Text File | 1991-05-22 | 25KB | 465 lines
VKILLER Version 3.84 April, 1991
This Archive contains the most recent version of VKILLER, the virus
detect-and-kill utility for the Atari ST.
The program works in medium or high resolution, and is completely
mouse/icon driven. The program may also be controlled by the keyboard.
In this document, all the keyboard commands are indicated as capital
letters, but that is not mandatory. Lower case letters will provide the
same functions. In most cases, the first letter of the label under an
icon is the key that will accomplish the same function as a click on
the icon.

**** To Check Disks for Viruses ****

Click on the FLOPPY A icon, or press the "A" key, to check the disk in
drive A for a virus. Click on the FLOPPY B icon, or press the "B" key,
to check the disk in drive B for a virus. When you access a disk, the
program reads in the boot sector, both copies of the File Allocation
Table (FAT), the disk's root directory, and the first few data sectors.
The disk's boot sector will be checked to see if it is executable, and
if it matches any known patterns. If it is executable, a warning
message will be posted in the display window. If it matches the
patterns of some known boot sector utility, such as a resolution
setter, that fact will be illustrated by a box in the lower right
corner. If it matches the pattern of any known virus, that fact will be
indicated by a box in the lower right corner. To see more information
on any recognized virus, click on the box in the lower right corner, or
press the 'D' key for details.

**** Capturing Disk Data ****

Once you have accessed a disk to check it for a virus, you can write the
data from the disk into a file, print it, or show it on the screen.
To write the disk data into a file, click on the "FILE" icon, or press
the "F" key. A file selector will appear. Use it to designate the file
you wish to write. The resulting file is not executable, even if the
boot sector of the floppy was an executable one. It is a data file with
an image of the significant portions of the disk. It can be treated
like any data file, compressed by an archiving utility such as ARC or
LZH, copied, transmitted via electronic mail systems, printed, or
examined.
To print the data, click on the PRINT icon, or press the "P" key. An
alert box will appear. You may choose to print either the same data
that is available in the "SHOW" window, or only the data from the boot
sector. The amount of data captured from the disk varies, depending
upon the disk's configuration. For a typical ST disk, it will usually
be about 20 sectors, or slightly over 20,000 bytes. The boot sector
alone is 512 bytes.
To show the data on the screen, click on the SHOW icon, or press the
"S" key. The window will expand to nearly the full screen, and display
all the data read from the disk. Use the window's scroll bar to move
back and forth through the data. Close the data window, by clicking on
the close box, to return to the main screen. Pressing any of the active
keyboard keys will also close the data window and return to the main
screen.

**** Disk Basics ****

The boot sector of a normal ST disk is 512 bytes. Only a small portion
of this, about 30 bytes, is required to provide data to the ST. Those
initial data bytes contain the disk's formatting characteristics,
telling the ST's operating system how many tracks the disk has, how
many sides are used, how many sectors are on each track, and how much
of the disk is being used for the directory and the File Allocation
Table. The rest of the boot sector is not used unless the disk is "self
booting". In this case, normally found only on games, the boot sector
is "executable", and the normally unused portion of the boot sector
contains a small program. This program will be executed automatically
when the ST is powered on, or reset, and the disk with the executable
boot sector is in drive A. This is true even if your ST is configured
to automatically boot up from a hard disk. The boot sector of a disk in
drive A will still be checked to see if it is executable, and will be
executed if it is. Executable boot sectors, therefore, are the primary
method used by viruses to spread, and be run by unsuspecting ST owners.
If the boot sector is not executable, the space after the configuration
data is unused. While whatever is there is not normally important,
there is one virus which utilizes an obscure system characteristic to
hide in the boot sector, and not make the disk "executable". To be
safe, the unused portions of the boot sector of any non-executable
disk should be set to zeroes. Some formatting programs do this, while
others do not. The ST desktop, for example, does not set the unused
portion of the boot sector to zero.
The boot sector also contains a serial number. That number is used by
the ST's operating system to determine when one disk has been removed,
and a different disk inserted. If a change is made between two disks
which have the same serial number, however, the ST does not believe
that there has been a disk change made. That usually results in the
destruction of the second disk, when the data written to it aligns with
the file structure of the removed disk. There are viruses which write
the same serial number to different disks, resulting in such
destruction. There is a similar problem using disks formatted by an
MS-DOS system. The serial number is not used by MS-DOS. Instead, MS-DOS
writes the version number in the space used for the serial number. This
results in all disks formatted on MS-DOS systems appearing to have the
same serial number, and becoming corrupted when they are used in an ST.
To warn of this possibility, VKILLER checks the serial number field. It
always displays the disk's serial number in the data window. If the
field contains printable characters, they are posted after the serial
number, in parentheses. If you find the same serial number on more than
one disk, you can use VKILLER's Repair facility to renumber the disk,
without altering the disk's contents in any other way.
The directory contains the names of any sub-directories (or "folders")
which are accessible from the main directory. Those sub-directories may
contain more subdirectories, and files. There may also be files in the
main directory. The directory size is specified when the disk is
formatted. The standard size for an ST directory is seven disk sectors,
large enough to hold 112 files or sub-directories. Few disks contain
that many files or folders in the main directory, so there is usually
some amount of unused space beyond the last entry in the directory.
There are viruses that will attempt to hide themselves in the end of
the directory. There is one that will place itself in the last two
sectors of the directory, whether that portion of the directory
contained entries or not. If that virus infects a disk which was using
the last two sectors of the directory, any file or directory which was
there will be lost.
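
The boot-sector checks described above can be reproduced on a disk image with a short script. This is an added example, not VKILLER's own code: it assumes the standard ST boot-sector layout (serial number in bytes 8-10, configuration fields from offset 0x0B, a sector being executable when its 256 big-endian words sum to 0x1234), none of which is stated in this document. The function names and the sample sectors are constructed for illustration.

```python
import struct

BOOT_MAGIC = 0x1234   # a sector is executable when its 256 big-endian words sum to this
CONFIG_END = 0x1E     # the configuration data ends here; the rest is boot code or unused

def analyze_boot_sector(sector: bytes) -> dict:
    """Report the boot-sector properties discussed above for one 512-byte sector."""
    if len(sector) != 512:
        raise ValueError("boot sector must be exactly 512 bytes")
    executable = (sum(struct.unpack(">256H", sector)) & 0xFFFF) == BOOT_MAGIC
    serial = sector[8:11]                              # 24-bit serial number field
    bps, = struct.unpack_from("<H", sector, 0x0B)      # bytes per sector
    ndirs, = struct.unpack_from("<H", sector, 0x11)    # root directory entries
    printable = all(0x20 <= b < 0x7F for b in serial)  # typical of MS-DOS formatted disks
    return {
        "executable": executable,
        "serial": serial.hex(),
        "serial_text": serial.decode("ascii") if printable else None,
        # Leftover bytes in a non-executable sector are what the text advises zeroing.
        "needs_zeroing": not executable and any(sector[CONFIG_END:]),
        "dir_sectors": -(-ndirs * 32 // bps) if bps else None,   # 32 bytes per entry
    }

def shared_serials(disks: dict) -> dict:
    """Map each serial number found on more than one disk to the disk labels using it."""
    by_serial = {}
    for label, sector in disks.items():
        by_serial.setdefault(analyze_boot_sector(sector)["serial"], []).append(label)
    return {s: names for s, names in by_serial.items() if len(names) > 1}

def build_sample(filler: bytes, serial: bytes, tail: bytes = b"", executable: bool = False) -> bytes:
    """Constructed sector with typical single-sided ST values; not data from a real disk."""
    s = bytearray(512)
    s[2:8], s[8:11] = filler, serial
    # BPS, SPC, RES, NFATS, NDIRS, NSECTS, MEDIA, SPF, SPT, NSIDES
    struct.pack_into("<HBHBHHBHHH", s, 0x0B, 512, 2, 1, 2, 112, 720, 0xF8, 5, 9, 1)
    s[CONFIG_END:CONFIG_END + len(tail)] = tail
    if executable:   # patch the last word so the checksum reaches BOOT_MAGIC
        partial = sum(struct.unpack(">255H", bytes(s[:510]))) & 0xFFFF
        struct.pack_into(">H", s, 510, (BOOT_MAGIC - partial) & 0xFFFF)
    return bytes(s)

SAMPLES = {   # constructed inputs, keyed by a made-up disk label
    "st_clean": build_sample(b"Loader", b"\x12\x34\x56"),
    "st_residue": build_sample(b"Loader", b"\x12\x34\x56", tail=b"\xaa\x55"),
    "dos_a": build_sample(b"\x90MSDOS", b"5.0"),
    "dos_b": build_sample(b"\x90MSDOS", b"5.0"),
    "self_boot": build_sample(b"Loader", b"\x00\x00\x01", tail=b"\x4e\x75", executable=True),
}
```

Calling shared_serials(SAMPLES) reports the two constructed MS-DOS style disks under one serial, since both carry the tail of the same OEM name in the serial field.
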
All files, and sub-directories, rely upon the File Allocation Table to
be accessible. The File Allocation Table, or FAT, is a map of where
each file and sub-directory is recorded on the disk. The ST's operating
system relies upon the FAT to locate the proper portions of the disk in
order to read and write the sub-directories and files. The FAT,
therefore, is absolutely critical in using the disk. So critical, in
fact, that the ST's operating system normally writes two copies of the
FAT on the disk. That way, in case of an error in reading or writing
the first copy, the second copy may allow the data on the disk to be
recovered. The critical nature of the FAT also makes it a prime target
for virus attacks. Erasing the FAT usually results in the loss of all
files on a disk.
The size of the Directory and FATs may vary from disk to disk. The size
of the FAT must be large enough to record the layout of every portion
of the disk. The normal size of one copy of the FAT on an ST disk is
five sectors. This is more space than is n