home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
The Business Master (3rd Edition)
/
The Business Master (3rd Edition).iso
/
files
/
virution
/
fsp17
/
fsp.txt
< prev
next >
Wrap
Text File
|
1989-08-29
|
103KB
|
2,585 lines
FLU_SHOT+, Version 1.7
A Form of Protection from
Viral and Trojan Programs
by
Ross M. Greenberg
and
Software Concepts Design
594 Third Avenue
New York, New York 10016
BBS:(212)-889-6438 1200|2400|N/8/1
Member of the Association of Shareware Professionals
FLU_SHOT+ is a trademark of Software Concepts Design.
Copyright (C), 1988, 1989 by Software Concepts Design.
All Rights Reserved.
Not for Commercial Distribution without written permission by the
copyright holder. Noncommercial copying of this software and this
documentation is encouraged. Commercial Distribution is easily
defined: if you distribute this software, or the enclosed
documentation, for more than your cost of such distribution, then
you're a Commercial Distributor and require our written
permission. Not-for-profit organizations and computer user
groups, and their bulletin board systems (if any) are
specifically *not* considered commercial distributors.
By your using this software, you agree to the terms herein.
Specifically, that you do not have the right to copy this
software except as outlined above, and that you are granted a
license to use this software only by registering this software as
mentioned elsewhere in this document.
You also agree, and signify that agreement by using this
software, that Software Concepts Design and Ross M. Greenberg
will not be held liable for any reason for any cost you may
incur, or any potential income you might lose as a result of
using this software. Finally, this software is provided "AS IS",
meaning that what you see is what you get. If you use this
software and a tree falls on your house, or your spouse leaves
you for someone younger and more virile, please do not bother
having your lawyer call -- it isn't the fault of the software, no
matter what the lawyer tries to convince you! Maybe lawyers
should all work on a shareware basis: they only get paid if
you're satisfied with their work? One can dream....
Software Concepts Design can be reached by the following means
*by*registered*users* of FLU_SHOT+:
Telephone: Monday-Friday, 9am - 5pm (EST): 212-889-6431
RamNet BBS: 212-889-6438
MCI: 'greenber'
BIX: 'greenber'
CompuServe: [72461, 3212]
UseNet: ...uunet!utoday!greenber, greenber@utoday.uunet
Table of Contents
I. Introduction
a. What is a Trojan.....................................1
b. What is a Virus......................................4
c. The Challenge to the Worm............................6
II. About the FLUSHOT Series
a. A Brief History......................................8
b. FLU_SHOT+ Features and Enhancements..................9
c. Registering FLU_SHOT+................................10
d. Site Licensing of FLU_SHOT+..........................10
III. Using FLU_SHOT+
a. Down and Dirty Installation: Step-By-Step............12
b. The FLUSHOT.DAT file.................................14
1. Protecting files from Write Access..............15
2. Protecting files from Read Access...............15
3. Excluding files.................................15
4. Checksumming files..............................16
5. Registering a TSR program.......................17
6. Restricted Access...............................17
7. Protecting the FLUSHOT.DAT file.................18
8. Protection Recommendations......................18
9. Allowing "dangerous" programs to run............19
10. Protecting your Boot Track......................19
c. Running FLU_SHOT+....................................20
1. Checksumming the in-memory table................20
2. Intercepting Direct Disk Writes Through INT13...21
3. What about INT26................................21
4. Turning off the header message..................21
5. Disabling Triggering on Open With Write Access..21
6. Changing the Trigger Window Attributes..........21
7. Allowing trusted TSR's to work..................23
8. Disabling FLU_SHOT+.............................23
9. Disabling FLU_SHOT+ Toggle Display..............24
10. Forcing FLU_SHOT+ to only use the BIOS..........24
10. Defining the "Special" Keys.....................25
11. Putting FLU_SHOT+ to sleep when run.............25
IV. Interpreting a FLU_SHOT+ Trigger..........................26
V. How Good is FLUSHOT+, Really?.............................30
VI. Reward Offered............................................31
VII. Appendices
Appendix A: Common Questions and Their Answers...........33
Appendix B: How Does A Virus Work?.......................38
Introduction
What is a Trojan?
=================
Back in the good old days (before there were computers), there
was this bunch of soldiers who had no chance of beating a
superior force or of even making it into their fortress. They
had this nifty idea: present the other side with a gift. Once
the gift had been accepted, soldiers hiding within the gift would
sneak out and overtake the enemy from within.
We can only think of the intellectual giants of the day who would
accept a gift large enough to house enemy soldiers without
checking its contents. Obviously, they had little opportunity to
watch old WWII movies to see the same device used over and over
again. They probably wouldn't have appreciated Hogan's Heroes
anyway. No color TV's -- or at least not ones with reliable
reception.
Consider the types of people who would be thrilled at the concept
of owning their own rough hewn, large wooden horse! Perhaps they
wanted to be the first one on their block, or something silly
like that.
Anyway, you're all aware of the story of The Trojan Horse.
Bringing ourselves a bit closer to the reality we've all grown to
know and love, there's a modern day equivalent: getting a gift
from your BBS or user group which contains a little gem which
will attack your hard disk, destroying whatever data it contains.
In order to understand how a potentially useful program can cause
such damage when corrupted by some misguided soul, it's useful to
understand how your disk works, and how absurdly easy it is to
cause damage to the data contained thereon. So, a brief
technical discussion of the operation of your disk is in order.
For those who aren't concerned, turn the page or something.
Data is preserved on a disk in a variety of different physical
ways having to do with how the data is encoding in the actual
recording of that data. The actual *structure* of that data,
however, is the same between MS-DOS machines. Other operating
systems have a different structure, but that doesn't concern us
now.
Each disk has a number of "tracks". These are sometimes called
cylinders from the old type IBMer's. These are the same people
who call hard disks DASDs (Direct Access Storage Devices), so we
can safely ignore their techno-speak, and just call them tracks.
Tracks can be thought of as the individual little grooves on an
audio record, sort of.
Anyway, each track is subdivided into a number of sectors. Each
track has the same number of sectors. Tracks are numbered, as
1
are sectors. Any given area on the disk can be accessed if a
request is made to read or write data into or out of Track-X,
Sector Y. The read or write command is given to the disk
controller, which is an interface between the computer itself and
the hard disk. The controller figures out what commands to send
to the hard disk, the hard disk responds and the data is read or
written as directed.
The first track on the hard disk typically will contain a small
program which is read from the hard disk and executed when you
first power up your machine. The power up sequence is called
"booting" your machine, and therefore the first track is typical
known as the "boot track".
In order to read information from your disk in a logical
sequence, there has to be some sort of index. An unusual index
method was selected for MS-DOS. Imagine going to the card index
in a library, looking up the title you desire, and getting a
place in another index which tells you where on the racks where
the book is stored. Now, when you read the book, you discover
that only the first chapter of the book is there. In order to
find the next chapter of the book, you have to go back to that
middle index, which tells you where the next chapter is stored.
This process continues until you get to the end of the book.
Sounds pretty convoluted, right? You bet! However, this is
pretty much how MS-DOS does its "cataloguing" of files.
The directory structure of MS-DOS allows for you to look up an
item called the "first cluster". A cluster represents a set of
contiguous ("touching or in contact" according to Random House)
tracks and sectors. It is the smallest amount of information
which the file structure of MS-DOS knows how to read or write.
Based on the first cluster number as stored in the directory, the
first portion of a file can be read. When the information
contained therein is exhausted, MS-DOS goes to that secondary
index for a pointer to the next cluster. That index is called
the File Allocation Table, commonly abbreviated to "FAT". The
FAT contains an entry for each cluster on the disk. An FAT entry
can have a few values: ones which indicate that the cluster is
unused, another which indicates that the associated cluster has
been damaged somehow and that it should be marked as a "bad
cluster", and a pointer to the next cluster for a given file.
This allows for what is called a linked list: once you start
looking up clusters associated with a given file, each FAT entry
tells you what the next cluster is. At the end of the linked
list is a special indicator which indicates that there are no
more clusters associated with the file.
There are actually two copies of the FAT stored on your disk, but
no one really knows what the second copy was intended for.
Often, if the first copy of the FAT is corrupted for some reason,
a clever programmer could recover information from the second
copy to restore to the primary FAT. These clever programmers can
be called "hackers", and should not be confused with the thieves
2
who break into computer systems and steal things, or the "worms"
[Joanne Dow gets credit for *that* phrase!] who would get joy out
of causing you heartache!
