Text File | 1992-06-24 | 17KB | 496 lines
CLEAN-UP Version 8.6V93
Copyright (C) 1990 - 1992 by McAfee Associates.
All rights reserved.
Documentation by Aryeh Goretsky.
McAfee Associates                 (408) 988-3832 office
3350 Scott Blvd., Bldg. 14        (408) 970-9727 fax
Santa Clara, CA 95054-3107        (408) 988-4004 BBS (32 lines)
U.S.A                             USR HST/v.32/v.42bis/MNP 1-5
                                  CompuServe GO VIRUSFORUM
                                  InterNet mcafee@netcom.com
TABLE OF CONTENTS:
SYNOPSIS
    - What is CLEAN-UP?
    - System Requirements
AUTHENTICITY
    - Verifying the integrity of CLEAN-UP
WHAT'S NEW
    - New features and viruses added in this release
OVERVIEW
    - General description of CLEAN-UP
OPERATION and OPTIONS
    - How to use CLEAN-UP, detailed explanation of switches
EXAMPLES
    - Samples of frequently-used options
REGISTRATION
    - How to register CLEAN-UP
TECH SUPPORT
    - Information to have ready when calling for tech support
SYNOPSIS
CLEAN-UP (CLEAN) is a virus disinfection program for IBM PC
and compatible computers. CLEAN searches through the partition
table, boot sector, or files of a PC to remove viruses specified
by the user. In most instances CLEAN repairs infected areas
of the system, restoring them to their pre-infected state. CLEAN
eradicates all viruses identified by the current version of
VIRUSCAN (SCAN). CLEAN will also remove unknown (new) viruses
from .COM and .EXE files, the partition table, and boot sector
using recovery information stored by the VIRUSCAN program [See
the VIRUSCAN documentation for more details].
CLEAN runs on any PC with 320Kb and DOS 2.00 or above.
AUTHENTICITY
CLEAN performs a self-test when run. If CLEAN has been
modified in any way, a warning will be displayed. However,
CLEAN is still able to remove viruses. If CLEAN reports that
it has been damaged, a new, clean copy should be obtained.
CLEAN is packaged with VALIDATE, a program that checks
the integrity of the CLEAN.EXE file. The VALIDATE.DOC file
describes its usage. The VALIDATE program distributed with
CLEAN may be used to check subsequent versions.
The validation results for Version 8.6V93 should be:
    FILE NAME: CLEAN.EXE
    SIZE: 96,606
    DATE: 06-24-1992
    FILE AUTHENTICATION
        Check Method 1: C830
        Check Method 2: 06EA
If your copy of CLEAN.EXE differs, it may have been modified.
Always obtain CLEAN from a known source. The latest version of
CLEAN and validation data can be obtained from McAfee
Associates' bulletin board system at (408) 988-4004 or from the
Computer Virus Help Forum on CompuServe (GO VIRUSFORUM).
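The comparison described above can be scripted. This is an added example, not McAfee's code: it assumes VALIDATE's output has been captured as text in the "Label: value" layout shown above, and the helper names and the tampered sample are constructed for illustration. A missing field counts as a mismatch, so a truncated report fails closed.

```python
import re

# Values this documentation publishes for CLEAN.EXE, Version 8.6V93.
PUBLISHED = {
    "FILE NAME": "CLEAN.EXE",
    "SIZE": "96606",
    "DATE": "06-24-1992",
    "CHECK METHOD 1": "C830",
    "CHECK METHOD 2": "06EA",
}

def parse_report(text):
    """Collect 'Label: value' lines, normalising case, spacing and thousands commas."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9 ]+?)\s*:\s*(\S.*?)\s*$", line)
        if m:
            label = " ".join(m.group(1).upper().split())
            fields[label] = m.group(2).replace(",", "").upper()
    return fields

def mismatches(report_text, published=PUBLISHED):
    """Map each label that is missing or different to (expected, reported)."""
    got = parse_report(report_text)
    return {k: (v, got.get(k)) for k, v in published.items() if got.get(k) != v}

# Constructed sample: a report in the page's layout whose size and both
# check values differ from the published ones.
TAMPERED = """FILE NAME: CLEAN.EXE
SIZE: 97,118
DATE: 06-24-1992
FILE AUTHENTICATION
Check Method 1: 5D17
Check Method 2: 1B2F
"""

if __name__ == "__main__":
    for label, (want, got) in mismatches(TAMPERED).items():
        print(f"MISMATCH {label}: expected {want}, reported {got}")
```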
Beginning with Version 72, all McAfee Associates programs
are archived with PKWare's PKZIP Authentic File Verification.
Unless you see both the "-AV" message after every file is
unzipped and the "Authentic Files Verified! # NWN405 Zip Source:
McAFEE ASSOCIATES" message when you unzip the files, do not
use them. If your version of PKUNZIP does not have verification
ability, this message may not be displayed. Please contact
McAfee Associates if you think the .ZIP file has been damaged.
WHAT'S NEW
Version 93 replaces Version 91, which generated false
alarms with some of the Vx Virus [Fx] generic strings in files
written with MBP COBOL. V92 was skipped due to a Trojan horse
of SCAN that appeared in New York.
Version 91B of CLEAN fixes a bug with cleaning viruses from
network drives, and adds a remover for the Multi-2 virus.
Version 90 of CLEAN added the 696, 1339 and Troi viruses to
the list of viruses that can be disinfected by CLEAN.
One new option has been added, the /GRF option. When CLEAN
is run with this switch, it removes nonspecific (new or unknown)
viruses using recovery information stored by the VIRUSCAN program
in a separate file.
Please refer to the enclosed VIRLIST.TXT file for a short
description of the new viruses. For more detailed descriptions,
please refer to Patricia Hoffman's virus summary listing (VSUM).
OVERVIEW
CLEAN searches the system for viruses to remove. When an
infected file is found, CLEAN isolates and removes the virus and
in most cases repairs the infected file and restores it to
normal operation. If the file is infected with an uncommon
virus, CLEAN displays a warning message asking whether to
overwrite and delete the infected file. Erased files are
non-recoverable.
Before running CLEAN, verify the infection with VIRUSCAN.
SCAN will locate and identify the virus and provide the I.D.
code used by CLEAN. The I.D. is displayed inside the square
brackets, "[" and "]." For example, the I.D. code for the
Jerusalem virus is displayed as "[Jeru]". This I.D. must
be used with CLEAN to remove the virus. The square brackets
"[" and "]" MUST be included.
If SCAN finds an unknown virus in a file that has had
validation or recovery data stored for it, it will warn that an
infection has occurred. It will not, however, display an I.D.
code.
NOTE: When CLEAN is run with the /GENERIC or /GRF options
to disinfect files or system areas based on recovery
information stored by SCAN, no I.D. code should be
used.
Please refer to the VIRUSCAN documentation for instructions
on adding recovery information to your system.
The common viruses that CLEAN-UP is able to remove while
repairing and restoring the infected programs or system areas
are:
    555                 696                 730                 748
    855                 1008                1024                1139
    1241                1253                1339                1554
    1575*+              1992                2560                4096*+
    Air Cop*            Alabama+            Alameda             Antitelefonica
    Azusa               Beeper              Black Monday+       Bloody!
    Boys                Cascade*+           Curse               Dark Avenger*+
    DataLock+           December 28+        Devil's Dance       Dir-2
    Disk Killer*        EDV*                Empire*             Enigma
    Fellowship+         Filler              Fish+               Flash
    Flip*+              Form                Generic Boot        Generic MBR
    Ghost               Haifa               Holocausto          Invader*+
    Jerusalem*+         Joshi               KeyPress*+          Korea*
    Lazy                Lehigh              Liberty+            Lisbon*
    Loa Duong           M128                Maltese Amoeba      Mardi Bro.'s
    Michelangelo        Mosquito            Multi-2             Murphy*+
    Music Bug           Nomenclature        Pakistani Brain*    Perfume
    Ping Pong*          Plastique*+         Possessed           Print Screen-2*
    R-11+               SBC                 Slayer              Slow+
    Stoned*             Striker+            Sunday+             Sunday2+
    SVC+                Taiwan 3+           Taiwan 4+           Tequila
    Tokyo               Topo                Traceback/3066      Troi
    Typo Boot           V800                V-801               VACSINA*+
    Vienna*             Violator*+          Whale*+             Yankee Doodle*+
    ZeroBug
*Denotes virus with more than one strain
+Denotes virus which attaches to overlays
AN IMPORTANT NOTE ABOUT .EXE FILES: Some viruses infecting .EXE
files may not be removed successfully if the .EXE loads itself
as an internal overlay. Instead of attaching to the end of the
.EXE file, the virus may attach to the beginning of the overlay
area, and corrupt the program. CLEAN will truncate files
infected in this manner. If a file no longer runs after being
cleaned, replace it from the manufacturer's original disk or
virus-free backups.
AN IMPORTANT NOTE ABOUT PARTITION TABLE VIRUSES (e.g., Stoned):
Removing a partition table-infecting virus like Stoned
can cause loss of the partition table on systems partitioned
with programs other than DOS, e.g., Disk Manager or SpeedStor.
As a precaution, back up all critical data before running CLEAN.
Loss of the partition table can result in the LOSS OF ALL DATA
ON THE DISK.
OPERATION and OPTIONS
IMPORTANT NOTE: TURN OFF YOUR PC AND BOOT FROM A CLEAN DOS
SYSTEM-BOOTABLE DISK BEFORE BEGINNING. RUN
CLEAN FROM A WRITE-PROTECTED DISK TO PREVENT
INFECTION OF THE CLEAN.EXE PROGRAM FILE.
Power down the infected system and boot from a clean,
write-protected system-bootable diskette. This ensures that the
virus is not in system memory and prevents reinfection. After
cleaning, power down the PC, boot from the system disk, and run
VIRUSCAN to ensure the system has been successfully disinfected.
After cleaning the hard disk, copy the SCAN and CLEAN programs
onto it and check all floppy disks that have been in
contact with the system.
CLEAN displays the name of infected files or system areas,
the virus found, and reports a "successful" disinfection for
each virus removed. If a file has multiple infections, CLEAN
will report the virus has been removed successfully for each
infection.
Select valid options for CLEAN-UP from the list below:
    CLEAN d1: ... d26: [virus I.D.] /A /E .xxx .yyy .zzz /FR
          /GENERIC /GRF filename /MAINT /MANY /M
          /NOEXPIRE /NOPAUSE /REPORT d:filename /SP
          /UNATTEND
Options are:
    /A                - Check all files for viruses
    /E .xxx .yyy .zzz - Clean overlay extensions .xxx .yyy .zzz
    /FR               - Display messages in French
    /GENERIC          - Clean unknown viruses
                        (see below for specifics)
    /GRF filename     - Clean unknown viruses using recovery
                        data file
    /MAINT            - Clean "invalid media" error (damaged)
                        disk
    /MANY             - Check multiple floppies
    /NOEXPIRE         - Do not display expiration notice
    /NOPAUSE          - Disable screen prompting
    /REPORT filename  - Create report of cleaned files
    /SP               - Display messages in Spanish
    d1: ... d26:      - indicate drives to be cleaned
    [virus I.D.]      - Virus identification code provided by
                        SCAN when a virus is detected (See the
                        VIRLIST.TXT file for a complete list.)
    NOTE: The square brackets "[" and "]" are required.
The /A option checks all files on the disk. This should
be used only if a file-infecting virus is detected. This option
takes priority over the /E option.
The /E option allows the user to specify an extension or
set of extensions to clean. Extensions should include a period
"." and each extension must be separated by a space. Up to
three extensions may be added with the /E. If more extensions
are required, use the /A option instead.
The /FR option tells CLEAN to display all messages in
French. This option cannot be used with the /SP (Spanish)
option.
The /GENERIC option is used to clean files or system areas
that have been infected with a new (unknown) virus. For
/GENERIC to work, recovery information must have been stored
prior to infection by VIRUSCAN's /AG option. No virus I.D. code
is required when using the /GENERIC switch.
The /GRF option is used to clean files or system areas that
have been infected by a new (unknown) virus. For /GRF to work,
recovery data and validation codes must have been saved by
VIRUSCAN's /AF option. The syntax is /GRF filename, where
"filename" is the drive, path and name of the recovery file used.
When using the /GRF option, no virus I.D. code is required for
CLEAN.
The /MAINT option is used to clean hard disks partitioned
with MS-DOS 4.0 or above that have been damaged by a boot sector
or partition table virus. Disks damaged in this manner give an
"invalid media" message whenever accessed. The /MAINT option
cleans the partition table and boot sector only.
The /MANY option is used to clean multiple floppy disks.
If you have more than one floppy disk to check for viruses, the
/MANY option allows you to check them without running CLEAN
multiple times.
The /NOEXPIRE option disables the message that CLEAN
displays after seven months, warning that it may no longer
be current with respect to known viruses.
The /NOPAUSE option disables the "More? (H = Help)" prompt
displayed when CLEAN fills a screen with messages. This
allows CLEAN to be run on PCs with severe infections sans
operator assistance.
The /REPORT option saves a list of infected files to
disk in ASCII text format. If a report exists, it will be
overwritten with the new report. The syntax is /REPORT filename
where "filename" is the drive, path and name for the report
file.
The /SP option tells CLEAN to display all messages in
Spanish. This option cannot be used with the /FR (French)
option.
EXAMPLES
The following examples show different option settings:
    CLEAN C: D: E: [JERU] /A
        To remove the Jerusalem virus from drives C:, D:, and
        E:, searching all files for the virus
    CLEAN A: [STONED]
        To remove the Stoned virus from the disk in drive A:
    CLEAN C:\MORGAN [DAV] /A
        To remove the Dark Avenger virus from subdirectory
        MORGAN on drive C:, searching all files for the virus
    CLEAN B: [DOODLE] /REPORT C:YNKINFCT.TXT
        To remove the Yankee Doodle virus from drive B: and
        create a report named YNKINFCT.TXT on drive C:
    CLEAN C: /GENERIC
        To remove an unknown virus from drive C: using
        recovery data stored by SCAN's /AG option.
    CLEAN C: D: /GRF A:\SCANCRC.CRC
        To remove an unknown virus from drives C: and D: using
        recovery data stored by SCAN's /AF option.
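The usage rules stated in the option descriptions above can be checked before CLEAN is run from a batch file. This is an added example, not part of CLEAN or the original documentation: lint_clean is a hypothetical helper, and leaving /MAINT out of the "I.D. required" rule is an assumption, since the page does not say whether /MAINT needs one.

```python
# Switches named in the CLEAN 8.6V93 syntax summary on this page.
KNOWN = {"/A", "/E", "/FR", "/GENERIC", "/GRF", "/MAINT", "/MANY", "/M",
         "/NOEXPIRE", "/NOPAUSE", "/REPORT", "/SP", "/UNATTEND"}
TAKES_FILE = {"/GRF", "/REPORT"}  # documented as "/GRF filename", "/REPORT filename"

def lint_clean(cmdline):
    """Return notes on documented usage rules a CLEAN command line breaks."""
    tokens = cmdline.split()
    if tokens and tokens[0].upper() in ("CLEAN", "CLEAN.EXE"):
        tokens = tokens[1:]
    ids, exts, opts, problems = [], [], set(), []
    i = 0
    while i < len(tokens):
        tok, up = tokens[i], tokens[i].upper()
        i += 1
        if up in TAKES_FILE:
            opts.add(up)
            if i < len(tokens) and not tokens[i].startswith(("/", "[")):
                i += 1  # consume the filename so "C:REPORT.TXT" is not read as a drive
            else:
                problems.append(f"{up} needs a filename")
        elif up == "/E":
            opts.add(up)
            while i < len(tokens) and tokens[i].startswith("."):
                exts.append(tokens[i])
                i += 1
        elif up.startswith("/"):
            opts.add(up)
            if up not in KNOWN:
                problems.append(f"unknown option {tok}")
        elif tok.startswith("[") and tok.endswith("]") and len(tok) > 2:
            ids.append(tok)
        elif not (tok[0].isalpha() and tok[1:2] == ":"):  # not a drive or path either
            problems.append(f"unexpected {tok!r}: I.D. needs [ ], extension needs '.'")
    generic = opts & {"/GENERIC", "/GRF"}
    if generic and ids:
        problems.append("no virus I.D. with /GENERIC or /GRF")
    # Assumption: /MAINT is exempt here; the page does not say if it needs an I.D.
    if not generic and not ids and "/MAINT" not in opts:
        problems.append("virus I.D. in [brackets] required")
    if {"/FR", "/SP"} <= opts:
        problems.append("/FR and /SP cannot be combined")
    if "/E" in opts and not 1 <= len(exts) <= 3:
        problems.append("/E takes one to three extensions")
    if {"/A", "/E"} <= opts:
        problems.append("/E is ignored: /A takes priority")
    return problems
```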
REGISTRATION
A registration fee of US$35.00 is required for the use of
CLEAN-UP by individual home users. Registration entitles the
holder to unlimited free upgrades from McAfee Associates' BBS
or the Computer Virus Help Forum on CompuServe and technical
support for one year. When registering, a diskette containing
the latest version may be requested for an additional US$9.00.
Only one diskette mailing will be made.
Registration is for home users only and does not apply to
businesses, corporations, organizations, government agencies, or
schools, which must obtain a license for use. Contact McAfee
Associates directly or an Authorized Agent for more information.
TECH SUPPORT
For fast and accurate help, please have the following
information ready when you contact McAfee Associates:
- Program name and version number.
- Type and brand of computer, hard disk, plus any
peripherals.
- Version of DOS plus any TSRs or device drivers in use.
- Printouts of your AUTOEXEC.BAT and CONFIG.SYS files.
- A printout of what is in memory from the MEM command
(DOS 4 and above users only) or a similar utility.
- The exact problem you are having. Please be as
specific as possible. Having a printout of the
screen and/or being at your computer will be helpful.
McAfee Associates can be contacted by BBS, CompuServe, FAX, or
InterNet 24 hours a day, or by telephone at (408) 988-3832,
Monday through Friday, 7:00AM to 5:30PM Pacific Time.
McAfee Associates                 (408) 988-3832 office
3350 Scott Blvd. Bldg. 14         (408) 970-9727 fax
Santa Clara, CA 95054-3107        (408) 988-4004 BBS (32 lines)
U.S.A                             USR HST/v.32/v.42bis/MNP 1-5
                                  CompuServe GO VIRUSFORUM
                                  Internet mcafee@netcom.com
If you are overseas, there may be an Authorized McAfee Associates
Agent in your area. Please refer to the AGENTS.TXT file for a
listing of McAfee Associates Agents for support or sales.