Fritz: All Fritz

home *** CD-ROM | disk | FTP | other *** search

/ Fritz: All Fritz / All Fritz.zip / All Fritz / FILES / VIRUTION / VIRSANSI.LZH / FICHECK4.DOC < prev next >

Wrap

Text File | 1988-09-01 | 46KB | 1,179 lines

Preventive Computer Medicine to help keep your system virus free. Fixed Disk "File Integrity Checker" ************************** *** *** *** FICHECK ver 4.0 *** *** MFICHECK ver 4.0 *** *** PROVECRC ver 1.0 *** *** *** ************************** (C)Copyright 1988, Gilmore Systems Gilmore Systems P.O. Box 3831 Beverly Hills, CA 90212-0831 U.S.A. Voice: (213) 275-8006 Data: (213) 276-5263 All Programs designed and written by Chuck Gilmore First Printing: June, 1988 Second Printing: July, 1988 Third Printing: September, 1988 ************************* *** IMPORTANT NOTICES *** ************************* Disclaimer FICHECK.EXE / MFICHECK.EXE / PROVECRC.EXE are offered AS IS without warranty of any kind. Gilmore Systems assumes no liability or responsibility for loss of profit, data, or any consequential or inconsequential damages resulting from the use or misuse of these programs. This applies to all versions of the above mentioned programs. These are Shareware/Evaluation versions DO NOT ATTEMPT to run FICHECK.EXE or MFICHECK.EXE without first reading this document in its entirety! Although FICHECK.EXE and MFICHECK.EXE are released as shareware, they are to serve as evaluation versions only. If you use these shareware versions for a trial period of time (30 days), we urge you to order the commercial (registered user) version for $15 (Calif. residents add .98 sales tax). The commercial (registered user) version (XFICHECK.EXE) will make your mouth drop with all of its advanced, sophisticated state-of-the-art capabilities. But don't just take our word for it, use the supplied shareware/evaluation versions to know what kind of quality you can expect. For more information on the commercial (registered user) version, see the pages of this document describing XFICHECK. We use the terms "commercial version" and "registered user version" interchangeably. ATTENTION FICHECK/MFICHECK are protected by federal copyright laws. We do grant you the right, however to distribute and use these shareware/evaluation versions as long as the following criteria are met: 1) The supplied programs and documentation are to be distributed as a group consisting of the following: FICHECK.EXE, MFICHECK.EXE, PROVECRC.EXE, PROVE.BAT, FICHECK4.DOC, and READ.ME files. They are NOT to be unbundled. 2) No modifications, disassemblies, alterations, removal of copyrights or other alterations are to be made, and no additional files are to be added to the above six files. 3) No fee or monetary consideration is to be charged. 4) The six files that comprise this evaluation package (as described in number 1 above), are NOT to be bundled, included, or used with any other product(s) or service(s). 5) You can NOT charge fees to evaluate disk drives with this product 6) A 30 day trial period is granted - after that, you must order the commercial version if you plan to keep using these programs. FICHECK 4.0 / MFICHECK 4.0 - September, 1988 Table of Contents TABLE OF CONTENTS FICHECK 4.0 / MFICHECK 4.0 - September, 1988 ......................... 1 Introduction .................................................... 1 Introducing FICHECK / MFICHECK .................................. 3 CRC Checking vs MCRC Checking ................................... 4 Using FICHECK / MFICHECK ........................................ 6 Using FICHECK / MFICHECK - Interactive Usage .................... 7 Using FICHECK / MFICHECK - Command Line Usage ................... 9 Using FICHECK / MFICHECK - Changing Screen Appearance .......... 11 More Information and Final Remarks ............................. 12 XFICHECK - The Commercial Version ................................... 14 Explanation .................................................... 15 Ordering Info .................................................. 15 Bonus! ......................................................... 