But that heartache is exactly what can happen if the directory
(which contains the pointer to the first cluster a file uses),
the FAT (which contains that linked list to other areas on the
disk which the file uses), or other areas of the disk get
corrupted.
And that's what the little worms who create Trojan programs do:
they cause what at first appears to be a useful program to
eventually corrupt the important parts of your disk. This can be
as simple as changing a few bytes of data, or can include wiping
entire tracks clean.
Not all programs which write to your hard disk are bad ones,
obviously. Your word processor, spreadsheet, database and
utility programs have to write to the hard disk. Some of the DOS
programs (such as FORMAT), if used improperly, can also erase
portions of your hard disk causing you massive amounts of grief.
You'd be surprised what damage the simple "DEL" command can do
with just a simple typo.
But, what defines a Trojan program is its delivery mechanism: the
fact that you're running something you didn't expect. Typical
Trojan programs cause damage to your data, and were designed to
do so by the worms who writhe in delight at causing this damage.
May they rot in hell -- a mind is a terrible thing to waste!
Considering the personality required to cause such damage, you
can rest assured that they have few friends, and even their
mother doesn't like to be in the same room with them. They sit
back and chortle about the damage they do with a few other lowly
worms. This is their entire social universe. You should pity
them. I know that I do.
3
Introduction
What is a Virus?
================
Trojan programs are but a delivery mechanism, as stated above.
They can be implemented in a clever manner, so that they only
trigger the malicious part on a certain date, when your disk
contains certain information or whatever. However they're coded,
though, they typically affect the disk only in a destructive
manner once triggered.
A new breed of programs has the capability of not only reserving
malicious damage for a given event's occurrence, but of also
replicating itself as well.
This is what people refer to when they mention the term "Virus
Program".
Typically, a virus will spread itself by replicating a portion of
itself onto another program. Later, when that normally safe
program is run it will, in part, execute a set of instructions
which will infect other programs and then potentially, trigger
the Trojan portion of the program contained within the virus.
The danger of the virus program is twofold. First, it contains a
Trojan which will cause damage to your hard disk. The second
danger is the reason why everyone is busy building bomb shelters.
This danger is that the virus program will infect other programs
and they in turn will infect other programs and so forth. Since
it can also infect programs on your floppy disks, you could
unknowingly infect other machines! Pretty dangerous stuff,
alright!
Kenneth van Wyck, one of the computer folks over at Lehigh
University, first brought a particular virus to the attention of
the computer community. This virus infects a program, which
every MS-DOS computer must have, called COMMAND.COM. This is the
Command Line Interpreter and is the interface between your
keyboard and the MS-DOS operating system itself. Whatever you
type at the C> prompt will be interpreted by it.
Well, the virus subverts this intended function, causing the
infection of neighboring COMMAND.COMs before continuing with
normal functionality of the command you typed. After a certain
number of "infections", the Trojan aspect of the program goes
off, causing you to lose data.
The programmer was clever. But still a worm. And still
deserving of contempt instead of respect. Think of what good
purposes the programmer could have put his or her talents to
instead of creating this damage. And consider what this
programmer must do, in covering up what they've done. They
certainly can't tell anyone what they've accomplished.
Justifiable homicide comes to mind, but since the worms they must
4
hang around are probably as disreputable as they are, they must
hold their little creation a secret.
A pity. Hopefully, the worm is losing sleep. Or getting a sore
neck looking behind them wondering which of their "friends" are
gonna turn them in for the reward I list towards the end of this
document.
5
Introduction
The Challenge to the Worm
=========================
When I first released a program to try to thwart their demented
little efforts, I published this letter in the archive (still in
the FLU_SHOT+ archive of which this is a part of). What I say in
it still holds:
As for the designer of the virus program: most
likely an impotent adolescent, incapable of
normal social relationships, and attempting to
prove their own worth to themselves through
these type of terrorist attacks.
Never succeeding in that task (or in any
other), since they have no worth, they will one
day take a look at themselves and what they've
done in their past, and kill themselves in
disgust. This is a Good Thing, since it saves
the taxpayers' money which normally would be
wasted on therapy and treatment of this
miscreant.
If they *really* want a challenge, they'll try
to destroy *my* hard disk on my BBS, instead of
the disk of some innocent person. I challenge
them to upload a virus or other Trojan horse to
my BBS that I can't disarm. It is doubtful the
challenge will be taken: the profile of such a
person prohibits them from attacking those who
can fight back. Alas, having a go with this
lowlife would be amusing for the five minutes
it takes to disarm whatever they invent.
Go ahead, you good-for-nothing little
slimebucket: make *my* day!
Alas, somebody out there opted to do the cowardly thing and to
use the FLUSHOT programs as a vehicle for wrecking still more
destruction on people like you. The FLUSHOT3 program was
redistributed along with a companion program to aid you in
reading the documentation. It was renamed FLUSHOT4. And the
reader program was turned into a Trojan itself.
I guess the programmer involved was too cowardly to take me up on
my offer and prefers to hurt people not capable of fighting back.
I should have known that, I suppose, but I don't normally think
of people who attack innocents. Normally, I think of people to
respect, not people to pity, certainly not people who must cause
such damage in order to "get off".
They are below contempt, obviously, and can do little to help
6
themselves out of the mire they live in.
Still, a worm is a worm.
7
About FLUSHOT
A Brief History
===============
The original incarnation of FLU_SHOT was a quick hack done in my
spare time. It had a couple of bugs in it which caused it to
trigger when it shouldn't, and a few conditions which I had to
fix. A strangeness in how COMMAND.COM processed certain
conditions when I "failed" an operation caused people to lose
more data than they had intended -- certainly not my intent!
FLU_SHOT was modified and became FLUSHOT2. It included some
additional protections, protecting some other important system
files, and protecting against direct disk writes which can be
used to circumvent FLUSHOT's protection mechanisms.
Additionally, FLUSHOT2 forced an exit of the program currently
running instead of a fail condition when you indicated that an
operation should not be carried out.
FLUSHOT2 was also now distributed in the popular archive format
(have you remembered to send your shareware check into Phil Katz
for his efforts? You really should. It ain't that much money!).
Next came FLUSHOT3. A bug was fixed which could have caused
certain weird things when you denied direct disk I/O to certain
portions of DOS 3.x.
The enhancements to FLUSHOT3 included the ability to enter a 'G'
when FLUSHOT was triggered. This allowed FLUSHOT to become
inactive until an exit was called by the foreground task. So,
when you used some trustworthy program which did direct disk I/O,
you wouldn't be pestered with constant triggering after you enter
the 'G'. Primarily this was a quick hack to allow programs such
as the FORMAT program to run without FLUSHOT being triggered each
time it tried to do any work it was supposed to.
8
About FLUSHOT
FLU_SHOT+ Features and Enhancements
===================================
This release of FLU_SHOT has a new name: FLU_SHOT+. Because
FLUSHOT4 was a Trojan, I opted to change the name. Besides,
FLU_SHOT+ is the result of some real effort on my part, instead
of being a part-time quick hack. I hope the effort shows.
FLUSHOT is now table driven. That table is in a file which I
call FLUSHOT.DAT. It exists in the root directory on your C:
drive. However, I'll advise you later on how to change its
location so that a worm can't create a Trojan to modify that
file.
This file now allows you to write and/or read protect entire
classes of programs. This means that you can write protect from
damage all of your *.COM, *.EXE, *.BAT, and *.SYS files. You can
read protect all of your *.BAT files so that a nasty program can
not even determine what name you used for FLU_SHOT+ when you
invoked it!
Additionally, you can now automatically check programs when you
first invoke FLU_SHOT+ to determine if they've changed since you
last looked at them. Called checksumming, it allows you to know
immediately if one of the protected programs has been changed
when you're not looking. Additionally, this checksumming can
even take place each time you load the program for execution.
Also, FLU_SHOT+ will advise you when any program "goes TSR". TSR
stands for "Terminate and Stay Resident", allowing pop-ups and
other useful programs to be created. A worm could create a
program which leaves a bit of slime behind. Programs like
Borland's SideKick program, a wonderful program and certainly not
a Trojan or virus, is probably the best known TSR. FLU_SHOT+
will advise you if any program attempts to go TSR which you
haven't already registered in your FLUSHOT.DAT file.
Finally, FLU_SHOT+ will also now pop-up a little window in the
middle of your screen when it gets triggered. It also will more
fully explain why it was triggered. The pop-up window means that
your screen won't get screwed up beyond recognition -- unless
you're in graphics mode when it pops up. Sorry, 'dems the
breaks!
