NBY.DOC (text file, 1991-02-10)
+-----------------------------------------------------------------------+
| [NBY] (NOT BORN YESTERDAY) Trojan Subterfuge ver. 2.78 |
| Copyright (C) 1991 by cALMER Utilities [All Rights Reserved] |
|361 Somerville Road Hornsby Heights Sydney Australia [612] (02) 4821715|
+-----------------------------------------------------------------------+
Purpose: Detect damage done by Trojan Horses, viruses and
other electronic poisons and take action accordingly.
IMPORTANT: YOU -----> M U S T <----- READ
THIS DOCUMENTATION TO UNDERSTAND VIRUS
PROTECTION METHODS FOR YOUR COMPUTER.
If you are in an office, take the phone
off the hook now, if at home, grab a
cuppa and sit down and READ ON !!!!
Also take a look at VIRUS.DOC !
QUICK INTRODUCTION:
NBY PROVIDES COMPLETE PROTECTION AGAINST ANY
VIRAL ATTACK IF USED PROPERLY. The first time you
run it, NBY will take an image of the system
files. On all subsequent runs it will compare the
image against the present situation and warn you
if there were any changes. If NBY is attacked
by a virus, it will warn you thereof.
Once installed, you can scan any drive or directory
for viruses as follows:
NBY \*.OVL \*.LIB C:\DEVELOP\*.COM
This would search the entire hard disk for
*.ovl files,
*.lib files as well as any COM files in directory
DEVELOP and below on drive C:
NOW READ ON PLEASE.
FILES:
NBY.EXE the anti-virus program
NBY.CRC Data file containing list for daily check-up
NBY.DOC you're looking at it
NBYUPD.DOC latest info of viruses recognised by NBY.
NBY.UPD NBY Virus signature update file.
This file can be downloaded free of charge from cALMER 1,
the cALMER Utilities Bulletin board on (02) 482-1716,
24 hours. This file is automatically processed by NBY
if found in the same directory as NBY is called from and will
disappear once you have re-run NBY.
NBY.VIR NBY Virus signature file as supplied on master disk.
xxx.SIG NBY Virus signature file where xxx = the name you gave NBY.
This is a hidden file and is not visible with the normal
DOS dir command.
NBY.MSG NOT SUPPLIED ! Generate this ASCII file to instruct
your staff on what to do in case of a
virus attack. Use Autoedit or other
standard ASCII editor to generate the
file.
DEL_VIRUS.BAT This batch file gets generated when NBY finds viruses
in executable files. In that event, you'll have the
option of deleting the files immediately or, at a
later stage. THE ONLY SAFE THING TO DO IS TO DELETE
INFECTED EXECUTABLE FILES !
REGISTER.DOC Registration information
README.!!! Important info not contained in this file
* * * * * * IMPORTANT NOTICE FOR CORPORATE NBY USERS * * * * * * *
* *
* As of Series 116, there has been a major change in one area *
* of the virus detection mechanism providing additional safe- *
* guards against a new breed of viruses which are not detected *
* by standard virus detection. It is imperative that you up- *
* grade ALL installations of NBY on all computers to ensure *
* that they are protected to the fullest. *
* *
* It is strongly recommended that you install NBY with the *
* optional NBY.MSG file installed to maintain complete control *
* of all your computers. *
* *
* Several users reported that staff simply disabled NBY in *
* autoexec.bat after warning bells. Using NBY.MSG files *
* will help you to overcome that problem. *
* *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Features: * Automatically checks all relevant systems areas every
time it is run.
* Direct interface to F A S T - NBY. In conjunction with
F A S T - NBY automatically scans any additions to your
hard disk, even if you forgot to do so yourself.
* Customised messages in case of infection.
* May be installed for Shez file compression utility
* Once a day, checks any given file on any drive as
nominated in a data file.
* Optionally checks any file on hard disk, floppies or
network drive for known viruses.
* Generates a rescue disk in case of catastrophic
attack or failure. (register version only).
* Self protected against viral attack.
* Works on networks. Works under PC DOS, MS DOS, DR DOS,
PC MOS, Unix, OS/2,
Double DOS, 4DOS.
UPGRADE HISTORY:
Version 3.03 Series 126, first release version incorporating virus
signature file.
Version 3.00 ß-copies for new virus signature data file testing.
Version 2.79 The 'Serious Error' message has been changed to:
'ROM MISMATCH ERROR ! PLEASE SUPRESS NBY ROM LOCK VIA CA-STAT'
If it appears when you run NBY for the second time on the
same PC, include 'NONBYROM' in the CA-STAT environment variable.
Registered users can do this by running the cALMER Installation
program and changing the default setup.
Version 2.78 Fixed BUG which generated an error during rescue-disk
generation.
Version 2.77 Interface to F A S T - NBY.
NBY /FAST will grab F A S T - NBY's data files and
automatically check any program which has been modified as
well as any new programs added to your system since the
last running of F A S T - NBY.
This should be used in conjunction with the TODAY program
and take the following format: (See TODAY.DOC)
echo please stand by while scanning system
fastnby /silent
if errorlevel 1 NBY /FAST
Other changes include new viruses and modifications to
self-test.
Version 2.68 to 2.77 were in-house and ß-test versions only;
they were never released to the public.
Version 2.68
Version 2.63 to 2.67 were internal versions only;
they were never released. Version 2.68, Series 123
brings the following changes and problem fixes:
a) Several users reported that NBY complained
about a "Serious Error" immediately when it was
re-run. This was due to reading problems
on certain types of machines. It can now be
suppressed via NONBYROM in CA-Stat.
b) Several Commercial software packages have appeared
on the market which modify the file creation date
of command.com. Naturally, NBY complained. This
can now be allowed via ALLOWCT in CA-Stat.
c) Floppy-based only installations had a problem in
that NBY did not check the boot-sector of the
floppy disks. This has been corrected.
d) Several users requested the ability to bypass the
generation of a rescue disk. This is now possible
if upgrading via NORESCUE in ca-stat.
e) NBY now allows you to print a listing of files
before they are deleted, for easier re-installing
of affected programs.
f) NBY did NOT use the NBY.MSG file when it found
viruses, only when system files got attacked.
It now uses the file in both circumstances.
g) NBY will now test itself if it has been attacked
by a virus so that you know which virus is active
in your system. As there are some viruses which
will attack any file read, NBY only allows
self-testing, i.e. no other files can be tested with
a corrupted or attacked NBY.
Version 2.67 (internal) Self-Test if Attacked
Version 2.66 (internal) Disable ROM Locking
Version 2.65 (internal) NO Rescue Disk generation
Version 2.64 (internal) Additional viruses
Version 2.63 (internal) Boot sector checking on floppies-only systems
Version 2.62 Additional internal (undocumented) safety checks.
Version 2.61 Recognises 1022 and STAF virus
Version 2.60 Removed the Halloechen Virus detection due to errors in
reporting the presence of this virus.
Version 2.59 Added another 44 New Viruses and their substrains to the list
of viruses covered. There has been a huge increase in viral
activities in Australia over the last few weeks and, luckily,
I received copies of most of them. (Wed 06. Jun 1990).
CA-STAT=NOHARD Ability to tell those inferior machines
without any hard disks which report to NBY any figure
between two and 43, that there really is no hard disk
present. You must set this environment variable if NBY
requests you to run NBY from the hard disk during initial
running of the program and you do not have a hard disk.
(Add "set ca-stat=NOHARD" without quotation marks to your
autoexec.bat file).
Version 2.58 TimeOut feature for Sysops:
Running a bulletin board involves, amongst thousands
of hours of slave labour, the exciting task of finding
viruses which people upload onto my computer. (I encourage
people to do so.) The problem was that for the last couple
of days, at 4:00am, I had to get up and hit a key as NBY
complained loudly every time it found a virus. I have
now implemented for NBY to do this automatically in
registered versions via the CA-STAT environment variable:
CA-STAT=SILENCE: A special variable designed for
SYSOPS of Bulletin Boards. This value is effective only in
registered versions of NBY. You specify the times
during which you want virus warnings and any other change
warnings by NBY to be processed automatically. It
takes the following form:
CA-STAT=SILENCE:23:45-06:30-02
Meaning that between 23:45 and 06:30 there will be
a two-second delay, then NBY will answer the questions
for you automatically by hitting a key automatically.
By now you will have noticed that the time must be in
military (24 hour) format; no spaces are allowed !
This feature should only be used by SYSOPs. Naturally,
any other values for CA-STAT remain unaffected.
See CA-STAT.DOC
Version 2.57 Changed Initial Checking mechanism.
Now recognises Toshiba DOS and Mitsubishi DOS
Version 2.56 12 Tricks virus detection modified
Version 2.55 Recognises DiskKiller, Ohio virus
Version 2.54 Recognises 9 additional viruses
Version 2.53
So, I added a feature into NBY whereby
NBY writes a program (batch file) so you can automatically erase
all files containing a virus which have been found anywhere on
the disk. This can be done immediately or at a later stage.
Note: It is IMPERATIVE that you run the "Del_Virus" program to
ensure that ALL programs requiring removal are removed. You
should tell NBY to do it immediately. The batch file will then
start instantly. At the end of the batch file is a command for
the batch file to erase itself. This gets some implementations
of DOS somewhat confused. It does not like the batch program to
erase itself and says "Batch File Missing". Just ignore the
message, the program finished anyway.
Also, to make it easier in a "TODAY" datafile for any given
day of the week, you can now add as many parameters as can
fit on the command line. As an example, you can say:
NBY \*.OVL \*.LIB C:\DEVELOP\*.COM D:\LOTUS\*.EXE D:\LOTUS\*.COM
.... to check for all .ovl files and .lib files, all .com
files on drive C: in directory DEVELOP and so on.
Anyway, 2:30am, (Wed 23. May 1990) the next series (119) is
released, and, hopefully, E_C_46 (RK) is on its way out.
Version 2.52
Late on Tuesday, 22. May 1990, in the afternoon, I received two
virus-infected diskettes with three different viruses on them. The first
had the "Den Zuk" (also called the "Search") virus together
with the "Ohio" virus. Unfortunately, both were residing on
the Boot-sector of the floppy. As I had not seen either of
these two viruses I had hoped that NBY(118) would identify the
"Den Zuk" properly, which it did. I had never seen the "Ohio"
virus, nor did I have any technical information on it, other
than that it was a boot virus. The other disk contained a
virus which was not recognised by any anti-virus programs and,
in an uncontrolled environment, could spread very quickly on a
system or presumably network. Therefore, I put priority on this
virus and wrote the detection algorithm into NBY. After testing
the floppy disk with the new version of NBY which worked, I then
did an entire systems test. And it turned up in quite a few
places to my surprise ! I called it "E_C_46 (RK)" which is an
in-house disk reference number. No need to give these beasts an
exotic name as the Americans do....
Version 2.51 bug fix:
NBY 2.50 produced a run-time error in some
circumstances while processing the CRC file, clobbering that
file. If this has happened to you, there would
have been a back-up file left in the directory,
called nby.bak (or whatever you renamed nby to).
This bug is now fixed after a second attempt !
Version 2.50 After collecting run-time error reports over the past few
months and having found out what causes which error, NBY
now captures most errors and reports on them.
There is now an indicator showing that work is in progress,
Useful when checking rather large files.
When redirecting output to printer or file, output is
also echoed to the screen.
Version 2.32 .. 2.49 in-house implementation versions only. Although
these version numbers exist amongst some users, the changes
implemented in them are only internal re-writes of the
program to make it more efficient, but, from an operator's
point of view, there is no visible difference.
Version 2.32 Recognises 100 Year virus carrier.
Version 2.31 Some whacko has actually gone and patched the Marijuana
Virus, presumably in order to avoid detection. 2.31
recognises (and removes) this version.
Version 2.30 Recognise 12 Tricks virus and Trojan program
By the descriptions given to me, this is the most severe
virus out there yet. However, NBY would have picked up
infestation. It now recognises the virus dropping
programs.
Version 2.29 Recognise Wyse computer anomaly
Version 2.28 Additional information kept in system image
Version 2.27 Some types of AT's showed an intermittent anomaly
of not displaying "system appears to be safe" message.
After weeks of hunting, I finally got one of those
computers and the problem is now fixed.
Version 2.26 Implementation for floppy-disk only computers, i.e.
no hard disks.
Version 2.25 Allow insertion of own messages for operator.
Version 2.24 More informative error-message during initial
installation.
Version 2.19 Now searches subdirectories and boot sector
when scanning programs identified from command line.
Can now be added to latest version of SHEZ for fast
and extensive scanning of files via <Alt-z> in SHEZ.
Now reports viruses by other common names and checks
for several signatures per virus in order to attempt
to detect new strains.
Version 2.19 through 2.23 ß-test releases to attempt to overcome
NEC problems. Getting there but still not 100%.
Version 2.18 Adjusted to overcome DR-DOS bug, additional viruses
covered. Now works under PC DOS, MS DOS, PC-MOS,
DR DOS, Double DOS, OS/2.
Early versions of DR DOS do NOT work with hidden,
read/only CONFIG.SYS and AUTOEXEC.BAT. In that case,
use confedit/autoedit to change. See relevant
documentation.
Version 2.17 Two Additional (undocumented) Safety Checks.
Version 2.16 Renamed NBY.DAT to NBY.CRC to avoid potential conflicts
if NBY run from DOS or Root directories. Thanks to
Chris Halliday for finding/reporting the problem.
It appears that last time I edited this file, a few
paragraphs were stuck in the holding buffer and
never made it back into the intended spot while
others were in the wrong area. The confusion should
now be gone.
Version 2.15 Works under DR DOS
Version 2.14 Check Files nominated from Command line
Version 2.13 Check files contained in data file nby.crc
Version 2.12 Encrypted virus signatures to avoid detection by other
programs.
Version 2.11 More Viruses covered
Version 2.10 Pakistani Virus Detection incorporated
Version 2.09 Copes with SpeedStor Disk Drivers
Version 2.08 1701 Virus Detection incorporated
Version 2.07 Improved self-protection
Version 2.06 Locked Keyboard to force PowerOff after certain virus
detection
Version 2.05 More stringent testing and faster algorithm.
Version 2.04 additional virus detection.
Version 2.03 Antidote against Marijuana virus
Note: My sincere thanks and appreciation to Chris Freeman of
Chisholm Institute of Technology for providing vital information
needed to incorporate latest features.
Version 2.02 Additional (undocumented) Safety Checks and warnings
incorporated.
Version 2.01 Auto-generation of Rescue disk (licensed versions only)
Version 2.00 Self-Protecting version
Version 1.01 works on large DOS partitioned disks and DOS 4.00+.
Version 1.00 did not work with large partitioned disks or DOS 4.00+
GENERAL INFORMATION
Numerous people have requested more information on individual
viruses, some wondering if it is worth getting rid of viruses as some do
not appear to do any apparent damage. Basically, the answer is always
"Yes, it is worth getting rid of them" Even if only for peace of
mind. Most viruses I have received over the past few months attack
one or more of the sections covered with NBY. All of them have been
put on my system by me without backing it up first, other than
running LazyBack first, just in case. In all instances, NBY has
recovered my system. Basically, I have come to the conclusion that
the twirps writing these programs are a lot less clever than they
would like the world to think they are. As I do not want to encourage
potential twirps, I do not provide detailed technical information on
NBY or individual viruses via this medium. Anyone finding a virus on
their system is always welcome to call me during normal hours.
Normal hours does NOT include 2.00 am! (see readme.!!!)
| And now for the sad part: (!)
|
| Computer viruses attacking .exe files should never have been
| possible. You see, every .exe file carries a checksum with it which
| gets calculated by the linker at time of linking the program. The
| idea was that DOS, when loading an exe file would first check the
| values against the check-sum and refuse to run if there was a
| discrepancy. Alas, from DOS 1.00 to current versions, DOS has never
| bothered to check, at least none of the versions of DOS that have
| ever been released to the public. Naturally, since DOS ignores it,
| some third-party linkers ignore the check-sum too which makes it just
| about impossible to implement the feature now. Thus, any anti-virus
| software checking the check-sum, which would be as easy as ABC, has no
| chance of detecting illegal changes to programs.....
SPECIAL FEATURES:
The registered version automatically restores the system if found to be
corrupted, and generates a floppy rescue disk.
SPECIAL REQUIREMENTS:
* NBY needs ~ 120K of hard disk space on its first run.
* Your Config.sys must contain the statement
Files = 20 (or higher)
Note: NBY does NOT check or alter config.sys !
****** If you are booting from a floppy after detecting
problems, make sure that the floppy disk contains config.sys
with the files = 20 included !
Note: THE RESCUE DISK GENERATED BY NBY CONTAINS CONFIG.SYS.
Use CONFEDIT.EXE to edit your config.sys file.
* NBY can not operate on a Read-Only Hard disk drive if that drive is also
the boot-drive.
* REGISTERED VERSION: NBY requires a formatted, systemised low-density
floppy disk. If you are using extended disk drivers in your
config.sys, you MUST modify the file config.sys on the rescue
disk to contain the relevant driver also. You should, for
safety's sake, copy the relevant device drivers onto your floppy
disk as well.
GENERAL NOTES ABOUT NBY:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! !
! !
! ONCE YOU HAVE RUN NBY ON YOUR COMPUTER, YOU CAN NOT, REPEAT !
! =========================================================== !
! !
! !
! !
! NOT, COPY THAT PROGRAM AND RUN IT ON ANOTHER COMPUTER. IF !
! =========================================================== !
! !
! !
! !
! YOU DO THIS, IT WILL TELL YOU THAT THE SYSTEM MAY HAVE BEEN !
! =========================================================== !
! !
! !
! !
! DAMAGED. If you attempt to do that, NBY will tell you that you !
! ======== made a SERIOUS ERROR ! !
! !
! !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
NBY caters for a wide range of non-standard disk drivers,
alas, not all of them. If your driver is not recognised,
NBY will say "disk is not bootable" and fail to proceed.
In that case, you should do the following:
Keep NBY in your autoexec.bat. As it is protected against
virus attack, you can assume that if it runs in any form,
your computer is not the victim of any parasitic virus,
i.e. a virus which attacks executable files. Contact the
author BY MAIL and supply the following:
a) A fully formatted and systemised diskette
Use the DOS "format /s" command (see below)
b) A copy of SIPLUS printout or report file.
"SIPLUS >SIPLUS.INF" will generate a report
file called SIPLUS.INF
c) Copies of AUTOEXEC.BAT and CONFIG.SYS
d) Your master disk of the utilities.
e) Description of the hardware, i.e. brand name
etc.
NBY does NOT suppress any run-time errors. Under normal
circumstances, there are no errors. If an error (abortive)
occurs, something is wrong with your system or there are
disk drivers installed which do not adhere to standard
practices. Due to the nature in which NBY works, I have
decided to let run-time errors through rather than trapping
them. It is the only way I can ensure that I get to know
about them.
Please inform the author of the error-number and
error-address given and possibly the history that led
to the event.
A printout of Siplus's reports would assist greatly.
See SIPLUS for electronic addresses or send in mail please.
The only error-numbers I'm NOT interested in are:
# 4 (files = 20 missing in config.sys)
# 102 (most likely disk FULL)
# 150 (disk write-protected)
# 152 (drive not ready: most likely hard-ware error if
it occurs on a hard disk)
HOW TO RUN NBY:
To evade viral injection to NBY itself, you must first
rename NBY.EXE to another name. This is so that those pea-brains
out there can't simply look for NBY.EXE and screw it up. The
program could not care less what name it is, as long as it ends
in '.exe'. As of version 2.13, you must also rename the
nby.crc file to the same name.
The easiest way to do this is as follows: From the DOS command
line key in:
copy nby.* myname.*<Enter> ; whatever name you
; choose.
myname<Enter> ; and run the
; program.
If upgrading from an earlier version, use the same name as
you had before. This way you do not need to change your
autoexec.bat file.
NBY BEHAVES DIFFERENTLY WHEN BEING RUN THE FIRST TIME AS
OPPOSED TO ANY OTHER TIME.
FIRST TIME RUNNING:
The first time you run it, you must be logged onto your boot drive. This
is generally drive C:, after that it can be run from any disk.
If you damned well know that the drive you are logged onto
is the boot drive and NBY tells you that the disk is not
bootable, you should stop cursing me and, when you calmed
down, get in touch with me.
REGISTERED VERSION: You must have a 360K or 720K formatted and systemised
disk ready. An image of your system will be copied to the
floppy for later rescue services. Follow screen
instructions.
THAT DISK MUST BE PRODUCED (I.E. FORMATTED & SYSTEMISED) ON
THE COMPUTER IT IS GOING TO BE USED ON. THIS MEANS THAT
YOU CAN NOT PRODUCE A BATCH OF SYSTEMISED, FORMATTED DISKS
ON ONE COMPUTER AND THEN USE THEM ON DIFFERENT ONES. NBY
ATTEMPTS TO DETECT YOUR ATTEMPTS TO CHEAT BUT CAN NOT ALWAYS
GUARANTEE SUCCESS. AS THE RESCUE DISK WILL CONTAIN VITAL
INFORMATION USED TO RESTORE YOUR SYSTEM AFTER A POSSIBLE
FAILURE, IT IS I M P E R A T I V E THAT YOU FOLLOW THE
INSTRUCTIONS PRECISELY.
Use the CALMER installation program to format and systemise
the rescue disk if you are unsure how to go about it.
You can not run NBY from a network drive the first time you
run it. If the station is purely a terminal without hard
disk, there is no point in running / installing NBY. If
you have a hard disk on the terminal, you MUST SET THE
TERMINAL INTO LOCAL MODE before performing initial installation
of NBY.
CHECKING SYSTEMS FILES
NBY is not a TSR program (terminate and stay resident).
Therefore, to check the system you must run it. Put it in your
AUTOEXEC.BAT file so that the system is being checked every time
you start the computer.
Run it after you have run another program which you suspect.
The first time every day you run NBY, it will do a systems
check as well as check all files nominated in NBY.crc. As
supplied, NBY.crc contains:
c:\config.sys
c:\autoexec.bat
c:\calmer\tct.com
c:\calmer\tctoff.com
c:\calmer\tcton.com
c:\calmer\emptykbd.com
c:\calmer\screen.com
c:\calmer\tct.com
c:\calmer\formfeed.com
c:\calmer\prinfool.com
c:\calmer\move.com
c:\calmer\cursor.com
c:\calmer\nocursor.com
As viruses become cleverer, they become harder to detect.
One specific virus for example will attack all command
files but leave command.com alone. It is therefore a good
idea to leave a few commonly used ".com" files in the above list.
You can add as many file names as you wish to this file.
Note: No wildcards are allowed in this file. Full path
name must be supplied. A CRC number gets calculated and
written against each file, thus no wildcards. All Calmer
Utilities *.exe programs automatically check themselves for
viral tampering, so there is no need to include them.
From DOS, key in "autoedit nby.crc<Enter>" to change that
file. Naturally, "nby.crc" should be changed to whatever
name you decided on.
Once NBY has run, the data file will contain a CRC number
against every file name. If adding new files, leave the
CRC numbers alone.
If a program in the list of files has been attacked by a
virus, the data file will contain a note against the
file.
IF YOU WISH TO CHECK THE FILES IN THE LIST MORE THAN ONCE
A DAY, use the following:
nby /DoIt<Enter>. This will check the system and the
files in the data file.
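As an added example (not part of the NBY package), the Python script below reproduces the daily check-up described above: it reads an NBY.CRC-style list of full paths, records a CRC against each file on the first run, and on later runs compares every file with its stored CRC and writes a note against any file that has changed. The data-file layout (path, hex CRC, optional note) and the sample files are assumptions; NBY's own layout is not given here.

```python
"""Integrity check in the style of NBY's daily check-up: the first run
records a CRC against every file listed in the data file, later runs
compare each file against its stored CRC and write a note against any
file that has changed."""
import os
import tempfile
import zlib

# Constructed data file in the spirit of NBY.CRC. The layout is assumed
# (one full path per line, then the stored CRC in hex, then an optional
# note); the real NBY.CRC layout is not documented on this page.
SAMPLE_LIST = """\
config.sys
autoexec.bat
calmer\\tct.com
"""


def crc_of_file(path):
    """CRC-32 of a file, streamed so large files need not fit in memory."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def parse_crc_list(text):
    """Read the data file into entries of path, stored CRC (or None) and note."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        entry = {"path": parts[0], "crc": None, "note": ""}
        if len(parts) > 1:
            entry["crc"] = int(parts[1], 16)
            entry["note"] = " ".join(parts[2:])
        entries.append(entry)
    return entries


def format_crc_list(entries):
    """Write entries back in the same layout; a new file has no CRC yet."""
    lines = []
    for e in entries:
        line = e["path"]
        if e["crc"] is not None:
            line += " %08X" % e["crc"]
            if e["note"]:
                line += " " + e["note"]
        lines.append(line)
    return "\n".join(lines) + "\n"


def check_files(entries, base_dir):
    """Compare every entry with the file on disk and update entries in place
    the way NBY updates its data file: a NEW file gets its CRC recorded, a
    CHANGED file keeps the old CRC and gets a note written against it.
    Returns {path: status} with status NEW, OK, CHANGED, MISSING or INVALID."""
    report = {}
    for e in entries:
        if "*" in e["path"] or "?" in e["path"]:
            report[e["path"]] = "INVALID"  # no wildcards: one CRC per file
            continue
        full = os.path.join(base_dir, e["path"].replace("\\", os.sep))
        if not os.path.isfile(full):
            report[e["path"]] = "MISSING"
            continue
        actual = crc_of_file(full)
        if e["crc"] is None:
            e["crc"] = actual
            report[e["path"]] = "NEW"
        elif actual == e["crc"]:
            report[e["path"]] = "OK"
        else:
            e["note"] = "*** CHANGED - possible virus ***"
            report[e["path"]] = "CHANGED"
    return report


def run_demo():
    """Take a baseline in a throwaway directory, tamper with one .com file
    as a parasitic virus would, and re-check. Returns (first report,
    second report, data file text after the second run)."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "calmer"))
        samples = {  # constructed stand-ins for the files NBY.CRC lists
            "config.sys": b"FILES=20\r\n",
            "autoexec.bat": b"@echo off\r\nnby\r\n",
            os.path.join("calmer", "tct.com"): b"\xb8\x00\x4c\xcd\x21",
        }
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        entries = parse_crc_list(SAMPLE_LIST)
        first = check_files(entries, tmp)
        with open(os.path.join(tmp, "calmer", "tct.com"), "ab") as fh:
            fh.write(b"\x90" * 16)  # simulated infection: code appended
        # Re-read the data file exactly as the next day's run would.
        entries = parse_crc_list(format_crc_list(entries))
        second = check_files(entries, tmp)
        return first, second, format_crc_list(entries)


if __name__ == "__main__":
    for report in run_demo()[:2]:
        for path, status in report.items():
            print("%-20s %s" % (path, status))
```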
CHECKING OTHER FILES
NBY will check any file you wish for known viruses.
If you receive a floppy disk which you suspect, you
should do the following:
Bootpast<Enter> ; make floppy bootable and eliminate
; any possible virus on boot sector.
NBY a:*.* ; check all files on drive a: (Again,
; NBY is changed to whatever name you
; choose);
Note: NBY accepts wild-cards in this mode and will scan
all subdirectories following the starting directory.
NBY A: scans all files on a:
NBY A:\UTIL scans all files on a: in util
directory or, if a file
called util exists, scans
that one.
NBY A:\*.EXE checks all exe files on A
See 'MONDAY.DAT' for a sample
on how to use this on a
weekly basis.
| SYSTEMS WITHOUT HARD DISKS:
|
| If you use NBY on a floppy-only computer, you will only be able
| to perform scanning of other floppies with it. I.e., it will
| not generate a rescue disk for you nor will it take a systems
| image and compare it every time you run the program.
|
UPGRADING DOS OR SYSTEM:
Now and then, you'll upgrade your system or reformat your hard
disk for some reason or other. Naturally, the next time you run
NBY, it will warn you of a change having taken place. Simply
copy NBY.EXE to the filename you use normally and rerun it. NBY
will then go ahead and gather the new systems information.
IN THE EVENT OF FAILURE:
NBY does NOT trap any error codes, as mentioned
above. If you do get a 'RUNTIME ERROR', the only certain thing is
that something is wrong. In that instance you will have to rely
on technical information, and as luck has it, I do not provide
that. Follow these instructions: If near a phone and if during
reasonable hours (9.00am to 9.00pm Sydney time) ring me NOW. If
not near phone or no answer on +61-02-476-2252, take note of
error number and what directory you were in, and call me later.
(The reason why the run-time errors are not trapped is that I
want to know every conceivable problem viruses could cause in
order to upgrade NBY.)
Your computer can fail for a myriad of reasons. The first thing to keep in
mind in the event of failure is NOT TO PANIC ! Most users have a
tendency to do a low level format. This is understandable but
totally unnecessary in any virus infestation case. Keep in mind
that a virus will only reside in a given area on your disk, not
all over it. After all, some viruses, like the Marijuana virus,
remove drive D, E etc, and all you have left is Drive C plus
floppies.
It is therefore IMPERATIVE that you adhere to the following rules:
KEEP YOUR MAIN UTILITIES ON DRIVE C
KEEP YOUR DOS AND SYSTEMS FILES ON DRIVE C
KEEP YOUR DOS AND SYSTEMS FILES ON A FLOPPY TOO !!!!
i.e., any files mentioned in config.sys should reside on drive C,
command.com should be on drive C etc., everything should be
backed up on bootable floppies....
Extended device drivers which set-up drives D etc generally DO NOT ADHERE
TO STANDARD practices. Therefore, generic disk utilities can not
interpret the information correctly unless that driver is also
on the floppy.
Run SIPLUS from Drive C. If the partition table contains any 'unknown's,
chances are that recovery will not be possible with standard
utilities if the need arises.
IF DISK DOES NOT BOOT AFTER RESTORING VIA RESCUE DISK:
Under certain circumstances it could be possible that the hard disk will
"hang" after restoration and NBY will tell you that the system
appears to be safe. This could be the case for instance if you
had more than one virus nibbling around. In that event, put your
DOS utilities disk in Drive A, log onto drive A and give the
command "SYS C:". This will attempt to restore the systems
files. If the message "System transferred" appears, you should
be okay. On the other hand, if the message "No Room for systems
files" appears, you have two choices: a) Back-up your entire
hard disk, then re-format it, or, b), give me a call and I will
try to guide you through... (No promises of success though)
TROUBLE:
When NBY detects any tampering with your system files, it will
warn you thereof. Normally, this is the time to start to panic.
As a licensed user, there is no need to worry, but a
non-registered user will have to restore the system manually. In
that case, NBY has no control over what event took place. NBY
assumes that the next time you run NBY is once again the first
time. It will re-read the system status and check the
information against that data from then on. Registered users can
simply follow the screen, answer yes to "do you want automatic
recovery" and go on with their lives. 2 minutes and your system
is as it was before.
INSERTING CUSTOMISED MESSAGES FOR OPERATORS:
Corporations with unlimited registration have two inherent problems
after a virus attack:
a) The operator will not know what to do when the alarm goes off
b) The operator will not necessarily have access to the rescue disk
To overcome these problems, I have implemented the ability to
display customised messages in case of attacks. This system
is only available for registered users:
Create a file called "NBY.MSG". Naturally, rename it to whatever
you have renamed NBY to. The file must reside in the same
directory as the program is in. If the file is not present,
normal NBY messages and directives will appear. DO NOT COPY
THIS FILE ONTO YOUR RESCUE DISK AS IT INHIBITS AUTOMATIC
RECOVERY !
This file can be as long as you like, there will be a pause
after every screen full. The last screen should be 2 lines
shorter since NBY displays its own message at the end. The
file must be a standard ASCII file (use Autoedit to generate
it).
If the last line in the file contains the word "lock", the
computer will be locked and must be reset with a hardware
reset.
Sample NBY.MSG:
:: ::
:: Your computer has been infected by a virus. ::
:: ::
:: Please call ::
:: ::
:: Joe Blow ::
:: Systems Support Analyst ::
:: Internal Phone Number 1234 ::
:: ::
:: Or ::
:: ::
:: Sandy Fly ::
:: MIS Manager ::
:: Internal Phone Number 4321 ::
:: ::
:: ::
:: DO NOT SWITCH YOUR COMPUTER OFF, WAIT FOR FURTHER INSTRUCTIONS ::
:: ::
:: this computer is now locked up ! ::
NBY should be run from the autoexec.bat file. I recently
heard of a user with about 100 computers, all of them
protected by NBY. The other day, NBY found a virus and
made a lot of noise which upset some people. Therefore,
in the MIS manager's absence, some clever user sent an
inter-office memo to all staff to remove NBY from the
autoexec.bat file for the time being, until the problem is
fixed and it no longer screams.
Moral of the story:
When NBY screams, there's a reason. If you don't
understand what it is, call someone who does. But,
whatever you do, do NOT ignore it or bypass it.
NBY CAN NOT COPE WITH:
NEC Large disk partition
If you happen to run under a NEC extended disk manager for
large NEC disks on PowerMates, sorry, both SIPLUS and NBY
do not run on them. No idea why. One day, I'll get my
hands on one of them for a couple of hours and may be able
to fix it. Solution: Use standard DOS partitioning of
your hard disk. (It is the extended disk driver that
causes the problem!) Run PARTDISK and select AUTO instead
of LARGE. DO NOT DO THIS WITHOUT HAVING A COMPLETE BACKUP
OF YOUR ENTIRE DISK AS YOU WILL LOSE ALL INFORMATION !!!!
COMMON VIRUS INFORMATION:
MARIJUANA VIRUS: This virus takes over the boot-sector, partition table &
root directory and controls all disk reads and disk writes. It
does this before you have a chance to load any detection
software. It is transferred to your system when you attempt to
boot the computer from an infested floppy disk. Once it is on
your system, all floppies will be infested. You'll lose hard disk
drives above C if you have the virus on your hard disk. It also
grabs 2K of memory. Registered NBY will guide you through step
by step in case of infestation.
Marijuana Virus Location: The virus resides in the Partition Table.
(Absolute Sector 1). A Good copy of the Partition table resides
in Absolute Sector 7. After secondary infestation, the virus will
also reside in the Boot Record (Sector 0). A good copy of the
boot record resides in the root directory.
PAKISTANI VIRUS: (The version I have was written in 1986.) Operation:
Similar to the Marijuana virus, it takes over the boot sector,
disk reads and writes. Infected disks have a VOLUME ID of "(c)
Brain". When the virus is active, it intercepts disk I/O
requests to read the boot sector so that it returns the correct
information, thus you may not necessarily find the virus. (This
info is kept in 3 sectors which are marked as bad sectors on your
disk. If you change the volume name to something else, it will
re-infest the system and take a further 3 sectors. (What a
bloody stupid virus, hey?)) Any disk-related command will
activate the virus, i.e. a "dir" command on a floppy will also
put the virus there. It does not appear to attack 1.2M floppies.
It grabs 7K of memory to operate in. The registered NBY will
eradicate the PAKISTANI virus when you boot off the rescue disk.
Due to this virus' behaviour, NBY checks for its presence only
AFTER generating the rescue disk. Follow NBY's screen
instructions if necessary.
NBY does NOT recover the 3 sectors marked as BAD which
contain the information for the PAKISTANI virus. However,
no harm is done to your system by having these sectors
there.
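The two indicators the document names for the Pakistani virus, the "(c) Brain" volume label and the sectors marked bad, can both be read straight out of a FAT12 floppy image. The scanner below is an added example, not NBY's own code or method; it assumes a FAT12 layout (BIOS Parameter Block in the boot sector, volume label as a root-directory entry with the volume-ID attribute, bad clusters marked 0xFF7 in the FAT) and builds a small constructed 16-sector image for illustration. Because the document says the active virus lies about the boot sector, the check is meaningful only on an image taken after booting from a clean disk:

```python
# Added example (not part of NBY): look for the Brain indicators the doc names
# in a FAT12 floppy image. The tiny image built below is constructed; real
# floppies have many more sectors but the same on-disk structures.
import struct

FAT12_BAD = 0xFF7       # FAT12 "bad cluster" marker
ATTR_VOLUME_ID = 0x08   # root-directory attribute of the volume label entry
ATTR_LFN = 0x0F         # long-file-name pseudo entries also carry the label bit


def fat12_get(fat, n):
    """Read 12-bit FAT entry n (entries are packed 1.5 bytes each)."""
    off = n + n // 2
    v = fat[off] | (fat[off + 1] << 8)
    return (v >> 4) & 0xFFF if n & 1 else v & 0xFFF


def fat12_set(fat, n, val):
    """Write 12-bit FAT entry n; used only to build the constructed sample."""
    off = n + n // 2
    if n & 1:
        fat[off] = (fat[off] & 0x0F) | ((val << 4) & 0xF0)
        fat[off + 1] = (val >> 4) & 0xFF
    else:
        fat[off] = val & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((val >> 8) & 0x0F)


def bpb(image):
    """Unpack the BIOS Parameter Block fields needed to locate FAT and root dir."""
    fields = struct.unpack_from("<HBHBHHBH", image, 0x0B)
    return dict(zip(("bps", "spc", "reserved", "nfats", "root_entries",
                     "total", "media", "spf"), fields))


def scan_floppy(image):
    """Return the volume label, the bad-cluster list, and a Brain verdict."""
    p = bpb(image)
    fat_start = p["reserved"] * p["bps"]
    fat = image[fat_start:fat_start + p["spf"] * p["bps"]]
    root_sector = p["reserved"] + p["nfats"] * p["spf"]
    root_sectors = (p["root_entries"] * 32 + p["bps"] - 1) // p["bps"]
    n_clusters = (p["total"] - root_sector - root_sectors) // p["spc"]

    label = None
    root_start = root_sector * p["bps"]
    for i in range(p["root_entries"]):
        e = image[root_start + 32 * i:root_start + 32 * i + 32]
        if e[0] == 0x00:          # end of directory
            break
        if e[0] == 0xE5:          # deleted entry
            continue
        if (e[11] & ATTR_LFN) != ATTR_LFN and e[11] & ATTR_VOLUME_ID:
            label = e[:11].decode("ascii", "replace").rstrip()
            break

    # Data clusters start at 2; anything marked 0xFF7 is "bad" as far as DOS knows.
    bad = [c for c in range(2, 2 + n_clusters) if fat12_get(fat, c) == FAT12_BAD]
    brain = label == "(c) Brain"
    return {"label": label, "bad_clusters": bad, "brain_label": brain,
            "suspicious": brain and len(bad) > 0}


def build_sample_image(infected):
    """Constructed 16-sector FAT12 image: 512-byte sectors, 1 reserved sector,
    one 1-sector FAT, 16 root entries. infected=True plants the Brain indicators."""
    bps, total = 512, 16
    img = bytearray(bps * total)
    img[0:3] = b"\xEB\x3C\x90"
    struct.pack_into("<HBHBHHBH", img, 0x0B, bps, 1, 1, 1, 16, total, 0xF0, 1)
    img[510], img[511] = 0x55, 0xAA
    fat = bytearray(bps)
    fat[0:3] = b"\xF0\xFF\xFF"            # media byte and reserved entries
    root = bytearray(16 * 32)
    root[0:11] = b"(c) Brain  " if infected else b"MYDISK     "
    root[11] = ATTR_VOLUME_ID
    if infected:
        for c in (3, 4, 5):               # the doc's "3 sectors marked as bad"
            fat12_set(fat, c, FAT12_BAD)
    img[bps:2 * bps] = fat
    img[2 * bps:2 * bps + len(root)] = root
    return bytes(img)


if __name__ == "__main__":
    for state in (False, True):
        print("infected" if state else "clean", scan_floppy(build_sample_image(state)))
```

A clean floppy can legitimately carry a few bad clusters, so the verdict here requires both indicators together; the bad-cluster count on its own is just something to note, which matches the document's remark that leaving those sectors marked bad does no harm.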
OTHER VIRUSES:
See below on general virus operation information. If you
receive a disk and/or program you suspect to be a virus
carrier or a Trojan and are not sure about it, do the
following:
* Make a disk-copy of the disk (The virus can not spread this
way, as long as you did not attempt to boot off the disk or
run a program on it.) Mark the original and the copy disk
clearly as being suspect. Send the copy to cALMER Utilities
including info on how you obtained it. (This info will be
treated confidentially).
* Inspect the disk by running SIPLUS on it. It will give
you warnings if it carries known viruses, "unknown"s if
* Treat the original disk with Bootpast to avoid accidental
infestation of your system.
* Run NBY a:\*.* to check all files.
D I S C L A I M E R
cALMER Utilities hereby disclaims all warranties relating to this
software, whether express or implied, including without limitation any
implied warranties of merchantability or fitness for a particular purpose.
cALMER Utilities will not be liable for any special, incidental,
consequential, indirect or similar damages due to loss of data or any
other reason, even if cALMER Utilities or an agent of cALMER Utilities has
been advised of the possibility of such damages. In no event shall cALMER
Utilities' liability for any damages ever exceed the price paid for the
license to use the software, regardless of the form of the claim. The
person using the software bears all risk as to the quality and performance
of the software.
.end of document nby.doc