Front Panel:
The Toolkit Front Panel consists of six buttons which provide quick access to the main functions of the Toolkit. The top three buttons scan drives A, B and C for known viruses using FindVirus. The "Check for changes" button runs ViVerify to check for changes to files which may be caused by unknown viruses. The Virus Encyclopaedia button gives access to an up-to-date database of the viruses which the Toolkit detects. The Exit button closes down the Toolkit.
File Menu:
Load Configuration
Save Configuration
Shred
Exit
Load Configuration:
The Toolkit can store any options and parameters that you have chosen in a configuration file. You can have more than one configuration file, but the Toolkit automatically loads the file TOOLKIT.INI when it starts up.
"Load Configuration" reads the settings from a configuration file into the Toolkit. Configuration files can be generated using the Save Configuration option.
Load Configuration can be found under the File Menu.
Save Configuration:
Saves the current Toolkit settings in a configuration file so that they can be loaded again later. Configuration files usually have the extension .INI, and the Toolkit will automatically load the file TOOLKIT.INI when it starts up. If you wish to change the default settings of the Toolkit, you should save your settings in a file with this name.
A previously saved configuration can be reloaded using the Load Configuration option. Reloading TOOLKIT.INI cancels any changes to the Toolkit settings you may have made since running it.
Save Configuration can be found under the File Menu.
Shred:
Shred overwrites a file four times with a series of characters, and then deletes it. This ensures that the original contents of the file are not retrievable. Deleting a file without using Shred means that the file could be undeleted and the contents of the file recovered.
When FindVirus repairs a file infected with a virus, or deletes a file infected with a virus, it overwrites the virus first. Shred is provided in case you want to do this yourself.
Shred can be found under the File Menu.
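The following is an added example of the Shred procedure described above. It is not the Toolkit's own code: the page only says that the file is overwritten "with a series of characters", so the four byte patterns used here are an assumption, as is the sample file content it is run on.

```python
"""Shred, as an added example (not the Toolkit's own code): overwrite every
byte of a file several times with different patterns, force each pass to the
medium, then delete it.  The four patterns are an assumption; the page only
says 'a series of characters'."""
import os

PASS_PATTERNS = (b"\x00", b"\xff", b"\x55", b"\xaa")   # assumed: four passes


def overwrite_in_place(path: str, patterns=PASS_PATTERNS,
                       chunk: int = 64 * 1024) -> int:
    """Overwrite the file once per pattern without truncating it, so the same
    on-disk allocation is rewritten (r+b).  Returns the file size in bytes."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pattern in patterns:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())   # each pass must reach the disk, not just the cache
    return size


def shred(path: str) -> int:
    """Overwrite, then delete.  A plain delete only removes the directory entry
    and leaves the file's clusters readable by an undelete tool."""
    size = overwrite_in_place(path)
    os.remove(path)
    return size


def still_contains(path: str, needle: bytes) -> bool:
    """Read the file back and report whether the original bytes survive."""
    with open(path, "rb") as fh:
        return needle in fh.read()


if __name__ == "__main__":
    import tempfile
    fd, tmp = tempfile.mkstemp(suffix=".TXT")
    os.close(fd)
    with open(tmp, "wb") as fh:
        fh.write(b"TOP SECRET payroll figures " * 2000)   # constructed sample content
    overwrite_in_place(tmp)
    print("secret still readable:", still_contains(tmp, b"TOP SECRET"))
    print("bytes shredded:", shred(tmp), "- file exists:", os.path.exists(tmp))
```

This in-place overwrite is sufficient on the DOS FAT volumes the Toolkit targets, where a file's clusters are rewritten where they lie. On journaling or copy-on-write filesystems, and on flash media with wear levelling, a rewrite may be placed in fresh blocks while the old ones survive, so overwriting a single file gives no such guarantee there.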
Exit:
Exits from the Toolkit. Any changes to the Toolkit settings you have made will be lost, unless you do a Save Configuration first.
Exit can be found under the File Menu.
Scan Menu:
Find Known Virus
Check for changes
Check Memory
Certify
Find Known Virus:
"Find known virus" runs FindVirus, which is used to check for known viruses. It can be used to check incoming files and diskettes on a Sheepdip computer and is also used as part of a clean-up operation to repair files.
FindVirus knows how to find existing viruses and, if upgraded regularly, it can be used for routinely scanning the hard disk. It is extremely fast, and so suitable for being used every day.
VirusGuard is a TSR version of FindVirus which scans files for viruses as they are executed. A Test file can be prepared to simulate the effect of a virus on the programs.
FindVirus can be executed by pressing one of the buttons on the Front Panel or by selecting "Find known virus" under the Scan Menu. The menu option gives access to the Options and Advanced Options dialogs.
To detect the activity of new viruses, use ViVerify or its TSR equivalent, Certify.
Find Known Virus - Options:
Allows the options for FindVirus to be changed.
Report to file: Selecting this box causes FindVirus to generate a report in a file called FINDVIRU.REP. The name of this file can be changed from the Advanced Options dialog.
Report to printer: Selecting this box causes FindVirus to echo its output to the printer.
Drives: Select the drives you wish to have scanned for viruses. Re-select a highlighted drive to de-select that drive.
Local: Selects all local fixed drives.
Network: Selects all network drives.
Clear: De-selects all selected drives.
Multiple floppy disks: Selecting this box allows FindVirus (DOS) to process multiple floppy disks by pressing a key after each new disk is inserted.
Advanced: Accesses the Advanced Options dialog.
See also: Using dialogs from the keyboard; Scan Menu
Find Known Virus - Advanced Options:
Allows infrequently used options for FindVirus to be changed. The "Back" button returns to the Options dialog.
What to Check:
Executable files: FindVirus always scans executable files unless it is told not to.
Data files also: FindVirus can scan data files in addition to executables. This is only usually necessary if you are dealing with an outbreak of a virus - there is no need to do this in a routine scan.
Boot sector: Network drives do not have a boot sector. FindVirus cannot detect all networks, so this scan should be disabled if problems are experienced.
Partition: A few drives do not have a partition sector. FindVirus should handle this, but just in case, the partition scan can be disabled. Partition scans are only performed if Boot scans are enabled.
Check for mutants: FindVirus searches for unique sequences of bytes in each scanned file. Selecting "Check for mutants" allows for subtle changes in the normal signature of a virus in case the virus is slightly corrupted. Selecting this option can lead to a slight increase in false alarms.
Subdirectory: You can tell FindVirus to just check one subdirectory (and any subdirectories below it).
Output options:
Show EICAR identifiers: EICAR identifiers are a standard method of labelling viruses. Most viruses are known by several different names, which can make identification difficult. EICAR identifiers are much less ambiguous.
Beep on each virus: FindVirus will beep at the end of a scan if it finds a virus. Selecting this option causes it to beep each time a virus is found.
Network message on virus: This option causes FindVirus to send a Novell network message when it finds a virus. The destination and content of the message can be chosen in the Network Options dialog.
Report: The default report file is FINDVIRU.REP. You can choose a different filename.
Command Line/Additional options:
Additional options which are not covered by the FindVirus dialogs can be entered here. In the DOS version of the Toolkit, the command line also contains the arguments which would be required to run FindVirus from the DOS prompt with the same options as selected in the dialogs.
See also: Using dialogs from the keyboard
Check for changes:
"Check for changes" runs ViVerify, which is used to detect changes to files. It calculates a fingerprint (or checksum) for every file in its file list and compares them with a file of previously calculated fingerprints, warning of any differences.
A virus must attach itself to executable code in order to ensure that it is run and can thus copy itself further. Therefore, it must change executable code stored on disk, such as the boot or partition sector code, device drivers, .COM, .EXE or overlay files.
Unlike FindVirus, which scans for specific viruses, ViVerify is checking for modifications to files that should not be modified. As a result, it does not need constant upgrading to keep up with new viruses.
Certify is a TSR version of ViVerify which uses a quicker, and slightly less secure, checksum algorithm to test files for integrity as they are executed.
ViVerify can be executed by pressing the "Check for changes" button on the Front Panel or by selecting the same option under the Scan Menu. The menu option gives access to the Options and Advanced Options dialogs.
Check for changes - Options:
Allows the options for ViVerify to be changed.
Report to file: Selecting this box causes ViVerify to generate a report in a file called VIVERIFY.REP. The name of this file can be changed from the Advanced Options dialog.
Report to printer: Selecting this box causes ViVerify to echo its output to the printer.
Create file list: This is the first stage in creating a file of fingerprints. After the file list is created, it can be edited to exclude files from the fingerprinting process.
Compute fingerprints: This generates a fingerprint file with entries for every file in the file list. The algorithm used to generate these fingerprints can be changed in the advanced options dialog.
Verify fingerprints: This is the option that should be run every day. It recomputes the fingerprints for files and checks them against those stored in the fingerprint file.
Drives: Select the drives you wish to have scanned for executables and/or checksummed. Re-select a highlighted drive to de-select that drive.
Local: Selects all local fixed drives.
Network: Selects all network drives.
Clear: De-selects all selected drives.
Keyword: This word is used to create a fingerprint algorithm that is unique to you, and is different from that used by anyone else, so that a virus author cannot tailor a virus to leave your fingerprints unchanged. Keep the keyword secret, and use the same keyword when computing and when verifying fingerprints.
See also: Using dialogs from the keyboard; Scan Menu
Check for changes - Advanced Options:
Allows infrequently used options for ViVerify to be changed. The "Back" button returns to the Options dialog.
What to check:
Boot sector: Network drives do not have a boot sector. ViVerify cannot detect all networks, so this scan should be disabled if problems are experienced.
Partition: A few drives do not have a partition sector. ViVerify should handle this, but just in case, the partition scan can be disabled. Partition scans are only performed if Boot scans are enabled.
Check list: The list of files generated by ViVerify is called FILES.VVL by default. You can choose a different filename.
Exclude list: Instead of deleting files from the file list, it is possible to specify a file containing a list of up to 50 files to exclude from the file list. By default, this is called EXCLUDE.VVX, but a different name can be chosen. Filenames in the exclude file which do not have a pathname will be excluded wherever they occur on the drive. Files which are known to change should be excluded: for example, if you are developing a program and compile it repeatedly to an executable file.
Fingerprints: The fingerprints are normally kept in a file called FINGERP.VVF. You can choose a different file name.
Output options:
Beep on each change: Selecting this option causes ViVerify to beep every time it finds a change. Usually, ViVerify does not beep.
Report: The default report file is VIVERIFY.REP. You can choose a different filename.
Algorithm: ViVerify provides a choice of algorithms which provide a varying balance between security and speed. This section allows you to choose the algorithm that best suits your needs.
Command Line/Additional options:
Additional options which are not covered by the ViVerify dialogs can be entered here. In the DOS version of the Toolkit, the command line also contains the arguments which would be required to run ViVerify from the DOS prompt with the same options as selected in the dialogs.
See also: Using dialogs from the keyboard
ViVerify Algorithms:
ViVerify has four main algorithms which can be chosen from the Advanced Options dialog:
1. Sizes: extremely fast, but there are a few viruses that leave the file size unchanged after infection. This option gives you speed, but at the expense of losing some security.
2. Checksum: the next fastest, and probably secure enough for most applications.
3. CCITT CRC: not much slower than checksum. It uses a CCITT standard algorithm and is very secure, sufficient for all but the most stringent requirements. Note that a checksum or CRC is not a cryptographic hash: anyone who knows the exact algorithm can adjust a few bytes of a file so that its value is preserved, so the secrecy of your Keyword is what protects these two options.
4. DES (Data Encryption Standard): extremely slow, and should only be used by people whose company rules require them to use it.
The Checksum, CCITT and DES algorithms can be speeded up using the following options:
Turbo mode: Checksums only the first and last 4 kb of each file. This means that very large files do not take a very long time to process, without losing any significant security. It is very difficult for File Viruses to avoid changing the beginning or end of a file. Bear in mind, though, that a change confined to the middle of a large file will not be noticed in Turbo mode.
Every ? byte: It is not strictly necessary to checksum every byte; if every 5th byte (for example) is checked, it would be very difficult for any virus to leave the checksummed bytes intact while changing the others. Checksumming every 5th (or 9th) byte makes the checksumming faster for all files.
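The following is an added example, not code from the Toolkit, showing how the algorithm and speed options described above trade security for speed. It implements the four algorithm choices (Sizes, Checksum, CCITT CRC, and a keyed HMAC standing in for the DES option), Turbo mode and every-Nth-byte sampling, then runs "Compute fingerprints" and "Verify fingerprints" over two constructed files, one infected by an appending virus and one patched in the middle without changing its size. How the real Toolkit mixes the Keyword into its algorithms is not described on this page; seeding the CRC and checksum with a keyword-derived value is an assumption made here for illustration.

```python
"""ViVerify-style fingerprinting, as an added example (not the Toolkit's own
code).  The keyword seeding and the sample files are assumptions/constructed."""
import hashlib
import hmac
from typing import Dict, List

TURBO_WINDOW = 4096          # Turbo mode: only the first and last 4 KB are read


def crc16_ccitt(data: bytes, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT (polynomial 0x1021, MSB first, no reflection)."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def sample(data: bytes, turbo: bool, every: int) -> bytes:
    """Apply the speed options.  Bytes outside the Turbo window, or skipped by
    'every', are never looked at, so changes confined to them go unnoticed."""
    if turbo and len(data) > 2 * TURBO_WINDOW:
        data = data[:TURBO_WINDOW] + data[-TURBO_WINDOW:]
    return data[::every] if every > 1 else data


def fingerprint(data: bytes, algorithm: str, keyword: str,
                turbo: bool = False, every: int = 1) -> str:
    if algorithm == "sizes":         # fastest; blind to same-size infections
        return f"size:{len(data)}"
    body = sample(data, turbo, every)
    seed = crc16_ccitt(keyword.encode("ascii"))      # assumed per-user seed
    if algorithm == "checksum":      # 16-bit additive checksum
        return f"sum:{(seed + sum(body)) & 0xFFFF:04x}"
    if algorithm == "crc":           # CCITT CRC, initial value set by the keyword
        return f"crc:{crc16_ccitt(body, init=seed):04x}"
    if algorithm == "keyed":         # HMAC-SHA256 stands in for the DES option
        return "mac:" + hmac.new(keyword.encode("ascii"), body, hashlib.sha256).hexdigest()
    raise ValueError(f"unknown algorithm {algorithm!r}")


def compute_fingerprints(files: Dict[str, bytes], **opts) -> Dict[str, str]:
    """'Compute fingerprints': one entry per file in the file list."""
    return {name: fingerprint(data, **opts) for name, data in files.items()}


def verify_fingerprints(files: Dict[str, bytes], stored: Dict[str, str],
                        **opts) -> List[str]:
    """'Verify fingerprints': recompute and list every file whose fingerprint
    differs, plus files that have appeared or vanished since the stored run."""
    changed = []
    for name in sorted(set(files) | set(stored)):
        if name not in files or name not in stored:
            changed.append(name)
        elif fingerprint(files[name], **opts) != stored[name]:
            changed.append(name)
    return changed


# Constructed sample files (not real programs): a tiny .COM and a 16 KB .EXE.
CLEAN = {
    "HELLO.COM": b"\xb4\x09\xba\x0c\x01\xcd\x21\xc3Hello$",
    "BIG.EXE": b"MZ" + bytes(range(256)) * 64,
}


def infect_appender(files: Dict[str, bytes]) -> Dict[str, bytes]:
    """Typical file virus: patch the entry point and append a body (size grows)."""
    out = dict(files)
    out["HELLO.COM"] = b"\xe9" + files["HELLO.COM"][1:] + b"VIRUS-BODY"
    return out


def infect_midfile(files: Dict[str, bytes]) -> Dict[str, bytes]:
    """Same-size patch 8 KB into BIG.EXE: outside both Turbo windows."""
    out = dict(files)
    big = bytearray(files["BIG.EXE"])
    big[8192:8200] = b"PATCHED!"
    out["BIG.EXE"] = bytes(big)
    return out


if __name__ == "__main__":
    full = dict(algorithm="crc", keyword="MYSECRET")
    baseline = compute_fingerprints(CLEAN, **full)
    print("appender, full CRC:", verify_fingerprints(infect_appender(CLEAN), baseline, **full))
    print("mid-file, full CRC:", verify_fingerprints(infect_midfile(CLEAN), baseline, **full))
    turbo = dict(full, turbo=True)
    print("mid-file, turbo   :", verify_fingerprints(infect_midfile(CLEAN),
                                                   compute_fingerprints(CLEAN, **turbo), **turbo))
```

Run as written, the full CRC check reports both infections, while the Turbo run misses the mid-file patch and the Sizes algorithm misses it too: exactly the trade-off the options above describe. The verify step also reports files that have appeared or disappeared, since a new executable that is not in the fingerprint file is as suspicious as a changed one.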
Check Memory:
The DOS Toolkit checks memory for known stealth, common and fast-spreading viruses using GUARDMEM.COM. It is run automatically when the Toolkit, or any of the Toolkit programs, starts up. This option is provided should you wish to repeat the check for any reason. The Windows Toolkit provides a similar facility.
Check Memory can be found under the Scan Menu.
Certify:
Certify is a memory resident program that checks for changes to executable files in a similar manner to ViVerify.
It has two parts: a program, CERT.EXE, to calculate a checksum for each file, and a memory resident part, CERTIFY.COM, which will prevent a program from running unless it has a valid checksum. A virus infection will invalidate the checksum. New or altered files will also have an invalid checksum and are barred from execution.
The Certify option in the Toolkit calculates the checksums for use with the Certify TSR.
To use Certify you must place the command CERTIFY in your AUTOEXEC.BAT file so that Certify becomes memory resident. Please see the manual for details of CERTIFY options.
Selecting Certify under the Scan Menu gives access to the Certify Dialog.
Certify Dialog:
Allows the options for Certify checksumming to be changed.
Files: Selects a single file to be checksummed for use with Certify.
Subdirectory: Selects a single subdirectory (and all directories below it) to be checksummed for use with Certify. By default, only executable files will be checksummed.
Drives: Selects drive(s) to be checksummed for use with Certify. By default only executable files will be checksummed. Re-select a highlighted drive to de-select that drive.
Local: Selects all local fixed drives.
Network: Selects all network drives.
Clear: De-selects all selected drives.
Keyword: This word is used to create a checksum algorithm that is unique to you, and is different from that used by anyone else, so that a virus author cannot tailor a virus to preserve your checksums. This keyword must be included in the command line which is used to install the Certify TSR into memory, and must be the same keyword that was used when the checksums were calculated.
Repair Menu:
File Repair
Boot Repair
Partition Repair
File Repair:
In the majority of cases FindVirus can reverse the damage to executable files caused by a virus infection. FindVirus removes the virus code from each infected file and restores the file to its original state. The virus code is then overwritten with zeroes to ensure that it is completely removed.
Where a virus has caused irreparable damage, FindVirus gives you the option to rename the file (so that it cannot be run accidentally), or delete the file. The file is overwritten with zeroes before it is deleted to ensure that it cannot be Undeleted.
Selecting File Repair under the Repair Menu gives access to the File Repair Dialog. For detailed instructions on repairing infected files, see the topic on removing a virus from an infected file.
File Repair - Options:
Allows the options for file repair to be changed.
This dialog is almost identical to the FindVirus Options dialog except for an additional set of radio buttons which determine how FindVirus treats files which it cannot repair, usually as a result of an infection by an overwriting virus.
Rename infected files: causes FindVirus to rename unrepairable .EXE files to .VXE and unrepairable .COM files to .VOM.
Delete infected files: causes FindVirus to overwrite unrepairable files with zeroes and then delete them, to ensure that they cannot be undeleted.
For detailed instructions on repairing infected files, see the topic on removing a virus from an infected file.
See also: Using dialogs from the keyboard; Repair Menu
Boot Sector Repair:
Many viruses place part of their code in a location on a floppy or hard disk called the boot sector. The code in this location is some of the first executed when your PC starts up. Infecting this area allows a virus to install itself in memory before DOS has loaded.
Boot Repair removes the virus code from a floppy boot sector by replacing it with clean code. See the topic on removing a virus from a disk for information on cleaning the boot sector of hard disks.
Selecting Boot Repair under the Repair Menu gives access to the Boot Repair dialog. To use it, select the drive letter of the floppy drive containing the infected disk, and then the capacity of the disk.
If you choose the wrong capacity, the Toolkit will warn you and ask if you wish to proceed. A disk with the wrong type of boot sector will appear to have no files on it. Don't worry - clean it again, but this time with the correct capacity selected, and the files will reappear.
To avoid this problem, you can select the "Automatic disk type detection" checkbox. When the Clean button is pressed the Toolkit will detect the type of floppy in the selected drive and place an appropriate clean boot sector on it.
Multiple floppy disks: Selecting this box allows the DOS Toolkit to process multiple floppy disks by pressing a key after each new disk is inserted. To clean multiple floppy disks under Windows, simply keep pressing the Clean button.
For detailed instructions on repairing floppy boot sectors, see the topic on removing a virus from the boot sector of a floppy disk.
See also: Using dialogs from the keyboard; Repair Menu
Partition Sector Repair:
Viruses can place part of their code in a location on a hard disk called the partition sector (also known as the master boot sector). The code in this location is some of the first executed when your PC starts up. Infecting this area allows a virus to install itself in memory before DOS has loaded.
Partition Repair removes the virus code from a partition sector by replacing it with clean code. Some viruses actually move the old partition sector elsewhere on the disk when they replace it with their own code. Partition Repair can search for this old partition sector and put it back.
The Toolkit can replace the partition sector on physical device 128, which is usually the first hard disk drive on a system. If your machine boots from a second or other physical drive (for example, some Tandon Pac devices are device number 130 and 131) then you must run CleanPart from the DOS prompt.
Windows is a multi-tasking system which is almost always run from a hard disk. It would be dangerous to attempt to repair a hard disk while Windows and any other tasks which may be running are still using it. Therefore, the Windows Toolkit will instruct you to Cold Boot from a clean DOS disk and then use the DOS Toolkit.
For detailed instructions on repairing partition sectors, see the topic on removing a virus from the partition sector.
See also: Using dialogs from the keyboard; Repair Menu
Advanced Menu:
Inspect Disk
Inspect File
Inspect Memory
Virus Encyclopaedia
Schedule
Inspect Disk:
Inspect Disk examines a diskette or hard disk using low level access methods (BIOS interrupt 13h). Interpretation of the contents of disk sectors takes experience, and a few disks should be examined, along with a guide to disk formats, in order to gain an understanding of the layout of a normal disk. S&S International can provide Data Recovery Seminars which deal not only with the low level structure of disks but also with how to repair or recover data from the disks when they go wrong. The rest of this topic assumes that you are familiar with the low level structure of disks.
The three buttons on the left allow different physical devices to be viewed. Drives A and B refer to physical devices 0 and 1, and the Hard Disk is the first valid device with a number greater than 127. If you have more than one device above 127, the additional devices can be selected by pressing the Advanced button and using the Advanced Options dialog.
The Cylinder, Head and Sector scrollbars can be used to navigate around the disk. Alternatively, in the DOS version, the required values can be entered directly into the input lines above each scrollbar. The numbers to the right of each scrollbar indicate the maximum allowed for each value. These maximum values are read from the BIOS when Inspect Disk is started but can be changed from the Advanced Options dialog, if required. The physical sector number (PSN) is displayed above the contents of the sector.
The display mode can be changed between an ASCII dump and a Hexadecimal format by pressing the relevant button (or by typing Alt-M in the DOS version). The DOS version also allows anti-stealth to be switched on and off so that you can see the effect of a virus' stealth mechanisms. Pressing the Print button gives a printout in whatever format is currently being displayed.
On a hard disk, the partition sector can be found at cylinder 0, head 0, sector 1, and the first DOS boot sector is usually at cylinder 0, head 1, sector 1. On a floppy diskette, cylinder 0, head 0, sector 1 is the boot sector.
Inspect disk - advanced options:
This dialog allows the device number and device geometry used by Inspect Disk to be changed.
You can specify the physical device number. 0 is the A drive, 1 is the B drive (even if you have ASSIGNed them differently). 128 is the first hard disk, and 129 is the second physical hard disk. Some devices, such as Tandon Pacs, can be physical devices 130 and 131.
You can also force the disk inspector to use a number of cylinders, heads and sectors other than the BIOS default, by typing in new values. The BIOS Default button restores these to the values stored by the BIOS. A similar dialog appears when Inspect Disk encounters an unusual floppy disk, allowing you to enter its physical characteristics.
See also: Using dialogs from the keyboard
Inspect File:
Inspect File examines the contents of a file without changing it. The display mode can be changed between an ASCII dump and a Hexadecimal format by pressing the relevant button (or by typing Alt-M in the DOS version).
The ASCII dump is intentionally unformatted. This allows characters which would usually be hidden from the user to be viewed.
Selecting the Open File button allows you to view another file.
If Print is selected it will ask whether to print just what is displayed on the screen, or the whole file. An option is available to print in Hexadecimal or ASCII format.
See also: Using dialogs from the keyboard; Advanced Menu
Inspect Memory:
Inspect Memory examines the first megabyte of memory in the computer. In common with the other inspection facilities, it is possible to view in Hexadecimal or ASCII dump modes and to print out what is being viewed. The numbers on the left hand side of the display refer to the paragraph number of the line of memory being viewed. A paragraph is defined as 16 bytes.
Windows runs in protected mode. In order to look at memory, the Toolkit has to switch to Real mode. This disables the memory management features of 286 and higher processors, which can limit access to memory. Afterwards, Windows is allowed to resume control.
See also: Using dialogs from the keyboard; Advanced Menu
Virus Encyclopaedia:
The Toolkit Manual gives considerable detail on about 300 viruses, including all the ones that users are likely to encounter. However, there are several times as many viruses in existence, and in order to document these the Toolkit uses an electronic format.
For each virus, the Encyclopaedia gives the following information:
How common is it?
How infectious is it?
How much damage does it do?
What is infected, and how much do files grow by?
What memory resident capabilities does it have?
Does it use stealth?
Is it encrypted?
Is it polymorphic?
What other effect does it have?
What other names are used for this virus?
How many variants are there?
Can it be repaired by the Toolkit?
On the right of the dialog there is a list of the viruses. A virus can be selected from the list by clicking on it with the mouse. Keyboard users can move the selection bar using the cursor keys. If a virus has a number of similar variants, their names can be displayed by pressing the Variants button.
Below the virus list there is a search box. As a virus name is entered in the box the Encyclopaedia performs an incremental search through its database. Often it is unnecessary to type the full name before the Encyclopaedia finds the correct entry.
Pressing the Repair button gives instructions on handling and removing different types of viruses.
See also: Advanced Menu
Schedule:
This facility is present only in the Windows Toolkit and allows you to tell the Toolkit to run a check for known viruses or a check for changes at a set time (for example, during a lunch break). A scheduling facility is available with the DOS Toolkit using the DEFERBAT and DEFERKEY memory resident programs. Please see the manual for further details.
The scheduler runs these functions with their default options. The programs may be run minimised and, in the case of FindVirus, it can also be made to automatically repair any viruses it detects.
Selecting View Schedule displays the current schedule, including the time of the next scheduled activity.
See also: Scheduling FindVirus, Scheduling ViVerify and Advanced Menu
Scheduling FindVirus:
This facility is only available in the Windows Toolkit. A scheduling facility is available with the DOS Toolkit using the DEFERBAT and DEFERKEY memory resident programs. Please see the manual for further details.
FindVirus can be scheduled to run at a set time, without requiring user interaction.
The time you wish to scan for viruses should be entered in the "Run FindVirus at.." edit box.
FindVirus can be scheduled to either detect or repair any viruses. There is also the option to run FindVirus minimized. If this option is selected FindVirus will scan for viruses as an icon, only maximizing at the end of its run.
To accept the schedule press Launch. The Schedule application will then minimize to an icon at the bottom of the screen, waiting for the right time before running FindVirus.
See also: Schedule
Scheduling ViVerify:
This facility is only available in the Windows Toolkit. A scheduling facility is available with the DOS Toolkit using the DEFERBAT and DEFERKEY memory resident programs. Please see the manual for further details.
ViVerify can be scheduled to run at a set time, without requiring user interaction.
The time you wish to run the program should be entered in the "Run ViVerify at.." edit box.
There is an option to run ViVerify minimized. If this option is selected ViVerify will check for changes as an icon, only maximizing at the end of its run.
To accept the schedule press Launch. The Schedule application will then minimize to an icon at the bottom of the screen, waiting for the right time before running ViVerify.
See also: Schedule
Network Menu:
Send Message
Options...
Send Message:
If you are linked to a Novell compatible network, you can send a message to anyone who is currently logged on. This would be useful if you want to call for help. Fill in the username of the person you want to send the message to, and type the message into the box. Select the Send button to send the message.
Of course, this will work only if the recipient is accepting messages.
See also: Using dialogs from the keyboard; Network Menu
Network options:
The Toolkit automatically sends a message to the network supervisor if it finds a virus. This dialog allows you to disable the message, customise it, or change the recipient.
See also: Using dialogs from the keyboard; Network Menu
Help Menu:
Index
Using Help
Keys
Procedures
About
Toolkit Keyboard Commands:
Under Windows a mouse is strongly recommended, since Windows was not well designed to be used from the keyboard. Under DOS, a mouse is recommended but all functions can be accessed from the keyboard.
In Windows, shortcut keys are underlined. In DOS, they are indicated by reverse video, bright or red characters depending on the screen mode. Shortcut keys can always be used by pressing Alt + the highlighted letter. Pressing the letter on its own will work if the current dialog item is not an input line or list box which uses the keypress itself.
TAB: Move to next option or option group
Shift+TAB: Move to previous option or option group
Arrow keys: In an option group, move to next option in group; elsewhere, same as TAB and Shift+TAB. (Option groups are check boxes, radio buttons and anything with a scrollbar.)
SPACE: Choose the active button or option
Help
Alt or F10: Activate menu bar
Alt+Down: Drop down a ComboBox
Alt+F4: Close program
Enter: Choose the active button
Cancel current dialog
See also: Help
Index:
Boot sector repair
Boot sector
Boot sector virus
Certify
Check for changes
Checking memory
Cold Boot
Damage
Distributors
Dropper programs
Failed viruses
File Allocation Table
File virus repair
File virus
FindVirus
Generic Decryption Engine
Help
Inspect Disk
Inspect Disk advanced options
Inspect File
Inspect memory
Joke programs
Load configuration
Network message
Overwriting viruses
Packager programs
Partition sector
Partition repair
Partition virus
Police
Polymorphic virus
Power-off
Protecting company
Protecting floppy
Protecting
Protecting
Rules
Save configuration
Scan viruses
Schedule
Scheduling FindVirus
Scheduling ViVerify
Sheepdip computer
Shred
Stealth viruses
Test programs
Trojan programs
Upgrades
Virus education
Virus Encyclopaedia
Virus removal
VirusGuard
ViVerify
Using Help:
Each help topic will have a number of highlighted cross references. To get to the cross referenced topic, select it with a mouse click, or use TAB or Shift+TAB to move to it and then press ENTER. Use the scrollbar or up/down arrow keys to scroll through the text. PgUp and PgDn move through the text more rapidly.
The DOS Toolkit also allows you to use the left/right arrow keys to move between cross references.
See also: Help
Credits:
It's always difficult to assign credit for who did what, as in a good team, everybody does parts of everything.
Karen Saunders - Product Manager.
Susan Besser - Overall design and part of the manual.
Howard Chan - Netware programming.
Graham Cluley - Windows programming, and other utilities.
Joy Gregory - Mastering and quality control.
Simona Kanani - Mastering and Quality Control.
Timo Keeley - OS/2 programming, and other utilities.
Iolo Davidson - TSR programming and virus disassemblies.
Dr Paul Lawrence - Scanner and virus disassemblies.
Steve Lewis - Network interface.
Cynthia Milton - The manual.
Barry Neilsen - Data recovery software.
Dr Alan Solomon - Scanner and virus disassemblies.
Damien Wilson - OS/2 programming, and other utilities.
The Virus Lab - Virus disassemblies.
See also: Help
About Viruses:
A virus is a program that copies itself without the knowledge of the computer user. Typically, a virus spreads from one computer to another by adding itself to an existing piece of executable code so that it is executed when its host code is run.
Viruses can be classified by their method of concealment. Some are called stealth viruses because of the way that they hide themselves, or polymorphic because of the way they change themselves to avoid scanners.
The most common classification, however, relates to the sort of executable code which the virus attaches itself to. These are: Partition Viruses, Boot Viruses, File Viruses and Overwriting Viruses.
As well as replicating, a virus may carry a Damage routine.
There is also a set of programs that are related to viruses by virtue of their intentions, appearances, or users' likely reactions: Droppers, Failed viruses, Packagers, Trojans, Jokes and Test files.
Stealth Viruses:
If a stealth virus is in memory, any program attempting to read the file (or sector) containing the virus is fooled into believing that the virus is not there. The virus in memory filters out its own bytes, and only shows the original bytes to the program.
There are three ways to deal with this:
1. Cold Boot from a clean DOS floppy, and make sure that nothing on the hard disk is executed. Run any anti-virus software from floppy disk. Unfortunately, although this method is foolproof, relatively few people are willing to do it.
2. Search for known viruses in memory. All the programs in the Toolkit do this when they are run. Selecting Check Memory under the Scan Menu will also search memory.
3. Use advanced programming techniques to penetrate the fog that the virus throws up. The Toolkit uses "Anti-Stealth Methodology" for this.
See also: About Viruses
Polymorphic Viruses:
A polymorphic virus is one that is encrypted, and the decryptor/loader for the rest of the virus is very variable. With a polymorphic virus, two instances of the virus have no sequence of bytes in common. This makes it more difficult for scanners to detect them.
The Toolkit uses "Fuzzy Logic" techniques to detect these viruses.
See also: About Viruses
The Partition and Partition Viruses:
The partition sector is the first sector on a hard disk. It contains information about the disk such as the number of sectors in each partition, where the DOS partition starts, plus a small program. The partition sector is also called the "Master Boot Record" (MBR).
When a PC starts up it reads the partition sector and executes the code it finds there. Viruses that use the partition sector modify this code.
Since the partition sector is not part of the normal data storage part of a disk, utilities such as DEBUG will not allow access to it. However, it is possible to use Inspect Disk to examine the partition sector.
Floppy disks do not have a partition sector.
See also: Removing a Partition Virus.
The Boot Sector and Boot Sector Viruses:
The boot sector is the first sector on a floppy disk. On a hard disk it is the first sector of a partition. It contains information about the disk or partition, such as the number of sectors, plus a small program.
When the PC starts up it attempts to read the boot sector of a disk in drive A:. If this fails because there is no disk it reads the boot sector of drive C:. A boot sector virus replaces this sector with its own code and moves the original elsewhere on the disk.
Even a non-bootable floppy disk has executable code in its boot sector. This displays the "not bootable" message when the computer attempts to boot from the disk. Therefore, non-bootable floppies can still contain a virus and infect a PC if one is inserted in drive A: when the PC starts up.
Use Inspect Disk to examine the boot sector.
See also: Removing a Boot Virus from a Floppy Disk, Removing a Boot Virus from a Hard Disk and About Viruses
File Viruses:
File viruses append or insert themselves into executable files, typically .COM and .EXE programs.
A direct action file virus infects another executable file on disk when its 'host' executable file is run.
An indirect action (or TSR) file virus installs itself into memory when its 'host' is executed, and infects other files when they are subsequently accessed.
Use Inspect File to look at suspicious files.
See also: About Viruses
Overwriting Viruses:
Overwriting viruses overwrite all or part of the original program - as a result, the original program doesn't run. Overwriting viruses are not, therefore, a real problem - they are extremely obvious, and so cannot spread effectively.
See also: About Viruses
Droppers:
Droppers are programs that have been written to perform some apparently useful job but, while doing so, write a virus out to the disk. In some cases, all that they do is install the virus (or viruses).
A typical example is a utility that formats a floppy disk, complete with Stoned virus installed on the boot sector.
See also: About Viruses
Failed Viruses:
Sometimes a file is found that contains a 'failed virus'. This is the result either of a corrupted 'real' virus or simply of bad programming on the part of an aspiring virus writer. The virus does not work - it hangs when run, or fails to infect.
Many viruses have severe bugs that prevent them from achieving their design goals - some will not reproduce successfully or will fail to perform their intended final actions (such as corrupting the hard disk).
Many virus authors are very poor programmers.
See also: About Viruses
Packagers:
Packagers are programs that in some way wrap something around the original program. This could be as an anti-virus precaution, or for file compression. Packagers can mask the existence of a virus inside.
See also: About Viruses
Trojans and Jokes:
A Trojan is a program that deliberately does unpleasant things, as well as (or instead of) its declared function. They are not capable of spreading themselves and rely on users copying them.
A Joke is a harmless program that does amusing things, perhaps unexpectedly. We include the detection of a few jokes in the Toolkit, where people have found particular jokes that give concern or offence.
See also: About Viruses
Test files:
Test files, in the context of viruses, are used to test and demonstrate anti-virus software such as FindVirus and VirusGuard. They are not viruses - simply small files that are recognised by the software and cause it to simulate what would happen if it had found a virus. This allows users to see what happens when it is triggered, without needing a live virus.
A test file for FindVirus and VirusGuard can be made by creating a small text file, at least 50 characters long, which has the following sequence of characters at the very beginning:
ZQZXJVBVT
FindVirus will exit with an errorlevel of 2 when it finds this file, and VirusGuard will pop up if an attempt is made to run this file. Note that the test file should have an executable extension (.COM or .EXE) for this to work correctly.
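How the rules above fit together, as an added example that is not part of the Toolkit: it writes a test file as described and then checks a file the way the text says FindVirus reacts (errorlevel 2). Returning 0 for a file that is not recognised, and treating the 50-character minimum as something the check enforces, are assumptions made for the example.

```python
# Added example (not Toolkit code): build the FindVirus/VirusGuard test file
# described in the help text and check a file the way the text says FindVirus reacts.
import os
import tempfile

TEST_SIGNATURE = b"ZQZXJVBVT"          # the sequence given in the help text
MIN_LENGTH = 50                        # the text requires at least 50 characters
EXECUTABLE_EXTENSIONS = (".com", ".exe")  # the text says the extension must be executable


def make_test_file(path: str) -> bytes:
    """Write a test file: the signature comes first, padded to at least 50 bytes."""
    body = TEST_SIGNATURE + b" Toolkit test file - not a virus."
    if len(body) < MIN_LENGTH:
        body += b"." * (MIN_LENGTH - len(body))
    with open(path, "wb") as f:
        f.write(body)
    return body


def check_test_file(path: str) -> int:
    """Return an errorlevel in the style the help text describes for FindVirus:
    2 when the test file is recognised. Returning 0 otherwise is an assumption,
    as is refusing files shorter than the 50-byte minimum."""
    if not path.lower().endswith(EXECUTABLE_EXTENSIONS):
        return 0                       # VirusGuard/FindVirus only trigger on .COM/.EXE
    with open(path, "rb") as f:
        head = f.read(MIN_LENGTH)
    if len(head) < MIN_LENGTH:
        return 0                       # too short to be a valid test file
    return 2 if head.startswith(TEST_SIGNATURE) else 0


def demo() -> dict:
    """Create three constructed files in a temporary directory and scan each."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "TESTFILE.COM")   # correct: signature, length, extension
        make_test_file(good)
        results["com"] = check_test_file(good)

        txt = os.path.join(d, "TESTFILE.TXT")    # wrong extension: must not trigger
        make_test_file(txt)
        results["txt"] = check_test_file(txt)

        short = os.path.join(d, "SHORT.COM")     # signature only, under 50 bytes
        with open(short, "wb") as f:
            f.write(TEST_SIGNATURE)
        results["short"] = check_test_file(short)
    return results


if __name__ == "__main__":
    print(demo())
```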
See also: About Viruses
Virus Protection:
Using a sheepdip computer
Protecting a floppy disk
Protecting a hard disk
Protecting a LAN
Protecting a Company
Memory resident virus protection
See also: About Viruses
Sheepdip:
A sheepdip is a computer used for checking incoming diskettes for viruses. This could be a dedicated machine used for nothing else, or it could simply be one of a few designated machines that are also used for other purposes.
Near to the sheepdip (perhaps pinned to the wall) there should be an explanation of the procedures to be followed in using it.
See also: Virus Protection
How to protect a floppy disk:
If you want to protect a clean floppy disk against viruses, use the write protect facility. If a diskette is write protected, it cannot be written to by any software, including a virus. The write protection is done by hardware and so cannot be overridden by software. In order to write to a write protected floppy diskette, a special diskette drive is required.
On a 5¼" diskette, cover the slot on the side with an opaque tab (these are provided with each box of diskettes). Do not use transparent tape as many disk drives cannot detect it.
In the case of a 3½" diskette, there is a slider in one of the corners of the diskette. Move that slider so that the hole is open.
See also: Virus Protection
How to protect a hard disk:
It is possible to write protect a hard disk, either in software or in hardware. However, write protecting a hard disk generally limits its usefulness too much for most applications. The alternative is to use software to actively detect virus activity.
FindVirus finds known viruses and can be run whenever the computer is started up by placing it in the AUTOEXEC.BAT file. However, FindVirus needs upgrading regularly. On a single computer this is not a problem, but if there are many computers to protect, ViVerify should be considered as an alternative.
ViVerify finds changes in files, partitions and boot sectors. A virus must make a change in some executable code in order to replicate, and it is this change which is detected. ViVerify never needs upgrading although, if new software is added to a machine, ViVerify must be informed so that it can be included in its check. Note: ViVerify detects all changes, not just those due to viruses, so any change should be investigated before assuming the worst.
Memory resident versions of FindVirus and ViVerify are provided in the Toolkit. These are VirusGuard and Certify respectively.
The choice of protection depends largely on your particular situation and personal taste. In practice, we find that most people use VirusGuard.
See also: Virus Protection
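The change detection described here, applied to the partition sector described under "The Partition and Partition Viruses", as an added example that is not ViVerify or any other Toolkit code: it parses the bootstrap code and partition table out of a 512-byte partition sector, takes a checksum as a baseline, and reports whether a later copy of the sector still matches. The sector bytes, the placeholder bootstrap code and the single DOS partition entry are all constructed for the example; a SHA-256 checksum stands in for whatever ViVerify actually uses.

```python
# Added example (not Toolkit code): parse a partition sector (MBR) and keep a
# ViVerify-style baseline of the parts a virus would have to change to replicate.
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # bootstrap code occupies bytes 0..445
ENTRY_SIZE = 16                # four 16-byte entries, then the 0x55AA signature


def parse_partition_sector(sector: bytes) -> dict:
    """Return the bootstrap code, the non-empty partition entries and the signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("a partition sector is exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        # entry layout: boot flag, CHS start (3 bytes), type, CHS end (3 bytes),
        # LBA of first sector, number of sectors
        boot_flag, ptype, start_lba, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            entries.append({"bootable": boot_flag == 0x80, "type": ptype,
                            "start_lba": start_lba, "sectors": sectors})
    return {"code": sector[:PARTITION_TABLE_OFFSET],
            "partitions": entries,
            "signature_ok": sector[510:512] == b"\x55\xAA"}


def fingerprint(sector: bytes) -> str:
    """Checksum of the code plus the partition table (everything before 0x55AA).
    SHA-256 is used here as a stand-in; it is not what ViVerify uses."""
    return hashlib.sha256(sector[:510]).hexdigest()


def check_against_baseline(baseline: str, sector: bytes) -> bool:
    """ViVerify-style check: True when the sector is unchanged since the baseline."""
    return fingerprint(sector) == baseline


def build_sample_sector() -> bytes:
    """Constructed sample sector: a two-byte 'jmp $' followed by NOP filler as the
    bootstrap code, and one bootable FAT16 (type 0x06) partition starting at LBA 63."""
    code = b"\xEB\xFE" + b"\x90" * (PARTITION_TABLE_OFFSET - 2)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xFE\xFF\xFF",
                        63, 204800)
    table = entry + b"\x00" * (ENTRY_SIZE * 3)
    return code + table + b"\x55\xAA"


def demo() -> dict:
    """Take a baseline of the clean sector, then check a copy whose bootstrap code
    has been altered (a constructed three-byte change; any change is reported)."""
    clean = build_sample_sector()
    baseline = fingerprint(clean)
    altered = bytearray(clean)
    altered[0:3] = b"\xE9\x00\x01"
    return {"partitions": parse_partition_sector(clean)["partitions"],
            "clean_ok": check_against_baseline(baseline, clean),
            "altered_ok": check_against_baseline(baseline, bytes(altered))}


if __name__ == "__main__":
    print(demo())
```

As the stealth section notes, a virus in memory can hand back the original bytes, so a baseline comparison of real sectors is only trustworthy after a cold boot from a clean diskette.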
How to protect a LAN:
Protecting a LAN is a complex task. Not only must the LAN itself be protected but also the individual workstations. The following points should be noted:
1. A boot sector virus cannot get on to a file server since boot sector viruses do not work that way.
2. To prevent file viruses from infecting the LAN, make all the executables READONLY, using the network privileges.
3. The important part of the LAN is the data. To protect data from interference, viruses must be kept off the workstations. If the user has write access to the data, so does any virus running on their machine. For details on protecting workstations, see How to protect a hard disk.
4. Once per day, scan the file servers for known viruses by logging in and running FindVirus. ViVerify can be used to protect the LAN from new viruses by running it at the same time.
A convenient time to perform these tasks would be when the daily backup is made. Virus checking can be made part of the backup procedure under DOS (by including it in a batch file) or under Windows.
See also: Virus Protection
How to protect a Company:
You must protect the local disks and the LAN, but the key to a successful anti-virus policy is getting the users to do the right things.
A Corporate Virus Protection Policy requires:
Rules: What must be done
Procedures: How to do it
Education: Why it must be done
Tools: What to do it with
See also: Virus Protection
Rules:
Corporate users should learn one Golden Rule:
WHEN THE ANTI-VIRUS PROGRAM SAYS YOU HAVE A VIRUS, CALL PC SUPPORT.
The other important rules are:
1. All incoming diskettes must be checked for viruses.
2. Only authorised software must be run.
"Authorised" might mean that software is acquired through approved channels, or that it is installed by PC Support. However, it must be clearly defined.
To enable users to obey these rules there must be well defined procedures for carrying out the tasks described above.
See also: Protecting a Company
Procedures:
Give company users a set of procedures to follow.
For example, there will be procedures for checking all incoming floppy disks, using a sheepdip computer. These should describe how to check incoming floppies with the anti-virus software and what to do if a virus is found.
There must also be procedures for users to obtain new software, in a controlled way, so that new software can be authorised.
See also: Protecting a Company
Education:
Viruses are not important to most users - getting their job done is the main priority. Education is required to raise virus awareness from zero to an appropriate level. If people understand the damage which viruses can cause, they are more likely to take notice of the Corporate Virus Protection Policy.
See also: Protecting a Company
Tools:
Company users should be provided with the means for carrying out the necessary procedures.
One set of anti-virus tools amongst a thousand users is not sufficient. Users will find it awkward and time consuming to track down the tools to carry out the anti-virus procedures. In any case, if the problem only warrants a single set of tools, users will not perceive it as a significant threat to the company.
A company should always maintain an adequate supply of up-to-date tools.
See also: Protecting a Company
Upgrades:
Upgrades for the virus-specific parts of the Toolkit are available quarterly or monthly (or more often, if necessary), to keep up with the appearance of new viruses.
If a filled-in registration card is returned, the upgrades should arrive automatically. If this does not happen, contact the appropriate Distributor.
Upgrades of the drivers are also available for download from the S&S Bulletin Board.
In an emergency, it is also possible to get a field-upgrade by fax. Contact your local distributor if you have a problem with a particular virus that your Toolkit version doesn't cover.
See also: FindVirus, VirusGuard and Tools
Memory Resident (TSR) Anti-virus Programs:
These programs can be installed in memory when the computer starts up, to provide virus protection for the whole time the computer is in operation. However, these programs do take up memory space and can slow down some operations as they perform their functions. There are three kinds of memory resident programs which can be used for dealing with viruses:
The first kind is a memory-resident version of FindVirus which can stop code infected with known viruses from being run, or even copied. In the Toolkit, VirusGuard does this, requiring about 5 kb of memory.
The second kind is a memory resident version of ViVerify, which checks for changes to code which may be caused by a virus. That is what Certify does.
The third kind is a behaviour blocker, which prevents or signals any activity which is suspicious. The problem with this approach is that it is extremely difficult to create a blocker which does not give numerous false alarms. After all, a virus is just a program, so anything a virus can do, can be done by a perfectly legitimate program. Therefore, the Toolkit does not include a behaviour blocker.
See also: Virus Protection
VirusGuard:
This is the program that many people run all the time. If a diskette infected with a Boot sector virus is inserted into any drive, then VirusGuard will pop up with an alarm. If an attempt is made to copy or run an infected file, VirusGuard will prevent it, and pop up an alarm.
The alarm message that VirusGuard displays can be customised, and speed can be improved by using EMS or XMS, if expanded or extended memory is available. It can also be loaded high. For more details on installing VirusGuard and its options, please see the manual.
If you are running Windows and using VirusGuard you should run the VGPOPUP.EXE program when Windows is started. This allows VirusGuard to display its warning message in a Windows dialog box. If you are using Windows 3.0 you should add VGPOPUP.EXE to the end of the line in WIN.INI which begins "run=". For example:
run=nwpopup.exe C:\TOOLKIT\VGPOPUP.EXE
If you are running Windows 3.1 or later, you can add VGPOPUP.EXE to the StartUp group.
VirusGuard cannot be unloaded or switched off by the user, since if the user can disable it, so can a virus.
See also: Memory resident virus protection
If you find a virus...
1. Don't panic.
2. Don't be in a hurry.
3. Work systematically. Don't rush.
4. Inform your company, via the usual chain of reporting.
The company should then arrange to:
1. If appropriate, inform the Police Computer Crime Department.
2. Check all the surrounding computers.
3. Check all floppy diskettes that could have become infected.
4. Call S&S, or the local distributor, for technical support, if needed.
5. Review anti-virus policy to try and prevent a recurrence.
See also: Removing a Partition Virus, Removing a Boot Sector Virus from a Hard Disk, Removing a Boot Sector Virus from a Floppy, Removing a File Virus, How to clean a network and If you find a new virus...
How to Remove a Partition Virus:
1. Cold Boot from a clean DOS diskette.
2. Run the DOS Toolkit (not Windows).
3. Select Partition Repair from the Repair menu.
4. Follow the instructions.
From the DOS command line, Partition Repair can be run directly by typing:
CLEANPAR
See also: If you find a virus...
How to Remove a Boot Virus from a Hard Disk:
1. Cold Boot from a clean DOS diskette.
2. Type: SYS C: at the DOS prompt. (if C is infected)
The Clean DOS diskette should be the same version of DOS that is on the hard disk. To find out which version is running, type: VER at the DOS prompt.
See also: If you find a virus...
How to Remove a Boot Virus from a Floppy:
1. Cold Boot from a clean DOS diskette.
2. Run the Toolkit.
3. Select Boot Repair from the Repair menu.
4. Choose the drive letter and capacity of diskette.
5. Feed your infected diskettes in one at a time.
6. Follow the instructions.
To clean diskettes of a different size or capacity, run Boot Repair again. If a diskette appears to have no files on it, or the directory appears to be garbage, then it has been cleaned with the wrong capacity. Run Boot Repair again with the correct capacity and the files will reappear.
The DOS version of Boot Repair includes an option to process multiple floppy disks. This allows a large number of infected floppies to be cleaned quickly.
From the DOS command line, Boot Repair can be run directly by typing:
CLEANBOO
See also: If you find a virus...
How to Remove a File Virus:
1. Cold Boot from a clean DOS diskette.
2. Run the Toolkit.
3. Select File Repair from the Repair menu.
From the DOS command line, File Repair can be run by typing:
FINDVIRU /REPAIR
Any files that FindVirus cannot repair will be renamed from .COM to .VOM, and from .EXE to .VXE, so that they cannot accidentally be run. Alternatively, FindVirus can delete such files if the /DELETE option is specified.
See also: If you find a virus...
How to Clean a Network:
Cleaning a network can only be done by someone who has access to all the files on the network.
1. Remove any viruses from the local disks.
2. Run VirusGuard from the hard disk.
3. Log in to the network. Try to avoid running any LOGIN script.
4. Clean the network, using File Repair, or by typing
FINDVIRU /ALLDRIVES /REPAIR
5. Use FindVirus to check that the network is clean.
Step 2 means that VirusGuard will prevent any infected files on the server from being executed by any login script.
There is a Novell Netware version of the Toolkit available. Please contact us for details.
See also: If you find a virus...
If you find a new virus...
If you have .COM or .EXE files that are growing in size, send a sample of the files to your distributor, with a letter explaining the situation.
If you have some symptoms that you think are a virus, then:
1. Format a floppy disk in the infected computer.
2. Copy any infected files to that floppy.
3. Copy your FORMAT and CHKDSK programs too.
If you include a letter explaining any symptoms you have encountered, we can often tell you what the problem is, even if it is not a virus. We cannot reply if we receive an anonymous diskette with no return address. If possible, include a fax and phone number as well as an address.
See also: If you find a virus...
How to do a Cold (Power-off) Boot:
1. Switch off the computer.
2. Wait for 10 seconds for the power supply to reset.
3. Put a known clean DOS diskette in drive A.
4. Switch the computer back on again.
Make sure that nothing on the diskette runs any software on the hard disk. For example, there might be the command "C:\KEYB ..." in the AUTOEXEC.BAT.
If you do a warm boot, using Ctrl+Alt+Del, that might not reboot the computer. Joshi virus, for example, fakes a reboot if you do a Ctrl+Alt+Del.
Some computers have a reset button which appears to do a cold boot, and some programs can also do a cold boot. However, what really happens when these features are used depends on how the manufacturer implemented them. A power-off boot always clears memory.
See also: If you find a virus...
Computer Crime:
Deliberately writing and deliberately spreading a virus is a crime in many countries. In some, there are specific computer crime laws - in others, it is classified as criminal damage.
In many of these countries, the police are actively seeking to prosecute the criminals who write and distribute viruses.
You can help with this effort. All you have to do is report the crime to the appropriate authority. As each virus author is arrested, all the outbreaks of his virus can be added to the prosecution.
Of course, if no-one complains about his virus, then as far as the law is concerned, he has done no damage, and will suffer no penalty. That is why it is important that you make a formal complaint to the police.
It is probably a good idea to inform the police department that deals with such things, rather than the local police station. Below is a list of the police officers in various countries that we have found to be seriously interested in a virus author prosecution. If you find more keen police officers, please let us know their name and phone number.
Damage:
Damage is defined as something that you would prefer not to have happened. It is measured by the amount of time it takes to reverse the damage.
Trivial damage happens when all you have to do is get rid of the virus. There may be some audio or visual effect; often there is no effect at all.
Minor damage occurs when you have to replace some or all of your executable files from clean backups, or by re-installing. Remember to run FindVirus again afterwards.
Moderate damage is done when a virus trashes the hard disk, scrambles the FAT, or low level formats the drive. This is recoverable from your last backup. If you take backups every day you lose, on average, half a day's work.
Major damage is done by a virus that gradually corrupts data files, so that you are unaware of what is happening. When you discover the problem, these corrupted files are also backed up, and you might have to restore a very old backup to get valid data.
Severe damage is done by a virus that gradually corrupts data files, but you cannot see the corruption (there is no simple way of knowing whether the data is good or bad). And, of course, your backups have the same problem.
Unlimited damage is done by a virus that gives a third party access to your network, by stealing the supervisor password. The damage is then done by the third party, who has control of the network.
See also: Virus Encyclopaedia and About Viruses
File Allocation Table:
The FAT is the area on the disk that contains the information about what part of the disk belongs to which file. If the FAT is zeroed or corrupted, then the hard disk is like the pages of a book, without any binding, in a random order, and with no page numbers.
A number of viruses zero, overwrite, or (much worse) make small changes to the FAT.
See also: Damage
Distributors:
The Toolkit is available from a number of sources. If your country does not appear on this list, please contact S&S International in the UK.
Argentina
Australia
Austria
Bahrain
Belgium
Brazil
Brunei
Canada
Chile
Colombia
Czechoslovakia
Denmark
Finland
France
Germany
Ghana
Hong Kong
Hungary
India
Indonesia
Iran
Ireland
Italy
Ivory Coast
Kenya
Korea
Kuwait
Luxembourg
Madagascar
Malaysia
Malta
Mauritius
Mexico
Netherlands
New Zealand
Nigeria
Norway
Oman
Pakistan
Philippines
Poland
Portugal
Qatar
Reunion
Saudi Arabia
Singapore
South Africa
Spain
Sweden
Switzerland
Taiwan
Thailand
Turkey
United Kingdom
United States
Venezuela
Zimbabwe
If you have any problems contacting your local distributor, call S&S International on +44 442 877877, or fax us on +44 442 877882.
See also: Upgrades and Main Menu
Distribution in: Argentina & Colombia
Economic Data sl
Ponzano, 39-3o
28003 Madrid
Spain
Tel: +34 1 442 2800
Fax: +34 1 442 2294
Distribution in: Australia & New Zealand
Loadplan Australasia Pty Ltd
215 Moray Street
South Melbourne
Victoria 3205
Australia
Tel: +61 3 690 0455
Fax: +61 3 690 7349
Distribution in: Germany & Austria
Markt & Technik Buch - und Software Verlag GmbH & Co.
Hans-Pinsel Stra
8013 Haar
Germany
Tel: +49 8946 00 30
Fax: +49 8946 00 34 30
Distribution in: Bahrain, Kuwait, Oman, Qatar, Saudi Arabia & UAE
LBI International, Inc.
No 2 Torri Katur
Lourdes Lane
St Georges
St Julians
Malta
Tel: +356 344257
Fax: +356 340761
Distribution in: Belgium, Luxembourg & Netherlands
Data Alert International B.V
Laan van Eik en Duinen 166
2564 GW Den Haag
The Netherlands
Tel: +31 70 323 0021
Fax: +31 70 323 7891
Distribution in: Brazil
PC Software e Consultoria Ltda
Voluntarios da Patria 45/13
Botafogo
22270-000
20031 Rio de Janeiro RJ
Brazil
Tel: +55 21 537 0405
Fax: +55 21 537 1411/286 8207
Distribution in: South East Asia, Korea
(Brunei, Hong Kong, Indonesia, Malaysia, Philippines, Singapore, Taiwan & Thailand)
Digitus Computer Systems
11 Dhoby Ghaut
#09-01 Cathy Building
Singapore 0922
Tel: +65 337 1945
Fax: +65 336 9672
Distribution in: Canada, Mexico & United States
Ontrack Computer Systems Inc
Suites 15-19, 6321 Bury Drive
Eden Prairie
MN 55346
Tel: +1 612 937 1107
Fax: +1 612 937 5815
Distribution in: Chile
Bysupport Computacion SA
Vera y Pintado 2575, Providence
Santiago de Chile
Chile
Tel: +56 2251 9580
Fax: +56 2233 5917
Distribution in: Czechoslovakia & Hungary
Lynx sro
Stiefanikova 50a
040 01 Kosice
Czechoslovakia
Tel: +42 95 6227309 or 95 6227319
Fax: +42 95 6226562
Distribution in: Denmark
Swanholm Computing A/S
Maglebjergvej 5a
DK-2800 Lyngby
Denmark
Tel: +45 45 93 34 34
Fax: +45 45 93 42 43
Distribution in: Finland
LAN Vision OY
Sinikalliontie 14
SF-02630 Espoo
Finland
Tel: +358 0 502 1947
Fax: +358 0 524 149
Distribution in: France
ABSoft
Parc Burospace 14
91572 Bievres cedex
France
Tel: +33 1 69 33 70 00
Fax: +33 1 69 33 70 10
Distribution in: Ghana & Nigeria
Software Marketing Consultancy
House No B26/28 New Achimota
PO Box 8592
Accra-North
Ghana
Tel: +233 21 227210
Fax: +233 21 668862
Distribution in: India
Comsoft Services
52 Regency Chambers
Near to Nandi Cinema
Bandra (W)
Bombay-400 050
India
Tel: +91 22 643 1233 or 643 1246 or 643 8744
Fax: +91 22 642 2182
Distribution in: Iran
Shabakeh Gostar Corporation
Building No 10
Palizi Square
North Sohrevardi Avenue
Tehran 15568
Iran
Tel: +98 21 867615
Fax: +98 21 826058 or 867615
Distribution in: Ireland
Priority Data Systems Ltd
Priority House
63 Patrick St
Dun Laoghaire
Co Dublin
Ireland
Tel: +353 (01) 2845600
Fax: +353 (01) 2800311
Distribution in: Italy
Siosistemi srl
Via Cefalonia 58
25125 Brescia
Italy
Tel: +39 30/2421074
Fax: +39 30/222249
Distribution in: Kenya
Memory Masters
PO Box 70158
Nairobi
Kenya
Tel: +254 2 751916
Fax: +254 2 751916
Distribution in: Madagascar & Mauritius
Megabyte Computers
Kwan Tee Street
Caudan
Port Louis
Mauritius
Tel: +230 212 3638/6668
Fax: +230 208 0940
Distribution in: Malta
Panta Computer Company Ltd
Panta House
Birkirkara Road
Msida MSD03
Malta
Tel: +356 441361
Fax: +356 492741/44
Distribution in: Norway
Swanholm Computing Norway A/S
EDB-Senteret
Wdm Thranesgt 77
N-0175 Oslo
Norway
Tel: +47 2 11 68 28
Fax: +47 2 11 63 63
Distribution in: Pakistan
Super Services (pvt) Ltd
910-912 9th Floor Gul Tower
I.I Chundrigar Road
Karachi -74000
Pakistan
Tel: +92 21 242 3058
Fax: +92 21 241 5893
Distribution in: Poland
Dagma sp. z o.o
Gen Jankego 15
40-615 Katowice
Poland
Tel/Fax: +48 32 523 789 or 524 439 or 525 200
Distribution in: Portugal
RSVP Consultores Associados, Lda
Rua Conde de Avranches, 659 - 2 Esq
4200 Porto
Portugal
Tel: +351 2 83 00 741
Fax: +351 2 83 00 740
Distribution in: South Africa
BSS (Pty) Ltd
PO Box 811, Gallo Manor
Sandtown 2052
Johannesburg
South Africa
Tel: +27 11/44 48600
Fax: +27 11/44 42959
Distribution in: Sweden
QA Informatik AB
Alstavagen 15
S 17 526 Jarfalla
Sweden
Tel: +46 8/760 2600
Fax: +46 8/760 2605
Distribution in: Switzerland
Markt & Technik (Switzerland)
Kollerstra
CH-6300 Zug
Switzerland
Tel: +41 42 440660
Fax: +41 42 415660
Distribution in: Turkey
Logosoft Yazilim San ve Tic Ltd Sti
Albay Faik Sozener Cad.
Benson Is Merkezi 21/3
81300 Kadikoy
Istanbul
Turkey
Tel: +90 216 348 7986/348 1399
Fax: +90 216 348 1754
Distribution in: United Kingdom
S&S International PLC
Alton House Business Park
Gatehouse Way
Aylesbury
Bucks
HP19 3XU
England
Tel: +44 (0)296 318700
Fax: +44 (0)296 318777
Support tel: +44 (0)296 318733
Support fax: +44 (0)296 318734
Distribution in: Venezuela
GDV Sistemas srl
Avenida La Facultad
Edificio Parapara
Piso 1, Oficina 5
Los Chaguaramos
Caracas
Venezuela
Tel: +582 672 72 12
Tel/Fax: +582 662 86 19
Fax: +582 661 38 24
Distribution in: Zimbabwe
Ryval Computers (private) Limited
4th Floor Pollack House
Robson Manyika Avenue
PO Box AY249 AMBY
Harare
Zimbabwe
Tel: (263-4) 750727 or 791583
Fax: (263-4) 750986
Generic Decryption Engine:
The dynamic nature of the virus world has meant that further advances needed to be made to cope with the latest viruses. With the Generic Decryption Engine S&S International's position as the most technologically advanced anti-virus company in the world is underlined once more.
The anti-virus community has recently seen the first instances of a new polymorphic engine being used in viruses. The Nuke Encryption Device (NED) offers enormously high levels of polymorphism to the virus author. The engine is so polymorphic that a statistical analysis resembles any fairly ordinary program. Statistical analysis is not enough to accurately detect (with no false alarms) viruses created with NED. Similarly the Dark Avenger's Multiple Encrypter (DAME) is impossible to detect reliably with conventional methods.
What was required was a method that would:
a) detect it, 100%
b) give zero false alarms
c) not slow down Findvirus
The research and development team at S&S International set out on a project to write a program that could decrypt any encrypted program. The idea was, look at the code, work out the decryption algorithm from the code, and then decrypt the virus.
1. 100% IDENTIFICATION:
Once the code is decrypted, you have inside the encrypted part, a constant byte sequence - identification.
2. FUTURE PROOF:
If it is a truly general decryptor, it will work for MTE, TPE, NED, and also for things that will come along in future.
3. ZERO FALSE ALARMS:
False alarms result because encrypted viruses are so variable. With a Generic Decryption Engine we are looking at something that is not variable: the decrypted bytes of the virus.
4. PRECISE IDENTIFICATION:
If we've decrypted the virus, we can then do an exact identification by checksumming it (in effect, taking a fingerprint).
5. REPAIR:
Precise identification and complete decryption means repair is possible.
6. SPEED:
We have recorded speeds in excess of six (6) megabytes/second. The Generic Decryption Engine will not slow down FindVirus in conventional operation. Of course if a polymorphic virus is found during the scan there is a slight slowdown during the decryption process.
The Generic Decryption Engine produced in the S&S International Virus Labs doesn't need to know anything about how the NED works. The Generic Decryption Engine knows how to decrypt anything that is encrypted. Once decrypted a virus is relatively simple to identify by the constant sequence of bytes hidden by the encryption.
In its first test run the Generic Decryption Engine successfully decrypted, and detected almost every single file infected with the NED virus, Itshard. When run against a large collection of clean files it gave no false alarms.
In further tests our researchers found that almost every encrypted virus in their collection could now be decrypted and repaired. Furthermore we found that our scanner could now perform exact repair (meaning the user is returned the exact file, without any changes) of viruses such as V2P6 which many other products cannot even detect reliably. Immensely polymorphic viruses such as Bosnia, Trigger and Tremor can be detected with ease, and with no false alarms.
The future in the virus world belongs to the polymorphic viruses; they are the most difficult to detect, and indeed many products simply give up on them. The virus authors know this, so this is the kind of virus that the more sophisticated authors write. It is, therefore, especially important to be able to detect this kind of virus. The Generic Decryption Engine allows Dr Solomon's Anti-Virus Toolkit to do this.
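The decrypt-then-checksum idea behind the Generic Decryption Engine, as an added example that is not S&S code. The real engine works out the algorithm from x86 decryptor code; here the "decryptor" is a constructed five-byte loader header (operation, key, body length, padding length) that a toy polymorphic engine varies freely, so every sample of the same body is byte-for-byte different while the decrypted body stays constant. The body bytes, the fingerprint database and the name "Toy.Sample" are all constructed for the example.

```python
# Added example (not S&S code): a toy generic decryption engine. Variable loader,
# constant body; identification is a checksum of the decrypted body, so the loader's
# variability never reaches the identification step.
import hashlib

# Constructed toy loader header: [op][key][body_len lo][body_len hi][pad_len], then
# pad_len filler bytes, then the encrypted body. Three operations are understood.
OP_XOR, OP_ADD, OP_ROL = 0x01, 0x02, 0x03
HEADER_LEN = 5


def _rol8(b: int, n: int) -> int:
    n &= 7
    return ((b << n) | (b >> (8 - n))) & 0xFF


def _ror8(b: int, n: int) -> int:
    n &= 7
    return ((b >> n) | (b << (8 - n))) & 0xFF


def generic_decrypt(sample: bytes):
    """Read the loader, work out the decryption it performs, and apply it.
    Returns the decrypted body, or None when there is no loader we understand."""
    if len(sample) < HEADER_LEN:
        return None
    op, key, lo, hi, pad = sample[:HEADER_LEN]
    body_len = lo | (hi << 8)
    start = HEADER_LEN + pad
    body = sample[start:start + body_len]
    if op not in (OP_XOR, OP_ADD, OP_ROL) or len(body) != body_len or body_len == 0:
        return None                       # not an encrypted program: leave it alone
    if op == OP_XOR:
        return bytes(b ^ key for b in body)
    if op == OP_ADD:
        return bytes((b - key) & 0xFF for b in body)
    return bytes(_ror8(b, key) for b in body)   # undo the loader's rotate-left


# Fingerprints of decrypted bodies (constructed; stands in for the scanner's database)
KNOWN = {}


def register(name: str, body: bytes) -> None:
    KNOWN[hashlib.sha256(body).hexdigest()] = name


def identify(sample: bytes):
    """Exact identification: checksum the decrypted bytes and look the fingerprint up.
    An encrypted program whose body is not in the database is reported as nothing."""
    body = generic_decrypt(sample)
    if body is None:
        return None
    return KNOWN.get(hashlib.sha256(body).hexdigest())


def toy_encrypt(body: bytes, op: int, key: int, pad: int) -> bytes:
    """Build a constructed sample with a variable loader (demo input only)."""
    if op == OP_XOR:
        enc = bytes(b ^ key for b in body)
    elif op == OP_ADD:
        enc = bytes((b + key) & 0xFF for b in body)
    else:
        enc = bytes(_rol8(b, key) for b in body)
    n = len(body)
    return bytes([op, key, n & 0xFF, n >> 8, pad]) + b"\x90" * pad + enc


def demo() -> dict:
    """Three differently encrypted copies of one constructed body are all identified;
    an unrelated encrypted program and a plain file are not (no false alarms)."""
    body = b"CONSTRUCTED-TOY-BODY-NOT-A-REAL-VIRUS"
    register("Toy.Sample", body)
    variants = [toy_encrypt(body, OP_XOR, 0x5A, 3),
                toy_encrypt(body, OP_ADD, 0x77, 0),
                toy_encrypt(body, OP_ROL, 3, 7)]
    other = toy_encrypt(b"some other encrypted program", OP_XOR, 0x11, 2)
    return {"detected": [identify(v) for v in variants],
            "all_different": len(set(variants)) == 3,
            "other": identify(other),
            "plain": identify(b"plain program text")}


if __name__ == "__main__":
    print(demo())
```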