CD-ROM Aktief 1995 #3

home *** CD-ROM | disk | FTP | other *** search

/ CD-ROM Aktief 1995 #3 / CDA3.iso / virus / vds30r.zip / VDS.DOC < prev next >

Wrap

Text File | 1994-12-19 | 111KB | 2,128 lines

V D S VIRUS DETECTION SYSTEM Professional Version 3.0 Copyright (c) 1992-1994 by VDS Advanced Research Group All Rights Reserved December 1994 WARNING THIS SOFTWARE AND MANUAL ARE BOTH PROTECTED BY U.S. COPYRIGHT LAW (TITLE 17 UNITED STATES CODE). UNAUTHORIZED REPRODUCTION AND/OR SALES MAY RESULT IN IMPRISONMENT OF UP TO ONE YEAR AND FINES OF UP TO $10,000 (17 USC 506). COPYRIGHT INFRINGERS MAY ALSO BE SUBJECT TO CIVIL LIABILITY. DISCLAIMER The developers of VDS make no warranty of any kind, either express or implied, with respect to this software and accompanying documentation. In no event shall the developers be liable for any damages arising out of the use of or inability to use the included programs. The entire risk as to the results and performance of this software package is assumed by the customer. We specifically disclaim any implied warranties of merchantability or fitness for any purpose. Use at your own risk. The developers of VDS reserve the right to revise the software and accompanying documentation and to make changes in the contents without obligation to notify any person of such revision or changes. ACKNOWLEDGEMENTS We would like to thank a few people who helped us test and improve all or parts of VDS. Specifically, Mike, Henri Delger, Paul Ferguson, Vesselin Bontchev, Ahmed Yahya, Bill Whittington, Daniel Perez, and Bill Lambdin. TABLE OF CONTENTS I. INTRODUCTION. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 A. Background . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1. Do you need anti-viral programs?. . . . . . . . . . . . . . 1 2. Will scanners protect me? . . . . . . . . . . . . . . . . . 1 3. How is VDS different? . . . . . . . . . . . . . . . . . . . 1 B. What is VDS? . . . . . . . . . . . . . . . . . . . . . . . . . . 1 C. Why VDS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 D. Components of VDS. . . . . . . . . . . . . . . . . . . . . . . . 3 E. Technical Help . . . . . . . . . . . . . . . . . . . . . . . . . 4 II. SYSTEM REQUIREMENTS. . . . . . . . . . . . . . . . . . . . . . . . . 5 A. Hardware & Software. . . . . . . . . . . . . . . . . . . . . . . 5 III. INSTALLATION. . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 A. INSTALL command line options . . . . . . . . . . . . . . . . . . 6 B. Installing VDS . . . . . . . . . . . . . . . . . . . . . . . . . 6 1. Express Setup:. . . . . . . . . . . . . . . . . . . . . . . 7 2. Custom Setup: . . . . . . . . . . . . . . . . . . . . . . . 7 C. Uninstalling VDS . . . . . . . . . . . . . . . . . . . . . . . . 8 IV. OPERATION of VDS . . . . . . . . . . . . . . . . . . . . . . . . . . 9 A. Operational Cycle. . . . . . . . . . . . . . . . . . . . . . . . 9 B. How does VDS work. . . . . . . . . . . . . . . . . . . . . . . . 9 1. VDS command line options. . . . . . . . . . . . . . . . . . 11 2. Configuration (VDSPRO30.INI) file . . . . . . . . . . . . . 12 C. VDS as a scanner . . . . . . . . . . . . . . . . . . . . . . . . 14 1. DUMPSIG and external virus signatures . . . . . . . . . . . 14 D. VDS Device Driver. . . . . . . . . . . . . . . . . . . . . . . . 16 E. VDSTSR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 F. VDSFSCAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 1. Command line options. . . . . . . . . . . . . . . . . . . . 18 G. VFSLITE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 1. Options and default settings. . . . . . . . . . . . . . . . 19 2. Configuration (VDSFSCAN.INI) file . . . . . . . . . . . . . 19 3. Command line options. . . . . . . . . . . . . . . . . . . . 21 4. DOS errorlevels returned. . . . . . . . . . . . . . . . . . 23 5. Differences between VDSFSCAN and VFSLITE options. . . . . . 23 H. How to use VITALFIX. . . . . . . . . . . . . . . . . . . . . . . 24 1. Command line options. . . . . . . . . . . . . . . . . . . . 24 I. Scenarios and Messages . . . . . . . . . . . . . . . . . . . . . 25 J. Common Questions and Answers . . . . . . . . . . . . . . . . . . 26 K. Known Problems and Conflicts . . . . . . . . . . . . . . . . . . 30 V. VIRUS ATTACK METHODS. . . . . . . . . . . . . . . . . . . . . . . . . 31 A. Virus defined. . . . . . . . . . . . . . . . . . . . . . . . . . 31 B. Features of PC Viruses . . . . . . . . . . . . . . . . . . . . . 31 1. Stealth Virus . . . . . . . . . . . . . . . . . . . . . . . 31 2. Dumb Virus. . . . . . . . . . . . . . . . . . . . . . . . . 31 3. Encryptive Virus. . . . . . . . . . . . . . . . . . . . . . 31 4. Polymorphic Virus . . . . . . . . . . . . . . . . . . . . . 31 C. Types of PC Viruses. . . . . . . . . . . . . . . . . . . . . . . 32 1. MBR/BR Virus. . . . . . . . . . . . . . . . . . . . . . . . 32 2. Program Infector. . . . . . . . . . . . . . . . . . . . . . 32 a. Simple Infector. . . . . . . . . . . . . . . . . . . . 32 b. Companion Virus. . . . . . . . . . . . . . . . . . . . 32 c. System Infector. . . . . . . . . . . . . . . . . . . . 32 3. Multi-partite Virus . . . . . . . . . . . . . . . . . . . . 33 D. Some facts about viruses . . . . . . . . . . . . . . . . . . . . 33 VI. PARTITION/BOOT SECTOR INFECTIONS . . . . . . . . . . . . . . . . . . 34 A. Preliminary information. . . . . . . . . . . . . . . . . . . . . 34 B. How to recover with RESTORE option . . . . . . . . . . . . . . . 37 C. Manual Recovery Procedure. . . . . . . . . . . . . . . . . . . . 37 VII. HOW TO DEAL WITH VIRUSES. . . . . . . . . . . . . . . . . . . . . . 41 A. Recommended Guidelines . . . . . . . . . . . . . . . . . . . . . 41 I. INTRODUCTION A. Background 1. Do you need anti-viral programs? If someone had asked us this question five years ago, we would have probably said, "Yes, but if you're careful, only use diskettes from the factory, and don't use diskettes from other people, then you can probably get away without one." Unfortunately, the same is not true today. During the past few years we have seen an increase in the number of viruses from a few dozen to over 3000, and many of the new viruses are becoming more sophisticated. In addition, almost every major business that uses microcomputers has experienced a virus infection on some scale. Even some shrink-wrapped software from major software developers has been infected. It is just too much of a gamble not to have anti-virus protection these days. 2. Will scanners protect me? While there are many anti-viral products on the market, the PC world has yet to see a comprehensive solution based on both scientific analysis and the use of sophisticated techniques. A common feature shared by most anti-viral programs known as scanners is their pattern searching approach. They simply look for a sequence of identifying bytes (not necessarily consecutive) inside existing executable code such as that contained in program files and boot sectors. This approach works quite well for many viruses. The trouble is that a pattern searching approach requires fore-knowledge of specific viruses and their identifiers. This means that they are useless against new, unknown viruses. In addition, new viruses which mutate upon each infection have been developed. They make extraction of an easily discernible search pattern impossible. 3. How is VDS different? VDS Advanced Research Group would like to shift the focus from simple pattern matching to one of analyzing viral behavior. In this way, rather than keeping the market alive through forcing users to upgrade frequently as others have done, we can instead offer a more comprehensive solution. If others had taken this approach, computer viruses may have been less of a threat than they certainly are today. You must remember that scanners were first developed by well-meaning hackers who lacked a clear, long-term perspective in this matter. It was the most obvious and easiest thing to do at the time and scanners became popular over time. VDS (Virus Detection System) was developed in reaction to the limitations of existing anti-viral programs. Due to the large number of ways that viruses can exploit the DOS environment, the anti-viral methods employed in practice are often ad hoc and cannot easily be formalized. VDS makes a judicious choice of systematic approaches towards the detection of viruses. It uses sophisticated techniques to detect most possible viruses in the DOS environment. If you are faced with the problem of recurring virus infections, or have data that just cannot be replaced without significant loss, you are invited to try VDS on your system. VDS ensures easy detection and eradication with little user intervention. With VDS in place, viruses cease to be an impediment to productivity. B. What is VDS? VDS is a set of programs designed to contain the spread of computer viruses that target PCs running MS/PC DOS 3.0 or above. VDS works by providing early detection and quick recovery. The operation of VDS is not virus-specific. In addition, the current implementation does not rely on a memory-resident program which degrades the performance of your computer by verifying programs every time they are run; however, an independent memory-resident scanner is also provided. VDS installs itself on your system using a special process which checks first for known viruses, and then creates a fingerprint of all system areas and executable files. From then on, VDS will thoroughly check the system at scheduled intervals and will notify you of any suspicious modifications detected regardless of whether the virus is a known variant or a new virus altogether. C. Why VDS? - It is NOT virus-specific. - It does NOT need frequent upgrades. - It does NOT require much user expertise. - It is NOT a TSR (i.e. memory resident) with possible conflicts. This also means that it does not use up precious RAM. The An optional TSR module is provided. - It maintains an audit log to pinpoint how a virus entered the system. - It can use an external virus signature database for easy updates. - It works even when a stealth virus is ACTIVE in memory. - It can handle any size DOS disk. - It is compatible with DOS 3.0 and above. - It supports MS Windows 3.x. - It can CAPTURE some memory-resident viruses to speed up diagnosis. - It can recover a damaged partition table easily. - It can fix an infected boot sector on the fly. - It is blazingly FAST. - It includes an automated boot sector recovery tool. - It works on Novell Netware, Banyan, and Lantastic network drives. - It can usually HEAL itself even when infected. - It automatically updates the baseline database after additions/deletions. - It can identify most common viruses by name. - It can be set to run based on a user-defined schedule. - It can remove most known and unknown viruses generically. - It can create an emergency diskette for extra safety. - It sports a very intuitive object-oriented user interface. - It includes a robust integrity checker for ultimate defense against viruses. D. Components of VDS VDS package includes the following components: VDS.EXE An integrity checker that creates a fingerprint database for possible virus targets (programs, boot sectors) and verifies them later for suspicious modifications. In the case of such