fig. 14. Operation options dialog panel This panel contains six fields MAIN SETTINGS, HEURISTIC LEVEL, INFECTED FILES, FILES, MEMORY RANGE, and REPORT FILE for setting the way in which you wish Dr. Web to scan your machine and four command buttons: OK, SAVE, CANCEL, and HELP. * The MAIN SETTINGS field The check boxes in this field define the areas that are to be scanned in every session. Check all boxes in this field for greater reliability of virus protection. The MEMORY TEST box If this box is selected, the memory in your computer will be scanned for active viruses on starting the program. By default, Dr. Web restricts the memory test to the conventional memory, i.e., the first 640 Kb. In a computer with more than 640Kb memory, you can additionally tell Dr. Web to scan the high memory area and upper memory blocks. If the 1088 Kb option button under the MEMORY RANGE field is selected, all memory range accessible in real operation will be tested, i.e., the first 1088 Kb that include the high memory area and upper memory blocks. If you have extended memory in the computer for loading resident programs and operation system modules, select the 1088 Kb option button in the MEMORY RANGE field. The BOOT SECTOR TEST box tells Dr. Web to scan the master boot record of the hard disk and the boot sectors of drives and diskettes. If this box is deselected, Dr. Web will detect the boot viruses in the boot sectors of diskettes and hard disks. The HEURISTIC ANALYSIS box A powerful tool incorporated in Dr. Web is the heuristic analysis of files and boot sectors. If this box is selected, Dr. Web will detect new and hithertounknown viruses. In this mode, Dr. Web analyzes the code of all suspicious programs and determines whether their codes are capable of executing functions characteristic of viruses. On detecting a suspicious program, Dr. Web warns that the program is possibly infected with some unknown virus (COM.Virus, EXE.Virus, COM.EXE.Virus, COM.TSR.Virus, EXE.TSR.Virus, COM.EXE.TSR.Virus, MACRO.Virus, or BOOT.Virus). The terms used to describe unknown viruses have the following meaning: ═══════╦═════════════════════════════════════════════ Term ║ Meaning ═══════╬═════════════════════════════════════════════ COM ║ The virus infects COM files. ───────╫───────────────────────────────────────────── EXE ║ The virus infects EXE files. ───────╫───────────────────────────────────────────── TSR ║ The virus is memory resident. ───────╫───────────────────────────────────────────── MACRO ║ The virus infects WinWord documents. ───────╫───────────────────────────────────────────── BOOT ║ The virus infects boot sectors of disks. ───────╫───────────────────────────────────────────── CRYPT ║ The virus code is encrypted or polymorphic. ═══════╩═════════════════════════════════════════════ See also the HEURISTIC LEVEL field. The CHECK TSR VIRUSES box Many resident viruses infect a file when it opened for reading or writing. This is helpful in detecting an active virus, because the file size increases after opening (if there is a virus in it). If the CHECK TSR VIRUS box is selected, Dr. Web will check the changes in the size (if any) of files at the time of executing the seek and open commands. File size check also reveals active stealth viruses which hide their presence in the files they have infected. Once activated, a stealth virus stays resident in the memory and manipulates the size find operations. If any program calls for the size of an infected file, the stealth virus residing in the file returns the clean file size in order to conceal the increased size. If the CHECK TSR VIRUSES box is selected, on detecting a virus Dr. Web may warn: ╔══[]════════════════════════════════════════════════╗ ║ C:\DOS\COMMAND.COM ║ ║ WARNING! On opening this file, its size ║ ║ changed by +800 bytes! Memory may contain ║ ║ an ACTIVE RESIDENT VIRUS! ║ ║ Continue scanning? ║ ║ ║ ║ Ok ▄ Cancel ▄ Help ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ║ ╚═════════════════════════════════════════════════════╝ Fig. 15. Warning message for an active resident virus to alert you that the file had one size before opening for reading and a different size after opening. Possibly, some unknown resident virus, which infected the file, might have been residing in the memory at the time of opening this file by the DOS open command. In this case, the file size increases. The