PC User 1996 August

home *** CD-ROM | disk | FTP | other *** search

/ PC User 1996 August / PCUPLUS_AUG.ISO / toolkit / avp_pcu / userguid.doc < prev next >

Wrap

Text File | 1996-06-27 | 116.6 KB | 3,181 lines

────────────────────────────────────────────────────────────────────────── ANTIVIRAL TOOLKIT PRO v2.2 by Eugene Kaspersky ────────────────────────────────────────────────────────────────────────── USER'S GUIDE ────────────────────────────────────────────────────────────────────────── (c)Kami corp., Russia, 1992-1995. ────────────────────────────────────────────────────────────────────────── Microsoft, MS-DOS and Windows are registered trademarks of Microsoft Corporation. Borland, Turbo C, Borland C++ and Turbo Vision are registered trademarks of Borland International. Other brand and product names are trademarks or registered trademarks of their respective holders. AVP is a powerful integrated antiviral package. This package can be used as conventional and/or professional (Pro) antiviral system. It consists of four programs: Antiviral scanner/disinfector AVP.EXE Antiviral scanner/disinfector with database editor AVPRO.EXE Antiviral resident monitor AVPTSR.EXE Antiviral utilities AVPUTIL.COM The main features of AVP antiviral are: - a great number (more than 5000) of viruses and virus families that are detected and disinfected by AVP scanner; - Code Analyzer (heuristic scanner) detects new viruses or modified variants of old ones; - Unpacking and Extracting Engine allow to scan packed and archive files in on-the-fly mode; - Database Editor allows to add detection and disinfection information about new viruses which are unknown to current version of AVP scanner; - professional utilities and antiviral monitor are included. Table of Contents ──────────────────────────────────────────────────────────────────── 1. Installation and Getting Started with AVP 1.1. System Requirements 1.2. Using AVP to Detect, and Disinfect Viruses 1.3. SET file and Updating Procedure 1.4. Language Support File 1.5. It Seems that I have an Infection. What Should I Do? 2. Antiviral Scanner/Remover AVP 2.1. Description and Features 2.1.1. Main Features of the Pro Version 2.1.2. Main Database Features 2.2. Command Line Options and Errorlevels 2.3. Interface and Menu Commands 2.3.1. Scan Commands (Alt-S) 2.3.2. View Commands (Alt-V) 2.3.3. Edit Commands (ALt-E) (Pro Version) 2.3.4. Tools Commands (Alt-T) 2.4. Code Analyzer 2.5. Unpacking Engine 2.6. Extracting Engine 2.7. Help System 2.8. Messages 3. Antiviral Database (Pro version) 3.1. FILE Record 3.2. JMP Record 3.3. MEMORY Record 3.4. SECTOR Record 3.5. Link of Special Procedures 4. Antiviral Resident Monitor (Pro version) 4.1. Command Line Options 4.2. Messages List 4.3. Memory Map 5. Antiviral Utilities AVPUTIL (Pro version) 5.1. Menu Utilities 5.1.1. Disassembler/Debugger 5.1.2. Dump Editor 5.1.3. Memory Map 5.1.4. Interrupt Map 5.1.5. Tracer 5.1.6. Interceptor 5.1.7. System Information 5.1.8. Files List 5.2. Menu Object 5.3. Menu Block 5.4. Menu Setup 5.5. GoTo system 5.6. Hot Keys ──────────────────────────────────────────────────────────────────── 1. Installation and Getting Started with AVP ──────────────────────────────────────────────────────────────────── The installation procedure is quite simple. You should copy all files from the distributive floppy disk(s) to a newly created subdirectory of your hard drive (for example "C:\AVP") or use AVP from the floppy disk. If you already have a previous version of AVP you should overwrite it with the latest version. After copying this package to your hard disk it is ready to use. This product is a professional antiviral toolkit. It contains four main executable files: - antiviral scanner/disinfector AVP.EXE - antiviral scanner/disinfector/database editor AVPRO.EXE - antiviral monitor AVPTSR.EXE - antiviral utilities AVPUTIL.COM If you are a NOVICE USER it is better to use antiviral scanner AVP.EXE only. By running AVP.EXE you can scan your disk(s) for a virus presence, and disinfect a virus if one is found. The AVP.EXE is an integrated environment scanner. The control for AVP.EXE is based on standard pop-up menus and dialog boxes. By pressing the F1 hot key or by using the Help menu you will get all the information you need. If you are a SECURITY EXPERT you can use the professional features of this package the database editor, antiviral monitor, and utilities which are used for detecting, and analysis of new unknown viruses. 1.1. System Requirements ──────────────────────────────────────────────────────────────────── Hardware: Any PC-compatible computer with memory >= 640K. PC386+ with 1M or more of memory is recommended. Software: DOS version - 3.30 or above. Minimum free conventional memory - 580K. Minimum free file handles - 16. It is recommended to install XMS driver to avoid memory problems. To reach these conditions it is necessary to include in CONFIG.SYS file the lines: DEVICE=HIMEM.SYS DOS=HIGH FILES=32 1.2. Using AVP to Detect, and Disinfect Viruses ──────────────────────────────────────────────────────────────────── When using AVP.EXE it loads the antiviral database(s) at first, and then scans the system memory for a memory resident virus presence. Next the Test Dialog Box appears on the screen. Press the ENTER key to virus scan all your hard disks for viruses or point to the path of the files you want to virus scan for example (C:\TEST\). If you want to change the virus scanning options you should press the Alt-S hot key to call the Setup Dialog Box. To change the virus scanning path you should press the F9 hot key or select the Scan|Test menu. To cure infected files you should press Ctrl-F9 hot key or select the Scan|Cure menu. To exit AVP.EXE press the standard Alt-X hot key or select Scan|Exit menu. 1.3. SET file and Updating Procedure ──────────────────────────────────── The SET file (AVP.SET) contains a list of file names for the antivirus databases that are used for scanning, and disinfection of computer viruses. The SET file contains text strings (in ASCII format) that can be modified or changed with any text editor. Each line contains only one file name. They are the names of the antivirus database files used to scan, and disinfect computer viruses. To add a new database file to the list it is necessary to insert a new line into the SET file, and type the new file name there. To exclude a database file or files from the list you should either delete the line, or place the charcter ";" at the beginning of the line. For example: Database file Comment <- Do not include this line in the SET file or any comments below. ------------- -------------------------------------- KERNEL.AVB Kernel database ;DISINF.AVB Disinfection database, now excluded from the set V_941104.AVB Main anti-virus database TROJAN.AVB Trojan programs database UNPACK.AVB Unpacking engine EXTRACT.AVB Extracting engine CA.AVB Code Analyzer AVP should not be executed without the file KERNEL.AVB because no viruses will be detected. This file name must be in the first line of the SET file. To update your AVP package it is necessary to copy the update files into the AVP directory, and add the new database names to the SET file. For example: Database file Comment ------------- ------------------------------------------------------- KERNEL.AVB Kernel database V_941104.AVB Main antivirus database UP941113.AVB Update database UP941120.AVB Update database that was just added 1.4. Language Support File ────────────────────────── All messages from the AVP scanner (including Pro version) are collected in a Language Support File (AVP.LNG). This file must be present in AVP directory. The AVP scanner will not run if it cannot find the LNG file in the AVP directory. The default LNG file contains messages in English. To force AVP to use another language you should overwrite the default AVP.LNG (English) file with the language you want to use. To obtain a LNG file with the language you want to use contact the AVP dealer in your country. 1.5. It Seems that I have an Infection. What Should I Do? ──────────────────────────────────────────────────────────────────── The first step is executing AVP.EXE to virus scan all the programs files (executable/batch/SYS/overlay), and sectors of your disks including floppies disks. If the infected files/sectors are found, run the Cure process. If the infections are not found you should press the "Alarm!" button in Setup dialog box, and virus scan all your disks again. If AVP.EXE displays any warning messages you should call the system programmer, security expert, or contact us via E-Mail to send one of these infected files to us for analysis. For more information see the topic "Computer viruses detection, and removal methods" of the AVP.EXE Help system. ──────────────────────────────────────────────────────────────────── 2. Antiviral Scanner/Remover AVP ──────────────────────────────────────────────────────────────────── The AVP.EXE antiviral scanner tests, and disinfects files, and system disk sectors that are infected by known viruses, and checks them for suspicious code. You can read the descriptions of the known viruses in the Help system topics. 2.1. Description and Features ──────────────────────────────────────────────────────────────────── The AVP.EXE antiviral scanner checks for a virus presence in: - system memory - files including packed and archive - hard disk sectors containing the Master Boot Record - disk sectors containing the Boot sector - File Allocation Table The main features of AVP.EXE are: - removing of viruses from files, and system sectors. We recommend to restore the infected files from the backup copies but if it's impossible the AVP.EXE antiviral restores the infected objects to their original form (if it is possible) or in a form closest to the original one. - possibility to scan inside of packed and archive files. - the AVP.EXE scanner checks files, and system sectors for new unknown viruses the are not included in antiviral database. This feature is available with the Code Analyzer routine. According to several test results this routine detects about 80% of unknown viruses. - two different modes of file scanning: the default mode, and the redundant one. The default mode is enough in most of cases. By using the default mode the antiviral scanner analyses the file header, and the file entry point(s). The redundant search mode causes complete scanning of entire file instead of scanning the file's entry point(s) only. This is necessary in case of a infection by a specific virus or in case of a incorrect infection. - the test, and disinfection of the system memory. It's recommended to boot from the virus-clean system floppy before scanning the files, and sectors for viruses. It is necessary for a guaranteed absence of viruses in the memory because the memory resident virus can prevent the file recovery, and even reinfection of the files after scanning. There are memory resident viruses which wait for a antiviral program execution, and when this antiviral scanning is started these viruses damage disk sectors (see the virus "Caz". - the files, and system sectors can be tested for the changes in their bodies by using control sum (CRC) algorithm. If used the next antiviral scanning using AVP.EXE finds the differences between the old, and new control sums then AVP.EXE displays a corresponding message. - the AVP.EXE antiviral scanner checks whether it's own file has been modified, and if it detects changes AVP.EXE reports about it. - the powerful Help-system that contains the complete information about the viruses, and the methods about the removing the viruses. It's possible to view demo-effects while reading the virus descriptions if the virus manifests itself by a visible sign. - the support of the XMS memory, mouse, screen format 43/50 lines for EGA/VGA adapters. The antiviral scanner allows you to change, and save these settings. 2.1.1. Main Features of the Pro Version ──────────────────────────────────────────────────────────────────── The antiviral scanner/remover of the Pro version contains the antiviral database editor. By using this editor it's possible to create new antiviral database(s), and insert records with detection, and disinfection information for new viruses. By using these records the computer expert can direct the antiviral scanner to detect, and remove new unknown viruses. The antiviral database contains four types of records: JMP: calculation of the Entry Point into the file or sector body FILE: information about detection, and disinfection of file viruses SECTOR: information about detection, and disinfection of boot viruses MEMORY: information about detection, and disinfection of the memory component of TSR viruses The database fields are appending in the semi-automatical mode: it's enough to point where to search for the virus, how to remove it, and to point to the infected file or the file containing the infected sector. The information about this virus will be inserted into the new database record. 