modifications, the integrity checker offers to restore the affected areas to their original state by using generic disinfection techniques, and backups (for system areas). If the restoration attempt fails, the integrity checker informs the user and requests permission to remove the damaged object by deletion. For example, some overwriting viruses do not preserve the functionality of their victims. To be able to restore such programs, one needs to use the original copies or good backups. In 95% of the cases that involve a virus that can successfully spread, restoration by generic disinfection is possible, and guarantees 100% recovery. Viruses that corrupt the operation of their victims get noticed easily and do not tend to get too far. VDSFSCAN.EXE A known and heuristic virus scanner that searches for patterns or code sequences and uses advanced algorithms to identify polymorphic and simple viruses inside executable code such as program files and boot sectors. It can also use a user-defined signature file to permit the addition of newly discovered viruses. VDSTSR.EXE A memory-resident (TSR) program that searches programs before they are run or optionally before they are copied. It also examines the boot sector of a floppy diskette that may have been left in drive A: before warmboot attempts. What's more, it can scan programs being unzipped or de-archived by a compression utility regardless of the version or the maker of such software. In other words, you do not need to update the TSR just because you decided to use a newer release of your favorite file compression utility. It also provides mechanisms to render some stealth viruses inoperable. ISVDSTSR.COM A small (17 bytes) program that sets the DOS errorlevel to indicate the presence of the TSR component in memory. The purpose of this program is to allow system administrators in networked environments to enforce loading TSR anti-virus protection on workstations before they are permitted to access programs on a file server. DUMPSIG.EXE A virus signature extraction utility. It is useful when you need to add an external signature. VITALFIX.EXE A disk repair utility designed specifically to deal with boot sector infections. It provides the user with various options to eradicate a possible virus, to save and to restore important system information such as the partition table, and to search disks for a possibly relocated copy of the boot sector. It is much safer to use this utility than other disk sector editors since it performs sanity checks before overwriting important sectors on a hard drive. INSTALL.EXE An installation program that automates loading VDS on local and on network drives. It prepares an emergency diskette for your computer so that you can check and restore system areas and program files after booting from a clean floppy diskette. This emergency diskette is formatted as a bootable DOS diskette and the required VDS components and fingerprint and recovery information are copied over. VDSCATCH.BIN A device driver that implements several anti-stealth features and aids VDS integrity checker in maintaining reliable operation even when a stealth virus is active in memory. It also prohibits direct writes to the master and DOS boot sectors as well as low-level format attempts. E. Technical Help If you need technical assistance or have any questions, you can call VDS-BBS at (717) 846-3873. Please set your communications parameters to 8,N,1. Modem speeds up to 28.8K V.FC are supported. If you are a registered user, you can also download the latest virus scan strings from the VDS-BBS. There is also an area on the BBS to upload suspected files for analysis. II. SYSTEM REQUIREMENTS A. Hardware & Software VDS has the following minimum requirements and limitations to operate correctly: An IBM PC or compatible computer MS/PC-DOS 3.0 or higher 384K of available memory A hard drive (necessary only for integrity checks) Up to 4000 program files per integrity database (16000 if 192K of extended memory is available) Up to 32 integrity databases per catalog In addition, VDSTSR takes up about 30K of memory when loaded. It can be loaded into upper memory area under DOS 5.0 or later. VDSCATCH.BIN device driver takes up about 300 bytes, and it can also be loaded high. Some systems utilize disk compression software to increases the storage capacity of drives by compressing and decompressing data on the fly. On such systems, you must have the necessary device drivers loaded before VDS. MS-DOS 6.x now includes this optional feature by providing the DoubleSpace interface. The operation of DoubleSpace is well-integrated into DOS, and works in a transparent manner. VDS is tested and found to work as expected on drives compressed using DoubleSpace. III. INSTALLATION A. INSTALL command line options Here is the INSTALL command line options that you can use to set up VDS. INSTALL.EXE [{-|/}BDEH?MNRUXH] [src_path] [dest_path] -Debug Instruct VDS to create a debug trace. -Banyan Install on a Banyan server. -M Use monochrome screen attributes. -Help or ? To see the command line options with examples. -Emergency <path> Prepare an emergency diskette. -Xpress Install with default values. -Uninstall <path> Remove VDS from the given directory. -Refresh <path> Update the VDS emergency diskette for new files -Network <src> <dest> Install VDS from the server directory src to the workstation. The .INI files in the src directory will be copied over to the dest directory. B. Installing VDS on a hard drive You will need your bootable DOS diskette (preferably the original), VDS Distribution diskette, and at least one blank floppy diskette that can go in your drive A: for installation. The blank diskette will be formatted and prepared as a bootable DOS diskette by VDS. The emergency diskette will be used in the case of infections that affect the master boot/partition sector (if VDS cannot repair it on the fly). The floppy restoration process requires you to use this VDS emergency diskette. Some computers have a boot sequence setting in CMOS that allows booting from the hard disk even if there is a floppy diskette in drive A:. Before starting the installation, please change this setting to boot from drive A:. Here are the steps you should follow for proper installation: 1) Turn the computer off (NOTE: It is very important that you do not perform a warmboot by holding down Ctrl-Alt-Del keys since a virus can fake a warmboot and stay in memory). 2) Put the DOS diskette in drive A: (NOTE: The version of DOS on the floppy diskette must be the same as the one installed on your hard drive). Turn the computer on. It should boot from the floppy diskette. 3) If the boot was successful, you should now see the A:> prompt. If the system asks you for time and date, just press Enter until you are at the A:> prompt. 4) Remove the DOS diskette and replace it with the VDS distribution diskette. 5) Type A:INSTALL and press Enter. * INSTALL will now complete the installation process by asking you a few questions. 6) You will see two options: Express setup and custom setup. If you press the Enter key, INSTALL will use the default settings to configure the operation of VDS. Custom setup allows you to modify many parameters to suit your needs. * If you have chosen Custom setup, please skip to the next section. 1. Express Setup: 7) A configuration file will be created and the necessary files will be transferred to the hard disk in C:\VDSPRO30 directory. 8) If this is the first time you are installing VDS on your computer, INSTALL will modify your AUTOEXEC.BAT and CONFIG.SYS to add the lines needed to load, VDSCATCH.BIN, VDSTSR.EXE and run VDS.EXE every time you reboot the computer. VDSCATCH.BIN takes up a few hundred bytes. 9) You will next see the list of files on the hard drive scroll by as VDS scans for infections and creates the baseline profile of all executable files on the disk. There should be lots of disk activity. If VDS finds that there are infected files, you will be asked if VDS should remove them. 10) INSTALL will ask you if you would like to prepare an emergency diskette. Put a blank diskette in drive A:. MAKE SURE YOU DO NOT HAVE ANYTHING YOU NEED ON THIS DISKETTE. It will be formatted as a bootable diskette. INSTALL will copy fingerprint databases and the VDS programs to the emergency diskette. 11) INSTALL will ask you if you wish to view a tutorial to become familiar with the operation of VDS. If you answer Yes, you will see a few pages of explanation. 12) You can write-protect the emergency diskette at this time and store it in a convenient location. INSTALL will inform you that the computer will restart, please remove any floppy diskettes and then press a key. If VDS is installed correctly, you will see it verify the complete system after the computer boots up. This completes the install process (if you enabled floppy booting in CMOS, you can change it back to the hard disk). 2. Custom Setup: 7) INSTALL will ask you for the location of VDS distribution files and the home directory for VDS. If the home directory does not exist, INSTALL will ask you if you wish to create it. Type in the desired location where VDS should be installed. A configuration file will be created and the necessary files will be transferred to the hard disk in the directory you have specified. 8) If this is the first time you are installing VDS on your computer, INSTALL will ask you if it should modify your AUTOEXEC.BAT and CONFIG.SYS to add the necessary lines to load VDSCATCH.BIN, VDSTSR.EXE and run VDS.EXE every time you reboot the computer. VDSCATCH.BIN takes up a few hundred bytes. Your original AUTOEXEC.BAT will be saved in AUTOEXEC.VDS, and the original CONFIG.SYS will be saved in CONFIG.VDS. 9) INSTALL will ask you which drives you wish to protect. You should pick drive C: and any other drives you wish to protect. For each drive you picked, you will see the list of files on the hard drive scroll by as VDS scans for infections and creates the baseline profile of all executable files on the disk. There should be lots of disk activity. If VDS finds that there are infected files, you will be asked if VDS should remove them. 10) INSTALL will ask you if you would like to prepare an emergency diskette. Put a blank diskette in drive A:. MAKE SURE YOU DO NOT HAVE ANYTHING YOU NEED ON THIS DISKETTE. It will be formatted as a bootable diskette. INSTALL will copy fingerprint databases and the VDS programs to the emergency diskette. 11) INSTALL will ask you if you wish to view a tutorial to become familiar with the operation of VDS. If you answer Yes, you will see a few pages of explanation. 