This version, FLU_SHOT+, has some other substantial improvements
on the security side, has a couple of bug fixes here and there
and is generally the same program - just a little more reliable,
and a little more user friendly. And, more closely attuned to
what you, the user community, have asked me for.
More information about FLU_SHOT+ and its enhancements can be
found in the file "UPDATES.TXT", in the archive. My thanks to
Mr. Mark Hamilton of the UK for some enhancements ideas and code.
9
About FLUSHOT
Registering FLU_SHOT+
=====================
FLU_SHOT+ is not a free program. You're encouraged to use it, to
distribute it to your friends and co-workers. If you end up not
using it for some reason, let me know why and I'll see if I can
do something about it in the next release.
But, the right to use FLU_SHOT+ is contingent upon you paying for
the right to use it. I ask for ten dollars as a registration
fee, plus four dollars to meet my costs for shipping, handling,
and processing each order. This entitles you to get informed
when the next update is available, and to have someone available
to help support you with any problem you might have with the
program. And it allows you to pay me, in part, for my labor in
creating the entire FLU_SHOT series. I don't expect to get my
normal consulting rate or to get a return equal to that of other
programs which I've developed and sell through more traditional
channels. That's not my intent, or I would have made FLU_SHOT+ a
commercial program and you'd be paying lots more money for it.
Some people are uncomfortable with the shareware concept, or
believe that there ain't no such thing as Trojan or Virus
programs, and that a person who profits from the distribution of
a program such as FLU_SHOT must be in it for the money. Although
I sympathize with their feelings, I feel that a user of FLU_SHOT
simply *must* pay for their usage of the program -- using it for
free is paramount to stealing, and we know how wrong that is!
I've created an alternative for these folks. I'll call it
"charityware" [first called that, to my knowledge, by Roedy
Green]. You can also register FLU_SHOT+ by sending me a check
for $10 made out to your favorite charity. And a check made out
to me for $4 to handle my costs. Be sure to include a stamped
and addressed envelope. I'll forward the monies onto them and
register you fully.
Of course, if you wish, you can send me a check for more than
$14. I'll cash it gladly (I'm no fool!).
Site Licensing of FLU_SHOT+
===========================
So, you run the computer department of a big corporation, you got
a copy of FLU_SHOT+, decided it was wonderful and that it did
everything you wanted and sent in your ten bucks. Then you
distributed it to your 1000 users.
Not what is intended by the shareware scheme. *Each* site using
FLU_SHOT+ should be registered. That's ten bucks a site, me
bucko! Again, make the check out to charity if you're
10
uncomfortable with the idea of a programmer actually deriving an
income from their work.
However, if you've really got 1000 computers, you should give me
a call. As much as I'd like to get $10 for each site, that
wouldn't be fair to you. So, quantity discounts are available.
Here's out quantity discount schedule. Remember to add in the
four dollar charge for each order.
Quantity Price Each
============== ===============
1 - 49 $10
50 - 249 $ 9
250 - 499 $ 7
500 - 9999 $ 6
10,000+ No Charge (after paying for 9999!)
Site licensee's get a "gold" disk, and make their own copies at
their site, working on the honor system. Each site license does
require a separate agreement, so be sure to give us a call to
work out the details. End-user contact *must* be through a
single contact point in order for any of these discounts to
apply.
11
Using FLU_SHOT+
Down and Dirty Installation: Step By Step
=========================================
Consider this area of the manual to be the "I hate to read
manuals" approach. We encourage you to read the manual, since
about 90% of our tech support calls are answered by telling the
caller to turn to a given page in the manual. Some people,
however, just want the ability to use the product immediately,
without wading through the manual. So, if you're one of those
gung-ho'ers, here's a step-by-step approach:
1) If you received FLU_SHOT+ on a diskette, place that diskette
in the A: drive on your system. If you received FLU_SHOT+ from a
Bulletin Board System, then you've obviously figured out how to
de-arc and de-compress the files contained within the archive (if
not, how are you reading this?).
2) Type the following commands:
COPY A:FSP.COM C:\
COPY A:FLUSHOT.DAT C:\
3) Make C: your default drive by simply typing "C:", followed
by a carriage return. Make the root directory your default
directory simply by typing "CD \", followed by a carriage return.
4) Type "FSP", followed by a carriage return. This will invoke
FLU_SHOT+.
5) You should expect to see three error messages. These will
take one of two forms. One form will tell you that the checksum
for the listed file doesn't match the actual checksum for that
file. If you see this message, copy down the displayed number on
a separate piece of paper, along with the filename. Press any
key to continue on to the next file.
6) If you see a message indicating that a given file is not
found, then you'll have to remember what the names your computer
uses for the on-disk BIOS (FLU_SHOT+ expects "IBMBIO.SYS") and
on-disk Disk Operating System (FLU_SHOT+ expects "IBMDOS.SYS")
and edit the names in the FLUSHOT.DAT file appropriately. If,
for example, your system uses the name of "IOSYS.SYS" and
"MSSYS.SYS" for these files, replace the missing filenames within
the FLUSHOT.DAT file to reflect the actual names you use. When
you finish with these edits, reboot your system and start with
step 3), above.
7) At this point, you should have three files with their actual
checksums on a piece of paper. Edit the FLUSHOT.DAT file in your
C:\ directory to reflect these checksums. Replace the default
"[12345]" with the actual checksums you've written down. So, if
the actual checksum for your COMMAND.COM file is "32767", the
line in your FLUSHOT.DAT to reflect this should read:
C=C:\COMMAND.COM[32767]
12
8) Reboot your system. When you invoke FLU_SHOT+, by typing
FSP followed by a carriage return, everything should run to
completion, leaving you at your C> prompt.
9) If you wish to cause FLU_SHOT+ to run whenever you first
boot your computer, simply edit your AUTOEXEC.BAT file, found in
the root directory on your "boot" drive, to include "FSP" as the
last line.
10) For extra security, you might wish to rename the
FLUSHOT.DAT. To do so, read the section in this manual which
describes the FLU_POKE program.
11) If there are any problems in the installation procedure, it
probably means that you're using something a little unique in the
way of computer equipment or software packages. You'll have to
read the entire document. Sorry.
12) FLU_SHOT+, "out of the box", offers some pretty good
protection. If you want to substantially enhance the security
FLU_SHOT+ offers you, please read the rest of the manual?
Remember that we will *not* answer any tech support calls from
people who have not read the manual.
13
Using FLU_SHOT+
The FLUSHOT.DAT file
====================
FLU_SHOT+ is table driven by the contents of the FLUSHOT.DAT
file. This file normally exists in the root directory of your C:
drive (C:\FLUSHOT.DAT).
A little later in this document you'll see how to disguise the
data file name, making life tougher for the worms out there. But
for the purposes of this document, we'll assume that the file is
called C:\FLUSHOT.DAT.
The FLU_SHOT+ program will read this data file exactly once. It
reads the data from the data file into memory and overwrites the
name of the data file in so doing. A little extra protection in
hiding the name of the file.
This data file contains a number of lines of text. Each line of
text is of the form:
<Command>=<filename><options>
Command can be any one of the following characters:
P - Write Protect the file named
R - Read Protect the file named
E - Exclude the file named from matching P or R lines
T - The named file is a legitimate TSR
C - Perform checksum operations on the file named
The filename can be an ambiguous file if you wish for all
commands except the 'T' and 'C' commands. This means that:
C:\level1\*.COM
will specify all COM files on your C: drive in the level1
directory (or its sub-directories). Specifying:
C:\level1\*\*.EXE
would specify all EXE files in subdirectories under the C:\level1
directory, but would not include that directory itself.
You can also use the '?' operator to specify ambiguous characters
as in:
?:\usr\bin\?.COM
would be used to specify files on any drive in the \usr\bin
directory on that drive. The files would have to be single
letter filenames with the extension of 'COM'.
Ambiguous file names are not allowed for the 'T' and 'C' options.
14
Using FLU_SHOT+
Protecting files from Write Access
==================================
Use the 'P=' option to protect files from write access. To
disallow writes to any of your COM, EXE, SYS, and BAT files,
specify lines of the form:
P=*.COM
P=*.EXE
P=*.SYS
P=*.BAT
which protects these files on any disk, in any directory.
Protecting files from Read Access
=================================
Similarly, you can use the 'R' command to protect files from
being read by a program (including the ability to 'TYPE' a
file!). To prevent read access to all of your BAT files, use a
line such as:
R=*.BAT
Combinations of R and P lines are allowed, so the combination of
the above lines would prevent read or write access to all batch
files.