2.1.2. Main Database Features ──────────────────────────────────────────────────────────────────── The main database features are: - using the control sums instead of the virus masks. The checksums of the parts of the virus code are placed into the records instead of the parts of code for comparing. This feature will decrease the size of the database, and increase scanning speed; - several standard methods of the virus detection, and disinfection. More than 10 standard methods of the virus disinfection make the procedure of including the new records quite easy; - dynamical linker of the special subroutines. This feature is used with detection, and disinfection of viruses that use encryption or nonstandard methods of infection. In these cases it's enough to write one's own C or Assembler program that decrypts/disinfects the virus, compile this program into OBJ-file, and insert this OBJ-file into the database record. These special subroutines will be linked with main EXE-module, and would be called during processing of the database records; - calls to external functions. These special subroutines of the database can access external names (constants, functions, arrays and structures). The external names are divided into standard (they are defined into the main EXE-module), and special (they are defined by user in one of the database records). The viruses from one virus family that use the same decryption algorithm can be decrypted by a special subroutine that is called with different arguments from several records. In this case it is necessary to write only a decryption subroutine, compile it, append it into the one of the database records, and then to call that routine from other database records. 2.2. Command Line Options and Errorlevels ──────────────────────────────────────────────────────────────────── When called from the DOS prompt AVP.EXE and AVPRO.EXE support the following format: AVP [OPTIONS ...] [file or disk NAME] Options ─────── "/T" switch directs the antiviral scanner to scan files, and sectors for the presence of viruses. In this mode, searching for viruses, and virus-like blocks in files, and disk boot sectors is carried out. This switch is "ON" default. "/-" switch directs the antiviral scanner to disinfect files, and boot sectors infected by viruses. The antiviral scanner recovers files, and sectors in their original form (if possible), or in a form closest to the original one. The infected boot sector, and MBR are overwritten by MS-DOS 6.0 system sectors if it is impossible to restore them to their original form. "/W[A][=filename]" directs tells the antiviral scanner to save all messages displayed in the scan windows into a report file. The "Filename" parameter is the name of the report file, the default name is AVP.MSG. "/WA" switch directs the antiviral scanner to append the report to the existing one, otherwise the report file will be overwritten. "/C" switch directs the antiviral scanner to detect modification in objects by using CRC table if this table has been created beforehand. "/D" switch directs the antiviral scanner to run in daily mode. In this mode AVP.EXE will process the antiviral scanning on the first execution only (in this day). It will not scan for viruses if it is executed again. This option is recommended for using the antiviral scanner from the AUTOEXEC.BAT file only. Note: The antiviral scanner will test it's host file (AVP.EXE or AVPRO.EXE) on every execution. "/M" switch directs the antiviral scanner to skip memory testing. "/P" switch directs the antiviral scanner to skip testing of the local disks Master Boot Records. "/B" switch directs the antiviral scanner to skip testing of the Boot Sectors of local logical drives. "/F" switch directs the antiviral scanner to test the File Allocation Table of local logical drives. "/O" switch directs the antiviral scanner to skip disinfection of the read-only files. "/S" switch turns off the beep signal. "/TMP=path" switch points to the directory for temporary or swap files. The environment variable TEMP (or TMP) is used by default. If neither the "/TMP" switch or environment variable are defined, the program's home directory is used for temporary, and swap files. "/X" switch directs the antiviral scanner not use XMS memory. If you experience conflicts with some memory managers you should disable the using of XMS memory. "/Y" switch directs the antiviral scanner to skip the dialog messages. This option is recommended for using the antiviral scanner in batch mode. "/Q" switch directs antiviral scanner to exit to the DOS prompt after virus scanning, otherwise the main antiviral menu will be invoked. This option is recommended for using the antiviral scanner in batch mode. "/?" switch directs the antiviral scanner to display the command-line help, and return to the DOS prompt. "NAME" parameter is the list of disk letters and/or file names which should be virus scanned. It is possible to use the wildcard symbols "?", and "*" in filenames, and wildcards instead of disk letters. When only the name of a disk has been specified, for example "A:", then the files with default extensions of the specified disks will be virus scanned. Other settings are loaded from AVP.INI file. Examples: C:\COMMAND.COM - to virus scan C:\COMMAND.COM file C:\*.COM - to virus scan all COM-files of C: drive C:*.* - to virus scan all files of C: drive C: D: E:*.COM - to virus scan all files with default extensions of C: and D: drives, then scan all COM-files of E: drive *: - to virus scan all files with default extensions of all logical hard disks (C:, D:, ...) Example of using AVP.EXE amd AVPRO.EXE from DOS command line: AVP.EXE /T /W C:*.* D:\MY_PROG\*.EXE D:*.COM /Y /Q This set of parameters directs AVP.EXE to virus scan all files of drive C:, then virus scan all *.EXE files of drive D: in directory D:\MY_PROG, and there after all *.COM files of drive D:. The report will be saved into the AVP.MSG (default) file. When the virus scanning is finished AVP.EXE will return to the DOS prompt. Errorlevels ─────────── The results of virus scanning are available in return codes (DOS Errorlevel) for use in batch files: 0 - No viruses were found. 1 - Scan is not complete. 3 - Suspicious objects were found. 4 - Known viruses were detected. 5 - All detected viruses were cured. 7 - File AVP.EXE is corrupted. 10 - Internal error in AVP.EXE program. 2.3. Interface and Menu Commands ──────────────────────────────────────────────────────────────────── This program has a standard Turbo-Vision user interface. Press the F10 hot key to activate the menu system. Use the right-left up-down, and enter keys to select an item. Then the submenus are displayed. Use the up-down, and enter keys to select an item: Scan (Alt-S) View (Alt-V) Edit (ALt-E) (Pro version) Tools (Alt-T) 2.3.1. Scan Commands (Alt-S) ──────────────────────────────────────────────────────────────────── With the Scan menu (Alt-S) you can test and/or disinfect files, and disk sectors. Scan│Test (F9) ──────────────────────────────────────────────────────────────────── With the Test command (F9) you can virus scan pointed objects for a virus presence. Several messages will appear in the information windows. The Start Dialog Box appears before the test/cure procedure: ╔═[■]═════════════ Test ══════════════════╗ ║ ║ ║ Path _c:________________________ ║ ║ ║ ║ ║ ║ OK ▄ Setup ▄ Cancel ▄ ║ ║ ▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀ ║ ╚═════════════════════════════════════════╝ The "Path" field contains the list of disk letters and/or file names which should be virus scanned. It is possible to use the wildcard symbols '?' and '*' in filenames and wildcard '*' instead of disk letter. When only the name of a disk has been specified, for example 'A:', then the files with default extensions of the specified disk will be virus scanned. Other settings are loaded from AVP.INI file. Examples: C:\COMMAND.COM - to virus scan C:\COMMAND.COM file C:\*.COM - to virus scan all COM-files of C: drive C:*.* - to virus scan all files of C: drive C: D: E:*.COM - to virus scan all files with default extensions of C: and D: drives, then scan all COM-files of E: drive *: - to virus scan all files with default extensions of all logical hard disks (C:, D:, ...) Scan│Cure (Ctrl-F9) ──────────────────────────────────────────────────────────────────── With the Cure command (Ctrl-F9) you can virus scan pointed objects for a virus presence, and cure it. Several messages will appear in the information windows. The Request Dialog appears if the virus is detected while curing. ╔═[■]═════════════ Cure Request ═════════════════╗ ║ ║ ║ File: E:\VIRUS\v.com ║ ║ ║ ║ Virus: Yankee ║ ║ ║ ║ Cure ▄ Delete ▄ Skip ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ║ ║ Cure All ▄ Delete All▄ Cancel ▄ ║ ║ ▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ║ ╚════════════════════════════════════════════════╝ The commands are: Cure - to cure this file Cure All - to cure all the files without request Delete - to delete the infected file Delete All - to delete all the infected files Skip - to skip curing this file Cancel - to cancel virus scanning Scan│RAMCure ──────────────────────────────────────────────────────────────────── With the RAMCure command you can cure the memory parts of the viruses. This operation can be performed automatically at the start of the program. See "Scan│Setup" also. Scan│Cure & make CRC ──────────────────────────────────────────────────────────────────── With the Cure & make CRC command you can virus scan, remove viruses, and create the CRC table at the same time. The CRC check is in use if the Use the CRC option in the Setup menu. It checks for modifications of the file/sector, and will accelerate the virus scanning about 2 times. Scan│Setup ──────────────────────────────────────────────────────────────────── The Setup command brings Setup Dialog, and you change the different options if it is necessary. ╔═[■]═════════════════════════ Scan Setup ═════════════════════════════╗ ║ ║ ║ Path: _*:________________________ Options ║ ║ [X] Load for cure ║ ║ Mask: Sector options [ ] Beep ║ ║ ( ) Programs [X] MBR [X] Show tree ║ ║ (*) All files [X] Boot [X] Split messages ║ ║ ( ) User defined: [X] FAT [X] Auto test dialog ║ ║ *.exe *.com ║ ║ File options Set options for: ║ ║ Mode [ ] Subdirectories ║ ║ [X] Warnings [X] Remote disks Speed ▄ ║ ║ [X] Code analyzer [X] Packed files ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ║ ║ [ ] Redundant scan [X] Archive files Reliability ▄ ║ ║ [ ] Use CRC [X] Cure readonly ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ║ ║ Alarm! ▄ ║ ║ Objects Memory options ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ║ ║ [X] Sectors [X] Interrupts ║ ║ [X] Files [X] Buffers ║ ║ [X] Memory ║ ║ OK ▄ Save ▄ Cancel ▄ ║ ║ ▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀ ║ ╚══════════════════════════════════════════════════════════════════════╝ Path ──── In this field you should type one or more path strings to be used for the virus scan procedure. See Start Dialog. Mask ──── The files that have these extensions will be virus scanned by default (when the file extensions are not pointed to directly in the "Path" field). The standard setting is "Programs" which will direct virus scanning of the files with extensions: *.BAT, *.COM, *.EXE, *.OV?, *.SYS. The selection of "All files" directs the virus scanning of all files marked in "Path" field. This is necessary in case of an infection by viruses that infect files on their opening and/or closing. When the "User defined" block is choosen only the files defined in corresponding field will be virus scanned. Mode ──── This box contains the options of main virus scanning modes. See also Scan Messages. "Warnings" directs activation of additional check procedures. This will display a warning message if a file/sector contains the modified or corrupted body of the known virus or a suspicious set of instructions is found in memory while memory scanning. "Code analyzer" directs activation of Code Analyzer engine. "Redundant scan" directs complete virus scanning of entire file instead of virus scanning only the file's entry point(s). This feature is strongly recommended in case of a infection by viruses such as "3nop" which writes itself into the middle of the file. In other cases this mode is not recommended because it will make the virus scanning procedure several times slower. "Use CRC" directs using the CRC table to detect modification of virus scanned objects. This table has to be created before using it by command Cure & make CRC. Objects ─────── This box contains the list of objects to scan. "Sectors" directs virus scanning of system sectors depending on which "Sector options" are choosen. "Files" directs virus scanning of disk files including System, Hidden, and Read Only files depending on the selection of the "File options". "Memory" directs virus scanning of system memory including the High Memory Area (if it is necessary) depending on "Memory options" choosen. Sector options ────────────── This box contains the list of system sectors to virus scan. "MBR" directs virus scanning of all Master Boot Records (first disk physical sector) of all available local Hard Drives for known viruses, and suspicious code. These sectors are virus scanned if the "Path" string contains any hard drive letter. "Boot" directs virus scanning of the Boot sectors of selected local logical drives for known viruses, and suspicious code. The boot sector is tested before the first disk file virus scanning. "FAT" directs the virus scanning engine to check the File Allocation Tables for suspicious situations such as "pseudo-bad" sectors. See also Scan Messages. File options ──────────── This box contains the list of file virus scanning options. See also Scan Messages. "Subdirectories" directs the virus scanning engine to process the subdirectory tree from the directory pointed to in the "Path" field. If the disk name is entered in "Path" field ("C:") the scanning