12) You can write-protect the emergency diskette at this time and store it in a convenient location. INSTALL will inform you that the computer will restart, please remove any floppy diskettes and then press a key. If VDS is installed correctly, you will see it verify the complete system. This completes the install process (if you enabled floppy booting in CMOS, you can change it back to the hard disk). C. Uninstalling VDS You can remove VDS from your hard drive by running the INSTALL program with the -Uninstall command line option: C:\> C:\VDSPRO30\INSTALL -U C:\VDSPRO30 <enter> If you have performed a custom setup and specified a different directory name, then you should substitute that name in the line above. INSTALL checks to see if there were other files in the directory before VDS was installed. If there were not any, it removes all the files in VDSPRO30 directory, and then the directory itself. If there were other files, it displays a warning message and aborts without removing any files. It is up to you to delete or keep any of those files. You need to perform a "manual" uninstall. Since VDS keeps almost all of its files in its own directory, removal is a simple procedure. You should also edit your CONFIG.SYS and AUTOEXEC.BAT to remove the lines loading VDS components. Your original CONFIG.SYS is renamed to CONFIG.VDS, and the original AUTOEXEC.BAT is renamed to AUTOEXEC.VDS during installation. You could use them as well; however, if you have installed any other programs after VDS, then they might have modified your AUTOEXEC.BAT. Be careful before you copy over the CONFIG.VDS and AUTOEXEC.VDS if that is the case. IV. OPERATION of VDS A. Operational Cycle After VDS has been installed on a known-to-be-clean system, a complete verification of the system areas is done each time the machine is started. A daily check of the entire hard disk will also be done, unless you have selected a specific frequency in which case a complete check will only be performed when the time period has elapsed. For best results, VDS should be run from the AUTOEXEC.BAT. It can also be run, just like any other program, at the user's discretion. The periodic checking requires a computer with a real-time clock that can keep track of date even after the computer is turned off. Most systems have this capability. On older machines without a real-time clock, the frequency of checks cannot be specified. The VDSTSR module provides users with the ability to scan programs before they are run or copied. Once loaded, the user does not need to specify which files to scan every time. VDSTSR will intercept requests to execute a program and will search for known viruses. If it finds an infection, it will post a simple warning message and prevent execution or copying of the infected file. VDSTSR also traps warmboot attempts (CTRL-ALT-DEL) and scans the boot sector of the floppy disk in drive A: if one is present. This prevents spread of common boot sector infectors such as Stoned and Michelangelo. B. How does VDS work? The first time VDS is installed, a baseline for all executable files and the system areas such as the master boot record (MBR), partition table, and the boot record (BR) is established. A unique signature is computed for all executable objects on the disk. File name, size, date, time and signature are combined to initialize the records in the database. A similar authentication scheme is also used for the VDS program itself. The MBR, partition table, boot sector, command interpreter, VDSCATCH.BIN, VDSTSR.EXE and VDS.EXE are backed up. The backups will be used if these areas need to be recovered. When VDS is run, it verifies the integrity of its own code. If it finds that no tampering has taken place, VDS introduces decoys (small executable programs created at run-time) to the system to see if an active virus will take the bait. Under normal circumstances, there is no legitimate reason why these decoys should be altered by any program. If the decoys are attacked, this indicates the presence of a virus with great accuracy. If an active virus is detected with this technique, VDS will tell you whether the attacker was of STEALTH or DUMB variety. If the modifications are masked by the virus, it is considered to be STEALTH, and DUMB otherwise. VDS uses a proprietary verification mechanism to detect if the virus attempted to mask the modifications it has made. Some viruses do not fall for decoys that easily. In fact, only memory-resident program infecting viruses will attack decoys. VDS uses different techniques to catch other types of viruses not caught by decoys. However, those viruses which do attack the decoys will be captured and placed in either POV.CCC or POV.XXX (an acronym for Prisoner Of VDS) depending on which decoy(s) they attack. POV files can later be used to analyze the captured intruder, or for legal purposes. The reason for the strange extensions (XXX instead of EXE and CCC instead of COM) is to prevent someone from accidentally activating the virus by executing the POV files. If you capture an intruder, please mail it to us on a diskette for interrogation, i.e. examination! This will allow us to keep track of what viruses are in the wild, and which areas are affected by certain viruses. You will have an opportunity to place the captured intruder in a file of your choosing, preferably on a floppy diskette so that you can maintain it for further evaluation on a test system without any further risk to the computer on which the virus was found. The captured intruder also makes it simple to extract a scan string if it turns out to be a new virus not identified by VDS. You can then put the extracted scan string into an external signature database and search for it on your other disks as well. VDS will verify the system areas and all executable files. It will generate a report of modified files and newly added files since the last time VDS was run. The user is given an opportunity to override any alarms that may be set off. If you have added new files to the machine, then VDS will scan each file for known viruses, and if clean, will ask you if you want to add the file's signature to the database. If any changes in the form of infection, software configuration or addition of files are encountered, VDS records them in VDS-STAT.LOG file in the C:\VDSPRO30 directory. This is an ASCII text file and can be printed or viewed easily. It contains a date and time line showing when VDS was run. It is very useful to check this log when an infection is discovered to find out how the virus was most likely introduced to the system. If suspicious modifications appear, VDS attempts to identify any virus(es) that may be responsible for the changes. A report of all identified viruses and the victims affected as well as the date and time of operation will be appended to VDS-STAT.LOG file. VDS looks for known viruses in all newly added files to provide early identification of viruses introduced to the system. If no known viruses are identified, then the names of scanned files will be written to VDS-STAT.LOG. If a file is determined to be modified, the user will be given a chance to restore it. If the restoration attempt fails, then you will be able to positively erase it. Positive erase means that the file will be overwritten to the end of the last cluster it occupies and then deleted. This operation is necessary since DOS leaves the contents of erased files intact allowing them to be recovered by a disk utility program. VDS prevents infected files from being recovered if you allow VDS to erase them. The user can examine reported files at his/her discretion, and take whatever action s/he deems necessary. When a possible viral attack is detected, our recommendation is to turn off the computer, boot from a clean write-protected floppy containing the same version of DOS as your computer (preferably the VDS emergency diskette prepared during installation), and replace the suspicious files with the originals. In many cases of actual virus infection, VDS restoration can easily fix program files completely. Note that this generic cleaning approach is very different from virus-specific cleaning. It has the capability to recover even from unknown virus infections. What's more, VDS double-checks to see if the restoration attempt resulted in a full recovery. If not, VDS will warn you about the problem. For most boot sector viruses, VDS will restore the partition or boot sector automatically using the backup it made during installation. This approach effectively takes the guesswork out of MBR/BR recovery. Many other programs look for a relocated MBR in a specific sector on the disk and then assume that they found the original without being certain. In some cases, they cause more damage than the virus could. Not so with VDS. If automatic restoration is not successful, VDS provides a RESTORE option that will repair the partition sector using the backup copy saved on VDS emergency diskette. If you did not prepare an emergency diskette, and the hard disk becomes inaccessible, then you should either use VITALFIX or try a manual recovery. In most cases, an experienced computer user can restore the disk by following the simple instructions which accompany VDS. As we have previously stated, we strongly suggest that you backup your master boot record on a floppy diskette so that your recovery will be simple. You can use VITALFIX to do this for you if you did not choose to backup your MBR and BR during the installation of VDS. 1. VDS command line options Here are the command line options that VDS integrity checker accepts: VDS.EXE [{-|/}BIRDESVY] [Drive: | Path] [{-|/}CX<path>] -Batch Drive: Check the system areas and the files depending on frequency. This option is the default used during Express installation. It must be followed by a drive letter. -Install Drive: Create fingerprint database for the system areas and the files for a given drive. This option is used by INSTALL program to start VDS during installation. It must be followed by a drive letter. -Rescue Use the emergency diskette in drive A: to check the specified drive. -Scan Drive: | Path Scan for viruses on the specified drive or path. -Verify Drive: | Path Perform integrity checks on the specified drive or path. -X<path> Use the specified external signature file, not the default XTERNAL.SIG. -C<path> Use the specified configuration file. -D C: D: Process multiple drives specified by drive letters. -E Use SCSI-compatible code. -Y Create \VDSDEBUG.LOG and report trace of operation. Examples: To check drive C: for modifications using a non-default configuration file, type the following: VDS -V C: -Cc:\integ\vds30.ini To check drive C: using the emergency diskette, type the following: VDS -R C: To scan DOS directory for viruses and use an external signature file, type the following: VDS -S -Xc:\virus\mysigs.txt C:\DOS To scan C: and D: drives for viruses, type the following: VDS -S -D C: D: To perform automatic integrity checks, include the following line in your AUTOEXEC.BAT VDS -B C: 2. Configuration (VDSPRO30.INI) file Many of the operational parameters for VDS are specified in a file named VDSPRO30.INI, which can be found in the VDS home directory. This is a simple text file and it can be viewed or edited easily using an ASCII text editor. Following is an explanation of each line that can be placed in this file. VDS configuration file contains sections marked by certain keywords inside square brackets. Currently, the following sections are supported: [HOMEDIR] [VERIFY] [EXT] [IGNORE_DIR] [IGNORE_FILE] [TREE] [REPORT] [MSG] [FLAGS] Each section has different requirements for the type of information you can enter. The INSTALL program automatically creates an appropriate configuration file for you. If you wish to change certain operational parameters such as the files that should be excluded from integrity checks, you