file size may also decrease if the memory contains a "stealth" virus, which tries to hide its presence in the file being scanned. In either case, it is a good idea to stop Dr. Web, reboot your computer from a clean write-protected bootable diskette containing the Dr. Web program and scan the suspected files with Dr. Web once again. * The HEURISTIC LEVEL field has two option buttons MINIMAL, "PARANOID" for specifying the analysis level. When no level is specified, Doctor Web defaults to the minimal level. In a test conducted with 10,000 different viruses, Dr. Web showed unknown virus detection efficiency of 87% under the minimal level, and 89-91% under the maximal level. The following is a list of a few examples of the warning messages which Dr. Web displays in the scanning progress window on detecting suspicious files while running under heuristic analysis mode: D:\GAMES\DOOM\NCA.EXE possible infected with EXE.CRYPT.Virus D:\GAMES\ENGL\README.EXE possible infected with EXE.TSR.Virus D:\GAMES\ENGL\LM.EXE possible infected with COM.EXE.TSR.CRYPT.Virus C:\WORDS\NORMAL.DOT possible infected with MACRO.Virus In the "paranoid" mode, Dr. Web additionally checks the suspicious settings of file date stamps. Certain viruses set unreal values to file creation time and date as an infection label or flag; for example, seconds in file creation time may be set to 62 or the year to 2000!. On detecting a file with a strange date stamp, Dr. Web prints a warning in the scanning progress window as follows: D:\DOD.COM strange date stamp 2031 ??? 31 25:60:00 In the heuristic analysis mode, Dr. Web may generate FALSE ALARMS! The higher the analysis level, the greater the possibility of false alarms. Such a possibility is particularly great in "paranoid" analysis level. As a rule, false alarms are generated in testing a program under heuristic analysis mode, if the program uses file open and file write operations, particularly if the program is TSR. IMPORTANT! Always test the program you get hold of for the first time under the heuristic analisys to avoid infection of your machine. Handle the programs with special care which Dr. Web suspects as "possibly" infected. Dr. Web takes longer time to scan a machine under heuristic analysis mode. * The INFECTED FILES field contains three option buttons CURE, DELETE, and RENAME, of which only one can be active at a time. The first two option buttons CURE and DELETE are self-explanatory and need no further comments. If you select the third button, RENAME, then the infected files will be renamed: the filename will be same as the original filename, but the letter V will be substituted for the first letter in the extension; for example, the filename extensions COM and EXE will be changed as VOM and VXE, respectively. Prior to handling an infected file, Dr. Web will ascertain your permission if you have selected the PROMPT FOR CURE box in the FILES field: ╔══[]══════════════ B:\FORMAT.COM ═══════════════════╗ ║ This file is infected with Tiny.129 ║ ║ Rename it? ║ ║ ║ ║ Yes ▄ No ▄ Help ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║ ╚═════════════════════════════════════════════════════╝ Fig. 16. Inquiry for renaming a file * The FILES field contains four check boxes with which you can opt for checking packed files and archives, delete damaged files, and tell Dr. Web to ascertain your intention prior to handling an infected file. The CHECK PACKED box If this box is selected, Dr. Web will test the files that are packed with DIET, LZEXE, PKLITE, EXEPACK, COMPACK compression utilities, the files converted with COMTOEXE, PROTECT, CRYPTCOM, TYNYPROG, as well as the files vaccinated with the Central Point Anti-Virus CPAV program. The packed files are temporarily exploded in some drive and then scanned for viruses. You can specify any drive for creating these temporary files under the text box of the TEMP DRIVE field in the PATHS panel displayed on choosing the PATHS... command from the SETUP menu. NOTE: It is a good idea to specify the fastest drive in your computer as the TEMP drive for temporarily exploding packed files. Furthermore, there must always be enough space in the drive for temporarily exploding the packed files. The CHECK ARCHIVES box To save space on hard and floppy disks, users often make use of archive programs. If an infected program is contained in an archive file, most of the