Excluding files
===============
Programmers in particular should find usage for the 'E' command.
This allows you to exclude matching filenames from other match
operations. Assume you're doing development work in the
C:\develop directory.
You could exclude FLU_SHOT+ from being triggered by including a
line such as:
E=C:\develop\*.*
Of course, you might have development work on many disks under a
directory of that name. If you do, you might include a line
which looks like:
E=?:\develop\*.*
or
E=*\develop*
15
Checksumming files
==================
This line is a little more complicated than others and involves
some setup work. It's worth it though!
A checksum is a method used to reduce a files validity into a
single number. Adding up the values of the bytes which make up
the file would be a simple checksum method. Doing more complex
mathematics allows for more and more checking information to be
included in a test.
If you use a lie on the form:
C=C:\COMMAND.COM[12345]
then when FLU_SHOT+ first loads it will check the validity of the
file against the number in the square brackets. If the checksum
calculated does not match the number presented, you'll be advised
with a triggering of FLUSHOT, which presents the correct
checksum.
When you first set up your FLUSHOT.DAT file, use a dummy number
such as '12345' for each of the files you wish to checksum.
Then, when you run FLUSHOT, you should copy down the "erroneous"
checksum presented. Then, edit the FLUSHOT.DAT file and replace
the dummy number with the actual checksum value you had copied
down. Voila! If even one byte in the is changed, you'll be
advised the next time you run FLU_SHOT+.
But wait! There's more! Not available in stores!
Sorry. I got carried away.
Seriously, there is more. When a "checksummed" file is loaded by
MS-DOS, it will, by default, be checksummed again. So, if you
had a line such as:
C=C:\usr\bin\WS.COM[12345]
the venerable old WordStar program (still *my* editor of choice!)
would be checksummed each time you went to edit a file.
Of course, you might not want the overhead of that checksumming
to take place each time you load a program. Therefore, a few
switches have been added. The switches are place immediately
after the ']' in the checksum line:
C=C:\usr\bin\WS.COM[12345]<switch>
These switches are:
,n - will only checksum the file only 'n' times. Only
one digit allowed.
16
- - Only checksum this file when FLU_SHOT+ first
loads. ',1' and '-' are equivalent.
+ - Only checksum this file when it is loaded and
executed, not when FLU_SHOT+ first loads
Therefore, if you wished to only check your WS.COM file when you
first loaded the FLU_SHOT+ program, you'd specify a line as:
C=C:\usr\bin\ws.com[12345],1
or
C=C:\usr\bin\ws.com[12345]-
If you wished to checksum your program called "MY_PROG.EXE" only
when it was used, try:
C=C:\path\MY_PROG.EXE[12345]+
Registering a TSR program
=========================
Any unregistered TSR program which is run after FLU_SHOT+ will
cause a trigger when they "go TSR". You can register a program
so no trigger goes off by specifying it in a line such as:
T=C:\usr\bin\tsr_s\sk.com
which will keep FLU_SHOT+ from complaining about sk.com. Make
sure to take a look at the '-T' option, specified in the next
section.
Restricted Access
=================
Normally, when access to a file causes FLU_SHOT+ to trigger, the
user is given the option of hitting a 'Y' to allow the access, or
a 'G' to allow the access until program exit or a key is hit.
However, in some cases, access to a file should *never* be
allowed. If you end a line in your FLUSHOT.DAT file with an '!',
then the trigger will indicate that this is a restricted access
file, and the user will be asked to press a key to continue. In
any case, trigger accesses resulting from a line with a '!' at
the end will not be allowed to go forth. For example, if you
never want anyone to be able to read an AUTOEXEC.BAT file on any
of your disks, have a line of the form:
R=*AUTOEXEC.BAT!
in your FLUSHOT.DAT file. That's pretty easy! (Make sure,
however, to take a look at the FSP command line arguments for the
'--' switch.)
17
Protecting the FLUSHOT.DAT file
===============================
Obviously, the weak link in the chain of the protection which
FLU_SHOT+ offers you is the FLUSHOT.DAT file.
You would think that you'd want to protect the FLUSHOT.DAT file
from reads and writes as specified above. However this, too,
leaves a gaping security hole: memory could be searched for it,
and it could be located that way. A better alternative exists.
In the distribution package for FLUSHOT+ exists a program called
FLU_POKE.COM. This program allows you to specify the new name
you wish to call the FLUSHOT.DAT file. Simply type:
FLU_POKE <flushot_name>
where <flushot_name> represents the full path filename of your
copy of FLU_SHOT+.
You'll be prompted for the name of the FLUSHOT.DAT file. Enter
the name you've selected (remember to specify the disk and
directory as part of the name). Voila! Nothing could be easier.
Here's an example, assuming that you've already named your
FLUSHOT.DAT to FRED.TXT, and it resides in the C:\DOC directory.
Assume that FSP.COM is in the current directory and has been
renamed to MYFILE.COM. Here's the command line:
FLU_POKE MYFILE.COM
File opened ok...
Enter the FLUSHOT.DAT filename (full pathname): FRED.TXT
Protection Recommendations
==========================
Here's a sample FLUSHOT.DAT file, basically the same one included
in the archive. Your actual checksums will differ, and you may
want to modify what files and directories are protected.
Obviously, your exact needs are different than mine, so consider
this a generic FLUSHOT.DAT:
P=*.bat
P=*.sys
P=*.exe
P=*.com
R=*AUTOEXEC.BAT
R=*CONFIG.SYS
E=?\dev\*
C=C:\COMMAND.COM[12345]-
C=C:\IBMBIO.COM[12345]-
C=C:\IBMDOS.COM[12345]-
18
Allowing "dangerous" programs to run
====================================
In some cases, though, you'll still want the ability to let
"trusted" programs to run -- even if they are potentially
dangerous. A good example of this is the DOS FORMAT program:
here is a program specifically designed to overwrite the data on
your disk in such a way that it would be difficult, at best, to
recover. Yet, the program is a necessary part of your day-to-day
computer usage.
Therefore, the 'X=' switch has been added in to allow a program
such as FORMAT to run without interruption. THIS IS A POTENTIAL
SECURITY HOLE. To prevent an 'X=' program from being corrupted,
I suggest you also include any 'X=' program as both a 'C=' and a
'P=' program as well: any writes to the file would cause FLU_SHOT
to trigger, and you wouldn't be able to run a modified program
without first giving FLU_SHOT permission. Use 'X=' sparingly.
I'm rather uncomfortable with it myself.
Protecting Your Boot Track
==========================
Some of the virus writers out there are getting pretty devious:
they are creating viruses which will replace your "boot record"
with something of their own creation which will first create a
virus upon a system boot, then will run your actual boot program.
The "boot program" is a small program at the beginning of your
disk, telling the system what to do when you first turn the
system on. What makes these types of viruses particularly
dangerous is that they are run before FLU_SHOT+ can be run: by
the time FLU_SHOT+ is running, you're already infected!
Therefore, you might want to consider using the Boot Checksum
option line in your FLUSHOT.DAT file. It takes the form of:
B=<disk><checksum>
where <disk> is a single character (no ':') indicating which disk
drive you boot from, and checksum is the boot checksum. The boot
checksum is checked each time you exit a program and when you
first invoke FLU_SHOT+.
First, create a bogus boot checksum entry, as in:
B=C12345
then, run FLU_SHOT+. You'll be advised of what the actual boot
checksum is, and you should edit that checksum into the "B="
line.
That's it! You're now protected from some virus program somehow
getting around the protections FLU_SHOT+ offers and modifying the
boot record, and you'll be advised if something changed your boot
record while you weren't looking. Never boot off a floppy if you
can avoid it, though: that's how a lot of viruses spread!
19
Invoking FLU_SHOT+
Running FLUSHOT+
================
For extra protection, after you've run FLU_POKE, you should
rename the FLU_SHOT+ program is something unique and meaningful
to you, but not a worm.
Assuming you didn't rename it, however, you could invoke the
program simply by typing:
FSP
when at the prompt. That's all there is to it. When you're
satisfied, you can add it to your AUTOEXEC.BAT file, after all of
your trusted programs have run.
But there are some options you should know about:
Checksumming the in-memory table
================================
Since the wily worm may well be able to thwart some of the
efforts of FLU_SHOT+ by playing nasty games with the in-memory
copy of the FLUSHOT.DAT file, FLU_SHOT+ will also check this
table against a checksum it generates on a regular basis. If the
table gets corrupted, you'll be advised of it. This table is
checked with each call to DOS, so the table must be in good shape
before any disk I/O is done.