can do so by editing the configuration file with a text editor. Refer to the explanation below for details. ; This configuration file specifies operational parameters for VDS Pro. ; VDS.EXE and the system backup files are located in the following directory. [HOMEDIR] C:\VDSPRO30 ; Integrity database files are located in the following directory. [VERIFY] C:\VDSPRO30 ; Files with the following extensions are processed. Adding ??? forces VDS to scan/check all files. [EXT] SCAN = COM,EXE,SYS,OVL,BOO, VERIFY = COM,EXE,SYS,OVL,BAT, ; Following directories are NOT processed. ; This is useful in development environments where programs are modified. [IGNORE_DIR] ; Following files are NOT processed. ; INSTALL defaults to excluding CONFIG.SYS and AUTOEXEC.BAT. [IGNORE_FILE] C:\CONFIG.SYS C:\AUTOEXEC.BAT ; Directory tree(s) are stored in the following directory. ; If you set it to A: or B:, VDS does not store trees. [TREE] C:\VDSPRO30 ; Messages are written to the following file. ; If you change it to PRN, all messages are sent to the printer. [REPORT] C:\VDSPRO30\VDS-STAT.LOG ; Optional message to be displayed if a virus is found [MSG] Call System Administrator x5112 ASAP! ; Operational flags [FLAGS] ; If you wish to maintain integrity information for data files ; set the QUICK_VERIFY to No. QUICK_VERIFY = Yes ; Look for virus-like code sequences. False positives are likely. HEURISTIC_CHECK = Yes ; Stop if an infected file is found during scan. PAUSE = No ; You can eliminate most of the beeps by setting it to No. BEEP = Yes ; Make sure VDSCATCH.BIN is loaded from your CONFIG.SYS. ANTI_STEALTH = Yes ; If a modified program file is found, you will need to confirm before recovery. AUTO_RESTORE = No ; Default is one complete check per day, and system area checks only any ; other time VDS is run with -Batch option. FREQUENCY = 1 ; ENTER key can be assigned to SCAN or VERIFY a file ENTER_KEY = Scan C. VDS as a scanner VDS integrity checker can serve as an easy-to-use virus scanner that works on DOS-compatible drives, including LAN server drives. It offers two modes of operation: Interactive and command-line. Interactive mode is based on a simple menu system that makes it very easy to access the advanced features of VDS, and it offers context-sensitive help (F1 key). Command-line mode can also be activated from batch files. VDS accepts various options to customize its operation. Once VDS is executed, you can scan multiple diskettes easily. VDS presents a very intuitive object-oriented interface based on simple menus. By picking the object you wish to work on, you can exploit the powerful features of VDS without any need to consult this manual at all. Function keys are assigned to activate certain operations such as scanning and verification. Each operation applies to the object currently selected. You can move between object selections using the up and down arrow keys. Pressing ENTER explores a finer level of detail for the members of the parent object. For example, by highlighting a drive and pressing the ENTER key loads the subdirectories found on that drive. The ESC key will get you out of a menu, or it will ask if you want to stop the search or integrity check operation. The CTRL-BREAK key combination will also result in a prompt asking if you want to stop the operation. We encourage users to start their computer with a clean, write-protected, and bootable DOS system diskette prior to using VDS to ensure that no viruses are active in memory while scanning. Some viruses manipulate file access and try to hide their existence or spread the infection to other programs. Although, VDS will attempt to check for such viruses, the only guaranteed way to do an untampered search is after booting the computer from a clean system diskette. VDS will also check its own program file to make sure it is not modified. If it is modified, it will warn you with a message, and it may abort its operation. VDS tries to ensure that it is unmodified to ensure correct operation. In the case of boot sector infections, VDS will ask you if you would like to remove an identified virus. This option applies to the master boot sector on hard disks and the boot sector on floppy diskettes. You should use the SYS program included with DOS to remove boot sector infectors from the DOS boot record of a hard drive or to keep a system floppy diskette bootable. When VDS removes a virus from the boot sector of a floppy diskette, it constructs a BPB (BIOS Parameter Block) for the diskette and adds instructions to display a message you would get from a non-bootable diskette. In any case, the viral code will be overwritten. In the case of the hard drive master boot sector, VDS keeps the partition table intact and replaces the loader code, again overwriting any viral instructions. It will also attempt to verify that the partition table actually corresponds to the disk layout. 1. DUMPSIG and external virus signatures To facilitate keeping up with new viruses, we have added an external signature capability to VDS. This external file is a simple ASCII text file and can be viewed or edited easily. You can also use the /Vfilename.ext command line option to specify a different path for the external signature file. This file can also be used by VDSFSCAN and VFSLITE. Here is the format you should use to add a virus signature entry in this file: ; This virus is not stealth Disk Muncher ; Seems to infect only COM files COM ; Here is the signature Joe extracted yesterday FA 00 23 75 ?? 33 40 B8 ?? 90 90 90 CD 21 Lines that start with a ; (semi-colon) are treated as comments and ignored. The order of each field is important. In other words, you should place the virus name before its type, and the type before the signature. The signature is assumed to be in hexadecimal. You can use spaces to separate each byte value, or have them in sequence next to each other. The number of bytes in the string must be no more than 16, and no less than 8. Wildcard characters are accepted. To indicate a wildcard byte, simply put ?? in the string. The first byte of the string cannot be a wildcard. The type field can have one of the following values: COM EXE BOTH BOOT FALSE BOTH implies that the virus signature can be found in either COM or EXE files. BOOT indicates that the virus attacks Master or DOS boot sectors. FALSE is used to temporarily deal with false alarms; it refers to the signature extracted from a program file that is known to trigger a false alarm. You should still report any false alarms to us so that we can update the internal signatures. VDS tries to read virus information for each entry. To memory requirements low, only 32 external signatures can be processed. We will usually provide an updated signature file to our customers. In some cases, you may need to add a signature yourself. For example, if a new virus infects your computer and VDS captures a sample for you, then you can extract a signature and put it in the XTERNAL.SIG. In this way you can identify the virus on your disks without upgrading the scanner program. If you cannot extract a signature, please send us a sample and we will analyze the virus and provide you with a signature and instructions on how to handle it. When you extract a signature for a virus, you should take it from the program entry point on; otherwise, you will need to specify QUICK_SCAN=NO option in the configuration file to force VDS to examine each byte of the files it scans. If a COM file starts with a JMP instruction, for example, you should go to the destination of that jump first. To simplify this process, you should use DUMPSIG utility provided in the VDS package. Note that some viruses (polymorphic) try to defy signature scanning by encrypting and changing themselves. In such cases, it may be necessary to update the scanner program. DUMPSIG <filename> You can redirect the output from DUMPSIG to a text file by using standard DOS redirection facility as follows: DUMPSIG sample.exe > sigfile.txt DUMPSIG outputs 256 bytes from the program entry point of a given file in hex format. You can then look at the output and pick a 16-byte search pattern; you should avoid using a pattern with many repeated values. By testing the selected pattern on a few infected samples, you can verify the reliability of your string. It is also important that the selected pattern does not trigger a false alarm on common files such as those included with DOS; so it is a very good idea to test it on DOS program files as well. D. VDS Device Driver VDS creates a device driver for your computer during installation. This device driver, named VDSCATCH.BIN, has a very simple purpose: Providing VDS with access to the operating system in a manner that is resistant to stealth viruses. This is necessary since some viruses have the capability to subvert the operating system calls to hide the modifications they have made to the programs. When such a beast is active in memory, it will look as though none of the programs are infected. By recording operating system access points very early in the startup process, VDSCATCH.BIN enhances the reliability of VDS scanner and integrity checker. The memory requirement for this device driver is quite frugal, about 300 bytes! Another function of this device driver is to disallow tracing certain key interrupts. Many stealth viruses use the trace mode available on the Intel 80x86 CPUs. This way, they can bypass monitoring software and spread undetected. VDSCATCH.BIN attempts to stop such tricks. Note that some anti-virus packages use tracing as well, and they may complain. E. VDSTSR VDSTSR provides memory-resident virus scanning before execution or copying of files as well as floppy diskette boot sectors before a warmboot attempt. If it determines that the file that is about to be run or copied contains a known virus, it will warn the user showing the name of the virus and then deny the request. The purpose of VDSTSR is to prevent introduction of viruses to PCs in a transparent manner. In other words, the user need not run a virus scanner manually every time he/she runs a program or copies new files to his/her hard/floppy disk. If there is a floppy diskette containing a boot sector virus in drive A: and the user attempts to warmboot the computer without opening the drive door first, VDSTSR scans the floppy diskette for boot sector viruses and issues a warning. This effectively prevents infections from common boot sector viruses such as Stoned and Michelangelo. As a side effect of this type of mechanism, copy operations will be slowed down by about 50% depending on the system configuration. The apparent time delay in program loading, however, should be negligible. Optionally, the user can specify not to scan upon copy operations but only before execution of programs. This approach is recommended since it provides most of the protection without overall performance degradation of the computer system. The default behavior is not to scan during copy operations. Another side effect is the memory required to keep all virus signatures and names in RAM. Although the code is barely 4K, the signature database takes up about 30K. The good news is that, VDSTSR can be loaded high under DOS 5.0 and above, therefore not using up any of the precious 640K