GO_EN1.DOC
Text File | 1993-10-27 | 19KB | 561 lines
-->> Name of this file: READ_ME.BAT
(Made with EDLAB's utility programs VIEWTXTG & BMP_ICO)
GO_EN1, the friendly A_Virus:
═════════════════════════════
A_Virus means Anti-Virus Software Tester.
Securing PCs against malignant PC viruses is not a straightforward task.
The need for protection, however, increases with the increased use of
computers. As the number of computers increases, so does the number of
people capable of making simple and complex programs. This increases the
number of quality programs, but also the number of 'quality' PC Viruses.
Prevention is better than cure:
GO_EN1 is a coupler type program, which can be used to demonstrate the way a
PC virus functions, without any danger. As it couples onto any DOS program,
specified by you, the same way as the most potent PC viruses do, it can be
used to test the value of your current virus protection.
Security starts with knowledge. GO_EN1 is a powerful way to obtain practical
knowledge about the coupler principle and thus enhance security.
The supplied A_Virus program and information package has been designed to
assist you in gaining knowledge of PC security and management.
See also: Compuserve GO SWREG for "PC-AUDIT/CONTROL, UTILITY/TRAINING V2.4"
I M P O R T A N T :
You may copy and distribute the contents of this package, provided no text,
programs etc., are altered and nothing is omitted. You may not use any
programs, text etc., in this package, commercially. Obtain a commercial
(professional) version through CompuServe.
How to infect (couple) a DOS EXE file with A_Virus:
───────────────────────────────────────────────────
MEMCHECK.EXE is provided to allow you to test GO_EN1 on a DOS exe file.
MEMCHECK.EXE is a simple program that reports available base memory.
Uninfected (non-coupled) MEMCHECK:
Make sure you have an uninfected version of MEMCHECK.EXE: run MEMCHECK
and confirm that it reports only your computer's available memory.

Infecting (coupling) MEMCHECK:
Infect MEMCHECK.EXE with the command line:
    GO_EN1 MEMCHECK.EXE /SMIT
(The parameter must be in upper-case letters.)
When you now run MEMCHECK, it will display both the A_Virus critter and the
available memory in your computer.
─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─
How to disinfect a DOS EXE file which has the A_Virus:
──────────────────────────────────────────────────────
Make sure you have an infected version of MEMCHECK.EXE: run MEMCHECK
and confirm that it displays both the A_Virus and your computer's
available memory.
Disinfect MEMCHECK.EXE with the command line:
    MEMCHECK.EXE /FJERN
The parameter /FJERN must be in upper-case letters.
When you now run MEMCHECK, it will display only the available memory in your
computer. The friendly A_VIRUS has been removed.
─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─
How to display the A_Virus in graphics:
──────────────────────────────────────
An A_Virus infected program recognises two different parameters: /FJERN and
/GRAFIK. With the parameter /GRAFIK, the screen changes to VGA mode
and the A_Virus is displayed in graphics.
If you try it on an infected MEMCHECK.EXE, the command line would be:
    MEMCHECK /GRAFIK
The parameter /GRAFIK must be in upper-case letters.
─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─
The purpose of A_VIRUS, GO_EN1:
───────────────────────────────
Anti-Virus software should help you identify and remove various PC viruses.
This is of absolute importance to the security of any company or person who
relies on the PC to run their business etc.
Does the Anti-Virus software work?
How would you know if you don't test it?
This is where GO_EN1 comes in.
Infect the supplied MEMCHECK program or any DOS EXE file you fancy, and
test your Anti-Virus software.
Could it find GO_EN1?
Probably not.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
What does GO_EN1 do?
────────────────────
GO_EN1 is a DOS EXE file coupling program. It checks that the EXE file is
a proper DOS program and will not couple onto Windows or OS2 EXE files.
The coupling process ensures that the GO_EN1 friendly A_VIRUS (NOT a PC
virus) is run whenever you run the infected (coupled) program. To prove
its existence, it shows a picture with the text A_VIRUS and explains how to
remove it from the infected program.
Coupling programs:
──────────────────
Any archive program which assembles the archived files into an executable
program is a coupling program and thus closely related to GO_EN1, the
A_Virus.
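
A defender can check the two structural facts described above: whether a file is a plain DOS EXE rather than a Windows or OS2 one, and whether a second DOS program sits inside it. The Python code below is an added example, not EDLAB's code; it assumes the coupled file is a stub followed by the unmodified original (suggested by the file_ofs constant in the source extract), and its sample files are constructed. Self-extracting archives match the same heuristic, as the paragraph above implies.

```python
import struct

# Signatures found at e_lfanew in "new" executables that sit behind a DOS stub
NEW_HEADER_SIGS = {b"NE": "Windows/OS2 NE", b"LE": "LE", b"LX": "OS/2 LX", b"PE": "Windows PE"}

def mz_image_size(data, base=0):
    """Size in bytes that the MZ header at `base` declares, or None if implausible."""
    if len(data) < base + 0x1C or data[base:base + 2] not in (b"MZ", b"ZM"):
        return None
    e_cblp, e_cp, _e_crlc, e_cparhdr = struct.unpack_from("<HHHH", data, base + 2)
    if e_cp == 0 or e_cblp > 511 or e_cparhdr < 2:
        return None
    size = e_cp * 512 if e_cblp == 0 else (e_cp - 1) * 512 + e_cblp
    return size if e_cparhdr * 16 <= size else None

def exe_kind(data):
    """Classify as plain DOS MZ or as a newer format behind a DOS stub."""
    if mz_image_size(data) is None:
        return "not MZ"
    if len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if e_lfanew >= 0x40 and data[e_lfanew:e_lfanew + 2] in NEW_HEADER_SIGS:
            return NEW_HEADER_SIGS[data[e_lfanew:e_lfanew + 2]]
    return "plain DOS MZ"

def find_embedded_mz(data):
    """Offset of a second plausible MZ program that fits inside the file, else None."""
    pos = data.find(b"MZ", 2)
    while pos != -1:
        size = mz_image_size(data, pos)
        if size is not None and pos + size <= len(data):
            return pos
        pos = data.find(b"MZ", pos + 1)
    return None

def triage(data):
    return {"kind": exe_kind(data), "declared": mz_image_size(data),
            "actual": len(data), "embedded_mz_at": find_embedded_mz(data)}

def make_mz(total_len):
    """Constructed sample: 32-byte MZ header plus zero filler (not a runnable program)."""
    hdr = struct.pack("<2sHHHH", b"MZ", total_len % 512, -(-total_len // 512), 0, 2)
    return hdr.ljust(32, b"\0") + b"\0" * (total_len - 32)

ORIGINAL = make_mz(1500)                    # stands in for a clean program
COUPLED = make_mz(1024 * 30) + ORIGINAL     # assumed layout: 30 KB stub, then original

if __name__ == "__main__":
    print(triage(ORIGINAL))
    print(triage(COUPLED))
```

A file whose actual size exceeds the size its header declares, with a second MZ header starting in the excess, deserves a closer look before it is trusted.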
Do you want to know how to make A_Viruses and other coupling programs?
──────────────────────────────────────────────────────────────────────
Obtain proper information and source texts about
  * A_Virus
    (with source text in Turbo Pascal 6)
  * PC virus and other PC problems
  * Worms, the network disaster
  * EDLAB Vaccine, professional prevention of PC virus spreading
  * Coupling program (archive)
    (with source text in Turbo Pascal 6)
  * EDLAB-SafeMark:
    PC auditing, control, anti-theft and anti-virus
  * Anti-Virus software tests
  * Utility programs from EDLAB(tm)
Total utility pack with programs, source texts, manual(s) etc., from
>> Compuserve: GO SWREG, ID 100315,1371 <<
Title: PC-Audit/Control, utility/training, v2.4 from EDLAB(tm)
or
CompetiTronic Limited UK, Phone and Fax: >> (+44) 0506 811-457 <<
(automatic switch board, 6 lines)
··> EDLAB Vaccine: Prevention is better than cure
Standard Anti Virus software cannot detect unknown viruses in programs
just purchased. It relies on knowing the 'virus fingerprint', which by
nature must be known to the Anti Virus software. This obviously works if
the virus is known AND the Anti Virus program is run.
Some more carefully designed Anti Virus programs have added a limited or
extensive CRC check. Such a check demands that the CRC value is known AND
that the CRC check program is run. The latter can be done automatically
with a TSR program, provided you are not running OS2 or Windows-NT.
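
The two detection approaches just described, and the condition each depends on, can be run side by side. This Python code is an added example, not part of the EDLAB package; the fingerprint names, the byte strings and the file name NEWPROG.EXE are constructed for illustration.

```python
import zlib

# Constructed fingerprints a scanner already knows (names and bytes are made up)
KNOWN_FINGERPRINTS = {"Known.A": b"\xde\xad\xbe\xef\x13\x37",
                      "Known.B": b"\xca\xfe\xf0\x0d\x42\x24"}

def signature_scan(data):
    """Names of all known fingerprints that occur in the file."""
    return sorted(n for n, fp in KNOWN_FINGERPRINTS.items() if fp in data)

def take_baseline(files):
    """Record (size, CRC-32) for each file; only meaningful if the files are clean."""
    return {name: (len(d), zlib.crc32(d)) for name, d in files.items()}

def crc_check(baseline, files):
    """Map file name -> finding for files that changed or have no baseline."""
    findings = {}
    for name, d in files.items():
        if name not in baseline:
            findings[name] = "no baseline"
        elif baseline[name] != (len(d), zlib.crc32(d)):
            findings[name] = "changed"
    return findings

# Constructed sample data: byte strings standing in for programs
CLEAN = b"MZ" + bytes(range(64)) * 4
UNKNOWN_STUB = b"MZ" + b"\x55\xaa" * 100          # code no fingerprint describes
COUPLED = UNKNOWN_STUB + CLEAN                     # unknown code attached to CLEAN
KNOWN_INFECTED = CLEAN + KNOWN_FINGERPRINTS["Known.A"]

def run_cases():
    good = take_baseline({"MEMCHECK.EXE": CLEAN})
    late = take_baseline({"MEMCHECK.EXE": COUPLED})  # baseline taken too late
    return {
        "signature_known": signature_scan(KNOWN_INFECTED),
        "signature_unknown": signature_scan(COUPLED),
        "crc_clean_baseline": crc_check(good, {"MEMCHECK.EXE": COUPLED}),
        "crc_late_baseline": crc_check(late, {"MEMCHECK.EXE": COUPLED}),
        "crc_new_purchase": crc_check(good, {"NEWPROG.EXE": COUPLED}),
    }

if __name__ == "__main__":
    for case, result in run_cases().items():
        print(case, result)
```

CRC-32 catches accidental or naive modification but can be matched deliberately, so a present-day baseline would store a cryptographic hash such as SHA-256 instead.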
To demonstrate EDLAB-Protect(C), with EDLAB-Vaccine(C) code, memchk2
has EDLAB Vaccine embedded.
Attach the friendly A_Virus to memchk2 and run the infected program.
Sensational:
Imagine that all software producers used EDLAB Vaccine. It would spell
eradication of the PC virus. (Admitted: There must be a way around
EDLAB Vaccine, but we don't know it).
In fact: The coupler virus is one of the more sophisticated types and
actual auto detection is very complex. The simpler types, which are
patched into specific programs and then released, are also much simpler
to prevent.
Try to patch the protected memchk2 program (code).
For software pirates, patching the dongle protection, a serial number
or a company name is most interesting. To let you test your skill
in this area, memchk2 has a larger text area AND EDLAB Vaccine with
pirate patch prevention.
You could not patch memchk2 and still have it running! Well, this is one
more demonstration of the value of EDLAB Protect, which is a professional
program protection system, which incorporates EDLAB Vaccine.
memchk2.exo is your backup of memchk2.exe.
    ?\>copy memchk2.exo memchk2.exe
The above line restores memchk2.exe.
Now try to patch the UNprotected memcheck program (code). It has exactly the
same larger text area. Easy to patch (change). You can even eradicate the
EDLAB text entirely and make it look like your program. It still runs.
Would you believe that programs protected with EDLAB Vaccine are easier to
sell? I certainly would prefer programs that are born with embedded
protection.
In honesty: I would love all programs on compuserve to have EDLAB Vaccine
embedded. Then I would know that I can download them without PC virus
worries. A very nice AND possible thought.
EDLAB Vaccine can be incorporated into ANY source text, if the compiler
allows linking of binary code (*.OBJ).
A simple source text shows the call of the EDLAB Vaccine function.
Source text in PASCAL and C++.
Obtain our shareware version of EDLAB Vaccine from Compuserve
(See the last 2 pages in this document).
Other products from EDLAB:
>> EDLAB-Protect (Non shareware)
A software protection system for the elimination of software piracy
and PC Virus.
>> EDLAB-Protect Administration System (Non shareware)
A complete serial number and customer administration system for protected
software. Must be acquired to make SafeWare Production Modules.
>> SafeWare Production System with BMS (Business Management System)
Provides a software production facility enabling the production of
Protected software. (Non shareware)
>> EDLAB-SafeMark and AntiTheft
Monitors and audits software and hardware on PCs. Unique Fingerprint
facility adds software and hardware control, essential for larger
corporations and institutions.
>> EDLAB-Panorama: Corporate Safe PC Monitoring
Panorama is an add-on SafeMark module. It relies on information acquired
through SafeMark. It gives extensive 'At a Glance' graphic information
about corporate PCs. Multi user system.
>> Business Management System
General Accounts and administration for small to medium businesses.
Modularised for cost effective tailoring. Also available as multi user.
>> DBEDL
A database Viewer and Editor designed for database viewing and editing only.
>> DBSUPER, Professional
An advanced database program with Auto Guidance, Intelligent Help, Mimic,
Personal Commands, Automatic Screen Sensing, OOP, etc.
>> DBNSUPER (Non shareware)
A true multi user database for immediate multi user access. It has all the
qualities of DBSUPER plus multi user facility.
Standard license for 30 users.
>> CMDEDIT, Professional
A high quality application design tool in an ISO9000/BS5750 Design
Environment. Unique paste system reduces writing by a factor of 10 or more.
21" screen gives 4 times more information. Essential for serious application
programmers. Direct DOS interrupts with HELP eliminate the need for the IBM
technical manual.
>> CMDEDIT, Network Design (Non shareware)
All network commands included plus whatever CMDEDIT, Professional can do.
>> CMDEDIT Libraries (Non shareware)
Libraries assembled on request.
>> EDLAB-Phoneman/Business Appointment/Customer Contact Manager
A DBSUPER OOP application, modularised for cost effective Sales Office
Tailoring. Customer contact and sales tracking system with direct modem
access, phone bill calculation and EDLAB-PhoneMap. (Non shareware)
──────────────────────────────────────────────────────────────────────
Extract from the A_Virus source text:
{*************************************************************}
{                                                             }
{   Turbo Pascal Source file for Turbo Version 6.0.           }
{   GO_EN1 (A_Virus Anti Virus Software Tester).              }
{   Created for EDLAB AntiVirus Division for test purpose.    }
{                                                             }
{   Copyright (C) 1993 Karlius, dan and Guns.                 }
{                                                             }
{*************************************************************}
{$A+,B-,F+,I-}
{$M 4096,0,0}
program go_en1;                      (* Means good_one number 1 *)
uses
  dos ,
  crt ;
const
  bufsize     =1024*8;               (* Size of buffer file/graphics *)
  Location_ID :array(.1..8.) of char = ('O','f','S',' ','4','3','2','1');
  file_ofs    :longint=1024*30;      (* Offset into the linked file *)
  clklong     :^longint =ptr($0000,$046C); (* 4 byte longint in BIOS works.*)
  video_rows  :^byte =ptr($0000,$0484);    (* Number of lines - 1 *)
type
  buftype     =array(.1..bufsize.) of char;
var
  params      :string;
  fld         :dirstr;
  fln         :namestr;
  fle         :extstr;
  fbuf        :^buftype;             (* File copy buffer *)
  imgbuf      :^buftype;             (* Image ico buffer *)
  lin2buf     :^buftype;             (* vga line buffer *)
  fcon        :text;                 (* Standard output *)

function MEM_ALLOCATE(bytes :word) :word;   (* Get segment *)
var
  reg :registers;
begin
  REG.BX := (bytes div 16) + 1;
  REG.AH := $48;
.
.
.
.
.
    show_information_Linked;
  end;
end;

procedure execute_the_original_part_of_program_as_child;
begin
  (* --------- Isolate path for this program ------------ *)
  fsplit(fexpand(paramstr(0)),fld,fln,fle);
  fbuf:=ptr(MEM_ALLOCATE(1024*16),0);
  if fbuf = NIL then
  begin
    writeln(fcon,'Need more free memory!');
    halt(1);
  end;
  (* --------- Copy this program's original part -------- *)
  if fcopy(fexpand(paramstr(0)),fld+'$$$.EXE',file_ofs) then
  begin
    (* --------- Remove eventual old left over ------------ *)
    fdelete(fld+'$$$.DAT');
    (* --------- Hide this program ------------------------ *)
    frename(fexpand(paramstr(0)),fld+'$$$.DAT');
    (* --- Let 'original program have the original name --- *)
    frename(fld+'$$$.EXE',fexpand(paramstr(0)));
    (* --------- Let the virus show it is here ------------ *)
    show_virus_critter;        (* Make your own procedure if you wish *)
    if not MEM_DEALLOCATE(seg(fbuf^)) then
    begin
      writeln(fcon,'Error: Could not free memory!');
      halt(1);
    end;
    (* --------- Now call the 'original' program ---------- *)
    swapvectors;
    exec(fexpand(paramstr(0)),params);
    swapvectors;
    (* --------- Get back the virus version --------------- *)
    fdelete(fexpand(paramstr(0)));
    frename(fld+'$$$.DAT',fexpand(paramstr(0)));
    (* --------- All done --------------------------------- *)
    halt(exitcode);            (* Pass exit code from child to DOS *)
  end
  else
  begin
    (* --------- Remove failed copy ----------------------- *)
    fdelete(fld+'$$$.EXE');
    show_information_Linked;
    if not MEM_DEALLOCATE(seg(fbuf^)) then
    begin
      writeln(fcon,'Error: Could not free memory!');
      halt(1);
    end;
  end;
end;

begin (* GO_EN1 *)
  assign(fcon,'');             (* Assign fcon to standard output *)
  rewrite(fcon);
  Collect_Params;
  if pos('GO_EN1.EXE',paramstr(0)) > 0 then
  begin (* Unlinked version *)
    if pos('/SMIT',params) > 0 then
    begin
      fbuf:=ptr(MEM_ALLOCATE(1024*16),0);
      if fbuf = NIL then
      begin
        writeln(fcon,'Need more free memory!');
        halt(1);
      end;
      infect_program_with_A_Virus;
      if not MEM_DEALLOCATE(seg(fbuf^)) then
      begin
        writeln(fcon,'Error: Could not free memory!');
        halt(1);
      end;
    end
    else
    begin
      show_information_Unlinked;
    end;
  end (* Unlinked version *)
  else
  begin (* Linked version *)
    if pos('/INFO',params) > 0 then
    begin
      show_information_Linked;
    end
    else
    begin
      if pos('/FJERN',params) > 0 then
      begin
        fbuf:=ptr(MEM_ALLOCATE(1024*16),0);
        if fbuf = NIL then
        begin
          writeln(fcon,'Need more free memory!');
          halt(1);
        end;
        remove_virus_from_program;
        if not MEM_DEALLOCATE(seg(fbuf^)) then
        begin
          writeln(fcon,'Error: Could not free memory!');
          halt(1);
        end;
      end
      else
      begin
        execute_the_original_part_of_program_as_child;
      end;
    end;
  end; (* Linked version *)
  close(fcon);
end. (* GO_EN1 *)
How to order EDLAB Utility pack and other EDLAB products:
═════════════════════════════════════════════════════════
Register shareware:
Compuserve GO SWREG
Keyword: "EDLAB"
or Compuserve ID: 100315,1371
Registration benefits:
Register for any EDLAB package, and receive the enhanced
professional version, manual(s) and support.
════════════════════════════════════════════════════
EDLAB Shareware available:
"PC Audit/Control, EDLAB"
"Panorama-E for Managers, EDLAB"
"Graphic Menu System, EDLAB"
"Utility/Training, EDLAB"
"Pascal Utility Source texts, EDLAB"
"DBSUPER appl. source texts, EDLAB"
"Interactive DB3 database program, EDLAB DBSUPER."
"Interactive DB3 database viewer, EDLAB DBEDL."
"Business Management: Order module, EDLAB"
"Business Management: Invoice module, EDLAB"
"Business Management: Stock module, EDLAB"
"Business Management: Account module, EDLAB"
"Business Management: Order source text, EDLAB"
"Business Management: Invoice source text, EDLAB"
"Business Management: Stock source text, EDLAB"
"Business Management: Account source text, EDLAB"
+ much more (Search with keyword EDLAB)
Download our shareware from:
Compuserve GO IBMSYS
Keyword: "EDLAB"
or Compuserve ID: 100315,1371
and
Compuserve GO ZIFFNET, GO PBSAPPS
Keyword: "EDLAB"
or Compuserve ID: 100315,1371
EDLAB(tm) has produced high quality, professional programs since 1986,
for the Silicon Wafer ind., Automated machines, Public bodies etc.
__________________________________________________________________________
Also run the BAT files

AUDIT.BAT
    Explains the use of the programs
        EDLABINF.EXE
        EDLABAUD.EXE
- - -
EXAMPLE.BAT
    Examples of MEMCHECK and MEMCHK2 infected, disinfected, patched etc.
- - -
UTILUSE.BAT
    General EDLAB utility program use and explanation.
**** END ****