anti-virus utilities, e.g., VIRUS HUNTER, cannot check such a program. Doctor Web can check any file included in an archived file. For this, select the CHECK ARCHIVES box. Dr. Web easily tests the archive files created with ARJ, PKZIP, LHA, RAR, ZOO, ICE, and HA. The DELETE DAMAGED box In certain cases, packed files that are infected and damaged by viruses may not yield to full restoration. If the DELETE DAMAGED box in the FILES field is selected, Dr. Web will automatically delete such files. The PROMPT FOR CURE box If you wish that Dr. Web should ascertain your intention prior to handling infected files (for curing, deleting, or renaming), select the PROMPT FOR CURE box in the FILES field of the OPTIONS panel. Otherwise, infected files will be handled automatically without ascertaining your permission. ╔═[]═══════════════ B:\FORMAT.COM ═══════════════════╗ ║ This file is infected with Tiny.129 ║ ║ Remove the virus from the file? ║ ║ ║ ║ Yes ▄ No ▄ Help ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║ ╚═════════════════════════════════════════════════════╝ Fig. 17. Inquiry for removing a virus * The MEMORY RANGE field See the MEMORY TEST box in the MAIN SETTINGS field. * The REPORT FILE field contains three option buttons DON'T CREATE, OVERWRITE, and APPEND. If you select the DON'T CREATE button, no report file is created at the end of scanning and curing sessions. If you select the OVERWRITE button, at the end of a session the results of the current session will be overwritten on the contents of the report file; so the report file will always contain the results of the last scanning session. If you select the APPEND button, the results of the current scanning session is appended at the end of the report file; so the report file contains the results of all previous scanning sessions since you last cleared up the report file. You can open the report file for viewing by choosing the REPORT command from the TEST menu and edit it with any text editor. By default, the report file is named REPORT.WEB and is created in the directory where Dr. Web is installed. However, you can specify a different name and location (see the REPORT FILE NAME field under the PATHS... command). The PATHS... command On choosing this command, you get a panel containing text fields for specifying certain pathnames and option buttons for choosing the type of files to be tested: ╔═[]═══════════════════ Paths ═══════════════════════╗ ║ ┌ Add-on search pattern ┐ ┌ Report file name ─────┐ ║ ║ │ WEB?????.3?? │ │ E:\DRWEBE\REPORT.WEB │ ║ ║ └───────────────────────┘ └───────────────────────┘ ║ ║ ┌ Add-on pathname ──────┐ ┌ File type ────────────┐ ║ ║ │ │ │ ( ) All files │ ║ ║ │ │ │ () Programs │ ║ ║ │ │ │ ( ) User defined │ ║ ║ └───────────────────────┘ │ └ *.EXE *.COM *.SYS │ ║ ║ ┌ Temp drive ┐ └───────────────────────┘ ║ ║ │ C: │ Ok ▄ Cancel ▄ ║ ║ └────────────┘ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ║ ║ Save ▄ Help ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ║ ╚═════════════════════════════════════════════════════╝ Fig. 18. Paths dialog panel * The ADD-ON SEARCH PATTERN field In the text box of this field, type the names of add-on files that are to be appended to your main virus database. You can use wildcard characters in typing the filename. * The ADD-ON PATHNAME field In the text box of this field, type the path of the directory where add-on files exist. All add-on files matching the specifications typed in add-on search pattern and add-on pathname fields that are compatible with the version of Dr. Web will be automatically appended to the main virus database on choosing the OK command button. You can also append add-on files to the main virus database with the help of the UPDATE item in the main menu. * The TEMP DRIVE field In the text box of this field, type the name letter of the drive where you want Dr. Web to create temporary files. This drive must not be READ ONLY drive. Dr. Web temporarily explodes packed files prior to checking them for viruses. There must be sufficient disk space (500 Kb to 1 Mb) in the drive specified under this field. If there is not sufficient free space in the drive, Dr. Web displays an error message: ╔═[]══════════════ C:\DOS\ATTRIB.EXE ════════════════╗ ║ No space on disk to decompress the file! ║ ║ Continue scanning? ║ ║ ║ ║ Yes ▄ No ▄ Help ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║ ╚═════════════════════════════════════════════════════╝ Fig. 19. Insufficient free space warning message If you choose YES, Dr. Web will resume its mission, but skip the packed file from scanning. Therefore, choosing NO, abort the scanning mission, create sufficient free space on the disk, and then start Dr. Web once again. In order to speed up the operation, specify the fastest drive in your system as the temporary drive. It is a good idea to specify RAM disk (if any) as the temporary drive. DOS ramdrive.sys can be conveniently used to create a virtual disk. * The REPORT FILE NAME field In the text box of this field, type the full pathname of the report file where you wish to save the results of scanning missions. By default, it is named report.web and created in the same directory where Dr. Web is installed. Typing a different full pathname, you can change the filename, its extension, the directory, and the drive where it is to be created. * The FILE TYPE field gives three option buttons for specifying the type of files to be tested in scanning. The ALL FILES button tells Dr. Web to scan all files regardless of the file name and extension. The PROGRAMS button tells Dr. Web to scan executable files only, i.e., files of extension COM, EXE, SYS, BAT, DRV, BIN, DLL, BOO, OV?, DOC, and DOT. The USER DEFINED button tells Dr. Web to scan only the files specified by the user in the text field under this option box. Press <Tab> to go to the text field, and then type the file specifications, separating the entries by an intervening white space. You can use wildcard characters, * and ?, in file specifications. In scanning and curing sessions, Dr. Web always scans files of the type specified in this FILE TYPE field, unless you type a different specification in the SCAN PATH panel displayed on choosing the SCAN command from the TEST menu at the start of a session, i.e., only for the current session the file specifications in the SCAN PATH panel override the file specifications under the FILE TYPE field. 1.4 The UPDATE item in the main menu has no submenu, because it is a command. Its purpose is to upgrade your Dr. Web with the appearance of new viruses. For Dr. Web to cope with the new virus specimens, its database must be upgraded constantly by appending add-on files containing data about the new viruses. Add-on files are released almost once in a week. Registered users can obtain them free of cost from our official dealers. If a virus unknown to DR. WEB has invaded your machine Please, immediately send (for example, by e-mail) a copy of the virus or infected file to DialogueScience, Inc., Moscow, or to the designer of Dr. Web. If you are a registered user, within 48 hours you will receive an add-on file (an external appendix to the main database) to detect and remove the new virus from files and system areas (master boot record, boot sector) of the computer. The add-on files are named as WEBymmdd.vvv, where y denotes the last figure in the current year, mm the number of the month, dd the day of the date of release of an add-on file, vvv the version number (v.vv) of the Dr. Web for which the add-on is designed. For example, web60814.314 means that the add-on file is released on August 14, 1996 for Dr. Web version 3.14. Prior to copying the add-on files to the computer, check that they are compatible with your Dr. Web version. For this, open the add-on file through any text editor: its beginning reads somewhat as follows: New Virus Base Add-on for Anti-Virus Dr. Web version 3.05+, where 3.05+ means that this add-on is designed for Dr. Web version 3.05 and higher. Then, copy it to the directory where drweb.exe is installed. The add-on files can be appended to the main virus database in two different ways. By the first method, the add-on files are automatically appended in a scanning session. For this, open the SETUP menu, choose the PATHS... command, and type an appropriate text string in the ADD-ON SEARCH PATTERN and ADD-ON PATH fields. IMPORTANT! The add-on files for Dr. Web version 3.00 or higher are released with the name WEB?????.3??. You can type this text string in the ADD-ON SEARCH PATTERN field. If you have copied the add-on files to the directory where Dr. Web is installed, you may leave the ADD-ON PATH field unfilled. By the second method, you can manually append add-on files located in different directories. For