conventional memory. To keep the program size to a minimum, VDSTSR only provides a simple message displaying the virus name and the program as well as producing a beep on the system speaker to get the user's attention. It does not provide any options to unload it from memory or support other fancy but rarely used features. VDSTSR does not scan for complicated polymorphic viruses, either. Following example illustrates a typical case: C:\TEST\FRODO.EXE <beep> 4096 virus found in FRODO.EXE Access denied <pause> The last message comes from COMMAND.COM since VDSTSR issued an error code as response to the request to execute the program file FRODO.EXE. During copy operations, the following message would be displayed: COPY C:\TEST\FRODO.EXE FRODO2.EXE <beep> 4096 virus found in FRODO.EXE Invalid function <pause> If the user hits the Ctrl-Alt-Del key combination in order to reboot, and there is a floppy diskette in drive A: with an infected boot sector, a message such as the following is displayed: <beep> Stoned-2 virus found in floppy diskette boot sector. Remove the floppy diskette from drive A: now! <pause> VDSTSR has only one command line option and does not require any special procedure to install. It requires DOS 3.0 or higher to operate. VDSTSR [/COPY] The default is not to scan during copy operations, but only before program execution and warmboot attempts. VDSTSR should be placed in the AUTOEXEC.BAT file before any other TSRs except network drivers and disk compression drivers. A small utility program called ISVDSTSR.COM is supplied to allow system administrators in LAN environments to check if VDSTSR is loaded on a workstation before granting permission to login. All this tiny program does is issue a request to VDSTSR and see if it is answered properly, indicating that VDSTSR is operational in memory. If everything is working fine, ISVDSTSR will set DOS error level to 1. This can be used in a batch file as follows: ISVDSTSR.COM if errorlevel == 1 goto LOADED echo You have not loaded VDSTSR on your system. You cannot login. logout :LOADED F. VDSFSCAN VDSFSCAN is an easy-to-use virus scanner that works on DOS-compatible drives, including LAN server drives. It comes in two flavors: Interactive and command-line. Interactive version is implemented by the VDSFSCAN.EXE, and the command-line version is provided by VFSLITE.EXE. Both programs share a common configuration file named VDSFSCAN.INI. This is an ASCII text file that modifies the operation of the scanner. You can edit the settings in the INI file to tailor it to your needs. VFSLITE is very useful in networked environments where a post-login scan is desired. It sets DOS error level so that the result of scanning can be checked in a batch file. 1. Command line options VDSFSCAN accepts the following command line options: VDSFSCAN.EXE [{-|/}Lcd] [{-|/}LRV<filename>] [{-|/}ABCDEGH?NPQUZ] [{-|/}Fnn] [drive: | Path] -A All files regardless of type -B Break/ESC is NOT allowed -C Complete file scan -D Scan all local drives starting with C: -E Erase infected files -Fnn Frequency of scanning in days (0-30). Default is 0, scan every time. -G Perform heuristic scan. Off by default. -H or ? Help for command line options -L Path of error log file. Default is C:\VDS-ELOG.TXT -N No memory scan. On by default. -P Do NOT pause. Default is pause. -Q Quiet scan. Do not beep. -R Output report. If no file is given, C:\VFS-STAT.LOG is used. -S Recursively scan subdirectories. Off by default. -U Upper memory scan (as well as base memory) -V Virus signature file. VFSLITE always looks for XTERNAL.SIG first. -Z OEM DOS compatibility mode If run without any command line parameters, VDSFSCAN offers a menu-driven interface. G. VFSLITE VFSLITE is the command-line-only edition of VDSFSCAN. It does not have the elaborate menus with different colors, context-sensitive help, and other features that the regular VDSFSCAN has. VFSLITE is light only in its user interface, not its capabilities. In fact, it detects the same number of viruses as VDSFSCAN. It is slightly faster in operation, and it makes an ideal anti-virus tool for networked environments where a post-login scan is desired. It sets the DOS errorlevel to 1 if it finds a virus, just like VDSFSCAN. You can test this in a batch file and take appropriate actions such as denying access to the file server. 1. Options and default settings The command line options are almost the same for VDSFSCAN. An INI file can be used to establish a consistent set of flag settings for everyone. When VDSFSCAN or VFSLITE starts, they look for an INI file named VDSFSCAN.INI in the same directory as the program. If it is not present, they look for the same file in the current directory. If it is not found in the current directory either, they use internal default settings. Since the INI file is processed first, the command line options can still override the settings in the INI file. The default internal flag settings for VFSLITE are as follows: LCD screen = No Pause = Yes Allow Break = Yes Memory scan = Yes Upper memory scan = No Beep = Yes Frequency of scan = 0 (every time) Quarantine infected files = No Generate report file = No Whole file scan = No Multiple floppy scan = No All files scan = No Erase infected files automatically = No Heuristic scan = No Note that the frequency of scan is also new. Before, only the integrity checker component of VDS allowed this. The frequency option works by creating and updating a file called C:\VDSFREQ.TXT. This text file has one line showing the last date and time of virus scan. It is updated as necessary. For this option to work correctly, the computer must have a hard drive and a battery-backed real-time clock. Most systems are equipped with such devices. If the frequency is set to 0, VFSLITE ignores the frequency file; otherwise, it will create or update it accordingly. 2. Configuration (VDSFSCAN.INI) file The VDSFSCAN.INI file is a simple text file with the following format and entries: 1. Lines that start with a ; (semi-colon) are comments, and they are ignored. 2. Each keyword should be flushed to left and followed by an = (equal) sign. 3. After the equal sign, an appropriate value should follow. The value depends on the type of the entry, such as log file name, or a YES/NO. 4. Upper or lower case can be used interchangeably. Spaces are ignored. 5. Value only entries for directories and files to be ignored. Another convenient feature is that you can include your own message in the .INI file. This message will be displayed if a virus is discovered. For example, the number to the help desk could be displayed. Here is a sample .INI file: ; This is an INI file for VDSFSCAN-Lite 3.0 ; It contains entries for flag settings that guide the program operation ; On laptops, set the following to Yes for easier-to-read screen output. LCDSCREEN = No ; Message to display when a virus is found. Leave blank after = if none. ALERTMSG=Call system administrator x5112 ASAP! You have a virus. ; Report should be sent to the following file. Leave blank after = if none. REPORT=C:\VFS-STAT.LOG ; File for the user-defined signatures. Leave blank after = if none. EXTSIGS=C:\XTERNAL.SIG ; Quarantine directory where the infected/suspicious files are copied QUARANTINE=C:\VDS-CELL ; Ignore the following directories IGNOREDIR=1 C:\CODE ; Ignore the following files IGNOREFILE=2 C:\CONFIG.SYS C:\AUTOEXEC.BAT ; Frequency of scanning in days. Must be between 1-30. 0 means scan every time. FREQUENCY=0 ; Files are scanned entirely or partially. Leave it at partial (No) normally. FULLSCAN=No ; Which files to scan. Normally, set it to No. ALLSCAN=No ; Scan all local drives starting with C: if no command line parameters are given. LOCALSCAN=No ; Scan base memory. MEMSCAN=Yes ; Scan upper memory. UMBSCAN=No ; Pause if a virus is discovered or an error has occurred. PAUSE=Yes ; Allow user to stop scanning. ALLOWBREAK=Yes ; Beep if a virus is discovered or an error has occurred. BEEP=Yes ; Remove infected files. If PAUSE is set to No above, it is automatic. ERASEFILE=No ; Heuristic scan is on by default. Set it to No if causes false positives. HEURISTICSCAN=Yes 3. Command line options VFSLITE accepts the following command line options: VFSLITE.EXE [{-|/}R|V<filename>] [{-|/}ABCDEGH?LMNPQUZ] [{-|/}Fnn] [drive: | Path] -A All files regardless of type -B Break/ESC is NOT allowed -C Complete file scan -D Drives to scan follows. If no drives given, scan all local drives starting with C: -E Erase infected files -Fnn Frequency of scanning in days (0-30). Default is 0, scan every time. -G Perform heuristic scan. Off by default. -H or ? Help for command line options -L LCD screen attributes should be used not color -M Multiple floppy diskettes will be scanned. Ask for the next disk. -N No memory scan -P Do NOT pause. Default is pause. -Q Quiet scan. Do not beep. -R Output report. If no file is given, C:\VFS-STAT.LOG is used. -U Upper memory scan (as well as base memory) -V Virus signature file. VFSLITE always looks for XTERNAL.SIG first. -Z Zoo-test. Log both infected and clean files during scan. Examples: To scan drive D: VFSLITE D: To scan drive C once every three days: VFSLITE -F3 C: To scan drives C: and D: VFSLITE -D C: D: To scan all local drives starting with C: VFSLITE -D To scan all files on drive C: VFSLITE -A C: To scan C:\DOS directory: VFSLITE C:\DOS To scan multiple diskettes in drive A:: VFSLITE -M A: To scan entire contents of files on C: VFSLITE -C C: To erase infected files on C: VFSLITE -E C: To disable beep sound and scan drive C: VFSLITE -Q C: To scan drive C: without pause (useful during "zoo" testing): VFSLITE -P C: To specify a non-default external signature file: VFSLITE -Vf:\vds30\mysigs.sig C: To specify a non-default report file: VFSLITE -Rc:\results.vds C: To scan drive C: and put the results in VFS-STAT.LOG file: VFSLITE -R C: To skip memory scan and scan drive C: VFSLITE -N C: To scan base and upper memory and drive C: VFSLITE -U C: To see this help message: VFSLITE -H 4. DOS errorlevels returned To facilitate use of VFSLITE in batch files, DOS errorlevel is set as follows: errorlevel = 0 No viruses found errorlevel = 1 Infected/suspicious files found errorlevel = 2 Self-check failed Here is an example batch file: VFSLITE C: if errorlevel = 2 goto PROBLEM if errorlevel = 1 goto VIRUS goto END :VIRUS echo You might have a computer virus. Call help desk at 5112 ASAP! pause goto END :PROBLEM echo Virus scanner is damaged. Call help desk at 5112 to get a new copy! pause :END 5. Differences between VDSFSCAN and VFSLITE options There are a few command line options that work differently in VDSFSCAN. Some of these options are available only in one or the other; while others have a completely different purpose. -M Instructs VFSLITE to scan multiple floppy disks, asking for the next disk after each one. VDSFSCAN does not have this option. -S Instructs VDSFSCAN to recursively scan subdirectories within directories. VFSLITE does not recognize this option, although it functions as if -S is specified. -L Instructs VFSLITE to use monochrome attributes. VDSFSCAN accepts this option as "Log errors". VDSFSCAN uses -LCD instead. -D VFSLITE allows drives to be specified following this option. VDSFSCAN interprets it as "Scan all local drives". Note