16 FICHECK/MFICHECK User Guide - (C)Copyright 1988, Gilmore Systems FICHECK 4.0 / MFICHECK 4.0 - September, 1988 Page 1 Introduction Introduction Computer viruses have now become an international concern. They've infected places such as NASA, EDS (subsidiary of GM), universities such as Lehigh university, and Miami university) and countless other firms as well as individuals. Major software houses are not immune either. If they admit being struck by a virus, nobody would buy their software. You know things are getting bad when you buy a name brand software package at a computer store and find that it's infected by a virus! Just what IS a computer Virus? A computer virus is a small piece of code contained within a seemingly innocent program. What's unique about the code is that when the program is run, it attaches itself to other programs. When those other programs are run, the virus inside them seeks out and attaches itself to yet more programs on your disks. These other programs (the targets) can be ANY program including your operating system (ie: command.com). Depending on what instructions are present within the viral code, the results can be quite severe - anything from wiping out your entire fixed disk to ruining your data to altering video I/O functions so that your CRT explodes! These catastrophic results are usually not carried out right away - the people writing these viruses usually set "time bombs" in the viral code. These "time bombs" can be anything - when a certain date is reached, or a certain memory location is written to with a certain value, or the number of files on your disk reaches a certain number, or you run a program a certain number of times - these are just a few examples of "triggers" that viruses set and look for. When the "trigger" happens, then the viral code does its catastrophic dirty work. Bulletin Board Systems In addition to spreading computer viruses by infected software houses, Bulletin Board Systems are a major target for the people who derive pleasure out of writing viral code. ANY program on a BBS can be downloaded by ANYONE. The person downloading a program from a BBS may be a "virus implanter" and implant the downloaded program with a virus, then upload it to other BBS's where perhaps thousands of people will download the infected version of the program. The problem is reaching epidemic proportions and as a result, some companies have banned the downloading of programs from BBS's. This is indeed a shame, since BBS's are there for the sharing of knowledge, information, and the opportunity to get talented programmer's works known. How Can I Tell If MY Computer Has Infected Programs? Simply put, YOU CANNOT! That's the scariest part of it all. Viruses may lie dormant for months or years on an infected system before they show their symptoms. Programs will continue to run normally until one day when the "trigger" is reached. What Can I Do to Stop a Potential Virus? FICHECK/MFICHECK User Guide - (C)Copyright 1988, Gilmore Systems FICHECK 4.0 / MFICHECK 4.0 - September, 1988 Page 2 Introduction There are some viral-fighting programs available such as FLU-SHOT, and versions of VACCINE. These programs attempt to block viruses from doing things that viruses typically do. They attempt to block any altering of COMMAND.COM or your other operating system's system files. They try to alert you of low-level disk writing. These programs look for other things as well but may slow your system down as a result. Some require you to make lists of approved programs and TSR's. The problem with these programs are that they are running on your system which may contain a virus that looks for these particular programs and renders them inactive or makes them think that everything's ok (sounds like AIDs, doesn't it?) while they do their dirty work. The original version of FLU-SHOT was found to contain a virus itself (NOT from the original author), although newer versions have been corrected. FICHECK/MFICHECK User Guide - (C)Copyright 1988, Gilmore Systems FICHECK 4.0 / MFICHECK 4.0 - September, 1988 Page 3 Introducing FICHECK / MFICHECK Introducing FICHECK / MFICHECK FICHECK and MFICHECK are programs which differ from vaccine-type programs and other programs that attempt to find, block, or alert you to viruses. FICHECK does none of these things. As a matter of fact, FICHECK can't even be run from your fixed disk! FICHECK is a preventive medicine program which sort of takes a snapshot (x-ray) of your entire fixed disk(s) and logs it to a file. The things FICHECK logs are the date, time, size, attribute, and CRC (Cyclic Redundancy Check) of every file on your fixed disk(s). It looks for differences in all of these things whenever you decide to run it again and alerts you to any changes. Any changes potentially mean a virus is at work - Viruses have to alter files in some way in order to spread themselves. MFICHECK does the same thing as FICHECK except it uses our unique MCRC (Modified Cyclic Redundancy Check) instead of standard CRC