this, choose the UPDATE command from the main menu to pull down its dialog panel: ╔═[]════════ Add-on files ════════════╗ ║ ║ ║ ┌─────────────────────────────┐ ║ ║ │ E:\DRWEB\WEB?????.3?? │ ║ ║ └─────────────────────────────┘ ║ ║ ║ ║ Search ▄ Cancel ▄ Help ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║ ╚══════════════════════════════════════╝ Fig. 20. Add-on dialog panel In the text field, type the full pathname or a search pattern for finding and appending the add-on files. Then choose the SEARCH button. If the add-on files are successfully appended, the screen display a message showing the number of add-on files appended to the database. ATTENTION! Scan and clean your disks for new viruses with add-on files only by starting the computer from a CLEAN BOOTABLE DISKETTE - Dr. Web does not scan and clean the memory for new viruses. After purchasing a new upgraded version of Dr. Web capable of independently detecting and removing new viruses without the aid of add-on files, delete all old versions of add-on files as they are no longer needed for the upgraded Dr. Web program. 1.5 The HELP menu Dr. Web's help system is context-sensitive and provides on-line assistance to the user in the current topic on pressing the <F1> key. Alternatively, you may click the [F1] Help box. Using <PgUp> and <PgDn> keys, you can browse through the help window. Press <Esc> to close the help window. 1.6 Speedkeys To speed up the work with the keyboard, you can use the following combinations of keys to implement the commands listed below. ╔════════════════╦══════════════════════════════════════════════╗ ║Key combination ║ Command executed ║ ╠════════════════╬══════════════════════════════════════════════╣ ║<Alt+X>,<Alt+F4>║ Quit Dr. Web. ║ ╟────────────────╫──────────────────────────────────────────────╢ ║<F1> ║ Call on-line help. ║ ╟────────────────╫──────────────────────────────────────────────╢ ║<F5> ║ Scan (files, boot sectors, etc.) for ║ ║ ║ infection. ║ ╟────────────────╫──────────────────────────────────────────────╢ ║<Ctrl+F5> ║ Search for and remove viruses. ║ ╟────────────────╫──────────────────────────────────────────────╢ ║<F9> ║ Display OPTIONS panel for specifying Dr. Web ║ ║ ║ operation settings. ║ ╟────────────────╫──────────────────────────────────────────────╢ ║<F10> ║ Initiate main menu. Thereafter, use right and║ ║ ║ left arrow keys to move through the menu bar.║ ╟────────────────╫──────────────────────────────────────────────╢ ║<Tab> ║ Move from one field to another in dialog ║ ║ ║ panels. ║ ╟────────────────╫──────────────────────────────────────────────╢ ║<Esc> ║ Abort scanning mission. Close dialog panels ║ ║ ║ and message panels currently displayed on the║ ║ ║ screen. This key is inoperate if you ║ ║ ║ specified /NS option in Dr. Web command line.║ ╚════════════════╩══════════════════════════════════════════════╝ 2. RUNNING DR. WEB FROM ITS COMMAND LINE This section explains how to run Dr. Web with its command line and command options. The syntax of Dr. Web's command line is drweb [<drive>:[<path>]] [<option>] . . . [<option>] The command name and the command options must be separated by an intervening white space. Items shown within square brackets are optional. To include option parameters in the command line, only type the information inside the brackets. Do not type the square brackets. The first parameter, <drive>, is the name letter of the drive to be scanned, for example, f: or a:. If you wish to test all logical drives in the hard disk(s) of your system, type the global character "*" in place of the drive name letter. To test the current directory, just type a stop character "." after the command name drweb. To test the files in separate directories, include the <path> to the directories in the command line. Alternatively, you can also type the <path> parameter, using global characters in filenames and extensions. The following is a 2.1 List of command options and their purpose ════════════╦════════════════════════════════════════════════════ Option ║ Description ════════════╬════════════════════════════════════════════════════ /@[+] ║ Integrity checker ADinf generates a list of files <filename>║ that are to be scanned by anti-virus programs. ║ Dr. Web will test only the files specified in ║ this list without checking the other files. This ║ will speed up the scanning session. If the ║ plus sign