that VFSLITE will also scan all local drives if no drives are specified. -Z Instructs VDSFSCAN to use compatibility mode for decoy launching. VFSLITE interprets it as "Zoo-test" option, which forces every scanned file to be reported in the log. This option is for testing purposes only. H. How to use VITALFIX VITALFIX is a utility program designed to automate recovery from an MBR (master boot record) infection, and to allow the user to perform low level operations on a hard disk such as sector editing. It can place a fresh copy of MBR code without disturbing the existing partition table. It can backup an MBR to a file on a floppy diskette. It even allows you to take a clean MBR from one computer, and a partition table from an infected one, combine them together and put it back on the infected system, effectively replacing the viral code while leaving the partition table intact. This is possible since most computers partitioned using the same FDISK program will contain similar code, and differ only in the contents of their partition tables. If you simply let VITALFIX construct an MBR for you, you will have our MBR code placed on your disk. Since this piece of code has to do "standard" stuff, there should not be any problems. Please let us know if it does not work on your system. We have tested it on several IBM computers and compatibles with a variety of hard disks. VITALFIX is a menu-driven program. You simply highlight the option you are interested in and press enter. You could also press the first letter of an option to activate it. Context-sensitive help is available by pressing the F1 key. VITALFIX has some interesting features such as the capability to search for a relocated MBR all over a hard disk and to view the contents of any given sector. You can also write contents of a file to a sector and vice versa. It also allows you to edit sectors. Please be very careful when doing any write operations since a simple mistake could damage your data. You should always boot the computer from a write-protected, clean system diskette before using VITALFIX. This will eliminate any memory resident viruses or programs that may interfere with disk operations. 1. Command line options VITALFIX has the following command line options: VITALFIX [{-|/}X | LCD | H | ?] -X Compatibility mode. Use INT 13h. -LCD Use monochrome attributes. -H or ? Display command line options. I. Scenarios and Messages During its operation, VDS may issue several warning messages. Following is a list of scenarios that will highlight common warnings, their reasons, and recommended actions to take. Message: Partition sector modified. Will attempt to restore. Reason: There is a good chance that either a partition sector infector has entered the system, or some other damage to the partition sector has occurred. Action: VDS will attempt to restore the partition sector and reboot the system. If the verification fails again, VDS will abort the restoration attempt and recommend a floppy recovery using the VDS emergency diskette. Message: No message, VDS simply hangs the machine. Reason: If VDS has been running just fine, but stopped functioning now, then VDS.EXE may be corrupted either by accident or by an overwriting virus which failed to preserve its victim's operation. It is also possible that some TSR program caused a conflict. Assuming VDS runs as the first program in your AUTOEXEC.BAT file, and CONFIG.SYS is not modified, you should assume the worst case: a virus attack. Action: Reboot the computer from VDS emergency diskette or a write-protected known-to-be-clean system diskette. If you have prepared the VDS emergency diskette, then run VDS from A drive with the CURE option: A:\VDS -C <enter> * You can simply run REPAIR.BAT Message: VDS requires DOS 3.0 or higher to run. Reason: The version of DOS installed on your computer was below 3.0. Action: You need to upgrade to DOS 3.0 or above. VDS will not run on systems with a lower DOS version. Message: Error occurred during installation. Reason: This is a generic message that indicates a malfunction during installation. Action: You should see some other error messages come up before this one. The cause can be determined based on those. Go back and check if you followed all the steps in the installation procedure. Message: Different DOS version. If you upgraded DOS, reinstall VDS. Reason: DOS version during installation was different from the current one. Action: The system floppy used during installation should have the same DOS version you have on the hard disk. Message: Need 1 megabyte free space on hard disk to install VDS. Reason: VDS found that there is not enough space on the hard disk. Action: You should delete some files to free up space and then run INSTALL again. J. Common Questions and Answers This section addresses some common questions about VDS. Q - Do I have to know a lot about viruses to be able to use VDS on my system? A - Not at all. One of the design goals was to create a program that can be easily used by novice computer users. Viruses present some unique complexities even to the experienced computer security experts. VDS can alleviate most virus-related problems automatically. You are, however, encouraged to become familiar with general guidelines to deal with computer viruses. Q - Can I run VDS under MS Windows 3.x? A - Yes, you can. We recommend that you either create a PIF file with full window option on, or shell to DOS first. Do not try to switch tasks while VDS.EXE is running. VDSFSCAN can run in the background in 386 enhanced mode. VITALFIX should never be run from inside Windows since it accesses the hard disk directly. Q - Is VDS compatible with DOS 6.x? A - Yes, indeed! We have tested VDS on various systems running MS/PC DOS 3.0. 3.1, 3.2, 3.3, 4.01, 5.0, and 6.0. We did not encounter any problems. Please let us know if you do. Q - Can I run VDS under OS/2? A - Maybe on systems with FAT file systems, not HPFS. You can run it in OS/2 DOS box in a limited fashion. Extensive testing under OS/2 is not done. Q - I have a program that requires to be run before other programs in AUTOEXEC.BAT. Since VDS should be the first program to run, how can I resolve this conflict? A - There is no conflict from a technical point of view. The other programs that force you to run them first usually re-vector several interrupts to their memory resident code. If another program grabs these interrupts, then they would not be able to guarantee proper operation. Running VDS as the first program does not affect these programs since VDS is not memory-resident and it does not hook any interrupts. If you run other resident programs, however, they may conflict with the operation of VDS. The solution is to run VDS as the very first program in AUTOEXEC.BAT. Remember that the other programs need protection against viruses as well. If VDS runs first, it can check them before a possibly infected program is run. If VDS itself is infected, it will notice that fact and warn you. Q - Does VITALFIX work on IDE drives? A - Yes, it does. VITALFIX is compatible with all types of hard drives currently in use. This includes drives with MFM, RLL, IDE, SCSI, and ESDI controllers. The only problem we have come across was on disks that used a compression or security program that rendered the disk unreadable unless all access was done through the interface these programs provided. VITALFIX cannot tolerate such restrictions since it must have direct access to the bare drive. Anything less would open up a security loophole if a virus is active when VITALFIX is operating. It is always a good idea to boot the computer from the original DOS diskette before using VITALFIX. As a precaution, VITALFIX checks the partition table to find out if the drive has any non-DOS partitions, and will warn you if this is the case. In some cases, the partition table may not be available to make that determination. If you know you have non-DOS partitions or compressed partitions, we strongly suggest that you do not use VITALFIX to perform any of the functions that involve writes to the disk. Q - My computer is infected with a virus already. How can I use VDS to deal with this problem? A - The approach to this problem depends on what kind of a virus you are dealing with. VDS can help you locate which parts of the system are affected if it is a virus that can be identified using our search strings. If it is a boot sector infector, you can simply turn off the computer, boot from a write-protected floppy diskette and run SYS program to put a clean boot sector onto your hard drive. If it is a program file infector, you need to replace the infected files from the original distribution diskettes. In the case of partition sector viruses, we recommend that you use VITALFIX.EXE. This utility automates locating MBR, and even constructs one if necessary. You may be able to get the original partition sector back, if the virus relocated it to another sector on track 0, head 0 (as some do). You need to fire up a low-level disk editor, and look through head 0, track 0. The first sector contains the Master Boot Record (partition sector), and may have been replaced by the virus code. Look at each sector (17 of them on an MFM drive), and see if any one has AA55 as the last two bytes in the sector. These identification bytes are present on all legitimate partition sectors as well as boot sectors. Remember that this is a trial-and-error process, so it may not work. You may want to seek assistance from a local computer "guru" if necessary. Make sure you save the current copy of the partition sector on a floppy diskette first. If the hard disk is accessible after booting from a floppy diskette, then the partition table (64 bytes near the end of the master boot record) may still be valid. The code that loads the active boot sector may belong to the virus. If you can extract the partition table information from the current copy of the partition sector, you may even be able to place it into a good partition sector you get from a similar computer with a similar disk. You can then place this combination of partition table from the infected system and partition sector code from the clean system on top of the current partition sector on the infected system and reboot. This might just do the trick. Be very careful, however, and backup all your data files before starting this surgical operation. You might end up clearing the MBR and repartitioning the disk as a last resort. Q - Does VDS have a TURBO mode versus a SECURE mode? A - Yes. If you set QUICK_VERIFY=YES in the configuration file, VDS will operate in TURBO verification mode, which is faster but less accurate than VERIFY mode. Turbo mode is not recommended for data integrity. Q - How secure is VDS encryption scheme? A - Our purpose was not to come up with an unbreakable (if there is any such scheme) encryption method, but to use something more secure than good old XOR. Contrary to popular belief, the robustness of an anti-viral integrity system cannot be measured by the sophistication of the encryption algorithm it uses. Some people even believe that they can deal with stealth viruses easily if they use an encryption scheme that cannot be forged. That is not so. The stealth viruses intercept the