Text File | 1988-08-21 | 26KB | 607 lines
VIRUS DETECTER
Version 1.1
Virus detection for the IBM Personal Computer
and compatibles
User's Manual
(c) 1988 by Tim OBrien
Table of Contents
What is a VIRUS?............................................1
What is VIRUS DETECTER and how should it be used?...........2
How to invoke VIRUS DETECTER................................4
System Requirements.........................................6
A word from the author......................................7
Disclaimer..................................................8
Registration................................................9
Sample files created by VIRUS DETECTER......................11
PAGE 1
----- WHAT IS A VIRUS? -----
A computer virus is a piece of program code that exists within an
otherwise normal program. When this program is run, the viral code
seeks out other programs within the computer and replicates
itself. The other programs can be anywhere in your system and can
even be the operating system itself. This infection can grow
geometrically depending on the number and different types of
programs you run (1 program infects 2, 2 infect 4, 4 infect 8...).
At a given point in time, or based on some other external trigger
such as the number of times the program was run, free disk space
dropping below 10%, or any of a million other circumstances, the
viral code goes to work doing what it was intended for. It could be
as harmless as blanking your screen or as vicious as formatting your
hard disk, and everything in between is possible.
The concern over viruses has grown enormously over the past year and
even NASA has been infected. You would think (or hope) that high
security installations like NASA would be free from infections, but
the fact of the matter is that it can happen to any computer, no
matter how hard you try to prevent it.
There is some software on the market today that tries to stop
viruses from spreading by monitoring disk access and only allowing
authorized updates. The biggest problem with these is that they are
doing this monitoring while you're doing your day-to-day work. You
may not see any impact on performance with a fast CPU and disk,
but not everyone has that sort of equipment. A bigger problem is
that some viruses are written with knowledge of what these monitor
programs do and how they work. Knowing this, the virus can
circumvent the protection process.
I by no means imply that these viral-fighting programs are less
than adequate, but only want you to know that regardless of the
precautions, a virus can still infect your system.
PAGE 2
----- WHAT IS A VIRUS DETECTER? -----
VIRUS DETECTER is 3000 lines of A86 assembler language code (and
thus very fast) that takes a snapshot of the disk environment for up
to 5 disk drives, each directory in each drive, and each file in
each directory. Up to 10 different file extensions can be specified
(I recommend EXE, COM, and SYS as a minimum) or an asterisk can be
used to snapshot all files. The information is retained in the
read-only file VIRUS.NEW and consists of the following:
o Selection criteria (drive letters and file extensions)
o Each directory found on each drive
o Each file in each directory that matches the file
extensions specified
o The size, date, and time of each file
o A Standard CRC of each file
o An altered CRC of each file
On subsequent runs of VIRUS DETECTER, the VIRUS.NEW file is renamed
to VIRUS.OLD and new VIRUS.NEW is created using the options from
the previous run. After VIRUS.NEW is created, a comparison between
VIRUS.OLD and VIRUS.NEW is done and all differences are written to
VIRUS.RPT. The data in this report file consists of the following:
o Reports all directories deleted
o Reports all files deleted
o Reports all directories added
o Reports all files added
o Reports the before and after statistics for all files
that have been modified
The CRC (cyclic redundancy check) is the key to knowing when a virus
has been detected. In order for viruses to remain undetected, they
must not modify the file size or date. At the time of this writing,
I have heard of no viruses that do not change the CRC of the file.
Specifically, the CRC is computed by starting with the first byte of
the file and, through an algorithm, folding in the value of the next
byte to derive a running hexadecimal value as of that byte in the
file. This process repeats until every byte of the file has been
fed through the algorithm.
THIS PRODUCT USES 2 DIFFERENT CRC ALGORITHMS. If, in the unlikely
chance, some virus gets through one, it will be caught by the
second. For those of you that are familiar with the virus problem,
Gilmore Systems of Beverly Hills California has a program that will
create a modified version of a file that is different, but has the
same CRC. They use this to show you that a standard CRC is not good
enough for true virus detection. I ran their program called PROVECRC
and then ran VIRUS DETECTER. VIRUS DETECTER DID show that the file
was changed. One CRC was the same, but the second was not.
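A small model of the snapshot-and-compare process and the report categories described above, added here as an illustration and not code from VIRUS DETECTER itself: it records size, date and two independent checksums per file and reports deleted, added and modified files. CRC-32 and Adler-32 are assumed stand-ins for the manual's standard and altered CRC, whose actual algorithms the page does not give.

```python
import os
import zlib
from typing import Dict, List, Tuple

# Constructed stand-in for one VIRUS.NEW line: (size, date/time, CRC1, CRC2).
Record = Tuple[int, int, int, int]

def two_checksums(data: bytes) -> Tuple[int, int]:
    """Two independent checksums over every byte of the file. CRC-32 stands
    in for the manual's 'standard CRC' and Adler-32 for its 'altered CRC'
    (assumption: the manual does not give the real algorithms)."""
    return zlib.crc32(data), zlib.adler32(data)

def make_record(data: bytes, mtime: int) -> Record:
    crc1, crc2 = two_checksums(data)
    return (len(data), mtime, crc1, crc2)

def selected(name: str, exts: Tuple[str, ...]) -> bool:
    """Apply the extension filter; '*' means snapshot all files."""
    return "*" in exts or name.rsplit(".", 1)[-1].upper() in exts

def snapshot_tree(root: str, exts: Tuple[str, ...] = ("EXE", "COM", "SYS")) -> Dict[str, Record]:
    """Walk a real directory tree and build the base table, like the first run of VIRUS."""
    base: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not selected(name, exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            base[os.path.relpath(path, root)] = make_record(data, int(os.stat(path).st_mtime))
    return base

def compare(old: Dict[str, Record], new: Dict[str, Record]) -> Dict[str, List]:
    """Build the VIRUS.RPT categories (VIRUS C): deleted, added and modified files.
    A file counts as modified if size, date/time or either CRC differs."""
    modified = [(p, old[p], new[p]) for p in sorted(old.keys() & new.keys()) if old[p] != new[p]]
    return {"deleted": sorted(old.keys() - new.keys()),
            "added": sorted(new.keys() - old.keys()),
            "modified": modified}

def demo() -> Dict[str, List]:
    """Constructed scenario: EDIT.COM is altered in place with its size and
    date left unchanged, which the manual says a virus must do to stay hidden;
    only the checksums reveal the change."""
    old = {"DOS\\EDIT.COM": make_record(b"MZ original code bytes", 1000),
           "DOS\\OLD.EXE": make_record(b"MZ retired", 900)}
    new = {"DOS\\EDIT.COM": make_record(b"MZ original code BYTES", 1000),
           "DOS\\NEW.EXE": make_record(b"MZ freshly installed", 1100)}
    return compare(old, new)
```

Running snapshot_tree twice with the first result saved (the VIRUS.OLD role) and passing both tables to compare reproduces the report for a real directory.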
As you may be able to deduce, the VIRUS.RPT file can also be used to
know what file changes have been made. One client I support has well
over 100 programs and batch files that I change periodically. When
it comes time to produce a new release of the system, I run VIRUS
DETECTER and it tells me all that I have changed and thus what I
must update in the next release of the software.
PAGE 3
----- WHAT IS A VIRUS DETECTER? ----- (continued)
Another by-product of VIRUS DETECTER is the ability to know what
software is being used on a specific computer. If you are using
VIRUS DETECTER in a business environment and have expensive word
processors, spreadsheets, or data base managers, and you find that
the files created by these products are not changing, you can
pretty well assume that the products are not being used very often
and may wish to reexamine the need for the software product on a
specific machine.
It would be ideal to install VIRUS DETECTER on a system known to
be virus free, but this is most often not the case (your system
is most likely to be virus free, but you cannot be sure). In this
case you will use VIRUS.RPT to let you know if a program has been
changed that should not have. Knowing this, you will obviously
want to re-install the infected programs, and then run VIRUS
DETECTER more often while logging the programs used. This process
will narrow down the possible programs that may contain the virus
and possibly narrow it down to the specific program if you are
diligent in your efforts.
Regardless of whether your system is known to be virus free or not,
and once suspecting you have been infected, the very first course
of action is to look at VIRUS.RPT and see if any new programs have
been installed and determine if they came from a reliable source.
Software purchased from reliable sources and vendors should be
virus free. Software from a bulletin board, friends, or the black
market is much less reliable.
The way VIRUS DETECTER differs from most other anti-viral products
that I have seen (other than using 2 different CRC algorithms as
described earlier), is that it automatically keeps itself up-to-date
every time you run it. Other products make you run their program one
time to set up a base file, and a subsequent run to check if any
differences have occurred. At this point you then have to run the
program again to set up a new base file. Other products written in
some higher level languages such as C or PASCAL are actually quite
slow. VIRUS DETECTER is written in assembler and on an 8 MHz machine
with a 60 ms, 20 megabyte disk drive will process the entire 20
megabytes in about 20 minutes. On an IBM PS/2 Model 60, it will
process the 20 megabytes in roughly 5-6 minutes (keep in mind that
every byte of every file has to be read).
PAGE 4
----- HOW TO INVOKE VIRUS DETECTER -----
NOTE: THE FREE VERSION OF VIRUS DETECTER WILL NOT PROCESS THE
ROOT DIRECTORIES OF ANY DISK DRIVE. IF YOU HAVE DONE A
GOOD JOB OF DISK MANAGEMENT, THE ROOT DIRECTORY SHOULD
CONTAIN 3 PROGRAMS ONLY (COMMAND.COM, IBMBIO.COM,
AND IBMDOS.COM). I REALIZE THAT THESE ARE THE MOST
IMPORTANT PROGRAMS IN YOUR SYSTEM, BUT I BELIEVE THAT
QUALITY SOFTWARE IS WORTH A PRICE. VIRUS DETECTER IS
NOT EXPENSIVE, ESPECIALLY WHEN COMPARED TO THE COST THAT
A VIRUS CAN INCUR.
VIRUS DETECTER should be installed into its own directory and will
always look for and create its files in the drive/directory from
where it was invoked. If you create a directory called VIRUS and
always invoke VIRUS DETECTER from that directory, you will have
no problems. If, on the other hand, you invoke VIRUS DETECTER
from the root directory the first time, and from another directory
on a subsequent run, VIRUS DETECTER will not be able to find the
required file VIRUS.NEW and will abort.
After installing VIRUS DETECTER, the first invocation is done by
simply typing 'VIRUS' from the DOS prompt. Subsequent runs are
done by typing 'VIRUS C' from the DOS prompt. The 'C' indicates
that VIRUS DETECTER should perform a check against the VIRUS.NEW
file that exists in the current directory. If the 'C' is not
supplied, VIRUS DETECTER will only create a new base file
(VIRUS.NEW).
Whenever VIRUS DETECTER is run, it will search for VIRUS.NEW
and rename it to VIRUS.OLD. If the program is interrupted
by control-C, a power outage, or an abort issued by VIRUS
DETECTER, you can rename VIRUS.OLD back to VIRUS.NEW so you will
not lose the snapshot from the last run.
It may be important to know exactly when VIRUS DETECTER issues
this rename:
If invoked as 'VIRUS':
VIRUS.NEW is not renamed to VIRUS.OLD until after all
options have been entered and processing against the
drives has started.
If invoked as 'VIRUS C':
VIRUS.NEW is not renamed to VIRUS.OLD until after the
options from the last run have been extracted from
VIRUS.NEW. If VIRUS.NEW has been corrupted, VIRUS
DETECTER will abort.
VIRUS DETECTER will create the report file VIRUS.RPT only during
the checkout process (VIRUS C). If VIRUS.RPT exists, it will be
deleted and a new one allocated, again in the directory from which
VIRUS DETECTER was invoked.
PAGE 5
----- HOW TO INVOKE VIRUS DETECTER ----- (continued)
VIRUS DETECTER can be run from a batch file. VIRUS DETECTER has
to go through the entire tree structure of each drive, but will
always return to the directory where it started. So if it is
invoked from a batch file, no special commands are required to
reposition yourself to a specific directory. VIRUS DETECTER will
also set the ERRORLEVEL to 1 if any errors are detected, so your
batch file can pause, exit or do anything you specify if a problem
occurs.
PAGE 6
----- SYSTEM REQUIREMENTS -----
VIRUS DETECTER has been successfully run using DOS 2.0 through
DOS 3.3 and has been run on the following machines (not all versions
of DOS on all machines):
o IBM PC
o IBM XT
o IBM XT/286
o IBM AT
o IBM PS/2 Model 50, 60 and 80
o Compaq Deskpro
o Leading Edge Model D
o Panasonic Business Partner
VIRUS DETECTER has a color display while running and works well
using Monochrome, CGA, EGA, and VGA adapters/monitors.
PAGE 7
----- A WORD FROM THE AUTHOR -----
I had been looking for quite some time to find a virus protection
package that would be most suitable for my needs. Three problems
were evident in nearly all other software I had tried:
1. The software would not update its base file on subsequent
runs. This meant that after running the checkout process,
I would have to re-run the program to re-create the base
file and keep my system up to date.
2. Most other software was actually quite slow. Time is money
and since I use my computer to support other clients, I
found it bothersome to tie up my computer for well over
an hour.
3. Most other software packages (and other non-virus detecting
software) would work on one drive at a time only. This is
one of my pet peeves and it really bothers me that so much
software is like that. With DOS's limit of 30 meg per drive
and with so many larger drives and multi-drive systems,
software that functions on more than one drive is a must. (A
popular and quite useful file find utility works on the
current drive only. I will be making my own version of this
that will search all drives on the system.)
Since I could not find a satisfactory product, I decided to write
my own. I took the extra time and effort to write it in assembler
and feel that the result was well worth the time and aggravation
spent.
I also thought long and hard as to what other by-products could
be gained while performing the virus detection and found that
virus detection itself was the by-product. For me, knowing what
files and programs have been added, deleted, or changed in any
way is most important. This may not be the case for you, but
after using VIRUS DETECTER for some time, you will find it to be
quite useful for a variety of other tasks.
PAGE 8
----- DISCLAIMER -----
The following disclaimer should be viewed as a legal obligation on
my part to protect myself. I by no means imply that VIRUS DETECTER
is flawed in any way. I have every intention to make modifications
and enhancements to ensure that VIRUS DETECTER is the best possible
product. If you are having problems with VIRUS DETECTER or suspect
that it may be flawed in any way, notify me and I will make the
necessary changes as soon as possible, and distribute it
accordingly.
VIRUS DETECTER is distributed as is, with no guarantee that it will
work correctly in all situations. In no event will the Author be
liable for any damages, including lost profits, lost savings or
other incidental or consequential damages arising out of the use of
or inability to use this program, even if the Author has been
advised of the possibility of such damages, or for any claim by any
other party.
The VIRUS DETECTER distribution package, consisting of the program
and documentation file are copyright (c) 1988 by Tim OBrien. The
author reserves the exclusive right to distribute this product, or
any part thereof, for profit.
Under NO CIRCUMSTANCES may modified versions or dis-assembled
versions be distributed, either for profit or in the public domain.
User's groups, clubs, libraries and clearing houses are authorized
to distribute the FREE version of VIRUS DETECTER pursuant to the
following conditions:
1. No charge is made for the software or documentation. A
nominal distribution fee may be charged, provided that it
is no more than $5 total.
2. The program and documentation are distributed together
and are not modified in ANY way.
PAGE 9
----- REGISTRATION -----
Once you become a registered user of VIRUS DETECTER, you will
receive a new version of VIRUS DETECTER which will include root
directory files in the virus detection process. You will also
receive the following benefits:
o Support by phone, mail, or through my private bulletin
board system. Support will only be provided to registered
users.
o Notice of significant upgrades and bug fixes. You will be
notified by mail for any such updates. There will be no
charge for updates as long as you send me a diskette and
return postage. You can also receive a free update through
my private bulletin board.
Each copy of VIRUS DETECTER is registered for use on one computer
only and a registered copy is required for each additional
computer. The price breakdown is given below:
Copies      Price Per Copy
---------   ----------------
1-50        $25.00
51-100      $21.00
101-500     $17.00
500+        $14.00
The registered version of VIRUS DETECTER can be used in commercial,
educational, and governmental institutions.
The free version of VIRUS DETECTER is expressly prohibited for use
in commercial, educational, and governmental institutions except for
the purpose of evaluation.
PAGE 10
----- REGISTRATION FORM -----
Please send me a copy of the current full version of VIRUS
DETECTER and add me to the list of registered users, to be
eligible for support and update notices.
Computer Model: ___________________________________________
Diskette Type: _______ 5.25 in. ________ 3.5 in.
Copies: _______ 5.25 in. ________ 3.5 in.
Company Name: ________________________________________________
Your Name: ________________________________________________
Title: ________________________________________________
Address: ________________________________________________
City, State, Zip: ________________________________________________
Any initial comments about VIRUS DETECTER? ______________________
_________________________________________________________________
_________________________________________________________________
Where did you hear about VIRUS DETECTER? ________________________
_________________________________________________________________
_________________________________________________________________
Send registration form and check or money order to:
Tim OBrien
P.O. Box 742
Mequon, Wi. 53092
(414) 241-9504
PAGE 11
----- SAMPLE FILES CREATED BY VIRUS DETECTER -----
VIRUS.NEW and VIRUS.OLD both have the following format:
VIRUS DETECTER STARTED AT 17:24 ON 08-13-1988 VERSION 1.1
**Building New Base File**
DRIVES BEING CHECKED: C D
FILE EXTENSIONS BEING CHECKED: *
DIR FILE EXT SIZE DATE TIME CRC1 CRC2
DIR: C:\