20
Intercepting Direct Disk Writes Through INT13 and INT40
=======================================================
The default operation of FLU_SHOT+ is to intercept and examine
every call to the direct disk routines. You can *disable* this
by including the '-F' switch on your command line:
FSP -F
This is not recommended, but exists primarily for developers who
can't use the constant triggering one of their programs may
cause.
What about INT26
================
Similarly, the same exists for the direct writes which normally
are only made by DOS through interrupt 26. Again, I do not
recommend you disable the checking, but if you desire to do so,
use the '-D' switch.
Turning off the header message
==============================
If you've no desire to see the rather lengthy welcome message,
displayed when you first use FLU_SHOT+, use the '-h' switch.
Disabling Triggering on Open with Write Access
==============================================
Files which are opened with write access allowed are often not
ever written to. For example, a COPY A.COM B.COM will open
*both* files for write access, although DOS will not actually
write to the A.COM file. Programmer laziness is the most likely
excuse, and I'm as guilty of it as anyone else. However, this
can cause some false alarms, which can alarm you! If you specify
the '-W' switch on your command line, you won't have this
particular alert come up.
Since the actual write operation to this file is also protected
by FLU_SHOT+, there is no real danger with using the '-W' option
-- except that a "protected" file could be created anew without
you being triggered. That's not too big a deal. Future versions
of FLU_SHOT+ will most probably have the '-W' option as the
default operation.
Changing the Trigger Window Attributes
======================================
Certain displays, particularly monochrome displays which try to
emulate color displays, have a problem with the default selection
of attributed in the trigger window of FLU_SHOT+. If you use the
'-Axx:yy' switch, you can modify these attributes.
The xx:yy represent the hex values (as selected from the table
below) for the interior and the perimeter of the trigger window.
The 'xx' represents the interior attribute, the 'yy', the
21
perimeter. If you use the '-A' switch, you *must* select both of
these values - failure to do so may give a rather strange
display.
What follows is a table of color and characteristics associated
with the attribute byte. A byte has eight bits. Counting from
the leftmost bit, the first bit of the attribute byte, if set,
will cause the character to blink, regardless of other settings.
The next three bits represent the background color for a given
character position. The next bit indicates whether a character
should have high intensity turned on. Finally, the last three
bits represent the color of the character itself. To create the
color of your choice, simply combine the bits, then calculate
what they are in hexadecimal. If you're not sure of how to
create a hexadecimal representation of a binary number, have no
fear: that information follows, too.
Bkgrnd Frgrnd
B CLR I CLR
[] [][][] [] [][][]
Brightness----^ | | | | | | |
Background-------+-+-+ | | | |
Intensity---------------+ | | |
Foreground-----------------+-+-+
Value in hex
Bit Pattern Value Color if B or I set
====================================================
0 0 0 0 Black 8
0 0 1 1 Blue 9
0 1 0 2 Green a
0 1 1 3 Cyan b
1 0 0 4 Red c
1 0 1 5 Magenta d
1 1 0 6 Yellow e
1 1 1 7 White f
For example, to create an attribute byte that is high intensity,
blinking yellow characters on a green background, the attribute
byte would be:
Bkgrnd Frgrnd
B CLR I CLR
1 0 1 0 1 1 1 0
\--------/ \-------/
| |
A E
Attribute char: AE
IMPORTANT: If the value is less than 10 (hex), you *must* include
a leading zero or strange things will happen to the selected
value.
22
Allowing Trusted TSR's to Work
==============================
Normally, you'd load all of your trusted TSR's before FLUSHOT+ is
loaded from within your AUTOEXEC.BAT file. However, you might
want to use SideKick once in a while, removing it from memory as
you desire. This could cause some problems, since SideKick, and
programs like it, take over certain interrupts, and FLU_SHOT+
could get confused about whether this is a valid call or a call
that shouldn't be allowed. Normally, FLU_SHOT+ will trigger on
these calls, which is safer, but can be annoying. If you use the
special '-T' switch upon program invocation, then calls which
trusted TSR's (those specified with the 'T=' command in your
FLUSHOT.DAT file) make will be allowed. Understand, please, that
this basically means that calls made by a Trojan while a trusted
TSR is loaded may not be caught. Please, use this switch with
caution!
Disabling FLU_SHOT+
===================
There may be times when you're about to do some work which you
know will trigger FLU_SHOT+. And you might not want to be
bothered with all of the triggering, the pop-up windows and your
need to respond to each trigger. If you look in the upper right
hand corner of your screen, you'll see a '+' sign. This
indicates that FLU_SHOT+ is monitoring and attempting to protect
your system. Depress the ALT key three times. Notice that the
'+' sign' turned into a '-'? Well, FLU_SHOT+ is now disabled,
and will not trigger on any event. If you depress the ALT key
three more times, you'll see the '-' turn back into a '+' -- each
time you depress the ALT key three times, FLU_SHOT+ will toggle
between being enabled and disabled.
Disabling the Disabling of FLU_SHOT+
====================================
Yes, I know about the poor grammar used in the heading, but I
couldn't think of a better way of expressing it.
You can cause FLU_SHOT+ to ignore the "strike ALT three times"
function discussed above. If you'd rather that the people using
the machine FLU_SHOT is working on *not* be able to disable it,
then enter the '--' switch on the command line, as in:
FSP --
this is important when used in combination with the '!'
restricted file access option you may have opted to use in your
FLUSHOT.DAT file.
23
Disabling FLU_SHOT+ Toggle Display
==================================
Alas, there are graphics applications which will be screwed up be
the '-' or '+' in the upper right hand corner of your display.
Therefore, if you depress the CTRL key three times, you'll be
able to toggle the display capability of FLU_SHOT+. The default
configuration of FLU_SHOT+ is to "come up" with display turned
on. You can reverse this capability if you include the '-G' (for
graphics) switch on your command line when you run FLU_SHOT+.
When you toggle this function, the '-' or the '+' won't appear or
disappear immediately. Simply that the repainting of them will
no longer take place.
Defining Your Own "Special Keys"
================================
If you would like to, you can define your own "special keys" (as
in the default Alt and Ctrl keys in a similar way as you define
your attributes above. Use the '-Kxx:yy' option, which takes the
hexadecimal scan code value for the replacement Alt key as the
first argument (the 'xx') and the hexadecimal scan code value for
the replacement Ctrl key value. If you're not sure of what your
scan codes are, you should look them up in your BIOS tech ref
manual -- or there are a multitude of programs which will print
out the scan code for a given key. Most of these programs are
available on BBS's throughout the world, including the Software
Concepts Design, RamNet BBS at (212)-89-6438.
Due to extreme programmer fatigue, the "Welcome" message you see
when you first run FLU_SHOT+ with the '-K' option will not change
to reflect your selection. Maybe in the next version. And, of
course, it depends upon how much you, the end-user want such an
option.
IMPORTANT: If the value is less than 10 (hex), you *must* include
a leading zero or strange things will happen to the selected
value.
Forcing FLU_SHOT+ to only use the BIOS
======================================
Certain machines are not totally compatible with the IBM BIOS,
which is the BIOS for which FLU_SHOT+ was written. Because
FLU_SHOT has to be able to deal with the hardware in a pretty
direct manner in order to "pop-up" a screen, these machines were
not able to use FLU_SHOT. If you specify the '-B' switch in your
command line when you first run FLU_SHOT+, then only the BIOS
will be used for screen output. This is *drastically* slower
than direct screen memory writes (the method used unless you
specify to use the BIOS), but at least it works. However, the
"hit ALT and/or CTRL three times" options may not work in these
machines - only your experimentation will tell.
24
Putting FLU_SHOT+ to Sleep When Its First Run
==============================================
One of the idiosyncrasies of DOS is how a batch file is
processed. Basically, DOS opens the batch file, reads the next
command, closes the batch file, executes the command, and then
starts over again until the batch file is exhausted of commands.