checking. FICHECK also checks the CRC of your master boot record/partition table (MFICHECK checks the MCRC of your master boot record/partition table) and logs this information as well as available disk space and FAT (File Allocation Table) ID byte. When these programs compare your actual disk information against the log (boot record info, FAT ID byte, disk space, all file parameters: date, time, size, attribute, CRC or MCRC), any discrepencies are reported to you, suggesting a possible virus at work - especially if the master boot record/partition table info has been changed. FICHECK/MFICHECK User Guide - (C)Copyright 1988, Gilmore Systems FICHECK 4.0 / MFICHECK 4.0 - September, 1988 Page 4 CRC Checking vs MCRC Checking CRC checking vs MCRC checking CRC (cyclic redundancy check) is a sophisticated check of sequential bytes in a file resulting in a unique number for that file. This unique number should change in the event any one or more bytes of the file change. If the CRC number for the file changes, it indicates the file has changed. CRC has been around for many years in communications protocols for transferring files from one computer to another over telephone lines with modems. When sending files across telephone lines, CRC checking does its job very well to insure that the data the receiving computer gets matches the data the sending computer sends. CRC was designed specifically for communications between computers. However, CRC IS NOT A RELIABLE METHOD FOR DETECTING CHANGES TO FILES THAT ALREADY EXIST ON YOUR DISK SYSTEM! Later in this document, we'll prove that to you with a program that will alter a file and keep its CRC intact. Basically, a resident virus on your system has all day to modify your files and keep the original CRC of those files the same. So-called anti-viral or file checking programs claiming to alert you of changes to your files based solely on CRC checking will offer no protection against virus or trojan programs capable of file alteration while maintaining CRC integrity. MCRC is a unique, modified CRC check developed exclusively by us at Gilmore Systems for the sole purpose of checking files on your disk system for modification. Our MCRC check is a highly reliable, state of the art check used in determining changes to files on your disk system. While CRC can be fooled by clever viruses and trojans, MCRC does NOT fall victim to these file altering programs. MCRC will detect changes to files where CRC shows no change. You may be asking yourself at this point - what if some hacker tears apart our code and discovers our MCRC algorithm, then incorporates a means of modifying files in his virus programs which leave MCRC intact? This is an excellent question but rest assured that if this happens, standard CRC checking will show the change. In other words, IT IS NOT POSSIBLE TO ALTER A FILE SUCH THAT BOTH CRC AND MCRC REMAIN UNCHANGED - one or the other (but not both) has to change! As promised earlier, here's how to work the PROVECRC.EXE program which will prove to you that file alteration is possible without affecting the original CRC. FICHECK/MFICHECK User Guide - (C)Copyright 1988, Gilmore Systems FICHECK 4.0 / MFICHECK 4.0 - September, 1988 Page 5 CRC Checking vs MCRC Checking *** *** IMPORTANT: Before you try this example, read the rest of this user's *** manual completely, then come back to this example! *** First, choose a file between 25 and 32,000 bytes in length to be altered (if you can't think of any, use our PROVECRC.EXE program as the file itself). Next, enter the following on the DOS command line: PROVECRC INFILE OUTFILE where INFILE is the name of the file to alter, and OUTFILE is the name of the file to store the altered copy in. INFILE will remain intact, but OUTFILE will have an altered copy of INFILE which retains the same CRC as INFILE and the same date, time, size, and attributes. Next, run a CRC checking program (or use FICHECK.EXE as described later in this document with the "/s=" option) to show the CRC of INFILE and OUTFILE, noting that the CRC values of each file are identical. Repeat this process with MFICHECK.EXE, noting the different MCRC values for each file. You can also run the DOS COMP program to prove that the two files are indeed different! The above process can be automated with the PROVE.BAT file provided. Simply enter the following on the DOS command line: PROVE INFILE OUTFILE FICHECK/MFICHECK User Guide - (C)Copyright 1988, Gilmore Systems FICHECK 4.0 / MFICHECK 4.0 - September, 1988 Page 6 Using FICHECK / MFICHECK ------------------------------------------------------------------------ IMPORTANT NOTE: Throughout the remainder of this document: We will use FICHECK to mean either of FICHECK.EXE or MFICHECK.EXE Both are identical except FICHECK does CRC checking MFICHECK does MCRC checking We use the terms "hard disk" and "fixed disk" interchangeably ------------------------------------------------------------------------ Using FICHECK / MFICHECK You should have the following programs/files on your disk: FICHECK4.DOC - this document FICHECK.EXE - the FICHECK version 4.0 program MFICHECK.EXE - the MFICHECK version 4.0 program PROVECRC.EXE - the CRC disprover program PROVE.BAT - batch file for PROVECRC.EXE READ.ME - text of announcements, changes, etc. If you've used previous versions of FICHECK/MFICHECK, please destroy and replace them with these newer versions. These newer versions (version 4.0) are upward compatible with the logs created by version 3.0 (but not versions lower than 3.0). FICHECK should NOT be placed on your fixed disk - it will ONLY RUN FROM A FLOPPY, and furthermore, DOS MUST BE BOOTED FROM THAT FLOPPY DISK! Why all the hassle of booting from and running from a floppy? Simple. If you boot from a fixed disk, you may be booting from an infected copy of your operating system, starting an infected TSR, have an infected device driver, or may have run an infected program. If you boot from floppy, you don't give the viruses on your fixed disk a chance to become active. Therefore, the first thing you should do in order to prepare for using the FICHECK program is: 1) Boot DOS from your ORIGINAL distribution disk. 2) Format a bootable floppy. (use the command "FORMAT A:/S") 3) Copy FICHECK.EXE to the newly formatted disk. 4) Diskcopy this new disk for as many fixed disk drives or logical drives you have on your system and label each one for a specific drive (ie: FICHECK for drive C:, FICHECK for drive D:, etc). Anytime you want to run FICHECK, you should first turn your computer OFF, then back on with the bootable FICHECK diskette in drive A: (Hitting Ctrl-Alt-Del may not get rid of actively running viruses). FICHECK can be run 1 of 2 ways: interactively or command line arguments. FICHECK/MFICHECK User Guide - (C)Copyright 1988, Gilmore Systems FICHECK 4.0 / MFICHECK 4.0 - September, 1988 Page 7 Using FICHECK / MFICHECK - Interactive Usage Running FICHECK Interactively Simply type and enter "FICHECK" on the command line (without quotes). You'll be presented with a screen containing 3 sets of fields to fill in: 1) The Drive Letter of the fixed disk you wish to check. 2) The Processing Option you wish FICHECK to perform. 3) The filename extensions of the files you wish to check. The first field simply asks for the drive letter of the fixed disk drive you wish to check. The second field has one of three answers: N, C, or P which stand for New, Check, and Print, respectively. The first time you run FICHECK you should choose N which will scan your fixed disk and log a "snapshot" of your files, master boot record/partition table, FAT (file allocation table) ID byte, and disk free space. FICHECK will create 2 log files on floppy drive A named DRIVEx.CCK (holding file information), and DRIVEx.CDI (holding boot record and space information) where the "x" is the drive letter of the drive that's being logged (Note that MFICHECK uses extensions of ".MCK" and ".MDI" instead). You should run FICHECK with the N option after every BACKUP or immediately before running a new program, or whenever appropriate. Using the N option logs all files which may have been added since the last time you used the N option. Choosing C or P requires that your printer be turned on (writes to LPT1 or PRN). After running N, you should re-run the program choosing P for a readable hardcopy of the log (P runs at lightning speed). Run FICHECK with the C option after anytime you've run a new program such as one that may have been downloaded from a BBS (or even purchased from a store). Besides after running a new program, it would be very beneficial to give your disk a weekly checkup by running FICHECK with the C option. FICHECK will print any discrepencies in checks of the actual files on your fixed disk against the log entries, as well as report on any deleted or added files, and any removed or added directories, changed volume names, changed master boot record/partition table info, FAT ID byte, and disk free space. This report should alert you to possible infection by viruses present on your system and which files or programs