engine will check the files, and directories from root directory. "Remote disks" directs the virus scanning engine to virus scan remote (network) drives if the "Path" field contains the string "*:" (all disks). "Packed files" activates the Unpack Engine. "Archive files" activates the Extract Engine. "Cure readonly" directs disinfection of the Read Only files. Memory options ────────────── This box contains two memory virus scanning options. See also Scan Messages. "Interrupts" directs tracing, and checking disk and DOS interrupts. This routine can conflict with some antiviral memory resident utilities, and generate false alarms. In this case either disable the "Interrupts" option, or remove the antiviral utility from memory. Warning: some memory resident viruses cannot be detected if the "Interrupts" option is disabled. "Buffers" directs checking the number of system buffers, and comparing this value with the number of string BUFFERS=xxx in CONFIG.SYS file. This routine displays a warning message if these values are different. Warning: some utilities such as QEMM change the format of the buffers list. The buffer checking routine does not work correctly in this case. Options ─────── This box contains miscellaneous options. "Load for cure" directs the loading of the entire antiviral database into memory. If this option is disabled the main virus scanning engine will load only the data needed to detect viruses, and not load the data needed to disinfect them. In this case the antiviral scanner occupies less system, and XMS memory. "Beep" directs the virus scanning engine to beep if the virus is found. "Show tree" directs the virus scanning engine to display a tree of scanned directories. "Split messages" directs the virus scanning engine to split the messages in two different windows: "Scan window" and "Checkup window". The Scan window will contain information about infected objects (files, sectors and memory) as well as warnings, and some other messages. The Checkup window will contain a list of clean objects. If this option is disabled all messages will be shown in the "Scan window". "Auto test dialog" directs the virus scanner to display Start Dialog Box directly after execution from DOS prompt. Set option for ────────────── We understand very well that there are too many different options for the NOVICE USER. To make the NOVICE USER's life more comfortable we have decided to include a few buttons which globally change the setup for different situations. "Speed" sets the corresponding options to make the virus scanning process fast. "Reliability" sets the options to virus scan with confidence. This option is default. "Alarm!" should be used in case of an unknown virus which infects your computer, and cannot be found with other settings. Warning: if you have a large hard drive with thousands of files, and a lot of archives, virus scanning with "Alarm!" can take several hours. Save button ─────────── By using this button you can save the setup settings into the configuration file AVP.INI. Scan│Save Report ──────────────────────────────────────────────────────────────────── The Save Report command brings Report Dialog. You can save the virus scanning information in the text file or print it. ╔═[■]════════════════ Report ════════════════════╗ ║ ║ ║ To ( ) Printer [X] Statistics ║ ║ (*) File [X] Scan info ║ ║ C:\AVP\AVP.msg [ ] Check up info ║ ║ ║ ║ OK ▄ Save Setup ▄ Cancel ▄ ║ ║ ▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀ ║ ╚════════════════════════════════════════════════╝ Switch 'To' is used for direct report to printer or file. Options and buttons: Statistics - include statistic information Scan info - include virus scan information Check up info - include information about clean objects Save Setup - save the setup settings into the configuration file AVP.INI Scan│Dos Shell ──────────────────────────────────────────────────────────────────── With the DOS Shell command you can leave the program temporarily to perform a DOS command or run another program. To return to this program, type EXIT at the DOS prompt. Scan│Exit (Alt-X) ──────────────────────────────────────────────────────────────────── The Exit command (Alt-X) terminates the program AVP.EXE. The program terminates automatically after scanning if command line includes the /Q option. Errorlevels: 0 - Viruses are absent. 1 - Scan is not complete. 3 - Suspicious objects are founded. 4 - Viruses are detected. 5 - All detected viruses are cured. 7 - File AVP.EXE is corrupted. 10- Internal error AVP.EXE. 2.3.2. View Commands (Alt-V) ──────────────────────────────────────────────────────────────────── The View menu (Alt-V) contains commands to close, move, and perform other window-management instructions. Most of the windows in this program support all standard window elements including scroll bars, close box, and zoom icons. View│Scan Window (F7) ──────────────────────────────────────────────────────────────────── Choose the Scan Window (F7) to view the output of the main virus scan information, and any related messages. This window is opened automatically if any messages are directed into it. View│Check Up Window (Alt-F7) ──────────────────────────────────────────────────────────────────── Choose the Check Up Window (Alt-F7) to view the output of files that have been virus scanned, and listed as "ok." This window is automatically opened if any message are directed into it. View│Statistics ──────────────────────────────────────────────────────────────────── Choose the Statistics window to view statistical information about the virus scanning process. View│Clear Messages ──────────────────────────────────────────────────────────────────── Choose the Clear Messages (F8) to clear all messages in both the Scan, and the Check Up windows. View│25/50 Lines (Alt-F9) ──────────────────────────────────────────────────────────────────── Choose the (ALT-F9) to change the video mode from 25/50 lines. View│Zoom (F5) ──────────────────────────────────────────────────────────────────── Choose the Zoom (F5) to re-size the active window to the maximum size. If the window is already zoomed you can choose this command to restore it to its previous size. You can also double-click anywhere on the window's title bar (except where an icon appears) to zoom or un-zoom the window. View│Next (F6) ──────────────────────────────────────────────────────────────────── Choose the Next (F6) to cycle forwards through the windows of the desktop. View│Close (Alt-F3) ──────────────────────────────────────────────────────────────────── Choose the Close (Alt-F3) to close the active window. You can also click the Close box in the upper right corner to close the window. View│Resize (Ctrl-F5) ──────────────────────────────────────────────────────────────────── Choose the Resize (Ctrl-F5) to re-size, and move the active window. Use Up,Dn,Left,Right keys to move, and Shift-(Up,Dn,Left,Right) to re-size the window. Press ENTER when done. 2.3.3. Edit Commands (ALt-E) (Pro Version) ──────────────────────────────────────────────────────────────────── Menu Edit (Alt-E) is used for editing the antiviral databases. Edit│Open Base (F3) (Pro version) ──────────────────────────────────────────────────────────────────── The Open Base command (F3) displays the Open Base dialog box. With this dialog box you can select the base to edit with the Base Editor. Keys: Up,Dn,PgUp,PgDn - moving through the records Ins - new record Del - delete record Ctrl-Ins - get record into clipboard Ctrl-Del - cut record into clipboard Shift-Ins - paste record from clipboard Select record and press ENTER. Form Dialog appears, then you can modify different fields in record. Use TAB to move through fields. Edit│Close Base (Pro version) ──────────────────────────────────────────────────────────────────── The Close Base command is used for saving, and the closing the database. Edit│Save Base (F2) (Pro version) ──────────────────────────────────────────────────────────────────── The Save Base command (F2) is used for the saving of the database. Edit│Save All (Ctrl-F2) (Pro version) ──────────────────────────────────────────────────────────────────── The Save All command (Ctrl-F2) is used for saving all the opened bases. Edit│Cut (Shift-Del) (Pro version) ──────────────────────────────────────────────────────────────────── The Cut command (Shift-Del) is used to cut the record into the clipboard. You can use the Paste command to paste the record from the clipboard. Edit│Copy (Ctrl-Ins) (Pro version) ──────────────────────────────────────────────────────────────────── The Copy command (Ctrl-Ins) is used for copying the record into the clipboard. You can use the Paste command to paste the record from the clipboard. Edit│Paste (Shift-Ins) (Pro version) ──────────────────────────────────────────────────────────────────── The Paste command (Shift-Ins) is used to paste the record from the clipboard. You can use the Copy command to copy the record into the clipboard, and Cut command to cut the record into the clipboard. Edit│Active Bases (F4) (Pro version) ──────────────────────────────────────────────────────────────────── The Active Bases command (F4) displays the dialog box used to control the list of the antiviral bases which are active during scanning. 2.3.4. Tools Commands (Alt-T) ──────────────────────────────────────────────────────────────────── The Tools menu (Alt-T) contains the commands to backup, and restore the disk system areas. Tools│Backup system area ──────────────────────────────────────────────────────────────────── Choose the Backup system area command to make a backup copy of the system area of the computer's CMOS information, the MBR of the first hard drive, and the Boot sector of the Active partition. This copy is stored in the file AVP.SBK of the A: drive (rescue disk). To restore the system area in case of an infection by an unknown virus choose the Restore system area command. Tools│Restore system area ──────────────────────────────────────────────────────────────────── Choose the Restore system area command to restore the system area of the computer's CMOS information, the MBR of the first hard drive, and the Boot sector of the Active partition from the backup copy in case of infection by unknown virus. The reserve copy must be previously stored by the Backup system area command. This procedure creates the file AVP.SBK on A: drive (rescue disk). 2.4. Code Analyzer ──────────────────────────────────────────────────────────────────── The Code Analyzer (heuristic scanner) scans the code of algorithm branches of the files, and disk boot sectors for virus-like instructions. This routine displays several warning messages, if there are instructions such as, file opening, and/or writing, interrupt hooking, and so on. The messages of Code Analyzer are in the format : virus Type XXXX suspicion ([encrypted],tail) where "XXXX" is one of the strings: Com - this file looks like it's infected by a unknown COM virus; Exe - this file looks like it's infected by a unknown EXE virus; ComExe - this file looks like it's infected by a virus which infects the files of both COM and EXE formats; ComTSR, ExeTSR, ComExeTSR - this file looks like it's infected by a memory resident COM, or EXE, or COM and EXE virus; Boot - this file looks like a file image of boot virus, or like a boot-virus dropper; Trojan - this file looks like a trojan program. "encrypted" indicates that a suspicious file, and/or sector contains a decryption routine. "tail" is the distance in bytes between file length, and the file (program) entry point. Of course, this engine theoretically can generate false alarms in some cases, as well as, any heuristic algorithm, but we have tested this one on a very large number of files, and it didn't have any one really false alarm. If you experience false alarms on your computer please send us samples of these files for us to analyze, or send us the names of the files, and the corresponding packages to help us create a known false alarm list. Second, the Code Analyzer checks a lot of algorithm branches (including several sub-branches) of code when virus scanning files. As the result, the virus scanner works about two times slower with the Code Analyzer active. This routine detects about 80% of our collection of viruses without the main antiviral database, so we suppose that about 80% of new viruses will be detected. Third, the current version of the Code Analyzer does not remove viruses from files, and it marks possible infections as "suspicious". For removing new viruses call a technical expert or send us a sample by E-mail for analysis. We will send back a small antiviral base to cure this virus as soon it is possible (usually within two days). 