This would, normally, not be a problem, but can become when you
opt to place the FLU_SHOT command line in your AUTOEXEC.BAT file
*and* you've opted to Read Protect (with the 'R=' option) the
AUTOEXEC file itself: you'll be advised that some program is
reading this protected file. Not a big deal, really, but
certainly a hassle when you fist boot up your system. Therefore,
protections within FLU_SHOT are not turned on a certain amount of
time. The default is set to ten seconds, or until you enter a
key. You can modify the default "sleep" time by entering a '-Sn'
option on the command line, where 'n' represents the number of
eighteenths of a second (1/18) you wish to have FLU_SHOT+ sleep
before becoming active. Since you will most likely have
FLU_SHOT+ as one of the final commands in your AUTOEXEC.BAT, you
probably won't have to modify this parameter, but the capability
exists, nonetheless.
25
Interpreting a FLU_SHOT+ Trigger
================================
So, you've run FLU_SHOT+, and you're at your C> prompt. Great!
Now stick a blank disk which you don't care about into your A:
drive and try to format it.
Surprise! FLU_SHOT+ caught the attempt! You have three choices
now: typing 'Y' allows the operation to continue, but the next
one will be caught as well. Typing a 'G' (for Go!) allows the
operation to continue, disabling FLU_SHOT+ until an exit from the
program is made. When FLU_SHOT+ is in the 'G' state, a 'G' will
appear in the upper right hand corner of your screen.
Any other key will cause a failure of the operation to occur.
When you've got FLU_SHOT+ running and you get signaled that there
is a problem, you should think about what might have caused the
problem. Some programs, like FORMAT, or the Norton Utilities or
PC-Tools, or DREP have very good reasons for doing direct reads
and writes to your hard disk. However, a public domain checkbook
accounting program doesn't. You'll have to be the judge of what
are legitimate operations and which are questionable.
There is no reason to write to IBMBIO or IBMDOS, right?
Wrong!
When you format a disk with the '/S' option, those files are
created on the target diskette. The act of creating, opening up
and writing those files will trigger FLU_SHOT+ as part of its
expected operation. There are many other legitimate operations
which may cause FLU_SHOT+ to trigger.
So will copying a COM or EXE file if you have those protected
with a 'P=' command. FLU_SHOT+ is not particularly intelligent
about what is allowed and what isn't. That's where you, the
pilot, get to decide.
Here's a fuller listing of the messages which you might see when
you're using FLU_SHOT+:
Checking ===><filename>
This message is displayed as FLU_SHOT+ checks the checksum on all
of the "C=" files when you first invoke FLU_SHOT+. The files
must be read in from disk, their checksum calculated and then
compared against the value you claim the checksum should equal.
26
If the checksum does *not* equal what you claim it should (which
means that the file may have been written to and might therefore
be suspect), a window will pop up in the middle of your screen:
+===============================================================+
| Bad Checksum on <filename> |
| Actual Checksum is: <checksum> |
|Press "Y" to allow, "G" to go till exit, any other key to exit.|
+===============================================================+
This message simultaneously advises you there is a problem with
the checksums not matching, shows you what the checksum should be
and then awaits your response.
Except for the initial run of FLU_SHOT+, if you type a 'Y' or a
'G', then the program will load and execute. Typing any other
key will cause the program to abort and for you to be returned to
the C> prompt. When FLU_SHOT+ is in the 'G' state, a 'G' will
appear in the upper right hand corner of your screen.
If this is the initial run of FLU_SHOT+, however, you'll be
advised of the program's actual checksum, but FLU_SHOT+ will
continue to run, checking all remaining "C=" files in the
FLUSHOT.DAT file.
If you're running a program and you see a screen like:
+===============================================================+
| ? WARNING! TSR Request from an unregistered program! |
|Number of paragraphs of memory requested (in decimal) are:<cnt>|
| (Press any key to continue) |
+===============================================================+
you're being advised that a program is about to go TSR. If this
is a program you trust (such as SideKick, of KBHIT, or a host of
other TSR programs you've grown to know and love), then you
should considering installing a "T=" line in the FLUSHOT.DAT file
so that future runs of this program will not trigger FLU_SHOT+.
However, if you get this message when running a program you don't
think has any need to go TSR (such as the proverbial checkbook
balancing program), you should be a little suspicious. Having a
TSR program is not, in of and of itself, something to be
suspicious of. But having one you don't expect --- well, that's
a different story.
Most TSR's "hook into" an interrupt vector before they go TSR.
These hooks might intercept and process key strokes ("hotkeys"),
or they might hook and intercept direct disk writes themselves.
In any event, FLU_SHOT+ (in this version!) doesn't have the
smarts to do more than advise you of the TSR'ing of the program.
If you're truly suspicious, reboot your machine immediately!
27
If a program attempts to write directly to the interrupts which
are reserved for disk writes, FLU_SHOT+ will also be triggered
and you'll see something like:
+===============================================================+
|====>Direct Disk Write attempt by program other than DOS! <====|
| Interrupt xx=> Drive: x Head: y Track: zzzzz Sector: zzzzz |
| By: <program> |
|Press "Y" to allow, "G" to go till exit, any other key to fail.|
+===============================================================+
where the <xx> represents either a 13 or 40 (indicating a direct
BIOS write to the disk) or a 26 (indicating a direct DOS write).
Again, pressing a 'Y' or a 'G' allows the operation to continue,
pressing any other key will cause the operation to return a
failed status to DOS, and the operation will not take place. When
FLU_SHOT+ is in the 'G' state, a 'G' will appear in the upper
right hand corner of your screen. FLU_SHOT+ will attempt to let
you know what program is actually attempting the write as well:
this is not always reliable, though, so don't count on it as more
than a hint.
Additionally, for the folks interested in the real techno-babble,
FLU_SHOT+ will also let you know what drive, head, track and
sector is the target of the supposed "illegal" access.
If an attempt is made to format your disk, which may be a
legitimate operation made by the DOS FORMAT program, you'll see a
message such as:
+===============================================================+
| ====>Disk being formatted! Are You Sure?<==== |
| Interrupt xx=> Drive: x Head: y Track: zzzzz Sector: zzzzz |
| By: <program> |
|Press "Y" to allow, "G" to go till exit, any other key to fail.|
+===============================================================+
which follows similarly to the direct disk write operations. You
should question whether the format operation is appropriate at
the time and take whatever action you think is best.
If one of your protected files is about to be written to, you'll
see a message like:
+===============================================================+
|Write access being attempted on: |
| <filename> |
| By: <program> |
|Press "Y" to allow, "G" to go till exit, any other key to fail.|
+===============================================================+
where <filename> represents the file you're trying to protect
from these write operations. Your red flag should fly, and you
should question why the program currently running should cause
such an operation.
28
You may also see the same type of message when one of your "Read-
Protected" files is being accessed:
+===============================================================+
|Read Access being attempted on: |
| <filename> |
| By: <program> |
|Press "Y" to allow, "G" to go till exit, any other key to fail.|
+===============================================================+
Again, the same red flag should fly, but it doesn't mean that
you're infected with some nasty virus program! It could be
something harmless or intended. You'll have to be the judge.
+===============================================================+
|Open File with Write access being attempted on: |
| <filename> |
| By: <program> |
|Press "Y" to allow, "G" to go till exit, any other key to fail.|
+===============================================================+
If you see the above message: Don't Panic! When a program opens
a file, it may open the file for different types of access. One
access method prohibits writing to the file. Another allows you
to write to the file. However, lazy programmers (myself included
in this category from time to time) will often open a file for
read *and* write access, even though they have no intention of
ever doing a write into the file. FLU_SHOT+ isn't smart enough
to be able to figure out what a program *might* do in the future,
so it will alert you to an attempt to open the indicated
protected file with write access allowed. Again, you'll have to
consider whether the program opening the file is a "trusted"
program or not and you'll have to then decide what action to
take.
+===============================================================+
|Handle Write Access being attempted on: |
| <filename> |
| By: <program> |
|Press "Y" to allow, "G" to go till exit, any other key to fail.|
+===============================================================+
If you see this message, it means that some program is trying to
write to a protected file through an access method known as
"handle access". This should normally never happen, with the
caveats raised above in the "Open With Write Access" section.
29
There are three separate messages you'll see if a program
attempts to rename a protected file (you'll only see one of these
messages at a time, though):
+===============================================================+
|FCB Rename being attempted on source file: |
|FCB Rename being attempted on target file: |
|Handle Rename being attempted on: |
| <filename> |
| By: <program> |
|Press "Y" to allow, "G" to go till exit, any other key to fail.|
+===============================================================+
This indicates what type of operation is attempting to rename a
protected file. FCB's are a relic of the older CP/M days, and
"handles" are a newer concept, a little more modern. In any
event, this tells you that a file is being renamed. It is
possible that a trojan or virus writer will attempt to rename an
existing protected file to some other name, then rename a
trojaned or virused program in its stead. FLU_SHOT will alert
you to this action: again, though, you'll have to decide what to
do about it.