may have become infected. Some discrepencies are normal: - If you're a programmer, the only EXE, COM, OBJ, LIB, SYS or BAT files that should have changed are the ones YOU create or modify. - If you've edited an existing text file this will be reported by FICHECK if you've used "*" or supplied its extension. - Many programs modify data files (ie: database programs modify database files, games may modify their own data files, etc). This is normal but will be reported by FICHECK nonetheless. FICHECK/MFICHECK User Guide - (C)Copyright 1988, Gilmore Systems FICHECK 4.0 / MFICHECK 4.0 - September, 1988 Page 8 Using FICHECK / MFICHECK - Interactive Usage The third field lets you enter anywhere from 0 to 10 different extensions (filename extensions) which can be anywhere from one to three characters including the wildcards (? and *). If you're not familiar with wildcards, please consult your DOS manual. Whenever you specify extensions, FICHECK only looks for and checks filenames on your fixed disk that match the extensions you supply. For instance, if you supply EXE, COM, SYS, and BAT (which we recommend as a minimum), FICHECK will only check or look for files matching those extensions (ie: *.EXE, *.COM, *.SYS, and *.BAT). Some programs use overlays, usually matching the OV? extension. For maximum protection, use "*" by itself (without quotes) to check and look for EVERY file on your fixed disk (including those without any extensions). If you use "*" (without quotes) by itself, ALL files on your fixed disk will be specified, whereas if you use "*" as in "XX*", all files matching "XX*" will be specified along with any other exensions you specify (if any). If you don't enter any extensions, "*" will default (ALL files). NOTE: WE VERY STRONGLY SUGGEST USING "*" (without quotes) EVERY TIME YOU USE "FICHECK" - NO MATTER WHICH OPTION (N,C,P) YOU CHOOSE. Once all three fields have been filled in by you, press the F2 key on your keyboard to start processing. Anytime before pressing F2, you can press F1 for brief help with the field you're on, or F10 to quit the program. FICHECK/MFICHECK User Guide - (C)Copyright 1988, Gilmore Systems FICHECK 4.0 / MFICHECK 4.0 - September, 1988 Page 9 Using FICHECK / MFICHECK - Command Line Usage Running FICHECK With Command Line Arguments You can run FICHECK with command line arguments in one of three methods: method 1: FICHECK d: /n=EXT | /c=EXT | /p=EXT [/o=OUTFILE] method 2: FICHECK /s=FILESPEC method 3: FICHECK /v Method 1 The arguments are not case sensitive so feel free to use lower and/or uppercase characters. Spacing is not important either, use spaces wherever you want or none at all. The argument definitions are: d: - The drive letter of the fixed disk drive to check. /n= - Identical to N of field 2 of interactive usage. /c= - Identical to C of field 2 of interactive usage. /p= - Identical to P of field 2 of interactive usage. EXT - Identical to field 3 of interactive usage. Extensions must be separated by commas. [/o=OUTFILE] - The brackets surrounding this argument mean it's optional - don't use the brackets. /o=OUTFILE if present, will print output to the filespec specified by OUTFILE instead of your printer. OUTFILE should contain a COMPLETE PATH INCLUDING DRIVE. Note that printed output (which would be routed to OUTFILE) takes place when the C or P options are used. Note that ONLY ONE of /n=, /c=, or /p= is to be used (just as in the interactive mode). Examples: FICHECK c: /n=* creates new log of ALL files on drive C FICHECK c: /n=exe,com,sys,bat creates new log of files on drive C: matching *.exe, *.com, *.sys, *.bat FICHECK e:/p=* makes a readable hardcopy of everything in the DRIVEE.CCK log. Also useful for a great "enhanced" disk drive listing. FICHECK e:/p=* /o=c:\log_e same as above but creates file C:\LOG_E and prints to this file instead of your printer. FICHECK f:/c=* checks drive F against the log DRIVEF.CCK and prints any discrepencies FICHECK/MFICHECK User Guide - (C)Copyright 1988, Gilmore Systems FICHECK 4.0 / MFICHECK 4.0 - September, 1988 Page 10 Using FICHECK / MFICHECK - Command Line Usage on your printer. FICHECK f: /c=* /o=c:\report same as above but creates file C:\REPORT and prints to this file instead of your printer. FICHECK d: /c=exe,com,sys,bat checks drive D against log DRIVED.CCK and prints any discrepencies on your printer. Note that only *.exe, *.com, *.sys, and *.bat will be checked against the matching log entries. Method 2 FICHECK / MFICHECK has the abiltiy to scan single files (or groups of files via wildcards) for