verification routine's attempts to access the modified executables on the disk, and present them with a clean copy. No matter how sophisticated the algorithm used to generate a signature is, it will be fooled every time since the verifier is getting clean (the same as the original) input. While these people are perfecting the technique to compute a one-way cipher of extreme complexity, stealth viruses are having a ball on the disk they choose to invade. Of course, if a direct attack is a concern, then more secure encryption methods are very useful. In the DOS environment, manipulating the disk access is much easier and works in most cases. So, if someone tells you they got a superior multi-stage encryption routine that can come up with secure keys for their anti-viral product, just ask them why they chose to waste their time on such an endeavor! Viruses are not an attack to the secrecy but to the integrity and availability of computer systems. Unfortunately, many self-proclaimed experts seem to confuse these separate issues. Q - I heard some programs create hidden files on the disk. Does VDS create any hidden files? A - Absolutely not. We have nothing to hide from the end-users! Almost everything VDS creates is restricted to the VDS home directory. Decoys and report files may be created in the root directory as well. Q - Does the VDS authentication scheme eliminate the possibility of a trojan version of the program? A - To some extent. "Trojanization" has been a problem with many software packages in the market. VDS authentication scheme provides a reasonable amount of assurance that the copy you have is actually created by the original developers. It is possible to circumvent this mechanism and display a fake message. This can be considered a direct attack. Remember, a direct attack against any program is possible (you can safely ignore those who claim otherwise). The purpose is to provide another layer of security. If every software product in the market put in as much effort as VDS does, there would be less incidents of trojans. You should get your programs from reliable sources. If you see a program claiming to do major database work, and it is only 4K long, you should double-check on it! Q - I backup my hard disk regularly. Do I still need an anti-viral program to be safe? A - Yes, you still need a program such as VDS. Backups can help when recovering from damage. The problem is by the time you notice that the system is infected, the virus may have been transferred to the backup media. When you restore the system, you may very well restore the virus too! In some cases, the virus may corrupt the backup diskettes and render them useless. One person reported that Stoned virus corrupted all his backup diskettes while he tried to backup his hard disk to be able to perform a low-level format. Unfortunately, the Stoned virus was active in memory at the time. By the way, when was the last time you verified that you can actually restore from your backups? Q - What are "POV" files? A - POV stands for "Prisoner Of VDS". These files are created by VDS when it detects an active virus in memory that attacks upon file access. When VDS introduces decoys into the system, some viruses immediately attack them. VDS notices this fact and captures the intruder in a file. VDS will also capture a modified boot or partition sector in POVBOOT.BBB or POVPART.PPP file in the VDS home directory. This feature speeds up the diagnosis process. In other words, you will have the captured virus stored in a file that you can analyze (or have someone analyze it since this would require familiarity with the 80x86 assembly language). Remember that not every virus can be caught this way. If you catch a virus, you are encouraged to mail it on a diskette to us for analysis. Q - My company wants to purchase VDS for all our PCs, but we are not sure if there is an expiration date on use of VDS? Is it necessary to renew the VDS site license on a regular basis? A - We believe that the end-user has a right to run the version of a program he paid for as long as he is satisfied with its operation. For updated copies of VDS, we offer different licensing agreements. Q - Is it possible for a data file to become infected by a virus? A - The criteria for a virus to do anything at all is that it must gain control of the CPU. An ordinary data file will never have such control. The possibility exists for macro or script files that some application software packages provide to automate certain operations. There are no common viruses that exploit this feature. Another possibility is to cause damage as a side effect, for example, by redefining a key sequence as a substitute for a destructive command, assuming a driver such as ANSI.SYS is loaded. Again, these are very limited ways that a virus can propagate, if at all. Batch files can also be used to activate a program that contains a virus. The problem is that it is too obvious and will be detected easily. K. Known Problems and Conflicts This section addresses various conflicts or problems with the operation of VDS that we are aware of. You are encouraged to report any problems you discover. 1. SETVER.EXE that comes with MS/PC DOS 5.0 causes false alarms. SETVER.EXE program modifies itself to keep track of programs and the version of DOS they should get as a result of INT 21h, function 30h call. Many consider such self-modifying programs "ill-behaved". Until developers of DOS come up with a better way to accomplish the same task, you are likely to get false alarms. We do not intend to accommodate use of such a questionable practice. 2. When scanning a Netware volume, VDS reports an ERROR condition on some files. Certain files such as NET$OBJ.SYS are open and locked by the Netware operating system. They contain bindery information. Any attempt to open them will result in an error condition. You should not be concerned since this is a feature not a bug! 3. Some programs are reported to be suspicious when I enable the HEURISTIC_SCAN. Heuristic scan is a method that allows early recognition of viral code. Certain coding techniques are common to many viruses. By looking for such indications, VDS is able to recognize some new viruses. The problem is that there may be legitimate programs that also use such code. The only guaranteed way to establish whether a virus is present is by performing an analysis of the suspected program. We try to minimize such false alarms, and we would be interested in hearing from you if you come across a suspicious file. V. VIRUS ATTACK METHODS A. Virus defined A virus is a piece of programming code that has the ability to replicate itself by attaching to other executable objects, either by logical or physical means. In addition to its replication task, a virus may have a manipulation task in the form of a damage routine. Most PC viruses are written in the 80x86 assembly language to keep their size small and to gain greater flexibility in manipulating the operating system and other program files. Researchers classify PC viruses in several ways. We prefer to separate the structure of the implementation of viruses from the objects they attack. We classify them simply by their features and types. B. Features of PC Viruses There are several features of PC viruses: 1. Stealth Virus: A virus that has the capability to hide the modifications it has made to its victims to evade detection. For example, the virus may hide the file size increase when the user attempts to get a directory listing. Another example would be a boot sector virus that returns the original boot sector when a program attempts to read it. To accomplish such tricks, a stealth virus usually stays resident in memory and monitors disk access either at the DOS or BIOS level. This way, it can see each disk access request and alter the results to hide the modifications it has made. There are varying degrees of stealth capability. In other words, it may be possible to discover the presence of a virus using an alternate mechanism to examine the object that may have been affected. 2. Dumb Virus: A virus with no stealth capability. Such a virus makes no attempts to conceal its presence. The most apparent change is the increase in file size since the virus added its code to the program file. An alert user can notice such a change easily. This is the most common feature of PC viruses. 3. Encryptive Virus: A virus that keeps its code encrypted and includes a decryptor to restore itself. The purpose of encryption is to make it difficult to extract a scan string. The decryption routine is designed to contain variable sections so that it is not easily recognized. It is possible to detect such viruses using a wildcard pattern that matches the decryptor. 4. Polymorphic Virus: A virus that keeps its code encrypted and includes a highly variable decryptor to restore itself. It is not possible to extract a wildcard scan string to recognize the decryptor. One has to design an appropriate algorithm to detect it. We usually analyze the structure of the decryptor and identify its key features, and then use this information to implement a detection routine. C. Types of PC Viruses There are three major types of PC viruses: 1. MBR/BR Virus: A virus that attacks the master boot record or the DOS boot record of a disk. This type of virus usually moves the original contents of the boot sector and replaces it with its own code. Key data structures within the boot sector (partition table or BIOS parameter block) are almost always left intact not to mess up the operation of DOS. A boot sector virus reserves memory for itself by reducing the base memory size (e.g., 640K to 638K), and copies its code to the top of memory. There are a few boot sector viruses that remain in low memory as well. Almost all boot sector viruses monitor the BIOS disk interrupt (INT 13h) to spread or to hide themselves. Every time a disk is accessed, they get control and check if the disk being accessed is already infected. If not, they can infect it before returning control to the original interrupt handler. 