+===============================================================+
|Delete being attempted on: |
| <filename> |
| By: <program> |
|Press "Y" to allow, "G" to go till exit, any other key to fail.|
+===============================================================+
Pretty much self-evident as to what's happening here, there are
very few reasons why one of the files you've opted to protect
should be deleted.
30
How Good is FLUSHOT+, Really?
FLU_SHOT+ is a pretty handy piece of code. But, it can't
absolutely protect you from a worm. No software can do that.
There are ways around FLU_SHOT+. I'm of two minds about
discussing them, since the worms out there are reading this, too.
So I'll only discuss them in passing. And I'll tell you what I
use here to protect myself from worms. First, though, a little
story to tell you what it's like here, and how I protect myself
from getting wormed.
The RamNet Bulletin Board System site I run is open access. No
need to register, or to leave your phone number or address,
although a note to that effect is always appreciated. As
mentioned above, I dare the worm to try to affect the disk of
somebody who can fight back. A couple of of worms have tried and
I have a nice collection of Trojans and viruses. Obviously, I
run FLU_SHOT+ on my board, along with checking incoming files
with CHK4BOMB. My procedure for testing out newly uploaded code
involves me doing a backup, installing all sorts of software to
monitor what is going on, and doing a checksum on all files on
the disk. I then try out all of the code I get, primarily to
determine if the code is of high enough quality to be posted.
After testing out all of the weeks uploads, I run the checksum
program again to determine of any of my files might have been
modified by a worm's virus program.
Recently, what looked like a decent little directory lister was
posted to the board. For some reason I've yet to fathom,
directory aid programs seem to be the ones which have the highest
percentage of Trojans attached to them.
This directory aid program listed my directories in a wonderful
tree structure, using different colors for different types of
files. Nice program. When it exited, however, it went out and
looked for a directory with the word "FLU" in it. Once it found
a directory with a match in it, it proceeded to try to erase all
of the files in that directory. An assault! No big deal. That's
what backups are for.
But it brings up an interesting point: I was attacked by a
clever worm, and it erased a bunch of files which were pretty
valuable. All of the protection I had would have been for naught
if I didn't use the first line of defense from these worms: full
and adequate backup.
I've spent three years of my life developing one particular
software package. Imagine what would have happened if that had
been erased by a worm! Fortunately, I make backups at least once
a day, and usually more frequently than that. You should, too.
Now, I quarantine that machine as well. I spent a couple of
dollars and bought a bunch of bright red floppy disks. The basic
rule around here is that Red Disks are the only disks that go
into the BBS machine, and the Red Disks go into no other machine.
31
You see, I *know* that there is some worm out there who is gonna
find some way to infect my system. No matter what software
protection I use, there *is* a way around it.
You needn't be concerned though -- you're making backups on a
regular basis, right? And, you aren't asking for trouble. I am,
I expect to find it, and it is sort of amusing to see what the
worms out there are wasting their efforts on.
At this point, Trojans and Viruses are becoming a hobby with me:
watching what the worms try to do, figuring out a way to defend
against it, and then updating the FLU_SHOT series.
However, there is a possibility that the FLU_SHOT series (as well
as other protection programs which are just as valuable) are
causing an escalation of the terms of this war. The worms out
there are sick individuals. They must enjoy causing the damage
they do. But they haven't the guts to stand up and actually do
something in person. They prefer to hide behind a mist of
anonymity.
But you have the ultimate defense! No, not the FLU_SHOT+
program.
FULL AND ADEQUATE BACKUPS!
There are a variety of very good backup programs which can save
you more work than you can imagine. I use the FASTBACK+ program,
which is a great little program. I backup 30Megs once in a
while, and do an incremental backup on a very frequent basis.
There are a variety of very good commercial, public domain, and
shareware backup programs out there. Use them! Because, no
matter what software protection you use, somebody will find a way
around it once day. But they can't find a way around your
backups. And, if you (and everyone else) do regular backups,
you'll remove the only joy in life these worms have. They'll
kill themselves, hopefully, and an entire subspecies will be
wiped out -- and you'll be partially responsible!
My advance thanks for helping to exterminate these little
slimebuckets. But that brings me to something else.
32
Reward Offered
Somebody out there knows who the worms are. Even they must have
someone who is a friend. True, I can't think of any reason
someone would befriend a worm. But somebody who doesn't know
better has.
Well, I'm offering a reward for the capture and conviction of
these worms.
Enough already with software protection schemes, hardware
protection schemes, or any protection at all. It shouldn't be
required, dammit!
Here's the deal:
In this archive is a form called REWARD.FRM. If you're a
software or hardware manufacturer, or you have some software or
hardware you don't need, consider filling out that form, and
donating it to a worthy cause. I don't know what the legal and
tax ramifications of that donation would be. I'm not a lawyer
and we can cross that bridge when we get to it.
Anyway, if you know one of these worms, turn them in! Call me
up, send me a letter, a telegram, or leave a message for me on my
BBS. Indicate who you *know* is worming about. I'll keep your
name confidential.
It is surprisingly easy to get the authorities in on this --
they're as concerned about what is happening to our community as
we are. I'll presume that they'll end up putting a data tap on
the phone line of the accused worm. Then, when he next uploads a
Trojan or a virus to a BBS, he'll get nailed. The authorities
are pretty good about this stuff: they'll not tap a phone or take
any action whatsoever without adequate proof. Will your dropping
a dime on this worm be adequate proof? I don't know. Again, a
bridge to cross when we approach it.
However, assuming that this slimeball gets nailed, you'll get all
of the software and hardware which other people have donated. And
the satisfaction of knowing that you've done a Good Thing, that
you've helped an industry and community continue to grow. This
*is* your community, and the vast majority of people in it are
good people who shouldn't have to fear from your friend. Your
friend is not really a friend: he uses you to justify his own
existence. When someone uses you like that, they're not a
friend, they're a leach. And you've probably got better things
to do then let somebody use you like that.
Most importantly, the worm out there won't know if one of his
friends has already turned him in. So he won't know if his phone
is tapped. If *I* were a worm, and considering what kind of
friends I would have, I'd be sure that somebody dropped a dime on
me. And therefore an intelligent worm (perhaps I'm giving the
worm too much credit?) must presume that their line is tapped and
33
that they're gonna go to jail if they continue what they're
doing.
So just stop, you miserable little lowlife, huh? You're going to
be arrested. You're going to have to put up with indignities
which even you don't deserve! Your equipment will be
confiscated. You'll never get a job in the industry. You're
going to go to jail.
All because one of your friend's actually has a conscience and
knows what is right and what is wrong. And what you're doing is
wrong.
So, let me get back to the kind of programming I enjoy --
productive programming. And turn your programming to useful,
interesting, and productive programming. You have the talent to
do something useful and good with your life. What you're doing
is hurting the industry and hurting the community which would
welcome someone with your talents with open arms.
And the satisfaction of helping far surpasses the satisfaction
you must get from hurting innocent people.
So just stop.
Sincerely, Ross M. Greenberg
34
APPENDIX A: Common Questions and Their Answers:
Q: Why does FLU_SHOT+ not work with programs that use graphics
capabilities, such as Microsoft EXCEL?
A: FLU_SHOT+ is a TSR program, and uses up memory on your
computer even when there is no suspicious action taking
place. When such an action occurs, the current screen must
be saved to bring up the trigger window. In graphics mode,
this requires a great deal of memory to be set aside, and so
we considered it not worth the loss of memory
Q: So, then, what can I do if I use such graphics programs?
A: Try using the '-B' switch. You might lose a portion of your
screen, but you'll be able to see what is causing the trigger
to occur.
Q: Certain programs lock up when FLU_SHOT+ triggers -- I have to
reboot the system. What can I do?
A: Try resetting the Action Keys (with the -Kxx:yy option).
Chances are that your program is taking over the keyboard and
not passing keys over to FLU_SHOT+. You'll have to
experiment around with keys until you find a set that works.
Q: Certain programs, like WORDPERFECT, use temporary work files,
and then delete them with a call that triggers FLU_SHOT+.
What can I do?
A: Try excluding the class of files causing the trigger with the
'E=' option in your FLUSHOT.DAT file. Look for the pattern
of the target filenames in the trigger window, and then
install a line into FLUSHOT.DAT that corresponds to it. Or,
you could exclude that particular directory if you wish.