2.5. Unpacking Engine ──────────────────────────────────────────────────────────────────── The utilities which compress the body of a executable file are quite popular. They save a compressed file on a disk with self-uncompressing code. On execution this code uncompresses (in memory) the body of host program, and returns control to it. The executable file infected by a virus can be compressed by different versions of compression utilities. Ordinary antiviral scanners pass this file as not being infected because this file does not contain a virus mask - that mask is compressed, as well as, the body of host file. For complete scanning it is necessary to uncompress the file before scanning. The Unpacking Engine module of AVP 2.0 does this for different versions of the most popular compression utilities such as DIET, PKLITE, LZEXE and EXEPACK. When virus scanning the Unpacking Engine creates a temporary file, and writes into it the uncompressed body of the host file. Then the Unpacking Engine passes this temporary file to the virus scanning engine. If this file is not infected, the virus scanning engine will delete the temporary file after the virus scanning. If this file is infected by known virus, it's possible (in the Cure mode of Scan menu) to remove the virus from the temporary file (disinfect the file), and replace the original compressed file with an uncompressed, and disinfected result. The Unpacking Engine module does the same operations as above for some versions of the immunization routines used by CPAV, and F-XLOCK immunizers. This is necessary because the infected, and then immunized file has another entry point, and it makes the virus detection procedure more difficult. By using the Unpacking Engine it's possible to scan these types of files for possible virus infections. This module also detects some versions of executable file encryptors, such as CryptCOM. These utilities encrypt executable files, and make it impossible to detect a virus within them without decryption of the file first. The Unpacking Engine module will be updated for new versions of compression utilities, immunizers, and encryptors in case of need. 2.6. Extracting Engine ──────────────────────────────────────────────────────────────────── The problem "viruses in archives" is one of the most difficult antiviral problems. The infected file can sleep several years in some old archive, and quickly spread upon extracting. If you use Pkware's PKZIP (.ZIP) or ARJ Software's (.ARJ) you can detect viruses within these archives, and protect yourself from this situation. When scanning compressed archives the Extracting Engine extracts the files from the archive by masking them into a temporary file, and then passing it to the virus scanning engine. This temporary file will be deleted after virus scanning. Note: AVP does not disinfect the viruses in archives, but only detects infected files. AVP cannot scan archives locked with a password. Of course, if the infected file was encrypted by the CryptCOM utility, then compressed with DIET or PKLITE, and then stored in ZIP or ARJ file, AVP will detect it as infected. 2.7. Help System ──────────────────────────────────────────────────────────────────── Context sensitive Help System is available any time, except scanning, by pressing the F1 key. The Alt-F1 combination brings previous help screen, the Alt-P and Alt-N combinations bring previous/next topics. Some of the viruses call the sound or video effects. These effects are extracted from the virus bodies and included into the effect demonstration database. It is necessary to press the Alt-D key in the Help windows for call the demonstration, if this demonstration presents. To exit from demonstration it is necessary to press the ESC key. Some of viruses or the families of viruses call several effects. In this case it is necessary to press the SPACE key to see or hear next demonstration. Press the SPACE key also for accelerate the moving some of the demonstration, for example, for demonstration of the falling letters by "Cascade" viruses. Attention! Some of the viruses cause not dangerous changes of the system parameters while executing effects, for example, the timer value, the value of some ports, etc. This can cause the incorrect executing of the next effects or conflict with execution of background programs in multitasking mode. Some of the viruses use direct writing to video memory and can crash the system managers such as QEMM. PLEASE leave multitasking environment (MS-Windows, OS/2) and disable system managers (QEMM) before viewing of demo effects. The demonstration of some video effects can be executed correct under certain conditions, for example, on VGA or HERCULES monitor only. The executing of this demonstration on the wrong type of adapter can cause the hang-up of the computer. Recommended VGA adapter for executing the video demonstrations. 2.8. Messages ──────────────────────────────────────────────────────────────────── Scan Messages ───────────── : ok No virus is found in this file/sector. This file/sector will not cause a "warning" or "suspicious" message. : virus NAME detected Virus NAME has been detected in this file/sector. To remove this virus you should run the scan procedure in CURE mode. : virus NAME cured Virus NAME has been removed from this file/sector or the TSR part of a memory resident virus has been disinfected in the system memory. It is not necessary to reboot the computer after CURE with AVP.EXE if the virus was detected in system memory, but we recommend to reboot computer anyway, and execute the virus scanner again in this situation. : virus NAME deleted Infected file was deleted. : virus NAME cure failed This file/sector is infected incorrectly by a virus, and the cure procedure may destroy this file/sector. This message appears if the file/sector is placed on a write protect disk also. You should replace these files with the original ones (from a backup) or reinstall the DOS in case of a infected sector. : virus NAME cure skipped The cure procedure of the file/sector is skipped by user. : virus NAME cure cancelled The cure procedure of the file/sector is cancelled by user. : virus NAME warning (tail) The virus scanner displays this message if file/sector contains a modified or corrupted body of a known virus or a suspicious set of instructions has been found in memory. Tail is the distance in bytes between file length, and file (program) entry point. : virus TYPE suspicious (encrypted,tail) These messages are displayed by the Code Analyzer engine if a virus-like set of instructions has been found in a file/sector. : EXE file but COM extension : COM file but EXE extension The internal file format, and the file name extension are different. : pseudobad cluster NUMBER The normal disk cluster is marked as bad on File Allocation Table. This situation may be a warning of new boot virus infection. : I/O error This message appears in cases of write protected disk / share violation / unpacking errors / disinfection of a read-only file if the switch 'Cure read only' is disabled in the Setup. : trace warning at xxxx:xxxx Interrupt 13h or/and 21h handler(s) contains "virus-like" instructions. This message may be a first signal of virus infection. In some cases this message is displayed when the some uninfected programs are present in the memory, for example the popular utility RELEASE. If the 'trace warning' displays you should find out the program that caused this message. It is necessary to analyze the memory map at the address where the message pointed. Next is to comment out by using the REM instruction different commands in the AUTOEXEC.BAT, and CONFIG.SYS files while the message appears. Attention! Some of the resident viruses stop the tracing. They reset or hang-up the computer while tracing. It is necessary to be careful because if the computer hangs up while tracing it can indicate that the memory resident virus is present in the system memory. : Buffers warning: Config.sys:N1, really:N2 This is a message displayed during analysis of the number of system buffers. You should be careful if the number of system buffers, and the number of buffers of CONFIG.SYS file are different because the virus can infect the DOS system areas. : packed file. Method XXXX This message appears on processing of packed or immunized file. : archive file. Format XXXX This message appears on processing of archive file. : unknown format This message appears on processing of files packed or compressed with unknown format or stored in archive with password. Scan Dialog Messages ──────────────────── : This virus is not curable, and the infected file must be deleted : This sector is not curable, and must be overwritten with a standard one These messages indicate that a file or sector is infected by a not-disinfectable virus. You should delete all these files, and replace them with backup copies or re-install the system on infected disk. : Delete all infected files?! Are you sure? : Delete all infected sectors and files?! Are you sure? These messages are displayed when pressing the "Delete all" button in Cure Request Dialog. : Could not open file Error opening the file while scanning. : No memory to init tables. Redundant scan is not available No free memory to allocate tables. : Can't use CRC from floppy drive CRC tables are placed on floppy drive. : Wrong Path Wrong path string for scanning. : Error with swap file No free space for swap data or no free system handles for file. Check disk free space or increase FILES= value in CONFIG.SYS file. Installation Messages ───────────────────── : File AVP.EXE is infected by virus This message indicates that AVP.EXE executable file is infected. : File AVP.EXE is corrupted. Continue of execution can caused a lost of data. Continue? This message warns about modification or corruption of the AVP.EXE file. : File NAME not exist The database file not found. : No database in set No SET file found. : The set of virus bases is out of date. You should update your antiviral software at least once in three months. The databases are out of date. : Not enough free file handles. Insert line FILES=32 in CONFIG.SYS file. No free file handles to create swap files. : Your system clock is not set to a correct date The current system date value is wrong. Backup and Restore Messages ─────────────────────────── : Insert rescue disk in A: : Backup file corrupted. Restore not complete : I/O Error. Restore not complete : I/O error. Backup not complete Database Messages ───────────────── : LINK name: need linked proc : Different pages in record : Large Offset in record : Error file format : This base is locked for edit : Error version number : Corrupted data in record : Record too large : Unknown record in base : Data is already being edited. Close form before deleting : Are you sure you want to delete this item? : Reload bases? : Cannot create file. Data not saved : Error opening file : Database has been modified. Save? : Form data has been modified. Save? : Unresolved external : Can't link FIXUPP 8X. All functions must be declared as "far" : Unknown FIXUPP type : Can't link Groups : Unknown OBJ record type : Large record : Effective part of OBJ module must be < 64K Other Messages ────────────── : Error with INI File : Out of Memory : Low memory to load help system : Reload bases for cure? : There are no XMS memory detected. To avoid memory problems we recommend to install XMS driver : Can't open temporary file ──────────────────────────────────────────────────────────────────── 3. Antiviral Database (Pro version) ──────────────────────────────────────────────────────────────────── The Antiviral Database (DB) is the file which contains the records of the different types of infections. The main types of records are: MEMORY, SECTOR, JMP, FILE. The MEMORY record contains the information for searching, and disinfecting memory resident viruses. The virus scanner checks the system memory for memory resident viruses according to the list of MEMORY records, and if a virus is detected, the scanner deactivates it in memory, and displays a corresponding message. The SECTOR record contains information for the searching, and disinfecting boot viruses. The virus scanner checks, and disinfects boot sectors according to the list of SECTOR records, and displays a messages if the virus is found. The FILE record contains information for the searching, and disinfecting of file viruses. The virus scanner checks, and disinfects files according to the list of SECTOR records, and displays a messages if a virus is found. Records of type JMP are used for the calculation of the file (virus) entry point. In EXE files the JMP record calculates the start address of the module. In SYS files the JMP record calculates the STRATEGY & INTERRUPT subroutines addresses, and in COM files, and boot sectors it analyzes the code at the beginning of the file/sector. The record contains fields, and the main types of fields are: Name Type (internal format of the file, MBR or BOOT sector) Area1: Page, offset and length of code to calculate the first checksum Area2: Page, offset and length of code to calculate the second checksum Pointers to special routines (decryption and disinfection routines) Method of disinfection All digits in all fields of the database records are hexadecimal. JMP, and MEMORY records contain the limited set of fields listed above. Field "Name" ──────────── Each record (excluding JMP ones, in which the Name field is comment only) begin with the Name field. This field contains the string that is displayed if the virus scanner detects a corresponding virus. An example of names are: Atomic Intruder.1331 Jeru.Sunday.b You are allowed to use any ASCII digits or characters in the Name excluding spaces, and special characters: delimiter "." and "the same name" identifier "#". The Delimiter "." is used to separate the virus name with subnames, and copy the part of previous name to current one. If the name begins from point delimiter, it means that name of current record begins from first subname of previous record. If the name begins from two point delimiters, it means that the name begins from first, and second subnames of previous record. If the Identifier "#" is at the beginning of the record it forces the virus scanner to use the name of the