is included, the list of files will be ║ saved after scanning is completed; otherwise it ║ is deleted. ────────────╫──────────────────────────────────────────────────── /25 ║ adjust the full vertical size of screen to a height ║ of 25 lines. ────────────╫──────────────────────────────────────────────────── /30 ║ the same for 30 lines. ────────────╫──────────────────────────────────────────────────── /45 ║ the same for 45 lines. ────────────╫──────────────────────────────────────────────────── /AL ║ scan all files in a given drive (not only files of ║ extension COM, EXE, SYS, BAT, DRV, BIN, DLL, BOO, ║ OV?, DOC, or DOT, but also files of all other ║ extensions). ────────────╫──────────────────────────────────────────────────── /AR[N][W][T]║ scan all files inside the archives created with ║ ARJ, PKZIP, LHA, RAR, ZOO, ICE, and HA compression ║ utilities. N - don't print the name of archiver ║ after the name of the archived file, W - extract ║ files from archive to the current directory, ║ T - (only with parameter W) extract files to the ║ temporary directory specified with environment ║ variable TEMP or TMP. ────────────╫──────────────────────────────────────────────────── /BW[<num>] ║ print messages in black-and-white display mode. You ║ can type 1 or 2 for <num> that is best suite for ║ your monitor. ────────────╫──────────────────────────────────────────────────── /CH ║ disable self-test. ────────────╫──────────────────────────────────────────────────── /CL ║ run in command line mode and suppress the dialog ║ interface. ────────────╫──────────────────────────────────────────────────── /CO[<num>] ║ run in color display mode. You can type 1 to 4 ║ for <num> that is best suited for your monitor. ────────────╫──────────────────────────────────────────────────── /CU[D][R][P]║ cure drives and files by removing the viruses ║ found. If the D parameter is included, infected ║ files will be deleted. If the R parameter is ║ included, infected files will be renamed by ║ substituting the letter V for the first letter in ║ the filename extension; for example, the extensions ║ COM and EXE in infected files will be changed as ║ VOM and VXE, respectively. The P parameter tells ║ Dr. Web to prompt the user before curing an ║ infected file. ────────────╫──────────────────────────────────────────────────── /DA ║ Run Dr. Web only once in a day. For this option, ║ the initiation file, drweb.ini, containing the date ║ of the last scanning session must be present. This ║ option is useful for starting Dr. Web automatically ║ from the AUTOEXEC.BAT file only once in a day on ║ booting the computer. ────────────╫──────────────────────────────────────────────────── /DL ║ delete infected files if they do not yield to ║ restoration. ────────────╫──────────────────────────────────────────────────── /GO ║ run without stopping for instructions about what to ║ do next, e.g., in case of insufficient disk space ║ for unpacking compressed files, removal of damaged ║ files, self-infection of Dr. Web program by an ║ unknown virus, etc. This mode is very useful for ║ testing e-mail at BBS. ────────────╫──────────────────────────────────────────────────── /HA ║ heuristic analysis of files for searching hitherto [<level>] ║ unknown viruses with an optional level parameter: ║ 0 - minimal level, 1 - "paranoid" level. False ║ alarms are possible under the "paranoid" level. If ║ no level parameter is specified, Dr. Web defaults ║ to the minimal level. ────────────╫──────────────────────────────────────────────────── /HI ║ scan the memory in the range from 0 to 1088 Kb. ────────────╫──────────────────────────────────────────────────── /MO ║ disable mouse support. ────────────╫──────────────────────────────────────────────────── /MT<time> ║ the latest polymorphic viruses require a long time ║ to decode. By specifying a time in seconds, you ║ limit the time for scanning a file. The default ║ time values for different processors are ║ Pentium - 30 sec ║ 486 - 30 sec ║ 386 - 60 sec ║ 286 - 120 sec ║ 8088 - 240 sec ║ 8086 - 240 sec ║ Double the default time is needed to detect ║ advanced polymorphic viruses. ────────────╫──────────────────────────────────────────────────── /NB ║ skip boot sector tests. ────────────╫──────────────────────────────────────────────────── /ND ║ test the files only in the root or the current ║ directory, skipping the