Q: Every time I run a program like "PRINT", I get a lot of Direct
Disk Access messages from FLU_SHOT+. Does this mean that
PRINT (for example) is infected with a virus?
A: Not at all! PRINT is a TSR, which means that a portion of it
stays around after you get back your C:> prompt. Part of
that TSR takes over the Direct Disk Access Interrupts.
Therefore, whenever even a legitimate program makes a call to
do a legitimate disk operation, it appears to come from some
program other than the DOS operating system. Try putting
your PRINT (or other trusted TSR) command before the call to
FLU_SHOT+ in your AUTOEXEC.BAT file. This should solve the
problem.
35
Q: Will FLU_SHOT+ tell me if I have a virus on my disk and will
it remove a virus if found?
A: Nope. FLU_SHOT+ will check that files are what they appear to
be when you run them, if you wish. And, it will interrupt
the type of suspicious activity associated with a virus
attack. At that point, you have to consider whether or not
the program you're running is a virus or not, and take
appropriate action if it is.
Q: What kind of appropriate action?
A: First thing to do would be to load a new copy of that program
from your original distribution disk. Try using the program
again. If the trigger window pops up, then chances are the
program is violating one of the rules in your FLUSHOT.DAT
file, but isn't a virus. Change your FLUSHOT.DAT to reflect
whatever exceptions are needed to cause this program to no
longer trigger.
Q: What precautions should I take when reloading a program from
my original distribution disks?
A: You should power off your computer for about ten seconds.
Reboot with a clean, write-protected copy (stick a piece of
black tape over the write enable notch on the disk) in your
A: drive. Then, do a "SYS" onto your hard disk to play it
safe (see the DOS manuals for an explanation of what SYS does
and how to use it), then reinstall your software.
Q: I see a lot of copies of FLU_SHOT+ on the Bulletin Board
Systems I use. Are they the same as this version?
A: You'll have to check the version number to make sure -- but
there's no guarantee that the version you see out on a BBS is
going to be a clean copy of FLU_SHOT+ (unless you get it from
one of the BBS's the author uploaded it to himself). The
commercial releases have an installation program to aid you
your installing FLU_SHOT+ and have a printed manual.
Q: May I distribute this copy of the program onto BBS systems?
A: You may only distribute the .ARC file on the Distribution
Disk to BBS systems. Without any changes. If you distribute
any other files from that disk, you will be in violation of
copyright law -- and that's a federal offense!
Q: If I get a virus, what should I do with the infected program?
A: If you like, make a copy of the infected program and send it
to us so we can examine it and determine, if possible, who
might have released it and have them prosecuted. Otherwise,
simply delete the infected program - a deleted virus can hurt
no one.
36
Q: I'm interested in seeing what a virus is. Can you send me
one?
A: Sorry, we can't do that. Aside from the ethics of releasing
a virus to an unknown person (even if a customer!), there are
now some laws on the books making distribution of a virus a
federal offense.
Q: I ran out of space in my FLUSHOT.DAT file. Can I expand it
out at all?
A: Nope. It's of a fixed size in this release of FLU_SHOT+.
There's a big brother of FLU_SHOT+, called FLU_SHOT++, which
provides for an unlimited size for your Protections File.
Send in the card for more information on FLU_SHOT++ and the
additional protections it affords.
Q: Will FLU_SHOT+ stop every virus out there?
A: No. No software product can stop every virus attack, since
there are a variety of ways a virus can attack your system
and get around FLU_SHOT+'s protection mechanisms. However,
no virus can infect a program and not change the checksum of
the program. Therefore, use the C= option in your
FLUSHOT.DAT Protections File on all the programs you run.
That way, you'll know if the program you're running has
become infected since the last time you ran it.
Q: ????
A: 42
37
APPENDIX B: How Does A Virus Work?
A computer virus is actually a very simple program to write.
First, a little bit of terminology can help understand what they
are:
A computer virus has a number of different parts. First, some
viruses (some people consider the plural of 'virus' to be 'virii'
-- I don't) have what is called a 'pre-trigger'. If the pre-
trigger does not go off, then the infected program will work
normally, as if not infected. What makes a pre-trigger go off?
Almost anything the virus writer wants. It can be made to go off
when the disk is more than a certain amount full, or when more
than a certain amount of memory is in use by your programs. Or,
perhaps, when a certain date comes or has past. Or, if a certain
program exists on your hard disk. Fancifully speaking, it could
be set to go off on the correct phase of the moon.
Once the pre-trigger goes off (not many viruses have them, by the
way), the next phase, the 'replication aspect' phase, gets
initiated. Viruses seem to come in two flavors: the transient
virus, which is only active when you're running your code, and
the Terminate and Stay Resident kind, which stay active from the
time initiated until you reboot your computer. There's a third
kind, called a 'boot sector' virus, but that'll be discussed
below.
When you invoke a program, infected or not, your computer will
read the image of the program from the disk into the computers
memory, do a little bit of futzing with the program (if it's an
program, letting the program tell it what to do from that point
onwards. The computer's operating system, in this case MS-DOS,
is really stupid: it gives total control to the running program
from that moment until the program exits and you get back to your
command line prompt.
When you invoke an infected program, it is run just as any other
program. The virus portion of that program will typically be run
first. After passing the pre-trigger (if any), the replication
aspect will consider what types of files to infect. For the
standard transient virus, this usually means that a given
directory will have one or more of its .COM or .EXE files
infected. Some viruses will infect only one program each time
they are run, some will infect many. It's up to the virus
writer. Each virus has some characteristic about it which is
unique, and often the virus writer will examine the target .COM
or .EXE file for this characteristic to see if the target program
is already infected. If it is, then the program will be passed
over and the next one examined and potentially infected.
Since the computer simply passes control onto the program once it
is loaded into memory, and then basically forgets about it, if
the first few instructions of the program can be changed to cause
the computer to execute some new instructions, it will blindly do
38
so. And that's what a virus does. It takes the first few
instructions of the program, saves them someplace, and replaces
those instructions with a call to jump to the virus code. When
the virus infected program executes later, it will first run the
virus code, then restore the original code (unless the virus
"goes off", discussed below), and finally will jump to the
beginning of the reconstructed program. The infected program
executes as if nothing had happened at all.
So, when a virus goes to infect another program, it must add code
to it. And, must replace at least a few instructions, at least
temporarily, with some of its own.
Typically, a virus will add to the end of a program, although not
all viruses work that way.
This is how almost all transient viruses work.
Another, more sophisticated virus, is called the "TSR virus".
This infects a program similarly to the transient virus, but its
"action" involves leaving a little piece of itself behind (those
in the anti-virus field seem to always call that small part left
behind the "worm trail", or the "slime"). This piece becomes an
active, and permanent, part of your computers operating system.
Typically, it will look for instructions your computer sends in
response to you entering a run command. When you do, it infects
the program you've requested to run before it is actually
executed, then executes it.
Going back to the phases, the third phase is called the "trigger
aspect". Like the pre-trigger, it depends on how devious the
virus writer is when he or she creates the trigger, and can go
off on just about anything.
When it goes off, the final (and most dangerous) phase of the
virus is reached: the "Trojan aspect". This is the part that
deletes files, trashes your hard disk, or otherwise makes your
life miserable.
And, that's all there is a virus. An ingenious little piece of
code. Written by a warped person. Who could spend their time
better if they spent it doing something constructive instead of
destructive. We already know that, of course. When they mature a
bit, hopefully they'll find that out. Before they've hurt anyone
else.
Oh! Almost forgot about Boot Sector Viruses. Here goes:
When you turn your computer on, a small program is run before
anything else. That's called the Boot Sector, and it loads up
some of the important stuff you need to have on your computer in
order for it work. Little things, like the operating system.
Without the operating system (MS-DOS), your computer is an
expensive paperweight. Without the Boot Sector, and the program
thereon, you have an expensive paperweight with an inoperable
39
operating system on it.
A Boot Sector Virus replaces the current boot program with
itself, and sticks the original boot sector onto an unused
portion of your disk. After the Boot Sector Virus has run,
leaving behind a sleazy little worm trail of its own, it will
execute the original boot program. You'll have an infected
system even before an anti-virus program is run!
When you access some other disk, the worm trail of the Boot
Sector Virus will examine the boot sector of that disk. If not
infected, it will infect it. Very simple. And the infected
diskette waits for you to pass it on to one of your friends, who
will then (by booting on that disk) infect their own drive. And
so. The moral here: never boot up your system on anyone else's
disk and you'll be a much happier person.
40