previous record. If the string begins with the "#" identifier the rest of that string is not used. You can fill it with comments if you like. Examples: Record Name: Output: -------------------------------- Cascade.1701.a Cascade.1701.a # Cascade.1701.a ..b Cascade.1701.b .1704.a Cascade.1704.a ..b Cascade.1704.b #Cascade_Virus Cascade.1704.b #Cascade_Memory Cascade.1704.b Field "Type" ──────────── The TYPE field identifies the format of file, and where the virus scanner searches for that virus (FILE record) or the type of system sector where the virus scanner searches for a boot virus (SECTOR record). The allowed types are COM, EXE, SYS, and NEW EXE in the FILE records, BOOT, and MBR in the SECTOR records. If the record is marked as COM, and EXE, the scanner will not check SYS-files for that record, if the record is marked as SYS only, the scanner will scan SYS-files only for that record. Pages ───── When virus scanning the virus scanner puts the code of file or sector into its internal pages (blocks of memory). There are several available pages: HEADER - 400h bytes, file header code PAGE_A - 400h bytes, entry point code PAGE_B - 400h bytes, "second jump" code PAGE_C - 1000h bytes, for using in special routines FILE - virtual page, is used to reach the data that is out of other pages. When virus scanning the system sectors or DOS executables the HEADER contains the body of sector it scanned (200h bytes) or 400h bytes of code from the file beginning. The PAGE_A contains 400h bytes (or rest of the sector) from the entry point. It there is another JMP command in PAGE_A, the 400h bytes of code where the "second jump" points, is placed in PAGE_B. When virus scanning multi-entries files (such as SYS and NEW EXE files) the virus scanner checks each entry many times, until the number of entries is found. When scanning the code of entry, it is placed in PAGE_A, and code of "second jump" is placed in PAGE_B. If there are NEW EXE files two parts of file are virus scanned the DOS component, and NEW component. When virus scanning of NEW component the code of the NEW EXE Header it is copied into the page HEADER, and the other pages are filled as written above. COM file EXE/SYS file NEW EXE file ┌───────┐ ┌───────┐ ┌───────┐ ┌─│Page │ EXE/SYS│Page │ EXE │ │ JMP│ │HEADER │ header│HEADER │ header│ │ │ │-------│ │-------│ │-------│ │ │ │ │ │ NE │Page │ │ │ │ │ │ header│HEADER │ └>│-------│ Entry│-------│ │-------│ ┌─│PAGE_A │ ┌─│PAGE_A │ │ │ JMP│ │ │ JMP│ │ │ Entry│-------│ │ │-------│ │ │-------│ ┌─│PAGE_A │ │ │ │ │ │ │ │ │ │ └>│-------│ └>│-------│ │ │-------│ │PAGE_B │ │PAGE_B │ └>│PAGE_B │ │ │ │ │ │ │ │-------│ │-------│ │-------│ └───────┘ └───────┘ │ │ └───────┘ The Algorithm for filling of the pages is HEADER, PAGE_A and PAGE_B, and is defined in the JMP records. PAGE_C is used by the special (decryption or cure) subroutines and used as a read/write buffer, and area for decrypted virus code. ┌──────┐ ┌──────────────────┐ ┌──────┐ │PAGE_A│───>│decryption routine│───>│PAGE_C│ └──────┘ └──────────────────┘ └──────┘ file ┌───────┐<────┐ │ │ │ writing │-------│ ┌──────┐ │ │ │PAGE_C│ │ │ └──────┘ . . . ^ │-------│ │ reading │ │─────┘ └───────┘ The page FILE is a virtual one. It is not a block of memory. Elements of the page FILE have signed offsets. The null address of page FILE equals the file entry point address. This page is used during file disinfection to reach the file code which is out of other pages. file ┌───────┐ │HEADER │ │-------│ │ │ │ │FILE-0400h │ │ │-------│FILE+0000 │PAGE_A │ │-------│FILE+0400h │ │ │ │FILE+0800h . . . │-------│ │PAGE_B │ │-------│ │ │ └───────┘ Check Sums ────────── To detect a virus the virus scanner uses check sums (control sums) instead of the conventional signatures. All check sums are double word in length (32 bits). The algorithm of check sum calculation is one of the standard CRC algorithms. The virus scanner calculates check sums for each scanned object, and compares it with list of check sums that are stored in the database records. There are two check sums that are used in the SECTOR, and FILE records: rough (on code of small length), and final (on code of long length). The MEMORY record contains only the checksum. In FILE and SECTOR records it is recommended to use length, and offset of the code for the first checksum in these limits: - the length of code is less or equal to 10h; - the offset of the start of code is equal to zero. In this case the internal cache is used. If it is impossible to select the code in these limits, you should use another one. If the length of first check sum is over or equal to 8 and the calculated (on scanning) sum is equal to that check sum, the virus scanner displays the warning message: virus NAME warning (tail length) where NAME is string from Name field of corresponding database record. Record Processing ───────────────── When virus scanning files or sectors the virus scanner opens the file (locates the sector), calculates entry point, fills the pages HEADER, PAGE_A, PAGE_B, and then calculates the first checksum. If that checksum is equal to first checksum of record a second checksum is calculated. If there is special decode routine, it is executed before calculation of second checksum. If the second checksum is equal to checksum stored in the record, the virus scanner displays a corresponding message. If it is executed for the cure process, it processed the disinfection fields. If there is a special disinfection routine, it is executed before processing of these fields. When virus scanning the system memory the virus scanner calculates the checksums of the areas of the system memory at addresses from a limited list (Memory Record). If that checksum is equal to the checksum of the record, it disinfects that area of the system memory according to other record fields. When calculating the entry point the virus scanner calculates checksums in the page HEADER, and compares them to the checksums from JMP records. If sums are equal to the record's ones, it processes corresponding method of entry point address calculation. Creating a New Record ────────────────────- To attach the information about a new virus into the database it is necessary to: - open a new record (INSERT key), - select the type of the record (FILE, SECTOR, JMP, MEMORY, ...) - type the name of virus, - select the type of objects to check (for FILE and SECTOR records), - fill the checksum areas (select pages, offsets and lengths), - fill the disinfection fields (or set method of disinfection to FAIL), - link the special routines (if it is necessary), - calculate the checksum by using the SUM command that automatically calculates sums by pointing to an infected file, or type the virus mask manually. If you describe a virus that does not have the code which is useful for calculating the sums (polymorphic virus), it is necessary to set the length of the first control sum to zero, and link the object code of the decryptor by the LINK command of the form. In this case you should calculate the second control sum in PAGE_C. See samples of database records in SAMPLES.ZIP file. 3.1. FILE Record ──────────────────────────────────────────────────────────────────── Fields ────── Type type of the record (COM or/and EXE or/and SYS or/and WIN) Name virus name Page_1 page for the control sum 1 Offset_1 offset for the control sum 1 Len_1 length for the control sum 1 Sum_1 control sum 1 Page_2 page for the control sum 2 Offset_2 offset for the control sum 2 Len_2 length for the control sum 2 Sum_2 control sum 2 Cure_Method remove method Cure_Page page for the cure method Cure_Data_1 cure data Cure_Data_2 cure data Cure_Data_3 cure data Cure_Data_4 cure data Cure_Cut number of the bytes to cut file Commands ──────── Link attach the object code to the record Sum calculate the control sums The Record Processing Algorithm ─────────────────────────────── The file is dispatched by the JMP records (the calculation of the EP, EP_Next values, filling the HEADER, PAGE_A, PAGE_B pages) before calling the virus check loop. The check loop processes all the file records. For each file record the first control sum is calculated (in page pointed by Page_1 field from Offset_1 on Len_1 bytes). This sum is compared with the value from the field Sum_1. If these values are equal then the second control sum is calculated (in page pointed by field Page_2 from Offset_2 on Len_2 bytes). The decode procedure is called before the calculation of second control sum if that procedure presents in linked module. If the second control sum is equal to the Sum_2 field then the virus scanner removes the viruses according to the method pointed in the field Cure_Method. The Fields Cure_Page, Cure_Data_1, Cure_Data_2, Cure_Data_3, Cure_Data_4, Cure_Cut are used for removing the virus. The field Cure_Page is used to point to the page from which the data for cure is getting with the offsets Cure_Data_x. If Cure_Page=FILE then the data for cure is getting from the tested file with the offsets EP+Cure_Data_x. The Cure_Data_x fields is signed. The standard method is applied after the special cure procedure, if this procedure is presented in linked module and returned R_PRECURE. Cure Methods ──────────── MOVE and LEHIGH ─────────────── These methods repair the bytes of file beginning. They are used against the viruses that append themselves to the file end, and alter the file beginning. Repairing: Cure_Data_2 bytes are copied to file beginning with offset Cure_Data_3 from the page pointed to in the Cure_Page with offset Cure_Data_1. If the file name is COMMAND.COM, then fill file with 0 from the Entry_Point minus Cure_Cut offset to the end of the file, otherwise it sets the file length to the Entry_Point minus Cure_Cut offset. The Cure_Data_4 field is not used. JERUSALEM ───────── It is used against the viruses which write themselves into the file beginning, and shift the file body. Repairing: The file is moved to the beginning on Cure_Data_1 bytes. The file length is decreased by Cure_Data_1 + Cure_Cut bytes. The Cure_Page, Cure_Data_2, Cure_Data_3, Cure_Data_4 fields are not used. START ───── It is used against viruses which write themselves into the file beginning, and move the original beginning to the end of the file. Repairing: The file length is decreased by the Cure_Cut bytes, then the part of the code is moved from the file end to the file beginning. If the file length is less than Cure_Data_1*2, then it moves the File_Length minus Cure_Data_1 bytes (File_Length after decreasing by Cure_Cut bytes), otherwise is moves Cure_Data_1 bytes, and the file length is decreased by Cure_Data_1 bytes. The Cure_Page, Cure_Data_2, Cure_Data_3, Cure_Data_4 fields are not using. EXE_CISS, EXE_CISS_10, EXE_CIS, EXE_CIS_10, EXE_CI, EXE_CI_10 ───────────────────────────────────────────────────────────── EXE-file header repair methods. EXE_CISS - repair the values of all header register fields (CS,IP,SS,SP) EXE_CIS - repair the values of CS, IP and SS header register fields EXE_CI - repair the values of CS and IP header register fields EXE_CISS_10, EXE_CIS_10, EXE_CI_10 methods are the same as listed above with one exception: the CS and SS header register fields are decreased by 10h before restoring. The values of the header register fields for all the Pages except FILE are: CS: word ptr Cure_Page[ Cure_Data_1 ] IP: word ptr Cure_Page[ Cure_Data_2 ] SS: word ptr Cure_Page[ Cure_Data_3 ] SP: word ptr Cure_Page[ Cure_Data_4 ] Cure_Data_x are unsigned. The values for the header register fields if Cure_Page=FILE are: CS: word ptr File[ EP+Cure_Data_1 ] IP: word ptr File[ EP+Cure_Data_2 ] SS: word ptr File[ EP+Cure_Data_3 ] SP: word ptr File[ EP+Cure_Data_4 ] Cure_Data_x are signed. The file length is decreased by EP minus Cure_Cut bytes. The EXE-module size fields of EXE-header are corrected too. SYS_SI and SYS_I ──────────────── SYS-file header repair methods. SYS_SI - repair the value of the Strategy and Interrupt header fields SYS_I - repair the value of the Interrupt header field The values for the header fields are: Strategy - word ptr Cure_Page[ Cure_Data_1 ] Interrupt - word ptr Cure_Page[ Cure_Data_2 ] DELETE ────── It deletes the infected file. FAIL ──── This method displays the message "virus NAME cure failed". It is used as a temporary name for viruses which are "disinfectable", but the current version of the virus scanner does not disinfect them correctly. SPECIAL ─────── For a complex virus that uses encryption or the courage algorithm the standard methods are not allowed. In this situation you should write a special procedure to cure the virus, then compile it and, attach the object code to the record by Link command. Example ─────── The COM-file is infecting by the virus "Tiny". On infection this virus appends to file 4 bytes at the beginning of the file, then it appends 140 bytes of the virus body, then it modifies the first four bytes of the file (jmp to the virus body): 4D DEC PB E9 xx xx JMP NEAR Loc_Virus It is necessary to register a new JMP record because the code of the virus jump is not standard: JMP record: Name Tiny Len_1 02 Sum_1 xxxxxxxx <<< sum is calculated with Sum command Offset_2 00 Len_2 00 Sum_2 00 Jmp_Method OFFSET Jmp_Data 02 Then you should register a new FILE record: Type COM Name Tiny Page_1 PAGE_A Offset_1 00 Len_1 08 Sum_1 xxxxxxxx <<< sum is calculated with Sum command Page_2 PAGE_A Offset_2 00 Len_2 40 Sum_2 xxxxxxxx <<< sum is calculated with Sum command Cure_Method MOVE Cure_Page FILE Cure_Data_1 -04 Cure_Data_2 04 