subdirectories. ────────────╫──────────────────────────────────────────────────── /NI ║ ignore the settings in the initial file DRWEB.INI. ────────────╫──────────────────────────────────────────────────── /NM ║ skip the memory from virus search. ────────────╫──────────────────────────────────────────────────── /NR ║ do not create report file. ────────────╫──────────────────────────────────────────────────── /NS ║ disable the use of <Esc> key for aborting a session. ────────────╫──────────────────────────────────────────────────── /OF ║ check only one floppy diskette and do not prompt ║ for another diskette for testing. ────────────╫──────────────────────────────────────────────────── /OK ║ print "Ok" after the names of clean files. ────────────╫──────────────────────────────────────────────────── /QU ║ quit to DOS screen after the completion of test. ────────────╫──────────────────────────────────────────────────── /RP[+] ║ write the scanning results in the file (by default [<file>] ║ REPORT.WEB in the directory where Dr. Web is ║ installed), <file> is the full pathname of ║ the report file. If the plus sign is included, the ║ report of the current session will be appended at ║ the end of the report file; otherwise the report ║ will be overwritten in the report file. ────────────╫──────────────────────────────────────────────────── /RV ║ scan files for active TSR viruses. ────────────╫──────────────────────────────────────────────────── /SD ║ include subdirectories in scanning. ────────────╫──────────────────────────────────────────────────── /SF ║ In Windows 95, for the names of files and ║ directories you can use names longer than 8 ║ characters containind white space and some other ║ separators. While running under Windows 95, Dr. Web ║ recognizes these longer names and prints then ║ appropriately. If you do not want to clutter the ║ screen with longer names, include the /SF option in ║ the command line to truncate the names of files and ║ directories to the DOS 8-character convention. ────────────╫──────────────────────────────────────────────────── /SH<no> ║ the first five figures of the serial number of ║ Sheriff security system (if installed in the ║ computer) so that Dr. Web may run jointly with ║ Sheriff without conflicts. ────────────╫──────────────────────────────────────────────────── /SN ║ "snow" prevention for CGA adapters. ────────────╫──────────────────────────────────────────────────── /SV ║ save the settings of the current session before ║ exiting. ────────────╫──────────────────────────────────────────────────── /TD<disk>: ║ drive name letter of the disk for creating ║ temporary files. ────────────╫──────────────────────────────────────────────────── /UB ║ output to screen via BIOS. ────────────╫──────────────────────────────────────────────────── /UP[N][W] ║ scan the files packed by LZEXE, DIET, PKLITE, ║ EXEPACK, COMPACK, the files converted by COMTOEXE, ║ PROTECT, CRYPTCOM, TINYPROG, and the files ║ vaccinated by CPAV. N - don't print the name of ║ compression utility after the name of the packed ║ file, W - restore files and remove the ║ decompressor. Under the /UP option, a packed file ║ is first exploded in a temporary file and then the ║ exploded file is tested. If the W parameter is ║ additionally included, then after testing, the ║ exploded file is overwritten on sthe original file. ║ Thus, an originally packed (vaccinated) file is ║ converted into an exploded (devaccinated) file ║ after testing is completed. This also happens ║ during curing: a packed (vaccinated) file is ║ exploded, tested, cured, and finally saved as an ║ exploded (devaccinated) file. ────────────╫──────────────────────────────────────────────────── /WA ║ display the statistics after testing a given object. ────────────╫──────────────────────────────────────────────────── /? ║ display help information. ════════════╩════════════════════════════════════════════════════ NOTE. As a rule, the /UPW option is needed only in rare cases, for example, when Dr. Web suspects that an unknown virus may be present in a "packed" file. In such cases, the suspect file can be exploded with the /UPW option for independent in-depth infection analysis. This option is helpful only to system analysts knowledgeable in virus technology. The /UP option is quite adequate for ordinary users in routine checks. If no options are specified in the command line, Dr. Web