Text File | 1993-12-07 | 26KB | 462 lines
VALERT V2.0 is Copy(c)right 1989,1993 by Gary M. Raymond, New Orleans, La.
Continuously Monitors DOS Vector Tables for any signs of alteration.
Another powerful utility from the DiskSave Series by
Gary M. Raymond
P.O.Box 8184
New Orleans, La. 70182
(504) 288-6550
Compuserve 70613,3165
====================================================================
Files Provided:
VALERT.COM VALERT Utility
VALERT.DOC This document.
System requirements: PC/XT/AT, DOS 2.1 up, 128k+ ram, floppy
with hard drive, mono or color, any type graphic adapter.
NOTE: A Color monitor is recommended.
For technical information about this utility see end of doc.
====================================================================
Q What is VALERT?
A VALERT is a very small, powerful TSR utility, written in assembler,
whose purpose is to monitor the critical DOS Vector table and alert
the operator if changes occur. Should any application, for whatever
reasons, legitimate or not, take over any address on the vector
table, VALERT will alert you with a message on the screen.
Q What is a Vector Table?
A Many system program subroutines (called Interrupts) of DOS and BIOS
(the software and firmware components of your personal computer's
operating system) are located by calls to a special table of
addresses that are created as the operating system is initially
loaded. Because this table only "points" (like a vector) to the
location (addresses) of the actual code in higher memory, it is
called a Vector Table.
Q How does the Vector Table work?
A For either the computer hardware or the programmer's code to use an
interrupt service, it must first be called. This is accomplished with
the machine code hex instruction "CD" followed by a number that
ranges from 0 to 255 decimal. This hex number, following the CD, is
called the interrupt service number. Example: CD21 hex would invoke
the major DOS interrupt service 21 hex (which incidentally, has many,
many sub functions). However, the call merely uses the interrupt
"number" as a means of finding (or pointing to) the actual address of
the code it desires to run. The normal addressing system used by DOS
can require up to four bytes, usually consisting of a segment (two
bytes) and an offset (two more bytes). Since the total number of
possible services can range up to 256 decimal, with each requiring a
four byte address, the size of the vector table itself (that must
contain all of the addresses) becomes 256 x 4 (1024) bytes long. When
the cpu receives the instruction "CD21" it goes to location 21 x 4
(84 hex) in the table (which is 132 bytes up - 84 hex - from the zero
offset of the very beginning of RAM) to find the correct address of
the subroutine to jump to and begin executing. The processor knows
to multiply the service number times four automatically. This is the
simple gist of it. For additional information, you may order my
"Anyone Can Learn Assembler" complete home study tutorial for five
dollars.
Q When should I use VALERT?
A VALERT is basically a diagnostic and investigative tool. Its
primary job is to alert you when a program or a virus has hooked into
the DOS vector table. VALERT should be activated anytime you are
testing new and unfamiliar software. Or, whenever you are curious as
to what Interrupts any application might hook into.
Q Why would a virus hook into the vector table?
A A simple virus is a program similar to most other normal resident
programs. A resident program cannot run unless it has a way of
being activated. Since you would not purposely load or run a virus
program, it must have an automatic method of triggering or running
itself once it is lodged in memory. There are many ways it can do
this. Example: Anytime you hit a key, you cause Interrupt 9 to run
automatically so DOS can determine what key you hit. A virus could
replace the real address of Int 9 with its own address, then, when
you hit a key, check to see if a certain date has arrived; if it
has, it might destroy data on your hard drive, but if not, then it
would return control to the real Int 9 routine and keep waiting.
It can be that simple and it can be a lot more complicated.
Q How do you use VALERT?
A You invoke VALERT by typing its name at the command prompt. VALERT
can be loaded from any drive or directory as long as a DOS path
exists for the VALERT parent directory. If you are not sure, place
VALERT in your DOS directory. VALERT can be unhooked or disabled
in a similar fashion. Type VALERT 12345 (the default password) and
VALERT removes itself from memory.
Q Is VALERT safe to use?
A Absolutely! VALERT is a tiny passive TSR utility that does nothing
to alter your basic system operations in any way. It is
essentially invisible to either DOS or the active application and
will not noticeably slow any operation.
Q Tell me again what causes VALERT to activate?
A Before going resident, VALERT makes a second copy of the critical DOS
Vector Table, which is stored in low memory below BIOS. VALERT then goes
resident and begins to scan and compare the real vector table against
the copy. As long as the two tables compare identically, VALERT
remains silent. But if so much as one bit in one byte changes
anywhere in the vector table, VALERT will inform you with a center
screen message. This entire process is basically instantaneous.
Q How is VALERT effective in identifying a possible virus?
A Again, the majority of all simple viruses are in effect similar to
miniature TSR type programs themselves. The one major difference
between a normal program or TSR (which may legitimately hook into
Vectors and so trigger VALERT) and a virus is this: Once you disengage,
unhook, Exit or Quit the program, all Vectors should return to normal
and the VALERT message should quit changing colors. If the VALERT message
continues to change color, either the program was poorly written (the
author forgot to unhook the vectors - a sign of very sloppy coding)
or you have an active virus. Should a more advanced virus cleverly
overwrite a system subroutine in memory, rather than hook the Vector
Table, you will need another of my system tools called CIALERT along
with VALERT. CIALERT does a pre and post CRC comparison.
Q Is this a bullet-proof or fool-proof virus detection scheme?
A Unfortunately, no. There is really no such animal in my opinion.
But considering the huge size and slow speed of other scan type
virus detectors, VALERT is not too shabby by comparison. VALERT is
just another tool to use in your bag of tricks. VALERT is useless
if your system is already infected. VALERT is a prevention
utility.
Q What is the difference between VALERT and most virus SCAN utilities?
A Most scanners only work AFTER a new virus has been identified and
added to their scan lists. They are, unfortunately, generally useless
when scanning a newly released, and possibly infected,
"self-uncompressing in memory type" exe distribution file. In other
words, scanners basically work after the fact. VALERT can catch a
possible virus at the moment of infection when it is used correctly.
Q What are the real facts concerning the threat of pc viruses?
A For the thirteen years I have been programming, here is what I have
observed and am still observing. First, the virus problem, with
regard to IBM or clones, is nowhere near the scale you might be led
to believe based on the hype seen in the media. There are many, many
areas of the U.S. where viruses have yet to appear. Contrary to
the virus definitions used some years ago, the loose definition of a
virus today is any kind of code that can cause damage and replicate
itself. This could easily qualify a poorly written program (with a
lot of bugs) as a virus or trojan, but nevertheless, that's what
some experts are insisting.
Q Are you saying that virus precautions are a waste of time?
A No, not at all. A word being used more and more in the business of
personal computers is "when" rather than "will". Sooner or later, if
you stick with using personal computers long enough, you are going to
experience a virus. I see many reasons for it. First, there is the
explosion in PC sales that continues to rise almost exponentially
with every passing year. Second, there is a recent noticeable
parallel rise in computer literacy as technology begins to filter
down more to the end-user levels. Example: A clever person with
something as common as the latest release of PowerBasic or Pascal
could create a virus in less than an hour if they were motivated. And
third, the PC virus has become the nouveau substitute for "non violent"
protests and "disruption" among and by disgruntled employees,
competitors, associates, club members, anyone who feels slighted,
abused or bullied. The list of potential virus makers could include
anyone, anytime.
Q Where is a virus most likely to come from?
A Many lobby organizations that back the establishment software
industries (like the Software Publishers Association - the "don't
copy that floppy" group) would have you believe viruses come from
Bulletin Boards. Considering the very few cases ever linked directly
to Bulletin Boards, coupled with the 50,000 BBS'es now estimated to
be operating in the US alone, this is pure hysteria propaganda.
Shareware is costing the big software houses billions in lost sales
and they are simply not happy campers. You figure out the rest. You
are far more likely to get a virus-infected program by obtaining a
disk from an innocent (or otherwise) friend who wants to share a
program with you. I suggest testing all shareware programs that
come into your possession through the exchanging of disks with
friends (or strangers for that matter). Legally, you should not be
swapping commercial software. But, beware if you are! In my
opinion, the majority of all viruses are passed via non-licensed
copies of commercial products. Isn't it odd that in a perverse
sort of way, viruses are helping the big commercial software houses
stop piracy? Ever wonder why the shareware industry is more active
in the anti-virus utility business as compared to the big software
houses? Well, if there is a bottom line here, you had better be a
Boy Scout and... Be prepared!
Q I am told that a lot of normal applications hook into the vector
table; if so, would not these programs trigger VALERT?
A Yes, some applications will trigger VALERT, particularly DOS
management utilities. This can actually be useful inasmuch as it is
a good way to recognize that VALERT is actually working.
Q FALSE Alarms could be annoying; is there any way to prevent this?
A Yes, VALERT is NOT intended to be active at ALL times. This is why
it is designed with the ability to disable itself when you no longer
require its services. VALERT should be activated only when you are
going to load new or untried software for the first time. Or,
whenever you wish to explore the workings of existing software.
Activating VALERT is as simple as typing its name at the command
prompt (no matter where you or it is located).
Q What should I do if VALERT warns that a vector has been hooked
while trying new software?
A Right off, do not panic. Remember, some programs, particularly those
written in assembler, hook into vectors routinely. Directory Freedom
and Q-Edit (two common shareware programs) will trigger VALERT. Let
me repeat, the test is not simply that VALERT flashes its warning
message in changing colors, it's whether or not the color changes
stop or the warning message goes away AFTER you "Exit" or "unhook"
the program being tested. If the message FAILS to disappear or stop
changing color after you have "exited" or "unhooked" the program and
returned to DOS, this is the real WARNING! It means certain Vectors
are still hooked! Even then, should you have a possible virus, most
Viruses seldom do anything very quickly. You usually will have
adequate time to take counter measures. Additionally, you should look
for any signs of unusual or suspect activity. This could be your HD
or floppy light flashing when you would not expect it to. If your
intuition tells you something is wrong, hit the power switch. Remove
the program floppy disk from the drive and replace the program disk
with a known, good, virus free bootable floppy. Then reboot the
computer. If the suspect program was already copied to a hard drive,
simply go back and delete it. If a virus was infecting the program,
this process, 99.99% of the time, will rid your system of it.
Q Is there any kind of virus that could escape detection by VALERT?
A Anything is possible. VALERT is simply another tool in your arsenal
of virus defenses. If you are using two of my other DiskSave
utilities, BOOTSAVE and FATSAVE, along with VALERT, you are probably
100% safe. The most insidious of all viruses (and also the most
uncommon) usually try to take permanent residence in the boot sector
of the default hard drive. By using BOOTSAVE and BOOTBACK you can
restore the integrity of the boot code. Some types of virus might
ignore the vector table and overwrite the memory area where the
system interrupt subroutines themselves are located. In this case,
you will need CIALERT which does both a vector and crc integrity scan
of all os code in memory. CIALERT is only available to registered
users of VALERT.
Q How can I do a simple test of VALERT to ensure it is working?
A After following the instructions for correct installation, load any
TSR utility that you already use and are familiar with. Seconds after
going resident, VALERT should warn that vectors have been hooked.
Q Why should a company or individual use VALERT?
A There are many PRACTICAL reasons for using VALERT. It can aid in
the identification of virus-infected programs that might otherwise
escape your attention until it is too late. It is useful in
detecting whether or not normal application programs hook into DOS
or BIOS services for diagnostic purposes. Advanced V-Alert will
even tell you which vectors are affected and give the newly
substituted addresses on screen.
Q How is VALERT's unhook password determined?
A The shareware version of VALERT is preset with a password key of
"12345." After registration, we will provide you with the method for
changing the code to any five digits of your choice. Once you know
how to do it, a password change can be accomplished in less than five
seconds with the version of VALERT you already have!
Q How is the password changed?
A The password cannot be changed unless the operator knows the current
active password. This is generally enough security for most typical
environments. Instructions are provided with registration.
Q How much memory does VALERT require?
A Not even enough to be noticed (under two kbytes when resident).
Q Since VALERT is a TSR, could it interfere with any other TSR's?
A No. VALERT does not intercept the keyboard interrupt like most
ordinary TSR's. VALERT makes no DOS or BIOS calls. VALERT is not
dependent on the use of a hot key or any special DOS commands to
operate. VALERT does not care what TSR's are loaded as long as
VALERT is the LAST to load. More importantly, VALERT can unhook
cleanly and properly by restoring all memory it previously
occupied. Remember, you must always load VALERT as the last TSR,
for correct operation.
Q Can VALERT be compromised by a virus?
A If a virus is ALREADY in your system, VALERT can be compromised.
However, by the very nature of how VALERT works, it is indirectly a
virus PREVENTION mechanism. A computer virus cannot infect your
computer through the air. It must gain physical access. This is
almost always done by riding piggyback on a file you copy from an
infected diskette onto one of your mass storage devices. If you
can detect the virus immediately after transfer, your odds for saving
data improve dramatically. Although VALERT is not intended as an
anti-viral utility, it is probably one of the best defenses against
passing a virus to your system other than removing or disabling the
floppy drives from the cabinet of a work station.
--------------------------------------------------------------------
CHANGING PASSWORDS: VALERT has the unique ability to allow its
registered users to change passwords. To change the password, you
must be in the parent directory (the one where VALERT is located).
It takes less than a few seconds and is very easy to do. Information
on the procedure is provided if you decide to use the utility and
obtain registration.
--------------------------------------------------------------------
====================================================================
V2.0 12/8/93 First public release
====================================================================
[MEMBER - Society of Independent Shareware Authors logo]
This program is produced by a member of the Society of Independent
Shareware Authors (SISA). The Society wants to ensure that all valid
shareware principles actually work for you and SISA members. The
principle behind shareware distribution is simple: try before you
buy. Society members agree to license all shareware for a minimum of
10 days, free of charge, to first-time users as an evaluation
period. After 10 days, buyers are then obligated to license their
copy with the Society member. Society members are obligated to
provide high quality, useful shareware, but are free to choose
whatever marketing methods suit their specific needs. SISA-
sanctioned marketing methods include: demonstration versions;
providing printed documentation after purchase; registration keys
that unlock additional features not necessary to determine basic
usefulness; and providing bug fixes free of charge. Any Shareware
author may become a member of SISA without cost by simply agreeing
to the above conditions and displaying, at their option, this logo
in their documentation.
====================================================================
WARRANTY:
Software:
Gary Raymond warrants that the software contained herein will
perform in substantial compliance with the documentation
accompanying the software. If you report, in writing, a significant
defect to us, and we are unable to correct it within 90 days of the
date you report the defect, you may return the software and
accompanying materials, and we will refund the purchase price.
Diskettes and Documentation:
Gary Raymond warrants all diskettes and documentation to be free
of defects in materials for a period of 30 days from the date of
purchase. In the event of notification within the warranty period
of defects in any materials, Gary Raymond will replace the
defective diskette or documentation.
Remedies:
The remedy for breach of the warranty shall be limited to
replacement and shall not encompass any other damages, including but
not limited to loss of profit, special, incidental, consequential,
or similar damages, losses, or claims.
DISCLAIMER:
Gary Raymond specifically disclaims all other warranties, expressed
or implied, including but not limited to, implied warranties of
merchantability and fitness for a particular purpose with respect to
defects in the diskette and documentation, and the program license
granted herein, in particular, and without limiting operation of the
program license with respect to any particular application, use, or
purpose. In no event shall Gary Raymond be liable for any loss of
profit or any other commercial damage, including but not limited to
special, incidental, consequential or other damages.
GOVERNING LAW:
This statement shall be construed, interpreted, and governed by the
laws of the State of Louisiana.
====================================================================
Registering your copy will help continue the competitive advantages
of providing economical shareware. Upon receipt of your payment I
will provide you with a copy of the latest version and notify you of
all future upgrades. Your patronage is appreciated.
My no-nonsense license:
------------------------
Your one-time registration fee will license you to use VALERT on
any number of personal computers owned directly and personally by you
in any non-commercial environment.
Re-distribution via electronic transmission, or downloading, is
allowed without further permission. Re-distribution of the Shareware
version of VALERT, for a fee, is also allowed without further
permission as long as that cost is limited to no more than two
dollars per copy, if supplied on any physical disk media.
The assembler source code for VALERT.COM is available for sale at
$50 per copy. The source is based on the A86 assembler / compiler
but is generic enough to be compatible with most all assemblers
with very minor changes.
Yes Gary, I can really make use of your program and would like to
register and obtain the latest version as well as get on your mailing
list for future upgrades and new releases!
Product:
--------
VALERT V2.0 Private User License ........(USA only)........ $5.00
Registered users will receive A-VALERT. Advanced V-Alert will not
only warn when vectors are altered but will give the vector offset
number as well as the new subroutine's (ISR) address! For information
about commercial and/or multiple site licensing, contact the
undersigned.
Name_____________________________________________________________
Mailing Address__________________________________________________
City & State ___________________________________________________
ZIP _____________________________ Phone _________________________
Send registration check or money order to:
Gary M. Raymond
P.O.Box 8184
New Orleans, La. 70182
504-288-6550
Compuserve 70613,3165
====================================================================
TECH DATA:
This utility monitors the system Vector table in low memory starting
at segment 0000, offset 0000 through offset 03FF. VALERT hooks into
the timer of the cpu at the moment it goes resident. Then it begins
to compare the current or active vectors with the original table
which was previously copied into memory before going resident. The
vector table is 1024 bytes in length and is completely scanned in
less time than it takes to blink your eye, even on the older, low
speed PC's. VALERT uses no DOS or BIOS services itself. It uses
direct writes to video memory to inform the operator when a vector
has been hooked (overwritten). Since VALERT makes a copy of the
active Vector Table, any TSR utilities you normally use should be
loaded first, BEFORE VALERT reads and copies the table. Otherwise,
if VALERT is loaded first, it will give false warnings when you load
other TSR's behind it. The "V-ALERT: Vector Altered!" message will
continue to display (and change color) every few seconds as long as
the altered Vector remains changed. Once the Vector is restored, the
message will no longer change color and/or appear. The registered
version (A-VALERT) will additionally provide information on which
vectors were changed, as well as give you the SEG:OFF addresses of the
new or replaced vectors.
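The snapshot-and-compare check described above (both in the "what causes VALERT to activate" answer and in this TECH DATA section), shown here as an added illustration in C that is not VALERT's own code: it models the 1024-byte table as a buffer, keeps a copy taken before anything else changes, and on each check reports which INT entry differs together with the old and new SEG:OFF, the way the registered A-VALERT is described to. The handler addresses are constructed sample values, not real DOS or BIOS entries, and the ivt_* names are my own.

```c
/* Added example, not VALERT's own code: a VALERT-style snapshot-and-compare
   over a model of the real-mode interrupt vector table (256 entries x 4 bytes). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IVT_ENTRIES 256
#define IVT_BYTES   (IVT_ENTRIES * 4)   /* 0000:0000 through 0000:03FF */
typedef struct { uint8_t bytes[IVT_BYTES]; } ivt_t;

/* Table offset of INT n's entry: the CPU multiplies n by four (INT 21h -> 84h). */
static unsigned ivt_entry_offset(unsigned n) { return n * 4u; }

/* Each entry is a little-endian far pointer: offset word, then segment word. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | ((unsigned)p[1] << 8)); }
static uint16_t ivt_offset(const ivt_t *t, unsigned n)  { return rd16(t->bytes + ivt_entry_offset(n)); }
static uint16_t ivt_segment(const ivt_t *t, unsigned n) { return rd16(t->bytes + ivt_entry_offset(n) + 2); }

/* Store a handler address into an entry (what a TSR, or a virus, does to hook). */
static void ivt_set(ivt_t *t, unsigned n, uint16_t seg, uint16_t off) {
    uint8_t *p = t->bytes + ivt_entry_offset(n);
    p[0] = (uint8_t)off; p[1] = (uint8_t)(off >> 8);
    p[2] = (uint8_t)seg; p[3] = (uint8_t)(seg >> 8);
}

typedef struct {
    unsigned vector;              /* interrupt number whose entry changed */
    uint16_t old_seg, old_off;    /* address recorded in the snapshot */
    uint16_t new_seg, new_off;    /* address now in the live table */
} ivt_change_t;

/* The periodic check: compare the live table with the snapshot taken before going
   resident. Returns the number of altered vectors (0 means stay silent) and fills
   out[] with up to max of them, including the new SEG:OFF. */
static unsigned ivt_compare(const ivt_t *snap, const ivt_t *live,
                            ivt_change_t *out, unsigned max) {
    unsigned count = 0;
    for (unsigned n = 0; n < IVT_ENTRIES; n++) {
        unsigned at = ivt_entry_offset(n);
        if (memcmp(snap->bytes + at, live->bytes + at, 4) == 0)
            continue;             /* entry identical: nothing to report */
        if (count < max) {
            out[count].vector  = n;
            out[count].old_seg = ivt_segment(snap, n);
            out[count].old_off = ivt_offset(snap, n);
            out[count].new_seg = ivt_segment(live, n);
            out[count].new_off = ivt_offset(live, n);
        }
        count++;                  /* still counted when out[] is full */
    }
    return count;
}

int main(void) {
    ivt_t snap, live;
    ivt_change_t ch[8];
    memset(&snap, 0, sizeof snap);
    /* Constructed sample handler addresses, not real DOS/BIOS values. */
    ivt_set(&snap, 0x09, 0xF000, 0xE987);   /* keyboard */
    ivt_set(&snap, 0x21, 0x0116, 0x109E);   /* DOS services */
    live = snap;                            /* VALERT's copy matches at first */
    ivt_set(&live, 0x09, 0x9F00, 0x0100);   /* something loaded later hooks INT 9 */
    unsigned n = ivt_compare(&snap, &live, ch, 8);
    printf("V-ALERT: %u vector(s) altered\n", n);
    for (unsigned i = 0; i < n && i < 8; i++)
        printf("  INT %02Xh (table offset %04Xh): %04X:%04X -> %04X:%04X\n",
               ch[i].vector, ivt_entry_offset(ch[i].vector),
               ch[i].old_seg, ch[i].old_off, ch[i].new_seg, ch[i].new_off);
    return 0;
}
```

Because the comparison is byte-for-byte, a single-bit change in either word of an entry is reported, which matches the "so much as one bit in one byte" claim above.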
If for any reason you wish to validate that you have an unaltered
original copy of VALERT, call me during normal business hours (cst)
and I will give you the 32-bit CRC value, which you can then
compare against the output of PkZip or any other CRC generator. The CRC-32
value is automatically supplied with all registered versions.
ACKNOWLEDGEMENTS:
-----------------
To one of my best friends and machine code instructor, the Padre,
alias Machine Man, whose many patient hours of coaching and prodding
over the years helped me learn assembler so that I could create this
and many other useful DOS utilities. Also, to a handful of other
generous "Elmers of Assembler" whose contributions over the years
have helped make my hack more efficient and elegant. Thanks guys!