CRC calculation (or MCRC calculation with MFICHECK). This feature is invoked by using the "/s=" option. Note that when "/s=" is used, no other command line arguments are allowed. Also note that when "/s=" is used, you are not limited to hard disks - you may specify floppy drives. When "/s=" is used, the file(s) will be listed along with their size, date, time, attribute, and CRC or MCRC. Examples: FICHECK /s=*.exe calculates and displays info on *.exe files in current directory. FICHECK /s=c:\ibmbio.com calculates and displays info about c:\ibmbio.com FICHECK /s=a:\*.bat calculates and displays info about all *.bat files found in current directory for drive A: FICHECK /s=*.* >prn calculates and prints info (on printer) about all files in current directory and drive. NOTE: Logs are not used, created, read, or modified when the "/s=" option is used. Also note that the "/s=" option is only available during command line processing and that no other options are allowed when "/s=" is used. Method 3 FICHECK incorporates code that can test itself to see if any changes to itself were made. To test the validity of FICHECK, simply enter: FICHECK /v FICHECK will then perform a validity test of itself. You should use this method periodically to insure that FICHECK has not become infected or altered in any way. FICHECK/MFICHECK User Guide - (C)Copyright 1988, Gilmore Systems FICHECK 4.0 / MFICHECK 4.0 - September, 1988 Page 11 Using FICHECK / MFICHECK - Changing Screen Appearance ******************************************************* *** Changing the FICHECK/MFICHECK screen appearance *** ******************************************************* The FICHECK screen was designed with color monitors in mind. Although FICHECK incorporates code to automatically detect your monitor type (color or monochrome), you can force changes to the screen appearance by use of an environment variable. To do this, enter one of the following on the DOS command line prior to starting FICHECK (you only need to do this once unless you restart your machine): SET SCRMODE=MONO SET SCRMODE=OTHER If you have a color monitor and don't like the blue background, you would use the SET SCRMODE=MONO command above. If you have a nonstandard monitor and the FICHECK screen doesn't display properly, use the SET SCRMODE=OTHER command above. To turn off these commands (defaulting back to the built in auto-detection), enter "SET SCRMODE=" (without quotes). FICHECK/MFICHECK User Guide - (C)Copyright 1988, Gilmore Systems FICHECK 4.0 / MFICHECK 4.0 - September, 1988 Page 12 More Information and Final Remarks ************************ *** MORE INFORMATION *** ************************ Even if you only plan on using FICHECK/MFICHECK in the interactive mode of operation, you should still view the help screens by entering one of the following on the DOS command line: FICHECK /help MFICHECK /help There are 3 screens of help which will present themselves. The last screen also provides information on our commercial XFICHECK program. *********************************** *** IMPORTANT FINAL REMARKS *** *********************************** Whenever booting your system from a floppy, it is extremely important to boot from the same version of DOS on floppy as that on your fixed disk! Running FICHECK with the N option will only log the current state of your files on your fixed disk(s), which may already contain infected files. Subsequent runs using the C option alert you to any changes which may have occurred. Any of the changes reported is an alert of a potential virus. If a file has changed that shouldn't have, remove it from your system immediately and replace it with the same file from your original distribution diskette. If COMMAND.COM, IBMBIO.COM, or IBMDOS.COM have changed on your drive C, turn off your computer immediately. Insert your original DOS diskette in Drive A and restart your computer. Once restarted, do a "SYS C:" to overwrite these files to the way they should be. If COMMAND.COM was the only file that changed, turn off your computer immediately. Insert your original DOS Diskette in Drive A and restart your computer. Once restarted, do a "COPY COMMAND.COM C:" or to the appropriate disk drive. FICHECK searches all file attributes - system, hidden, etc. Once processing has started, FICHECK starts a timer and when processing finishes, FICHECK prints how long it ran. On computers running at 4.77 Mhz such as the original IBM XT's, FICHECK may take a while to complete its job. On computers such as the IBM PS/2 Model 80 running at 20 