will scan in the current session as per the specifications in the DRWEB.INI configuration file which must exist in the directory where DRWEB.EXE is installed. If there is no DRWEB.INI file or no options are specified in the command line, Dr. Web will scan the memory in the address range from 0 to 640 Kb, files of extensions COM, EXE, SYS, BIN, DRV, DLL, BOO, OV?, DOC, and DOT, and display the names of files infected with the viruses known to it. 2.2 Running Dr. Web in batch mode If you wish to start Dr. Web automatically every time the computer is booted, you must tack the command line of Dr. Web with the options of your choice to your autoexec.bat file. Alternatively, you may write a batch file containing the command line with all necessary command options and CALL it from the autoexec.bat file. The option /CL, if included in the commandes. line, tells Dr. Web not to use the dialog mode. Dr. Web sets an errorlevel, and this can be used in a batch file to determine to what actions are then to be taken. ────────────┬──────────────────────────────────────────────────── ERRORLEVEL │ Meaning: ────────────┼──────────────────────────────────────────────────── 0 │ viruses not found 1 │ known viruses detected 2 │ unknown viruses detected or suspicious files ────────────┴──────────────────────────────────────────────────── Below is a sample batch file for starting Dr. Web in batch mode and testing the errorlevel returned. On detecting a virus, the screen would display a cyclic message. drweb C: /CL /NM echo off if errorlevel 2 goto new_vir if errorlevel 1 goto vir goto end :vir echo WARNING! A KNOWN VIRUS DETECTED goto vir :new_vir echo WARNING! I SUSPECT THAT AN UNKNOWN VIRUS IS PRESENT IN YOUR MACHINE goto new_vir :end REFERENCES DialogueScience, ADinf and Virus Hunter are registered trademarks of DialogueScience Inc., Moscow, Russia. Sheriff is a registered trademark of FomSoft, Moscow, Russia. Other names are registered trademarks or trademarks of the respective companies. * * * I express my thanks to Grigory Frolov for his help in preparing the Russian manuscript of this manual. I am especially indebted to Dr. Naidu P.S.V. for translating and revising the Russian manuscript, and for preparing the translation of the internal texts of the program. Musical effects drawn from the polymorphic virus Holms.6161 are incorporated in Dr. Web program. Below is a PGP public key that can be used for verifying the integrity of the Doctor Web program with the help of the signature in the drweb.pgp file. It can also be used to encode the virus specimens when a user wishes to e-mail them to me. -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6 mQCNAi3R1+AAAAEEAMeH97dViOlTOwWjd6iLsRnEvDuNMnfQor+7NtuxV0v7Dgig Kd4cE8dcSdfINr89mmIcPVCgI+uSDoDdgGK0WAl2pkJUigmJtidMpjFgyPoUTU6T cqmss4CyDFH9UoM74RUEqSG0cwsnt+rz46yELf+v6kS9QZC3r53C6gEbhxltAAUR tCFJZ29yIEEuIERhbmlsb2ZmIDxpZEBzYWxkLnNwYi5zdT6JAJUDBRAugG2cOpoV rn3diFEBAeD3A/9jGJRp5TqD2FBrwkIaJd6SqJVvSbYQnE39th/u4csghFYEYcdS GqPnVjxl0Sri1N5OqYB2uTRn0d0kqsrD24fuWFbZwvKlcZQO2C6W1zZSmwqAfw2p jAD+tTvRZDSx2z0+zgRZ/EhDIaH/louf8zcL3UlrW2YPNRODzJW6VUiouIkAlQMF EC8n2IANOmycNvS2swEBvqYEAJgRxQjfQhJI+iTMMUhWS8whvgitjzDeD+5u2tKz KwqSa4TaOfgf2000rN2SbqyTg5gDirLsVF8x80PusKFRxedwBzBNLl9ar78HB/x4 lOEO+/obRUH4wT+bH6KfUkDuqVvYsTRZ3mDoLfyJw9pCtkDiFQdCrWcGh+UNr8nJ oNBx =kuRk -----END PGP PUBLIC KEY BLOCK----- My "fingerprint" of PGP key: C0 56 A6 24 91 99 B5 A1 C7 78 6A 8B D9 6D 8F B0 * * * Dr. Web Anti-Virus Package is available at DialogueScience, Inc., Computing Center of the Russian Academy of Sciences, Office No 103a, House No 40, Vavilov street, 117967, Moscow, Russia. Tel.: (+7-095) 137-0150, 135-6253 Tel./Fax: (+7-095) 938-2970, 938-2855 BBS: (+7-095) 939-5239 (14400/V.32bis, 19200/ZyXEL) - subscribers only (+7-095) 939-3705 (28800/V.34, 33600/V.34+) - subscribers only (+7-095) 938-2969 (28800/V.34, 33600/V.34+) - subscribers only (+7-095) 938-2867 (28800/V.34, 33600/V.34+) - subscribers only (+7-095) 938-2856 (28800/V.34) - common access FidoNet: 2:5020/69 2:5020/69.14 (Igor Daniloff) FTP-server: ftp.dials.ccas.ru ftp.kiam1.rssi.ru WWW: http://www.dials.ru http://www.dials.ccas.ru http://www.kiam1.rssi.ru E-mail: antivir@dials.msk.su - Sales and Support Department bob@dials.msk.su - Modem link service id@dials.msk.su - Line for transferring new viruses loz@dials.msk.su - Line for transferring new viruses