Cure_Data_3 00 Cure_Data_4 00 Cure_Cut -04 3.2. JMP Record ──────────────────────────────────────────────────────────────────── Fields ────── Name name of the record (information field) Len_1 length for the control sum 1 Sum_1 control sum 1 Offset_2 offset for the control sum 2 Len_2 length for the control sum 2 Sum_2 control sum 2 Jmp_Method method of jump Jmp_Data data for jump method Commands ──────── Link attach the object code to the record Sum calculate the control sums The Record Processing Algorithm ─────────────────────────────── The file is dispatched by the JMP records (the calculation of the EP, EP_Next values, filling the HEADER, PAGE_A, PAGE_B pages) before calling the virus check loop. After the file opening the 400h bytes from the file beginning are read into the pages Header and Page_A. The contents of the other pages are set to zero. Next the virus scanner will run the JMP loop for detecting the file entry point (EP). The first control sum on Len_1 bytes of the page Header is calculated for each JMP record. This value is compared to the value of the field Sum_1. If these values are equal then the second control sum in the page Header from Offset_2 on Len_2 bytes is calculated. If the second control sum is equal to the value of the Sum_2 field then the value of EP is calculated according to the method which is pointed by the field Jmp_Method with data from the field Jmp_Data. The 400h bytes of the code from the file at the offset EP are read into the page Page_A. This procedure repeats one time for filling EP_Next and Page_B by using the page Page_A instead of the page Header. This procedure is called on calculation of jumps in boot sectors also. EP Calculation Methods ────────────────────── OFFSET ────── It used to dispatch the commands like: xxxx:0100 E9 xx xx JMP NEAR Loc_Virus .... .... xxxx:0100 E8 xx xx CALL NEAR Loc_Virus .... .... or the instruction combinations like: xxxx:0100 90 NOP xxxx:0101 E9 xx xx JMP NEAR Loc_Virus .... .... The EP value is calculated as address of command, where control is passed to by instruction JMP NEAR or CALL NEAR. EP = word ptr Header[Jmp_Data] + Jmp_Data + 2. ADDRESS ─────── It used to dispatch the commands of the COM-files like: xxxx:0100 68 xx xx PUSH OFFSET Vir_Loc xxxx:0103 C3 RET .... .... xxxx:0100 B8 xx xx MOV AX, OFFSET Vir_Loc xxxx:0103 FF D0 CALL AX .... .... The EP value is calculated as the address of command, where control passed to by the RET/JMP/CALL instruction. EP = word ptr Header[Jmp_Data] - 0100h. DATA ──── It used to dispatch commands of the COM-files like: xxxx:0100 FF 26 04 01 JMP WORD PTR [0104] xxxx:0104 xx xx DW Vir_Offset .... .... EP = word ptr File [Jmp_Data] - 0x100. FAIL ──── This method displays the message "virus NAME cure failed" and is used as a temporary name for viruses under analysis. SPECIAL ─────── For complex commands the standard methods are not allowed. In that situation you should write a special procedure to calculate EP, then compile it, and attach the object code to the record by the Link command. The dispatch of the EXE-file header, and the short jumps instruction use SPECIAL methods. Note: Most jump codes are calculated by the current set of JMP records which are included in main antiviral database. Please check the virus scanner for jump calculation before adding a new one. Example ─────── The code of the infected file beginning: 0000 90 NOP 0001 90 NOP 0002 E9 xx xx JMP Virus The files filling: Name nop_nop_jmp Len_1 0003 Sum_1 xxxxxxxx <<< sum is calculated with Sum command Offset_2 0000 Len_2 0003 Sum_2 xxxxxxxx <<< sum is calculated with Sum command Jmp_Method OFFSET Jmp_Data 0003 3.3. MEMORY Record ──────────────────────────────────────────────────────────────────── Fields ────── Name virus name Method search method Segment value of the segment Segm (method ADDRESS) Offset_1 offset value for search Control_Byte control byte Len_1 length for the control sum 1 Sum_1 control sum 1 Offset_2 offset of the replace code Len_2 length of the replace data ( <5 ) Replace_Bytes bytes for replacing Commands ──────── Link attach the object code to the record Sum calculate the control sums Record Processing Algorithm ─────────────────────────── The virus scanner scans the set of the addresses Segm:Offs according to the Method field. For each of the addresses it compares the byte of the system memory at the address Segm:Offs + Offset_1 with the value of the Contol_Byte field. If these value are equal then it calculates the control sum at the address Segm:Offs + Offset_1 on the Len_1 bytes. If the control sum is equal to the Sum field the scanner displays a corresponding message, and replaces the Len_2 bytes from Segm:Offs+Offset_2 by the sequence of the bytes from the Replace_Bytes field. Search Methods ────────────── ADDRESS ─────── To search at one fixed address. Segm, and Offs are pointed by the field. The value of Offs is equal to the zero. CUT ─── To search in memory that is 'cut' from DOS (as a lot of boot viruses do). The Segm value is changed from the end of the Z block of DOS memory blocks until A000h by increasing by the one. The value of Offs is equal to the zero. MCB ─── To search in the DOS memory blocks. The Segm value is changed in the segment addresses of all the MCB blocks. The value of Offs is equal to the zero. Attention! The Segm value is equals to the address of memory block body not to the address of the memory CONTROL block (MCB). TRACE ───── To trace the interrupts 21h, and 13h. The values of Segm:Offs are changed in the list of the address with all the over-segment jumps. SCAN ──── The virus scanning of the memory. The Segm value is changed from 0000h until the segment address of scanner by increasing by one. The value of Offs is equal to the zero. FULL_SCAN ───────── The virus scanning of the entire memory. The Segm value is changed from 0000h until A000h by increasing by one. The value of Offs is equal to the zero. SPECIAL ─────── The special search, and removing procedure is called if this method is pointed. You should write a special procedure, compile it, and attach the object code to the record by the Link command if you point this method. Example ─────── The code in infected system memory: 1234:0123 80 FC 3D CMP AH,3Dh 1234:0126 74 xx JE Infect_File 1234:0128 E9 xx xx JMP Continue 1234:012B . . . . . . . . . The first deactivation method: TRACE ───────────────────────────────────── The fields filling: Method TRACE Segment 0000 Offset_1 0000 Control_Byte 80 Len_1 8 Sum xxxxxxxx <<< sum is calculated by the Sum command Offset_2 3 Len_2 2 Replace_Bytes 90 90 The code in the memory after curing: 1234:0123 80 FC 3D CMP AH,3Dh 1234:0126 90 NOP 1234:0127 90 NOP 1234:0128 E9 xx xx JMP Continue 1234:012B . . . . . . . . . The second deactivation method: MCB ──────────────────────────────────── The fields filling: Method MCB Segment 0000 Offset_1 0123 Control_Byte 80 Len_1 8 Sum xxxxxxxx <<< sum is calculated by the Sum command Offset_2 0126 Len_2 2 Replace_Bytes 90 90 3.4. SECTOR Record ──────────────────────────────────────────────────────────────────── Fields ────── Type type of the record (BOOT and/or MBR) Name virus name Offset_1 offset for the control sum 1 Len_1 length for the control sum 1 Sum_1 control sum 1 Page_2 page for the control sum 2 Offset_2 offset for the control sum 2 Len_2 length for the control sum 2 Sum_2 control sum 2 Cure_Method remove method Cure_Page page for the cure method Cure_Addr_A cure data Cure_Addr_B cure data Cure_Offset cure data Commands ──────── Link attach the object code to the record Sum calculate the control sums Record Processing Algorithm ─────────────────────────── When virus scanning the system sector is read into the page Header (200h bytes). Next the virus scanner will run the JMP loop for detecting the entry point (EP) as well as the calculation of file entry point. The bytes from entry point until the end of sector are moved to Page_A. The contents of other pages are set to zero before running the detection loop. The first control sum is calculated in the page Header from Offset_1 on Len_1 bytes. If the first control sum is equal to the Sum_1 value then the second control sum is calculated in page which is pointed to by the Page_2 field from Offset_2 on Len_2 bytes. The decode procedure is called before calculating the second control sum, if this procedure is presented linked module. If the second control sum is equal to the Sum_2 field then the virus scanner removes the virus according to method which is pointed to in the field Cure_Method. The Cure_Addr_A, Cure_Addr_B, Cure_Offset fields are used for removing the virus. The standard method is applied after the special cure procedure, if this procedure is presented linked module and returned R_PRECURE. The address of the sector (Boot or MBR) can be pointed to by two methods: the physical address (head,track§or - two arguments) or the logical address (the number of the sector of the logical disk - one argument). These methods use different interrupts. Addressing Sector address Interrupt ────────── ────────────── ───────── logical logical sector - CX INT 25h/26h physical track and sector - CX INT 13h head - DH Cure Methods ──────────── ADDRESS ─────── If absolute addressing is used. The original MBR or Boot sector are moved from the disk sector at the absolute address Cure_Addr_A/Cure_Addr_B (track§or/head or CX/DH in the INT 13h format). The fields Cure_Page, and Cure_Offset are not used. ABSOLUTE ──────── If absolute addressing is used. The original MBR or Boot sector are moved from the disk sector at the absolute address CX/DH in the INT 13h format, where CX and DH values are got from the page Cure_Page: CX = word ptr Cure_Page [Cure_Addr_A] + Cure_Offset DH = byte ptr Cure_Page [Cure_Addr_B] LOGICAL ─────── It is the same as the ABSOLUTE method except for the addressing. The logical addressing is used: CX = word ptr Cure_Page [Cure_Addr_A] + Cure_Offset The Cure_Addr_B field is not used. DELETE ────── The standard MBR or Boot sector of MS-DOS 6.0 is placed into the disk sector. Note: this method can be dangerous if the disk has been formatted with non standard utilities. FAIL ──── This method displays the message "virus NAME cure failed". It is used as a temporary name for viruses which are "disinfectable", but the current version of scanner does not disinfect them correctly. SPECIAL ─────── For complex viruses that use an encryption or a stealth algorithm the standard methods are not allowed. In this situation you should write a special procedure to cure the virus, then compile it, and attach the object code into the record by the Link command. Example: ──────── The Boot sector has been infected by the "Stoned" virus. That virus saves the original Boot sector in the absolute sector at the address 3/1 (sector/head). Fields filling: Type BOOT Name Stoned Offset_1 00 Len_1 08 Sum_1 xxxxxxxx <<< sum is calculated with Sum command Program_Flag NO Page_2 HEADER Offset_2 15 Len_2 80 Sum_2 xxxxxxxx <<< sum is calculated with Sum command Cure_Method ADDRESS Cure_Page FILE Cure_Addr_A 03 Cure_Addr_B 01 Cure_Offset 00 3.5. Link of Special Procedures ──────────────────────────────────────────────────────────────────── These special procedures are used to expand the capability of the antiviral database. They attach to the records in the antiviral database, and are used for the detection, and removal of difficult viruses that use nonstandard infection methods or self-encryption algorithms. The special procedures may be written on C, assembler, and other languages that support the C standard of subroutines calls. Borland C compilers are recommended. You can attach these special procedures to the records of the antiviral database after compiling them to the object modules. The attached code would be read from the database, and linked with the main anti-virus executable during the loading of the database. When virus scanning the main program would use these procedures, as well as, its own internal subroutines. We recommend the SMALL model for compiling the source modules if there is no static data, and the HUGE model if the static data is present. The using of TINY model is impossible. For example, the compiling FILENAME.C to FILENAME.OBJ can be performed with Borland C by the command: bcc -mh -c -K filename.c Standard Names of Special Procedures ──────────────────────────────────── One or two procedures with standard names (like 'main' in C) must be present in the linked module. There are three standard names: decode() {procedure body} // decryption procedure cure() {procedure body} // removing procedure jmp() {procedure body} // procedure for entry point calculation The names "decode" and "cure" can be used together or separately in FILE, and SECTOR records. In TSR records it can be used in the "cure" procedure only. In JMP records it can be used in the "jmp" procedure only. Using of External Procedures, and Data ────────────────────────────────────── The special procedures use external procedures, and data. Before access to these names it is necessary to describe those names as external. The names which are defined in the main program can be accessed from any special procedure. These names are defined in SAMPLES\DLINK.H file. See this file for more info. The access to the external names that were defined in other linked modules are available if the record with the definition is placed BEFORE the record with the call to the external name. Correct example: Record Cascade.1701: define Decode_Cascade(...) {...