Mhz, FICHECK flies right through. We've incorporated fast algorithms so that FICHECK will run through your system as fast as possible. It's pretty difficult to evade a CRC (cyclic redunancy check) of your files, not to mention changing file size by adding a couple of bytes or so. Clever viruses install themselves over unused portions of program files, and manage to keep the same size, date, time, and attribute of the file. But even with these protective checks, CRC does not guarantee that some clever deviant may code a virus to attempt to match the original CRC of FICHECK/MFICHECK User Guide - (C)Copyright 1988, Gilmore Systems FICHECK 4.0 / MFICHECK 4.0 - September, 1988 Page 13 More Information and Final Remarks a file it altered. There are no reports of this yet, but as more CRC checking programs such as this are in use, virus-writing programmers will have to incorporate code (mutations) to match the CRC of the original file when they alter it. It's not a small task for them, however CRC checking is a well known method. If you can test a file for CRC, you can alter a file such that its CRC stays the same. Because of this, we offer another version of FICHECK (MFICHECK or Modified FICHECK) which uses a unique, modified CRC check which is not known to the virus-writing programmers (and we won't make the method public in order to protect you). Since the modification we made to the CRC algorithm is unknown to anyone but us, a virus-writing programmer will not know how to defeat the check. The MFICHECK program is distributed with FICHECK, and its operation is identical to that of FICHECK with 2 exceptions: 1) it uses an extension of ".MCK" and ".MDI" instead of ".CCK" and ".CDI", and 2) it uses our unique Modified CRC (MCRC) check instead of standard CRC checking. We also anticipate these deviant virus-writing programmers to hack away at our MFICHECK program in an attempt to discover the MCRC checking algorithm so that the viruses they write can also modify your programs and files to match our MCRC values. Have no fear - we have a solution to that too. Although its possible for a virus to alter the contents of a file and cleverly maintain the same CRC value, the MCRC value will change. Likewise, if the virus incorporates code that alters a file and cleverly maintains the same MCRC, the CRC value will change. No matter what the virus does to your files, if it is altered in any way, either the CRC or the MCRC has to change. It is virtually impossible to alter a file and maintain both the original CRC and MCRC values - one or the other will change and will be detected by our File Integrity Checking programs. You could employ this dual checking method by running FICHECK, then immediately running MFICHECK but that would be too time consuming to be worth the bother - we have another solution - read on! FICHECK/MFICHECK User Guide - (C)Copyright 1988, Gilmore Systems XFICHECK - The Commercial Version Page 14 Explanation When you register your copy of FICHECK with us, we'll send you not only guaranteed, virus-free copies of FICHECK and MFICHECK, but also our commercial XFICHECK program as well. XFICHECK (eXtended FICHECK) incorporates both CRC and MCRC checking in a single pass, and doesn't take much longer to run than MFICHECK. The added security and peace of mind of dual-cheking for CRC and MCRC alone is worth the registration fee, but that's not all XFICHECK does. XFICHECK does everything FICHECK and MFICHECK does together, AND has more features: - Dual CRC and MCRC checking in a single pass! Saves enormous time! Can optionally be forced to do CRC or MCRC only. - Allows Exclusion of extensions from searches as well as inclusion (saves more time!) - Can optionally ignore the archive bit of the attribute byte (eliminates long reports when C option is used after a backup is performed). - Records information on ALL bootable partitions (FICHECK only does the master boot record/partition table). - Stores actual master boot record/partition table and ALL separate boot partitions on disk - saves this in a hidden/read-only file on floppy disk. - Can optionally restore master boot record/partition table and any of the separate boot partitions. - Can optionally be run from hard disk (without boot from floppy and without starting the program from floppy - NOT RECOMMENDED). - Reports on disk space also include: available clusters, total clusters, bytes per sector, and sectors per cluster as well as any changes to them. This is in addition to disk free space and FAT ID. - Can be run from the command line