Text File | 1988-09-01 | 46KB | 1,179 lines
Preventive Computer Medicine to help keep your system virus free.
Fixed Disk "File Integrity Checker"
**************************
*** ***
*** FICHECK ver 4.0 ***
*** MFICHECK ver 4.0 ***
*** PROVECRC ver 1.0 ***
*** ***
**************************
(C)Copyright 1988, Gilmore Systems
Gilmore Systems
P.O. Box 3831
Beverly Hills, CA 90212-0831
U.S.A.
Voice: (213) 275-8006 Data: (213) 276-5263
All Programs designed and written by Chuck Gilmore
First Printing: June, 1988
Second Printing: July, 1988
Third Printing: September, 1988
*************************
*** IMPORTANT NOTICES ***
*************************
Disclaimer
FICHECK.EXE / MFICHECK.EXE / PROVECRC.EXE are offered AS IS without
warranty of any kind. Gilmore Systems assumes no liability or
responsibility for loss of profit, data, or any consequential or
inconsequential damages resulting from the use or misuse of these
programs. This applies to all versions of the above mentioned programs.
These are Shareware/Evaluation versions
DO NOT ATTEMPT to run FICHECK.EXE or MFICHECK.EXE without first reading
this document in its entirety!
Although FICHECK.EXE and MFICHECK.EXE are released as shareware, they
are to serve as evaluation versions only. If you use these shareware
versions for a trial period of time (30 days), we urge you to order the
commercial (registered user) version for $15 (Calif. residents add .98
sales tax).
The commercial (registered user) version (XFICHECK.EXE) will make your
mouth drop with all of its advanced, sophisticated state-of-the-art
capabilities. But don't just take our word for it, use the supplied
shareware/evaluation versions to know what kind of quality you can
expect. For more information on the commercial (registered user)
version, see the pages of this document describing XFICHECK.
We use the terms "commercial version" and "registered user version"
interchangeably.
ATTENTION
FICHECK/MFICHECK are protected by federal copyright laws. We do grant
you the right, however, to distribute and use these shareware/evaluation
versions as long as the following criteria are met:
1) The supplied programs and documentation are to be distributed as
a group consisting of the following: FICHECK.EXE, MFICHECK.EXE,
PROVECRC.EXE, PROVE.BAT, FICHECK4.DOC, and READ.ME files. They
are NOT to be unbundled.
2) No modifications, disassemblies, alterations, removal of
copyrights or other alterations are to be made, and no additional
files are to be added to the above six files.
3) No fee or monetary consideration is to be charged.
4) The six files that comprise this evaluation package (as described
in number 1 above), are NOT to be bundled, included, or used with
any other product(s) or service(s).
5) You can NOT charge fees to evaluate disk drives with this product.
6) A 30 day trial period is granted - after that, you must order the
commercial version if you plan to keep using these programs.
FICHECK 4.0 / MFICHECK 4.0 - September, 1988
TABLE OF CONTENTS
FICHECK 4.0 / MFICHECK 4.0 - September, 1988
   Introduction
   Introducing FICHECK / MFICHECK
   CRC Checking vs MCRC Checking
   Using FICHECK / MFICHECK
   Using FICHECK / MFICHECK - Interactive Usage
   Using FICHECK / MFICHECK - Command Line Usage
   Using FICHECK / MFICHECK - Changing Screen Appearance
   More Information and Final Remarks
XFICHECK - The Commercial Version
   Explanation
   Ordering Info
   Bonus!
FICHECK/MFICHECK User Guide - (C)Copyright 1988, Gilmore Systems
Introduction
Computer viruses have now become an international concern. They've
infected places such as NASA, EDS (subsidiary of GM), universities (such
as Lehigh University and Miami University) and countless other firms as
well as individuals. Major software houses are not immune either. If
they admit being struck by a virus, nobody would buy their software.
You know things are getting bad when you buy a name brand software
package at a computer store and find that it's infected by a virus!
Just what IS a computer Virus?
A computer virus is a small piece of code contained within a seemingly
innocent program. What's unique about the code is that when the program
is run, it attaches itself to other programs. When those other programs
are run, the virus inside them seeks out and attaches itself to yet more
programs on your disks. These other programs (the targets) can be ANY
program including your operating system (ie: command.com). Depending on
what instructions are present within the viral code, the results can be
quite severe - anything from wiping out your entire fixed disk to
ruining your data to altering video I/O functions so that your CRT
explodes! These catastrophic results are usually not carried out right
away - the people writing these viruses usually set "time bombs" in the
viral code. These "time bombs" can be anything - when a certain date is
reached, or a certain memory location is written to with a certain
value, or the number of files on your disk reaches a certain number, or
you run a program a certain number of times - these are just a few
examples of "triggers" that viruses set and look for. When the
"trigger" happens, then the viral code does its catastrophic dirty work.
Bulletin Board Systems
In addition to spreading computer viruses by infected software houses,
Bulletin Board Systems are a major target for the people who derive
pleasure out of writing viral code. ANY program on a BBS can be
downloaded by ANYONE. The person downloading a program from a BBS may
be a "virus implanter" and implant the downloaded program with a virus,
then upload it to other BBS's where perhaps thousands of people will
download the infected version of the program. The problem is reaching
epidemic proportions and as a result, some companies have banned the
downloading of programs from BBS's. This is indeed a shame, since BBS's
are there for the sharing of knowledge, information, and the opportunity
to get talented programmers' works known.
How Can I Tell If MY Computer Has Infected Programs?
Simply put, YOU CANNOT! That's the scariest part of it all. Viruses
may lie dormant for months or years on an infected system before they
show their symptoms. Programs will continue to run normally until one
day when the "trigger" is reached.
What Can I Do to Stop a Potential Virus?
There are some viral-fighting programs available such as FLU-SHOT, and
versions of VACCINE. These programs attempt to block viruses from doing
things that viruses typically do. They attempt to block any altering of
COMMAND.COM or your other operating system's system files. They try to
alert you of low-level disk writing. These programs look for other
things as well but may slow your system down as a result. Some require
you to make lists of approved programs and TSR's. The problem with
these programs is that they are running on your system, which may
contain a virus that looks for these particular programs and renders
them inactive or makes them think that everything's ok (sounds like
AIDS, doesn't it?) while they do their dirty work. The original version
of FLU-SHOT was found to contain a virus itself (NOT from the original
author), although newer versions have been corrected.
Introducing FICHECK / MFICHECK
FICHECK and MFICHECK are programs which differ from vaccine-type
programs and other programs that attempt to find, block, or alert you to
viruses. FICHECK does none of these things. As a matter of fact,
FICHECK can't even be run from your fixed disk! FICHECK is a preventive
medicine program which sort of takes a snapshot (x-ray) of your entire
fixed disk(s) and logs it to a file. The things FICHECK logs are the
date, time, size, attribute, and CRC (Cyclic Redundancy Check) of every
file on your fixed disk(s). It looks for differences in all of these
things whenever you decide to run it again and alerts you to any
changes. Any changes potentially mean a virus is at work - Viruses have
to alter files in some way in order to spread themselves. MFICHECK does
the same thing as FICHECK except it uses our unique MCRC (Modified
Cyclic Redundancy Check) instead of standard CRC checking.
FICHECK also checks the CRC of your master boot record/partition table
(MFICHECK checks the MCRC of your master boot record/partition table)
and logs this information as well as available disk space and FAT (File
Allocation Table) ID byte. When these programs compare your actual disk
information against the log (boot record info, FAT ID byte, disk space,
all file parameters: date, time, size, attribute, CRC or MCRC), any
discrepancies are reported to you, suggesting a possible virus at work -
especially if the master boot record/partition table info has been
changed.
CRC checking vs MCRC checking
CRC (cyclic redundancy check) is a sophisticated check of sequential
bytes in a file resulting in a unique number for that file. This unique
number should change in the event any one or more bytes of the file
change. If the CRC number for the file changes, it indicates the file
has changed.
CRC has been around for many years in communications protocols for
transferring files from one computer to another over telephone lines
with modems. When sending files across telephone lines, CRC checking
does its job very well to insure that the data the receiving computer
gets matches the data the sending computer sends.
CRC was designed specifically for communications between computers.
However, CRC IS NOT A RELIABLE METHOD FOR DETECTING CHANGES TO FILES
THAT ALREADY EXIST ON YOUR DISK SYSTEM! Later in this document, we'll
prove that to you with a program that will alter a file and keep its CRC
intact.
Basically, a resident virus on your system has all day to modify your
files and keep the original CRC of those files the same. So-called
anti-viral or file checking programs claiming to alert you of changes to
your files based solely on CRC checking will offer no protection against
virus or trojan programs capable of file alteration while maintaining
CRC integrity.
MCRC is a unique, modified CRC check developed exclusively by us at
Gilmore Systems for the sole purpose of checking files on your disk
system for modification. Our MCRC check is a highly reliable, state of
the art check used in determining changes to files on your disk system.
While CRC can be fooled by clever viruses and trojans, MCRC does NOT
fall victim to these file altering programs. MCRC will detect changes
to files where CRC shows no change.
You may be asking yourself at this point - what if some hacker tears
apart our code and discovers our MCRC algorithm, then incorporates a
means of modifying files in his virus programs which leave MCRC intact?
This is an excellent question but rest assured that if this happens,
standard CRC checking will show the change. In other words, IT IS NOT
POSSIBLE TO ALTER A FILE SUCH THAT BOTH CRC AND MCRC REMAIN UNCHANGED -
one or the other (but not both) has to change!
As promised earlier, here's how to work the PROVECRC.EXE program which
will prove to you that file alteration is possible without affecting the
original CRC.
***
*** IMPORTANT: Before you try this example, read the rest of this user's
*** manual completely, then come back to this example!
***
First, choose a file between 25 and 32,000 bytes in length to be altered
(if you can't think of any, use our PROVECRC.EXE program as the file
itself). Next, enter the following on the DOS command line:
PROVECRC INFILE OUTFILE
where INFILE is the name of the file to alter, and OUTFILE is the name
of the file to store the altered copy in. INFILE will remain intact,
but OUTFILE will have an altered copy of INFILE which retains the same
CRC as INFILE and the same date, time, size, and attributes. Next, run
a CRC checking program (or use FICHECK.EXE as described later in this
document with the "/s=" option) to show the CRC of INFILE and OUTFILE,
noting that the CRC values of each file are identical. Repeat this
process with MFICHECK.EXE, noting the different MCRC values for each
file. You can also run the DOS COMP program to prove that the two files
are indeed different!
The above process can be automated with the PROVE.BAT file provided.
Simply enter the following on the DOS command line:
PROVE INFILE OUTFILE
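The effect PROVECRC demonstrates, shown as an added example that is not Gilmore Systems' code and makes no claim about how PROVECRC works internally: a same-size altered copy keeps its CRC because CRC is linear, while a cryptographic digest still reports the change. Assumptions: CRC-32 as computed by zlib (the document does not say which CRC FICHECK uses), SHA-256 standing in as the second check because the MCRC algorithm is unpublished, and constructed sample bytes and function names.

```python
import hashlib
import zlib


def _reduce(vec, combo, basis):
    """Reduce vec against a GF(2) basis, tracking which patch bits were used."""
    while vec:
        top = vec.bit_length() - 1
        if top not in basis:
            break
        bvec, bcombo = basis[top]
        vec ^= bvec
        combo ^= bcombo
    return vec, combo


def restore_crc32(original: bytes, altered: bytes, pos: int) -> bytes:
    """Rewrite 4 bytes of `altered` at `pos` so its CRC-32 equals `original`'s.

    For messages of one fixed length, CRC-32 is an affine function of the
    message bits, so the 32 patch bits come from solving 32 linear
    equations over GF(2). No searching or guessing is involved.
    """
    if len(original) != len(altered):
        raise ValueError("files must have the same size")
    if not 0 <= pos <= len(altered) - 4:
        raise ValueError("patch window does not fit in the file")
    head, tail = altered[:pos], altered[pos + 4:]

    def crc_with(patch: int) -> int:
        return zlib.crc32(head + patch.to_bytes(4, "little") + tail)

    base = crc_with(0)
    basis = {}  # highest set bit -> (CRC effect, patch bits producing it)
    for bit in range(32):
        vec, combo = _reduce(crc_with(1 << bit) ^ base, 1 << bit, basis)
        if vec:
            basis[vec.bit_length() - 1] = (vec, combo)
    leftover, patch = _reduce(zlib.crc32(original) ^ base, 0, basis)
    if leftover:
        raise ArithmeticError("no patch exists for this window")
    return head + patch.to_bytes(4, "little") + tail


def detected_by(reference: bytes, candidate: bytes) -> dict:
    """Report which checks notice that candidate differs from reference."""
    return {
        "size": len(reference) != len(candidate),
        "crc32": zlib.crc32(reference) != zlib.crc32(candidate),
        "sha256": hashlib.sha256(reference).digest()
        != hashlib.sha256(candidate).digest(),
    }


# Constructed sample data standing in for INFILE and an altered OUTFILE.
INFILE = b"MZ" + bytes(range(256)) * 4 + b"constructed sample program image"
ALTERED = INFILE[:100] + b"EDIT" + INFILE[104:]
OUTFILE = restore_crc32(INFILE, ALTERED, pos=len(ALTERED) - 4)

if __name__ == "__main__":
    print("plain edit:      ", detected_by(INFILE, ALTERED))
    print("CRC-matched copy:", detected_by(INFILE, OUTFILE))
```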
------------------------------------------------------------------------
IMPORTANT NOTE:
Throughout the remainder of this document:
We will use FICHECK to mean either of FICHECK.EXE or MFICHECK.EXE
Both are identical except
FICHECK does CRC checking
MFICHECK does MCRC checking
We use the terms "hard disk" and "fixed disk" interchangeably
------------------------------------------------------------------------
Using FICHECK / MFICHECK
You should have the following programs/files on your disk:
FICHECK4.DOC - this document
FICHECK.EXE - the FICHECK version 4.0 program
MFICHECK.EXE - the MFICHECK version 4.0 program
PROVECRC.EXE - the CRC disprover program
PROVE.BAT - batch file for PROVECRC.EXE
READ.ME - text of announcements, changes, etc.
If you've used previous versions of FICHECK/MFICHECK, please destroy and
replace them with these newer versions. These newer versions (version
4.0) are upward compatible with the logs created by version 3.0 (but not
versions lower than 3.0).
FICHECK should NOT be placed on your fixed disk - it will ONLY RUN FROM
A FLOPPY, and furthermore, DOS MUST BE BOOTED FROM THAT FLOPPY DISK!
Why all the hassle of booting from and running from a floppy? Simple.
If you boot from a fixed disk, you may be booting from an infected copy
of your operating system, starting an infected TSR, have an infected
device driver, or may have run an infected program. If you boot from
floppy, you don't give the viruses on your fixed disk a chance to become
active. Therefore, the first thing you should do in order to prepare
for using the FICHECK program is:
1) Boot DOS from your ORIGINAL distribution disk.
2) Format a bootable floppy. (use the command "FORMAT A:/S")
3) Copy FICHECK.EXE to the newly formatted disk.
4) Diskcopy this new disk for as many fixed disk drives or logical
drives you have on your system and label each one for a specific
drive (ie: FICHECK for drive C:, FICHECK for drive D:, etc).
Anytime you want to run FICHECK, you should first turn your computer
OFF, then back on with the bootable FICHECK diskette in drive A:
(Hitting Ctrl-Alt-Del may not get rid of actively running viruses).
FICHECK can be run in one of two ways: interactively or with command
line arguments.
Running FICHECK Interactively
Simply type and enter "FICHECK" on the command line (without quotes).
You'll be presented with a screen containing 3 sets of fields to fill
in:
1) The Drive Letter of the fixed disk you wish to check.
2) The Processing Option you wish FICHECK to perform.
3) The filename extensions of the files you wish to check.
The first field simply asks for the drive letter of the fixed disk drive
you wish to check.
The second field has one of three answers: N, C, or P which stand for
New, Check, and Print, respectively. The first time you run FICHECK you
should choose N which will scan your fixed disk and log a "snapshot" of
your files, master boot record/partition table, FAT (file allocation
table) ID byte, and disk free space. FICHECK will create 2 log files on
floppy drive A named DRIVEx.CCK (holding file information), and
DRIVEx.CDI (holding boot record and space information) where the "x" is
the drive letter of the drive that's being logged (Note that MFICHECK
uses extensions of ".MCK" and ".MDI" instead). You should run FICHECK
with the N option after every BACKUP or immediately before running a new
program, or whenever appropriate. Using the N option logs all files
which may have been added since the last time you used the N option.
Choosing C or P requires that your printer be turned on (writes to LPT1
or PRN). After running N, you should re-run the program choosing P for
a readable hardcopy of the log (P runs at lightning speed).
Run FICHECK with the C option any time after you've run a new program
such as one that may have been downloaded from a BBS (or even purchased
from a store). Besides after running a new program, it would be very
beneficial to give your disk a weekly checkup by running FICHECK with
the C option. FICHECK will print any discrepancies in checks of the
actual files on your fixed disk against the log entries, as well as
report on any deleted or added files, and any removed or added
directories, changed volume names, changed master boot record/partition
table info, FAT ID byte, and disk free space. This report should alert
you to possible infection by viruses present on your system and which
files or programs may have become infected. Some discrepancies are
normal:
- If you're a programmer, the only EXE, COM, OBJ, LIB, SYS or BAT
files that should have changed are the ones YOU create or modify.
- If you've edited an existing text file this will be reported
by FICHECK if you've used "*" or supplied its extension.
- Many programs modify data files (ie: database programs modify
database files, games may modify their own data files, etc). This
is normal but will be reported by FICHECK nonetheless.
The third field lets you enter anywhere from 0 to 10 different
extensions (filename extensions) which can be anywhere from one to three
characters including the wildcards (? and *). If you're not familiar
with wildcards, please consult your DOS manual. Whenever you specify
extensions, FICHECK only looks for and checks filenames on your fixed
disk that match the extensions you supply. For instance, if you supply
EXE, COM, SYS, and BAT (which we recommend as a minimum), FICHECK will
only check or look for files matching those extensions (ie: *.EXE,
*.COM, *.SYS, and *.BAT). Some programs use overlays, usually matching
the OV? extension. For maximum protection, use "*" by itself (without
quotes) to check and look for EVERY file on your fixed disk (including
those without any extensions). If you use "*" (without quotes) by
itself, ALL files on your fixed disk will be specified, whereas if you
use "*" as in "XX*", all files matching "XX*" will be specified along
with any other extensions you specify (if any). If you don't enter any
extensions, "*" will default (ALL files). NOTE: WE VERY STRONGLY
SUGGEST USING "*" (without quotes) EVERY TIME YOU USE "FICHECK" - NO
MATTER WHICH OPTION (N,C,P) YOU CHOOSE.
Once all three fields have been filled in by you, press the F2 key on
your keyboard to start processing. Anytime before pressing F2, you can
press F1 for brief help with the field you're on, or F10 to quit the
program.
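The N (new log) and C (check) options and the extension field described above, reduced to their logic as an added example that is not FICHECK's own code. Assumptions: SHA-256 is swapped in for the CRC/MCRC, POSIX mode bits stand in for DOS attributes, the log is an in-memory dict rather than a DRIVEx.CCK file, and every function name and sample file is constructed for the demonstration.

```python
import fnmatch
import hashlib
import os
import tempfile


def wanted(name, extensions):
    """Field 3: match a file name against extension patterns such as EXE or OV?."""
    if not extensions or "*" in extensions:
        return True  # "*" alone (or nothing) selects every file
    ext = name.rpartition(".")[2] if "." in name else ""
    return any(fnmatch.fnmatchcase(ext.upper(), p.upper()) for p in extensions)


def new_log(root, extensions=("*",)):
    """N option: record size, mtime, mode and digest of each selected file."""
    log = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not wanted(name, extensions):
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            log[rel] = {"size": st.st_size, "mtime": st.st_mtime_ns,
                        "mode": st.st_mode, "digest": digest}
    return log


def check(log, root, extensions=("*",)):
    """C option: compare the disk with the log; return (path, finding) pairs."""
    now = new_log(root, extensions)
    # Only log entries matching the requested extensions take part in the check.
    old = {p: r for p, r in log.items()
           if wanted(p.rsplit("/", 1)[-1], extensions)}
    findings = []
    for rel in sorted(old.keys() | now.keys()):
        if rel not in now:
            findings.append((rel, "deleted"))
        elif rel not in old:
            findings.append((rel, "added"))
        else:
            diff = [k for k in ("size", "mtime", "mode", "digest")
                    if old[rel][k] != now[rel][k]]
            if diff:
                findings.append((rel, "changed: " + ", ".join(diff)))
    return findings


def demo():
    """Constructed scenario: a silent rewrite, an edit, a new file, a deletion."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)

        write("COMMAND.COM", b"constructed shell image")
        write("GAME.EXE", b"constructed program AAAA")
        write("OLD.BAT", b"echo constructed\r\n")
        write("NOTES.TXT", b"constructed notes")
        log = new_log(root)  # in practice the log is kept off the checked disk

        # Rewrite GAME.EXE keeping its size and timestamps: only the digest moves.
        target = os.path.join(root, "GAME.EXE")
        st = os.stat(target)
        write("GAME.EXE", b"constructed program BBBB")
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))
        write("NEW.BAT", b"echo added\r\n")
        write("NOTES.TXT", b"constructed notes, edited")
        os.remove(os.path.join(root, "OLD.BAT"))

        narrow = check(log, root, ("EXE", "COM", "SYS", "BAT"))
        full = check(log, root, ("*",))
    return narrow, full


if __name__ == "__main__":
    for label, report in zip(("EXE,COM,SYS,BAT", "*"), demo()):
        print(label, report)
```

The narrow extension list never reports the edited NOTES.TXT, which is the gap the "*" recommendation above closes.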
Running FICHECK With Command Line Arguments
You can run FICHECK with command line arguments in one of three methods:
method 1: FICHECK d: /n=EXT | /c=EXT | /p=EXT [/o=OUTFILE]
method 2: FICHECK /s=FILESPEC
method 3: FICHECK /v
Method 1
The arguments are not case sensitive so feel free to use lower and/or
uppercase characters. Spacing is not important either, use spaces
wherever you want or none at all. The argument definitions are:
d: - The drive letter of the fixed disk drive to check.
/n= - Identical to N of field 2 of interactive usage.
/c= - Identical to C of field 2 of interactive usage.
/p= - Identical to P of field 2 of interactive usage.
EXT - Identical to field 3 of interactive usage. Extensions
must be separated by commas.
[/o=OUTFILE] - The brackets surrounding this argument mean it's
optional - don't use the brackets. /o=OUTFILE if
present, will print output to the filespec specified
by OUTFILE instead of your printer. OUTFILE should
contain a COMPLETE PATH INCLUDING DRIVE. Note that
printed output (which would be routed to OUTFILE)
takes place when the C or P options are used.
Note that ONLY ONE of /n=, /c=, or /p= is to be used (just as in the
interactive mode).
Examples:

FICHECK c: /n=*                 creates new log of ALL files on drive C

FICHECK c: /n=exe,com,sys,bat   creates new log of files on drive C:
                                matching *.exe, *.com, *.sys, *.bat

FICHECK e:/p=*                  makes a readable hardcopy of everything
                                in the DRIVEE.CCK log. Also useful for
                                a great "enhanced" disk drive listing.

FICHECK e:/p=* /o=c:\log_e      same as above but creates file C:\LOG_E
                                and prints to this file instead of your
                                printer.

FICHECK f:/c=*                  checks drive F against the log
                                DRIVEF.CCK and prints any discrepancies
                                on your printer.

FICHECK f: /c=* /o=c:\report    same as above but creates file
                                C:\REPORT and prints to this file
                                instead of your printer.

FICHECK d: /c=exe,com,sys,bat   checks drive D against log DRIVED.CCK
                                and prints any discrepancies on your
                                printer. Note that only *.exe, *.com,
                                *.sys, and *.bat will be checked
                                against the matching log entries.
Method 2
FICHECK / MFICHECK has the ability to scan single files (or groups of
files via wildcards) for CRC calculation (or MCRC calculation with
MFICHECK). This feature is invoked by using the "/s=" option. Note
that when "/s=" is used, no other command line arguments are allowed.
Also note that when "/s=" is used, you are not limited to hard disks -
you may specify floppy drives. When "/s=" is used, the file(s) will be
listed along with their size, date, time, attribute, and CRC or MCRC.
Examples:

FICHECK /s=*.exe            calculates and displays info on *.exe files
                            in current directory.

FICHECK /s=c:\ibmbio.com    calculates and displays info about
                            c:\ibmbio.com

FICHECK /s=a:\*.bat         calculates and displays info about all *.bat
                            files found in current directory for drive A:

FICHECK /s=*.* >prn         calculates and prints info (on printer) about
                            all files in current directory and drive.
NOTE: Logs are not used, created, read, or modified when the "/s="
option is used. Also note that the "/s=" option is only available
during command line processing and that no other options are
allowed when "/s=" is used.
Method 3
FICHECK incorporates code that can test itself to see if any changes to
itself were made. To test the validity of FICHECK, simply enter:
FICHECK /v
FICHECK will then perform a validity test of itself. You should use
this method periodically to insure that FICHECK has not become infected
or altered in any way.
*******************************************************
*** Changing the FICHECK/MFICHECK screen appearance ***
*******************************************************
The FICHECK screen was designed with color monitors in mind. Although
FICHECK incorporates code to automatically detect your monitor type
(color or monochrome), you can force changes to the screen appearance by
use of an environment variable. To do this, enter one of the following
on the DOS command line prior to starting FICHECK (you only need to do
this once unless you restart your machine):
SET SCRMODE=MONO
SET SCRMODE=OTHER
If you have a color monitor and don't like the blue background, you
would use the SET SCRMODE=MONO command above. If you have a nonstandard
monitor and the FICHECK screen doesn't display properly, use the SET
SCRMODE=OTHER command above. To turn off these commands (defaulting
back to the built in auto-detection), enter "SET SCRMODE=" (without
quotes).
************************
*** MORE INFORMATION ***
************************
Even if you only plan on using FICHECK/MFICHECK in the interactive mode
of operation, you should still view the help screens by entering one of
the following on the DOS command line:
FICHECK /help
MFICHECK /help
There are 3 screens of help which will present themselves. The last
screen also provides information on our commercial XFICHECK program.
***********************************
*** IMPORTANT FINAL REMARKS ***
***********************************
Whenever booting your system from a floppy, it is extremely important to
boot from the same version of DOS on floppy as that on your fixed disk!
Running FICHECK with the N option will only log the current state of
your files on your fixed disk(s), which may already contain infected
files. Subsequent runs using the C option alert you to any changes
which may have occurred. Any of the changes reported is an alert of a
potential virus. If a file has changed that shouldn't have, remove it
from your system immediately and replace it with the same file from your
original distribution diskette. If COMMAND.COM, IBMBIO.COM, or
IBMDOS.COM have changed on your drive C, turn off your computer
immediately. Insert your original DOS diskette in Drive A and restart
your computer. Once restarted, do a "SYS C:" to overwrite these files
to the way they should be. If COMMAND.COM was the only file that
changed, turn off your computer immediately. Insert your original DOS
Diskette in Drive A and restart your computer. Once restarted, do a
"COPY COMMAND.COM C:" or to the appropriate disk drive.
FICHECK searches all file attributes - system, hidden, etc. Once
processing has started, FICHECK starts a timer and when processing
finishes, FICHECK prints how long it ran. On computers running at 4.77
MHz such as the original IBM XT's, FICHECK may take a while to complete
its job. On computers such as the IBM PS/2 Model 80 running at 20 MHz,
FICHECK flies right through. We've incorporated fast algorithms so that
FICHECK will run through your system as fast as possible.
It's pretty difficult to evade a CRC (cyclic redundancy check) of your
files, not to mention changing file size by adding a couple of bytes or
so.
Clever viruses install themselves over unused portions of program files,
and manage to keep the same size, date, time, and attribute of the file.
But even with these protective checks, CRC offers no guarantee against
some clever deviant coding a virus that attempts to match the original
CRC of a file it altered. There are no reports of this yet, but as more
CRC checking programs such as this are in use, virus-writing programmers
will have to incorporate code (mutations) to match the CRC of the
original file when they alter it. It's not a small task for them,
however CRC checking is a well known method. If you can test a file for
CRC, you can alter a file such that its CRC stays the same. Because of
this, we offer another version of FICHECK (MFICHECK or Modified FICHECK)
which uses a unique, modified CRC check which is not known to the
virus-writing programmers (and we won't make the method public in order
to protect you). Since the modification we made to the CRC algorithm is
unknown to anyone but us, a virus-writing programmer will not know how
to defeat the check. The MFICHECK program is distributed with FICHECK,
and its operation is identical to that of FICHECK with 2 exceptions: 1)
it uses an extension of ".MCK" and ".MDI" instead of ".CCK" and ".CDI",
and 2) it uses our unique Modified CRC (MCRC) check instead of standard
CRC checking.
We also anticipate these deviant virus-writing programmers to hack away
at our MFICHECK program in an attempt to discover the MCRC checking
algorithm so that the viruses they write can also modify your programs
and files to match our MCRC values. Have no fear - we have a solution
to that too. Although it's possible for a virus to alter the contents of
a file and cleverly maintain the same CRC value, the MCRC value will
change. Likewise, if the virus incorporates code that alters a file and
cleverly maintains the same MCRC, the CRC value will change. No matter
what the virus does to your files, if it is altered in any way, either
the CRC or the MCRC has to change. It is virtually impossible to alter
a file and maintain both the original CRC and MCRC values - one or the
other will change and will be detected by our File Integrity Checking
programs. You could employ this dual checking method by running
FICHECK, then immediately running MFICHECK but that would be too time
consuming to be worth the bother - we have another solution - read on!
XFICHECK - The Commercial Version
Explanation
When you register your copy of FICHECK with us, we'll send you not only
guaranteed, virus-free copies of FICHECK and MFICHECK, but also our
commercial XFICHECK program as well. XFICHECK (eXtended FICHECK)
incorporates both CRC and MCRC checking in a single pass, and doesn't
take much longer to run than MFICHECK. The added security and peace of
mind of dual-checking for CRC and MCRC alone is worth the registration
fee, but that's not all XFICHECK does. XFICHECK does everything FICHECK
and MFICHECK do together, AND has more features:
- Dual CRC and MCRC checking in a single pass! Saves enormous time!
Can optionally be forced to do CRC or MCRC only.
- Allows Exclusion of extensions from searches as well as inclusion
(saves more time!)
- Can optionally ignore the archive bit of the attribute byte
(eliminates long reports when C option is used after a backup is
performed).
- Records information on ALL bootable partitions (FICHECK only does
the master boot record/partition table).
- Stores actual master boot record/partition table and ALL separate
boot partitions on disk - saves this in a hidden/read-only file on
floppy disk.
- Can optionally restore master boot record/partition table and any
of the separate boot partitions.
- Can optionally be run from hard disk (without boot from floppy and
without starting the program from floppy - NOT RECOMMENDED).
- Reports on disk space also include: available clusters, total
clusters, bytes per sector, and sectors per cluster as well as any
changes to them. This is in addition to disk free space and FAT ID.
- Can be run from the command line to do a quick CRC and MCRC of any
file or group of files on any disk (including floppies). Does not
require or use the log.
- Stores information in the log as to its creation criteria:
- search extensions specified in creation
- search extensions excluded in creation
- date/time of log creation (independent of date/time of file)
- Log creation criteria (above) is printed in all reports along with:
- search extensions specified for current report
- search extensions excluded for current report
- date/time of current report
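The log-and-compare scheme in the feature list above, as an added example (not Gilmore Systems' code): one read of each file feeds two independent checks, extensions can be included or excluded, and the log records its creation criteria. The MCRC algorithm is not described here, so SHA-256 stands in as the second check; the function names and the JSON log layout are assumptions.

```python
import hashlib
import json
import os
import zlib
from datetime import datetime, timezone

def dual_check(path, chunk=65536):
    """Read the file once, feeding every block to both checks."""
    crc, second = 0, hashlib.sha256()  # SHA-256 is a stand-in for MCRC (assumption)
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            crc = zlib.crc32(block, crc)
            second.update(block)
    return f"{crc:08x}", second.hexdigest()

def scan(root, include=None, exclude=()):
    """Map relative path -> [crc, second]; extensions are lowercase, e.g. '.exe'."""
    found = {}
    for folder, _dirs, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            if ext in exclude or (include and ext not in include):
                continue
            full = os.path.join(folder, name)
            found[os.path.relpath(full, root)] = list(dual_check(full))
    return found

def create_log(root, log_path, include=None, exclude=()):
    """Write the baseline together with the criteria it was created under."""
    log = {
        "created": datetime.now(timezone.utc).isoformat(),
        "include": sorted(include) if include else None,
        "exclude": sorted(exclude),
        "files": scan(root, include, exclude),
    }
    with open(log_path, "w") as fh:
        json.dump(log, fh, indent=1)
    return log

def verify(root, log_path):
    """Rescan with the log's own criteria and report every difference."""
    with open(log_path) as fh:
        log = json.load(fh)
    now, then = scan(root, log["include"], log["exclude"]), log["files"]
    return {
        "changed": sorted(p for p in then if p in now and now[p] != then[p]),
        "missing": sorted(p for p in then if p not in now),
        "new": sorted(p for p in now if p not in then),
    }
```

Keep the log outside the tree being scanned (the guide keeps it on floppy), otherwise the log itself shows up as a new file on the next run.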
Ordering Info
************************
*** Order Today! ***
************************
If you've obtained this copy of FICHECK from a friend or BBS (shared
programs), there is NO guarantee that your copy of FICHECK hasn't become
infected by a virus. We cannot guarantee that somebody didn't download
this program, infect it (purposely or accidentally), and pass it on by
uploading it to other BBS's or giving it to friends.
Since FICHECK and MFICHECK are shareware, we would normally encourage
you to try it, then register if you like it. Recall that early versions
of FLU-SHOT became infected. You may use these programs at your own
risk.
We can only guarantee that the copy of FICHECK we send you on floppy via
U.S. mail is free of viruses (or you can download the shareware version
from our BBS).
Only $15 to order (U.S. currency, check, or use your VISA/MC when
ordering by phone).
When you order, we'll send you not only a copy of FICHECK and MFICHECK,
but our powerful commercial version - XFICHECK.
Unless you specifically request a 3-1/2" micro-floppy disk, we will send
you a 5-1/4" floppy disk. FICHECK, MFICHECK and XFICHECK will run on
all true IBM compatible computers running the IBM PC-DOS or MS-DOS
operating systems versions 2.0 and above. Some fixed disks require
drivers which should be placed on your boot diskettes from the original
driver distribution diskette. FICHECK, MFICHECK and XFICHECK will run
on the entire family of IBM (and compatible) computers ranging from the
XT to all of the PS/2 models. Fixed disks containing the OS/2 operating
system and associated files can also be checked since they maintain the
same file structure as DOS - you must still format DOS bootable
diskettes to use the programs.
To order, send $15 (Calif. residents add 6.5% sales tax - $15.98) to:
Gilmore Systems
P.O. Box 3831
Beverly Hills, CA 90212-0831
- or call us with your VISA/MC number at (213) 275-8006 -
- or register online on our "Virus Info" BBS at (213) 276-5263 -
Bonus!
***************
*** ***
*** Bonus! ***
*** ***
***************
As a bonus for ordering, we will grant you 6-months of usage on our
"Virus Info" BBS which is dedicated to the topic of Computer Viruses.
We would like to maintain a central log of CRC and MCRC values for as
many programs and files as we can. If you're an ORIGINAL program author
and would like the CRC and MCRC values of your works published on our
"Virus Info" BBS, please contact us for information. As a user of our
BBS, you can compare these values with the actual values found by
FICHECK and/or MFICHECK (or XFICHECK) to verify integrity of programs
and files downloaded from other BBS's. The only uploading we allow is:
text and source code files relating to the topic of computer viruses.
Executable programs may be uploaded provided that its source code
accompanies the programs. Other executable programs can be uploaded by
special arrangement with the sysop. An electronic mail and public
message system will also be available for you to participate in. For
our registered users, the most current versions of XFICHECK will
automatically be sent via first class mail. If you're not a registered
user, you can still call our BBS and register with your Visa/MC online.
Many companies such as ours use BBS systems to exchange and share
information, ideas, new technologies, programs, tools, and multitudes of
other things. How can we continue to use these invaluable offerings in
fear of destruction of our most valuable programs, data, or even
hardware? We hope that our "File Integrity Check" programs will offer
you security against these fears and at the same time inspire other
programmers to create other anti-viral or preventive computer medicine
type programs.
- Chuck Gilmore, President