} call Decode_Cascade(...) Record Cascade.1704: call Decode_Cascade(...) Incorrect example: Record Cascade.1701: call Decode_Cascade(...) Record Cascade.1704: define Decode_Cascade(...) {...} call Decode_Cascade(...) ──────────────────────────────────────────────────────────────────── 4. Antiviral Resident Monitor (Pro version) ──────────────────────────────────────────────────────────────────── The Antiviral Monitor (AVPTSR) is the memory resident "lie detector". It allows you to detect suspicious actions on your computer. Using the AVPTSR it is possible to stop the spreading of a computer virus in the earliest stage of infection. Apart from this, the AVPTSR may be helpful when you work with programs that you think might be infected by a virus or a trojan horse. The AVPTSR lets you monitor the computer's memory allocation (window "Memory Map" in the main menu of the AVPTSR). This will allow you to detect memory-resident viruses upon execution of a infected program. In the "Menu" portion of the AVPTSR you are able to select the options you want to monitor for, or situations the AVPTSR should monitor for. The main AVPTSR functions are: - the detection of infected files and disk sectors; - the control for changing and renaming of executable files (COM and EXE files); - the control for writing to the disks at absolute address, and the disk formatting; - the control for appearance of resident programs; - the control for several dangerous DOS functions. Also, the monitor controls RAM allocation, and the status of some DOS system areas. When "suspicious" behavior of the computer is intercepted the AVPTSR will display a warning message (a window containing detailed information appears on the screen), and waits for a command that allows or prohibits the intended action. The complete list of the displayed messages is giving below. The main menu for the AVPTSR is opened by pressing both keys Alt and "-" at the same time, to quit press the ESC key. When displaying the AVPTSR menu two windows appear on the screen: the mode setting window and the memory map window. ╔═════════════════╦══════════════════╤═════════════════╤═══════════╗ ║Access to files √║ Total: 640 K │ ROM BIOS: 640 K │DOS: 640 K ║ ║Memory check √╠════╤════╤═══════╤╧═══════════╤═════╧═══════════╣ ║Format sector √║MCB │PSP │ Size │ Owner │ Hooked vectors ║ ║Write to sector √╟────┼────┼───────┼────────────┼─────────────────╢ ║Dangerous calls ║0A49│0A49│ 2,368│COMMAND.COM │2E ║ ║Scan on EXEC √║0ADE│0000│ 64│ free │ ║ ║Scan on OPEN ║0AE3│0A49│ 256│COMMAND.COM │ ║ ║Check all files ║0AF4│0B00│ 176│RTSR.COM │ ║ ║Registers ║0B00│0B00│ 1,536│RTSR.COM │ ║ ║Remove AVPTSR ║0B61│0B6D│ 176│PRN2FILE.EXE│ ║ ╚═════════════════╣0B6D│0B6D│ 75,104│PRN2FILE.EXE│08 17 28 ED F0 F6║ ░░░░░░░░░░░░░░░░░░║1DC4│1DD0│ 176│AVPTSR.EXE │ ║ ░░░░░░░░░░░░░░░░░░║1DD0│1DD0│ 16,888│AVPTSR.EXE │09 13 1B 20 21 22║ ░░░░░░░░░░░░░░░░░░║ │ │ │ │2A 2F 40 EE ║ ░░░░░░░░░░░░░░░░░░║2113│0000│282,304│ free │FE ║ ░░░░░░░░░░░░░░░░░░╚════╧════╧═══════╧════════════╧═════════════════╝ The mode setting window (Left side of Display box) indicates the selected detection modes which corresponding to suspicious operations. This section is used for their selection. You can change the options by using the <RETURN> or <ENTER> keys. It's possible to change these options by reinstalling the AVPTSR. The AVPTSR finds in the system memory its copy loaded earlier and passes to it the arguments specified in the command line. The monitor modes are: Access to files : stop the modification or deleting of the files Memory check : check the system memory Format sector : stop formatting Write to sector : stop writing to disk sectors Dangerous calls : stop dangerous DOS calls and interrupt tracing Scan on EXEC : scan the files for the viruses on execution Scan on OPEN : scan the files for the viruses on opening Check all files : stop the modifying and scan all files, or COM/EXE/SYS/OVL/BIN only Registers : show the registers Remove AVPTSR : remove AVPTSR from system memory 4.1. Command Line Options ──────────────────────────────────────────────────────────────────── The format for loading the AVPTSR from DOS prompt or BAT-file is: C:>AVPTSR [option...] the options are: /A - disable the control for the accessing to executable files /M - disable the memory checking /F - disable the control for formatting /W - disable the control for absolute disk writing /R - disable the registers window /D - disable the control for the dangerous calls /V - load antiviral database and enable known virus detection If no options are choosen then all the modes are switched ON excluding /V argument. For example, when loading the AVPTSR with the options: C:>AVPTSR /A /F /R all modes will be activated except the control for the executable files and control for the disk formatting. The register window is closed. C:>AVPTSR /V The "/V" option instructs the AVPTSR to load the antiviral databases listed in AVP.SET file into memory. The AVPTSR will now detect known viruses in files and sectors when accessing them. This option uses a large portion of the system memory. 4.2. Messages List ──────────────────────────────────────────────────────────────────── When "suspicious" behavior of the computer is found the AVPTSR displays a warning message and waits for the your instruction to allow or cancel the access to this file or sector. The AVPTSR displays a warning message also when the a virus is detected in the file or disk sector. ┌────────────────────────────┐ │ PROGRAM_NAME │ │ warning message │ │ │ │ [ OK ] [ Cancel ] [ Free ] │ └────────────────────────────┘ If the warning box appears you must either to allow [ OK ] or disallow [ Cancel ] the operation that caused the warning message. It's possible to disable the control for this function by selecting [ Free ]. When selecting the [ OK ] operation the computer will continue the execution of the operation that was stopped. When canceling the operation by selecting the [ Cancel ] selection the AVPTSR sets the error code that causes the error message ("file not found", "disk is write protected" etc...) and return to the program which has called the "suspicious" operation. Some operations are executed repeatedly (performing disk formatting or optimization). In that case it is convenient to turn off the corresponding mode for the time being. The warning messages for that mode are switched off and the warning messages will not be displayed. Virus Detection ──────────────────────────────────────────────────────────────────── The AVPTSR controls the access to executable files, and disk sectors, and checks these objects for the known viruses. If a virus is found then the AVPTSR displays one of the messages: ┌──────────────────────────────┐ ┌──────────────────────────────┐ │ Disk X: │ │ File FILE_NAME │ │ infected by virus VIRUS_NAME │ │ infected by virus VIRUS_NAME │ └──────────────────────────────┘ └──────────────────────────────┘ The virus detection routine may be turned on at anytime if the antiviral database is loaded into the memory when the AVPTSR is installed. If the database is not installed, that routine cannot be turned on. The AVPTSR may scan the files on their execution (Scan on EXEC) or on their opening (Scan on OPEN). Access to Executable Files ──────────────────────────────────────────────────────────────────── These messages appear during operations that result in changes to COM or EXE files (change of the name, opening for writing, creation of a file). Such actions are taken by practically all viruses (except boot viruses) on an attempt to infect files. ┌───────────────────────────────┐ │ PROGRAM_NAME │ │ opening for writing FILE_NAME │ └───────────────────────────────┘ ┌────────────────────┐ │ PROGRAM_NAME │ │ creating FILE_NAME │ └────────────────────┘ ┌────────────────────┐ │ PROGRAM_NAME │ │ renaming FILE_NAME │ └────────────────────┘ Memory and Buffers Check ──────────────────────── Many viruses leave their resident parts in the computer memory, some of them use DOS interrupts. In this case the message that a program attempts to go memory-resident will be displayed. ┌─────────────────────────────┐ │ PROGRAM_NAME stays resident │ └─────────────────────────────┘ Some of viruses install their resident part into the system buffers by excluding one or several of the buffers from the buffer list. The AVPTSR checks this and displays the message: ┌────────────────────────────────────────┐ │ Number of DOS buffers decreased on xxx │ └────────────────────────────────────────┘ Majority of viruses install their resident part in the memory area allocated for programs by decreasing the size of free memory. The AVPTSR hooks such situations and displays the message: ┌────────────────────────────────┐ │ Free memory decreased on xxx K │ └────────────────────────────────┘ When the mode "Memory check" is switched on the AVPTSR restores the interrupt vector table after each program is terminated. This blocks a majority of memory-resident viruses from spreading, and some viruses will be simply destructed. Disk Access ──────────────────────────────────────────────────────────────────── ┌─────────────────────────────┐ │ PROGRAM_NAME │ │ writing (int xx) on disk X: │ └─────────────────────────────┘ ┌─────────────────────────────┐ │ PROGRAM_NAME │ │ formatting (int xx) disk X: │ └─────────────────────────────┘ These messages inform you that a program is trying to write to the disk one or more sectors by using absolute sector addressing or is trying to format one or several disk sectors. These functions normally are not used by ordinary programs (except utilities for disk formatting, optimization and restoring) but are used by some viruses. The use of the 13h, 40h, 26h interrupts is one of the most effective ways of corrupting information on a disk, particularly - the Disk Partition Table and File Allocation Table. Attention! In the message about writing to the disk or formatting disk sectors with the 13h and 40h interrupts, the letter of the physical disk ('A:' first, 'B:'- second and so on) is indicated. If the hard disk is divided into several logical disks then in the message the letter of the PHYSICAL disk is indicated: 'C:' if the first hard disk is being addressed, 'D:' in case when the second hard disk is being addressed. To find out what logical disk is being written to, it is necessary to analyze Disk Partition Tables on all logical disks. Dangerous DOS Functions Call ──────────────────────────────────────────────────────────────────── ┌────────────────┐ │ PROGRAM_NAME │ │ dangerous call │ └────────────────┘ Messages of this kind warn you that there is a dangerous call to DOS that is not typically used for application programs. Dangerous DOS functions are often used by viruses to spread themselves or to have the access to the DOS system areas. Register Window ──────────────────────────────────────────────────────────────────── When the "registers" mode is switched on, the AVPTSR will be accompanied by the list of all registers states. ┌────────────────────────────┬───────────────────────────────────┐ │ PROGRAM_NAME │ CS:IP=xxxx:xxxx AX=xxxx CX=xxxx │ │ dangerous call │ SS:SP=xxxx:xxxx BX=xxxx DX=xxxx │ │ │ DS:SI=xxxx:xxxx BP=xxxx │ │ [ OK ] [ Cancel ] [ Free ] │ ES:DI=xxxx:xxxx Flags=xxxx │ └────────────────────────────┴───────────────────────────────────┘ 4.3. Memory Map ──────────────────────────────────────────────────────────────────── Memory map contains five columns: the first - the segment address of MCB (Memory Control Block); the second - the PSP (Program Segment Prefix) segment address, the third - the block size in paragraphs (16 bytes) or kilobytes; the fourth - the name of a program occupying the memory block or the character '?' if there is no name. the fifth - the interrupt vectors being used. Also are specified: the size of free memory ───────────────────────────┐ RAM size indicated by BIOS ─────────────────────┐ │ RAM size ─────────────────────────────┐ │ │ │ │ │ The discrepancy between total memory size and │ │ │ the size indicated by ROM BIOS or DOS signals │ │ │ often that there is a virus in the system. │ │ │ One should bear in mind that in some cases │ │ │ this discrepancy is quite legal. │ │ │ ┌────────────────────────┘ │ └──┐ │ ┌──────────┘ │ ╔═════════════════╦════│═════════════╤══│══════════════╤═│═════════╗ ║Access to files √║ Total: 640 K │ ROM BIOS: 640 K │DOS: 640 K ║ ║Memory check √╠════╤════╤═══════╤╧═══════════╤═════╧═══════════╣ ║Format sector √║MCB │PSP │ Size │ Owner │ Hooked vectors ║ ║Write to sector √╟────┼────┼───────┼────────────┼─────────────────╢ ║Dangerous calls ║0A49│0A49│ 2,368│COMMAND.COM │2E ║ ║Scan on EXE √║0ADE│0000│ 64│ free │ ║ ║Scan on OPEN ║0AE3│0A49│ 256│COMMAND.COM │ ║ ║Check all files ║0AF4│0B00│ 176│RTSR.COM │ ║ ║Registers ║0B00│0B00│ 1,536│RTSR.COM │ ║ ║Remove AVPTSR ║0B61│0B6D│ 176│PRN2FILE.EXE│ ║ ╚═════════════════╣0B6D│0B6D│ 75,104│PRN2FILE.EXE│08 17 28 ED F0 F6║ ░░░░░░░░░░░░░░░░░░║1DC4│1DD0│ 176│AVPTSR.EXE │ ║ ░░░░░░░░░░░░░░░░░░║1DD0│1DD0│ 16,888│AVPTSR.EXE │09 13 1B 20 21 22║ ░░░░░░░░░░░░░░░░░░║ │ │ │ │2A 2F 40 EE ║ ░░░░░░░░░░░░░░░░░░║2113│0000│282,304│ free │FE ║ ░░░░░░░░░░░░░░░░░░║5B13│0000│279,296│ free │FE ║ ░░░░░░░░░░░░░░░░░░║9F44│ - │ 3,008│ ? │1C 21 ────┐ ║ ░░░░░░░░░░░░░░░░░░║A000│ - │ 98,304│EGA memory │ │ ║ ░░░░░░░░░░░░░░░░░░╚════╧════╧═══════╧════════════╧══════════│══════╝ │ File virus "Yankee" ───────┘ ──────────────────────────────────────────────────────────────────── 5. Antiviral Utilities AVPUTIL (Pro version) ──────────────────────────────────────────────────────────────────── The Antiviral Utilities are intended to analyze the computer state if it is infected by a virus that is unknown to the virus scanner AVP.EXE. The Utilities comprise a set of useful functions, integrated into one environment. WARNING! THIS PROGRAM MAY CAUSE SYSTEM HALT OR LOSS OF DATA. BE CAREFUL! AVPUTIL is started either from execution from the command line or by pressing hotkey Alt-'+' or Alt-Ctrl-'+' at the same time if used in memory resident mode. There are four main menus available: Utilities: activating, and management of the functions Object: select the object to work with Block: blocks management, and find/replace functions Setup: setup switches, and exit keys AVPUTIL is executed from DOS prompt in format: AVPUTIL [option] [filename] options: /V - load FILENAME for view/edit, not for debugging /P - force AVPUTIL to stay memory resident filename: the file name to view/edit or debug with AVPUTIL (the default mode is "load for debug"). 