to do a quick CRC and MCRC of any file or group of files on any disk (including floppies). Does not require or use the log. - Stores information in the log as to its creation criteria: - search extensions specified in creation - search extensions excluded in creation - date/time of log creation (independent of date/time of file) - Log creation criteria (above) is printed in all reports along with: - search extensions specified for current report - search extensions excluded for current report - date/time of current report FICHECK/MFICHECK User Guide - (C)Copyright 1988, Gilmore Systems XFICHECK - The Commercial Version Page 15 Ordering Info ************************ *** Order Today! *** ************************ If you've obtained this copy of FICHECK from a friend or BBS (shared programs), there is NO guarantee that your copy of FICHECK hasn't become infected by a virus. We cannot guarantee that somebody didn't download this program, infect it (purposely or accidentally), and pass it on by uploading it to other BBS's or giving it to friends. Since FICHECK and MFICHECK are shareware, we would normally encourage you to try it, then register if you like it. Recall that early versions of FLU-SHOT became infected. You may use these programs at your own risk. We can only guarantee that the copy of FICHECK we send you on floppy via U.S. mail is free of viruses (or you can download the shareware version from our BBS). Only $15 to order (U.S. currency, check, or use your VISA/MC when ordering by phone). When you order, we'll send you not only a copy of FICHECK and MFICHECK, but our powerful commercial version - XFICHECK. Unless you specifically request a 3-1/2" micro-floppy disk, we will send you a 5-1/4" floppy disk. FICHECK, MFICHECK and XFICHECK will run on all true IBM compatible computers running the IBM PC-DOS or MS-DOS operating systems versions 2.0 and above. Some fixed disks require drivers which should be placed on your boot diskettes from the original driver distribution diskette. FICHECK, MFICHECK and XFICHECK will run on the entire family of IBM (and compatible) computers ranging from the XT to all of the PS/2 models. Fixed disks containing the OS/2 operating system and associated files can also be checked since they maintain the same file structure as DOS - you must still format DOS bootable diskettes to use the programs. To order, send $15 (Calif. residents add 6.5% sales tax - $15.98) to: Gilmore Systems P.O. Box 3831 Beverly Hills, CA 90212-0831 - or call us with your VISA/MC number at (213) 275-8006 - - or register online on our "Virus Info" BBS at (213) 276-5263 - FICHECK/MFICHECK User Guide - (C)Copyright 1988, Gilmore Systems XFICHECK - The Commercial Version Page 16 Bonus! *************** *** *** *** Bonus! *** *** *** *************** As a bonus for ordering, we will grant you 6-months of usage on our "Virus Info" BBS which is dedicated to the topic of Computer Viruses. We would like to maintain a central log of CRC and MCRC values for as many programs and files as we can. If you're an ORIGINAL program author and would like the CRC and MCRC values of your works published on our "Virus Info" BBS, please contact us for information. As a user of our BBS, you can compare these values with the actual values found by FICHECK and/or MFICHECK (or XFICHECK) to verify integrity of programs and files downloaded from other BBS's. The only uploading we allow is: text and source code files relating to the topic of computer viruses. Executable programs may be uploaded provided that it's source code accompanies the programs. Other executable programs can be uploaded by special arrangement with the sysop. An electronic mail and public message system will also be available for you to participate in. For our registered users, the most current versions of XFICHECK will automatically by sent via first class mail. If you're not a registered user, you can still call our BBS and register with your Visa/MC online. Many companies such as us use BBS systems to exchange and share information, ideas, new technologies, programs, tools, and multitudes of other things. How can we continue to use these invaluable offerings in fear of destruction of your most valuable programs, data, or even hardware? We hope that our "File Integrity Check" programs will offer you security against these fears and at the same time inspire other programmers to create other anti-viral or preventive computer medicine type programs. - Chuck Gilmore, President FICHECK/MFICHECK User Guide - (C)Copyright 1988, Gilmore Systems