5.1. Menu Utilities ──────────────────────────────────────────────────────────────────── The Utilities Menu allows you to select, and activate the main functions: ╔════════════════════╗ ║ Disassembler Alt-E ║ activate disassembler/debugger ║ Dump Alt-D ║ activate dump editor ║ Memory map Alt-M ║ activate memory map ║ Interrupts Alt-I ║ activate interrupt map ║ System info Alt-Y ║ show system information ║ Trace result Alt-T ║ show result of interrupt tracing ║ Files Alt-F ║ show list of file handles ║ Zoom F5 ║ zoom/unzoom current window ║ User screen Alt-F5 ║ show user screen ║ Next window F6 ║ move to the next window ╚════════════════════╝ 5.1.1. Disassembler/Debugger ─────────────────────────────────────────────────────────────── The Disassembler allows you to view the contents of memory as a sequence of CPU instructions, and to trace this code. This utility is convenient for analysis, and debugging of memory resident code (for example, for analysis of the memory-resident viruses). The start address of code to be disassembled is selected with the cursor keys, and the keys of hexadecimal digits, or use GoTo system for fast switching. Some additional Function keys are available in the Disassembler. 5.1.2. Dump Editor ─────────────────────────────────────────────────────────────── The Dump Editor displays the contents of the file, sector, or RAM in either hexadecimal or ASCII form, and allows you to make changes to them. The required address is selected with the cursor keys or the keys of the hexadecimal digits. You can also use GoTo system for fast switching. You can edit data at any address of memory. Use the TAB key to switch to the dump or addresses fields, then use the hexadecimal digits in the hex field or the ASCII symbols in the ASCII field. Any changes will appear on the screen, and in the memory at the same moment if the edited object is in memory. Some additional Function keys that are available in Dump Editor. 5.1.3. Memory Map ─────────────────────────────────────────────────────────────── The memory map consists of six columns that give you the following information: Addr segment address of memory block PSP segment address of program segment prefix (PSP) Size block size in bytes Owner block owner name (name of a program or system area), if the name is not specified then the character '?' is given Type the memory block type Hooked the list of interrupts that point into this memory block. vectors ╔════╤════╤═══════╤════════════╤═══════╤════════════════════════════╗ ║Addr│PSP │ Size │ Owner │ Type │ Hooked vectors ║ ╟────┼────┼───────┼────────────┼───────┼────────────────────────────╢ ║0A1F│0A2D│ 208│COMMAND.COM │envir │ ║ ║0A2D│0A2D│ 2,640│COMMAND.COM │program│23 ║ ║0AD3│0A2D│ 256│COMMAND.COM │envir │ ║ ║0AE4│0AF2│ 208│AVPUTIL.COM │envir │ ║ ║0AF2│0AF2│ 55█▀▀▀▀▀▀▀▀▀▀▀▀▀▀█ │program│22 DF E0 E3 EE FC ║ ║189C│0000│554█ Disassembler █ │ │E4 E7 F9 FD FE ║ ║A000│0008│ 80█ Dump (HEX) █ │envir │41 43 46 ║ ║B3B3│ - │ █ Dump (ASCII) █ │program│ ║ ║ │ │ █▄▄▄▄▄▄▄▄▄▄▄▄▄▄█ │ │ ║ ╚════╧════╧════════════════════╧═══════╧════════════════════════════╝ Use the cursor line to select the block, and press the <Enter> key to activate the Memory Map menu. This menu allows you to select how to view the corresponding block with either the Disassembler or Dump. When the Disassembler or Dump editors are used, the address offset will be set to 100h if the type of block is a program. Otherwise it will be set to zero. 5.1.4. Interrupt Map ─────────────────────────────────────────────────────────────── This window displays the information about the interrupt vectors states, the number of the interrupt, the vector value in the format SEGMENT:OFFSET, and the name of the program or the memory system area the interrupt vector points to. For the interrupts which are used most often their functions (purpose) are commented. ╔═══════╤═══════════╤══════════════╤════════════════════════════════╗ ║Int 04 │ 0070:06F4 │ MSDOS.SYS │ Int 4 on overflow ║ ║Int 05 │ 012F:0014 │ QEMM386$ │ Print screen ║ ║Int 06 │ 012F:0018 │ QEMM386$ │ 80286+ Undefined opcode ║ ║Int 07 │ 01█▀▀▀▀▀▀▀▀▀▀▀▀▀▀█6$ │ 80286+ No math unit ║ ║Int 08 │ 02█ Disassembler █.exe │ IRQ0 - Timer ║ ║Int 09 │ F6█ Dump (HEX) █OM │ IRQ1 - Keyboard ║ ║Int 0A │ B6█ Dump (ASCII) █ │ IRQ2 - EGA vertical retrace ║ ║Int 0B │ B6█ Tracer █ │ IRQ3 - COM port 2 ║ ║Int 0C │ EB█ Interceptor █OM │ IRQ4 - COM port 1 ║ ║Int 0D │ B6█ New value █ │ IRQ5 - Fixed disk or LPT1 ║ ║Int 0E │ B6█▄▄▄▄▄▄▄▄▄▄▄▄▄▄█ │ IRQ6 - Diskette ║ ╚═══════╧══════════════════════════╧════════════════════════════════╝ Use the cursor line or press the hexadecimal digits to select the interrupt vector, then press the <Enter> key to activate the Interrupt menu. This menu allows you to select what your desired action is with this interrupt vector. Disassembler disassembler from the interrupt address Dump (HEX) dump from the interrupt address Dump (ASCII) dump from the interrupt address Tracer trace this interrupt Interceptor intercept this interrupt New value change the value of this interrupt vector 5.1.5. Tracer ─────────────────────────────────────────────────────────────── WARNING! Use of this function with incorrect parameters may cause your system to halt or loss of data! The tracer goes along the path (handler) of the specified interrupt, and provides the tracing assembler listing. The listing comprises the names of the programs which hook the specified interrupt, the addresses, hexadecimal dump, and the mnemonics of assembler instructions that are executed during the tracing process. The tracer is useful for detection of a unknown virus, and it is able to help you to analyze it. Selection of the interrupt to be traced, and initial states of the registers are made in the registers menu: █▀▀▀▀▀▀▀▀▀ Trace Int 21h : ▀▀▀▀▀▀▀▀▀█ █ AX 6200 CS:IP 0000:0000 FL 7202 █ █ BX 0000 DS:SI 1CEE:0000 █ █ CX 0000 ES:DI 1CEE:0000 █ █ DX 0000 SS:SP 1CEE:FFFE BP 0000 █ █▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄█ This window is displayed also after executing of selected interrupt. 5.1.6. Interceptor ─────────────────────────────────────────────────────────────── WARNING! Use of this function may cause your system to halt or loss of data! The interceptor installs it's own code into the chain of the selected interrupt, and reports every call of this interrupt. Upon interception the message window is displayed. This window contains the information about the number of the hooked interrupt, the current states of all the registers, and the string which is pointed to by the selected registers (DS:DX by default). █▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀█ █ INT 21 [AVPUTIL.COM ] █ █─────────────────────────────█ █ Dos service █ █═════════════════════════════█ █ AX 3D02 DI E88A DS 0B6D █ █ BX 033A SI 0037 ES 0B6D █ █ CX 0000 BP 0B6D █ █ DX 8F45 SP 098C SS 934E █ █─────────────────────────────█ █ Flags 0F02 CS:IP 0B6D:50A3 █ █═════════════════════════════█ █ DS:DX [C:\AVPUTIL.INI ] █ █ Back BA9876543210 [Trace ] █ █ [ OK ] [Cancel] [ Free ] █ █▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄█ The interceptor stores the latest 12 interrupt calls, and the information about them can be displayed by using the "Back" button. The control buttons are: OK - continue interrupt Cancel - set Carry flag, and break the interrupt call Free - release the interrupt calls Trace - calls the INT 3 (Debug Breakpoint). This feature is used by memory resident debuggers which hook INT 3. In other case this button is the same as the "OK" button. The number of the interrupt for intercept is selected in the "Interrupts" window by pressing the <Enter> key on the selected interrupt, and the "Interceptor" line of the pop-up menu is then displayed. The intercepted interrupt is marked by a symbol. The resetting of the interceptor is executed the same way or by using the "Free" button in the "Interceptor" window. 5.1.7. System Information ─────────────────────────────────────────────────────────────── The System Information menu displays the state of the computer, for example: █▀▀▀▀▀▀▀ System info ▀▀▀▀▀▀▀█ █ Main processor: 80486 █ █ Processor mode: V86 █ █ Coprocessor: Present █ █ DOS memory: 640 K █ █ Serial ports: █ █ 03F8, 02F8 █ █ Parallel ports: █ █ 0378, 03BC, 03BC █ █ Processor ID: █ █ GenuineIntel █ █ Model: 3 Stepping: 5 █ █▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄█ 5.1.8. Files List ──────────────────────────────────────────────────────────────────── The Files menu displays the state of the file handles, including names of the files are opened, the files' open modes, attributes, time and date stamps, sizes and current offsets in the files. 5.2. Menu Object ──────────────────────────────────────────────────────────────────── The Object Menu allows you to select the object to view or modify. ╔════════════════════╗ ║ Memory ║ set memory as object to work with ║ Load file Alt-L ║ load file as program into the memory, ║ ║ and set disassembler/debugger to entry point ║ View file Alt-V ║ set file as object to work with ║ Log. sector Alt-G ║ set logical sector as object to work with ║ Phys. sector Alt-P ║ set physical sector as object to work with ╚════════════════════╝ In the memory resident mode the accessing of files or sectors is available when pressing the Alt-Ctrl-'+' keys only. 5.3. Menu Block ──────────────────────────────────────────────────────────────────── The Block Menu is used to work with blocks of data, and for searching, and replacing data. ╔════════════════════╗ ║ Mark F8 ║ mark beginning/end of block ║ Find F7 ║ find code in the object ║ Find next Shift-F7 ║ find next pattern in the object ║ Find prev. Ctrl-F7 ║ find previous pattern in the object ║ Replace Alt-F7 ║ replace code with new one ║ Fill ║ fill marked area in object with pattern ║ Save Alt-W ║ save marked area of object as file ╚════════════════════╝ 5.4. Menu Setup ──────────────────────────────────────────────────────────────────── The Menu Setup allows you to configure, and manage the Utilities. ╔══════════════════╗ ║ Stop at INT 3 ║ hook breakpoint (INT 3) interrupt vector ║ Change segment ║ do not change/add 1000h to segment value ║ ║ on segment bound ║ Address link ║ set correction of the addresses in different windows ║ Allow graph.mode ║ allows working in different video modes ║ Save desktop ║ write the current settings into INI file ║ Stay TSR ║ terminate execution but stay resident in memory ║ Remove TSR ║ terminate execution, and remove resident part ║ ║ of program from memory ║ Quit Alt-X ║ terminate execution, and quit to DOS ╚══════════════════╝ 5.5. GoTo system ─────────────────────────────────────────────────────────────── The Utilities have a GoTo history system for storing, and fast switching between different addresses of memory. The GoTo system is available in the Dump Editor, and Disassembler. To activate the GoTo system press <Enter> or Ctrl-F5 keys. To store the current address in the history buffer press <Enter> again. If you want to use the address from the history buffer, highlight the required line with the cursor keys and press <Enter>. You can edit any line of the history buffer. Use hexadecimal digits, and register names. For example: 100 0:46C SS-1:001F+BX-DS+FL CS:IP 5.6. Hot Keys ──────────────────────────────────────────────────────────────────── The hot keys are: TSR management Alt-'+' immediate activation of memory resident part Alt-Ctrl-'+' wait until the DOS functions are free for use, and activate memory resident part menu management Alt-U activate Utilities menu Alt-O activate Object menu Alt-B activate Block menu Alt-S activate Setup menu F9 activate the last menu that was called mode management Alt-E, Alt-1 disassembler of the current object Alt-D, Alt-2 hexadecimal dump of the current object Alt-M, Alt-3 memory map Alt-I, Alt-4 interrupt vectors map Alt-F files list Alt-Y system information Alt-T results of the interrupt tracing Alt-X, F10 quit to DOS or to the interrupted program object management Alt-L load file as program into the memory Alt-V set file as object to work with Alt-G set logical sector as object to work with Alt-P set physical sector as object to work with blocks management F8 mark beginning/end of block F7 find code in the object Shift-F7 find next pattern in the object Ctrl-F7 find previous pattern in the object Alt-F7 replace code with new one Alt-W save marked area of object as file windows management F5 zoom/unzoom the current window Alt-F5 show user screen F6 move to the next window Tab move to the next field of the window