2. Program Infector: A virus that attaches to program files. There are a few subcategories for this type of viruses: a. Simple Infector: A virus that modifies a program file physically to add its code. The program file entry point is adjusted so that the virus gets control when the program is executed. b. Companion Virus: A virus that logically inserts itself into the search path so that it gets control when the user attempts to run a program that has the same file name. The most common variety exploits the fact that DOS runs a program file with a COM extension rather than the one with an EXE extension if both of them exist. Another possibility is to insert the virus in the search path. If the user does not specify the exact location of the program, then DOS will use the path to look for it. If the virus program comes before the actual program in the search path, then the virus will get executed. This type of virus is rare indeed. c. System Infector: A virus that alters DOS system data structures so that it gets control instead of the program the user intends to run. For example, DIR-2 virus manipulates the directory entries to point the starting cluster to its location. When DOS reads the disk to load a program, the virus gets loaded. Another possibility is to insert the virus in a system location that DOS is known to always load. 3. Multi-partite Virus: A virus that can infect both program files and boot sector of a disk. Dealing with such a virus can be quite a nuisance since the first portion of the virus gets control of the system even before DOS is loaded. The virus can alter the system vectors to implement a potent stealth mechanism, for example. Removing this type of virus requires that all affected areas are restored. D. Some facts about viruses 1. PC-based local area networks are NOT immune to viral attacks. Network connections pose another question by making it easier for the virus to travel from one location to another. As long as the user has write access to the programs on a disk, it may be able to infect it. If the program file happens to be on a file server, all those that run it may cause the virus to jump to their local machines. Can you imagine what could happen if the superuser/supervisor runs an infected program on the LAN by mistake? It is a misconception that PC-based networks are less susceptible to viruses. The boundaries of information flow are not always well-defined. Although many popular LAN operating systems provide various control mechanisms that can be used to implement robust anti-viral measures, many sites do not take advantage of them. If the users allow each other to access one another's directories, for example, the risk of infection is very high, and the rate of infection may be even higher compared to spread via floppy diskettes. Since many common viruses employ "ill-behaved" programming techniques, they cannot infect network file servers even when write/modify access is granted. This does not eliminate the risk by any means, but simply makes it less evident. 2. Electronic bulletin boards do not necessarily contain infected software. There have been some extreme remarks about the dangers of down-loading software from electronic bulletin boards (BBS). In actuality, the sysop (the person that maintains the BBS) has to take pains to ensure his board is free of malicious software to be able to keep a good reputation. On the other hand, there are supposedly some hacker BBSs that provide viruses, even in source code. Your chance of bumping into one of these is very little. Please do not be afraid to explore what the BBSs in your area have to offer. Many useful programs such as VDS are available for the cost of a local phone call. There is no need to be paranoid about the situation, just be aware of the possibilities. It is always a good idea to get software only from well-recognized bulletin boards such as the ones maintained by user groups. It is a good practice to search the programs you down-load for known viruses. 3. Write-protected floppy diskettes cannot be infected by a virus as long as the floppy drive is working correctly. This is why you should always place a write-protect tab on all original diskettes if they are not already protected. The spread of viruses can be effectively slowed down by careful use of appropriate control mechanisms. VI. PARTITION/BOOT SECTOR INFECTIONS A. Preliminary information It seems that there is much confusion about the difference between a partition sector (Master Boot Record is another name for it) and a boot sector among many PC users. If you are already familiar with the organization of a typical hard disk, you can skip the rest of this section; otherwise, please read on. The very first sector on a typical hard disk stores the partition information for the disk. Within the partition sector, a 64-byte area contains enough information to locate all physical partitions on the disk, and shows which partition is the active partition. The active partition is used to boot the computer. There can be four physical partitions on a disk. The partition sector is located outside of any partition boundaries and has enough code to determine the active partition, load the boot sector in that partition and transfer control to it. The code in the partition sector does not care which operating system it is loading. In fact, one reason for having partitions is to allow coexistence of multiple operating systems on one hard disk. FDISK program that comes with DOS is used to manipulate the partition table. Each partition has a boot sector. The boot sector holds certain information about that partition (in an area called BIOS Parameter Block or BPB) such as the number of sectors and number of FATs (file allocation table). In the case of the active partition, it also contains some code that loads the operating system. DOS partitions can be either primary or extended (extended partitions were added in DOS 3.3). The extended partition can be further subdivided into logical drives. FORMAT program with the /S option is used to make the active DOS partition bootable by setting up the necessary operating system files. FORMAT must also be run on every partition to be able store files. This is called high-level formatting. Floppy disks do not have partition sectors, they only have a boot sector. That's one reason low-level and high-level formatting is combined into one procedure in the case of floppy diskettes. Since the partition sector contains vital information to access the drive, it is important that this information be protected. If you lose your partition sector, you might have to wipe out the MBR, and repartition the disk. Of course, this operation would make all files inaccessible. Fortunately, it is hardly ever necessary to take such an extreme step. If you have VDS in place, you should be able to restore your partition table information easily. Nevertheless, if you cannot reconstruct the partition table so that you can backup your files, or if you just want to get rid of a virus residing in the MBR, you should know a few important facts. 1. A complete low level format of the entire hard disk is not necessary. Using a low level disk editor, you can write zeroes over the contents of the MBR and repartition the disk. This will get rid of the virus. In fact, certain types of hard drives, namely IDE, are not designed to be low level formatted by the end-user. Low level format is necessary on brand new drives that do not come pre-formatted from the manufacturer. Getting rid of an MBR virus is just a matter of removing its code from MBR and putting a fresh copy of the standard MBR code. 2. FDISK will not put a fresh copy of the MBR code if the disk is already partitioned; therefore, an MBR virus can survive repartitioning by standard FDISK. This might surprise you, but it is a fact so dangerous to ignore. Worse yet, FDISK will destroy the boot records and FATs of any modified partitions. For example, if you repartition a drive with exactly the same parameters, you will still lose access to your files. *** MS/PC DOS 5.0 and higher includes an improved version of the FDISK program. It can replace the MBR code only, while leaving the partition table intact. Unfortunately, the DOS technical documentation does not mention this capability. The command is: FDISK /MBR 3. If the partition table is intact, as is the case in most infections, you can recover all your data easily. To do this, you should use a utility like VITALFIX, or do it manually following the instructions in this document. For details, see the section titled MANUAL RECOVERY PROCEDURE under HOW TO DEAL WITH VIRUSES. Following diagram illustrates the organization of a typical hard disk. ┌───────────────────────────────────┐ │ Master Boot Record │ Sec 1, Cyl 0, Head 0 ├───────────────────────────────────┤ │ │ ├───────────────────────────────────┤ │ Active Partition Boot Sector │ ├───────────────────────────────────┤ │ File Allocation Table 1 (FAT#1) │ ├───────────────────────────────────┤ Partition 1 │ File Allocation Table 2 (FAT#2) │ ├───────────────────────────────────┤ │ Root Directory │ ├───────────────────────────────────┤ │ │ │ Data Area for files │ │ │ ├───────────────────────────────────┤ │ Other Partition Boot Sector │ ├───────────────────────────────────┤ │ FAT#1 │ ├───────────────────────────────────┤ │ FAT#2 │ Partition 2 ├───────────────────────────────────┤ │ Root Directory │ ├───────────────────────────────────┤ │ │ │ Data Area for files │ │ │ └───────────────────────────────────┘ B. How to recover with RESTORE option If the partition table or the boot sector is modified, you can restore it as follows: 1. Turn off the computer. 2. Place the write-protected VDS emergency diskette in drive A. 3. Turn on the computer. 4. Run VDS. A:\VDS -R <enter> VDS will attempt to use the backup copy of the affected area to restore it. If it detects that the backup copy is also modified, it will abort the restoration attempt so as not to do more harm than good! The restoration process involves the partition sector, boot sector on the active partition, and COMMAND.COM. 5. If all goes well, VDS will ask you to remove any floppy diskettes and press a key to reboot the system. All system areas should pass the verification tests this time. If they do not, the restoration attempt was unsuccessful, and a manual recovery is necessary. C. Manual Recovery Procedure This section assumes you have a standard system partitioned using FDISK, and running MS/PC DOS 3.0 or above. If you have a hard drive with a non-standard geometry, then the following procedure may be more complicated. Exercise caution during this recovery procedure, since you could accidentally render your disk unusable. If you can access the hard disk after booting the computer from a floppy diskette, you should backup all your data files first. If you know or suspect that your hard drive is infected by a virus, you can attempt to restore it by carefully verifying that each point in the execution path during start-up is clean. To do that, you need to know what points are in the execution path. Refer to the diagram below. First get a write-protected (preferably the original) DOS system diskette. You cannot format a diskette on a possibly infected system, and be positive that the diskette does not get infected. Some viruses stay in memory and infect the floppy diskettes whenever they are accessed. Turn the computer OFF. Place the system diskette in drive A: and close the drive door. Turn the computer ON. Never trust that a warm-boot (Ctrl-Alt-Del) will get rid of a memory resident virus. Some viruses are known to fake a warm-boot. Worse yet, some vicious viruses activate their damage routine when you press Ctrl-Alt-Del combination. The purpose of the following procedure is to clean the system areas of a computer with a hard disk so that it is safe to boot from the hard disk. Verification of other program files are not considered in this discussion. Recommended recovery procedure for infected program files is to replace them with the originals. A utility program such as VDSFSCAN that searches for infected programs can speed up the process. Virus cleaning utilities are NOT recommended. If you know or suspect that a program is infected, copy over the original from the distribution diskette. This is the cleanest and the safest approach. If you have installed VDS integrity checker on your system, it could restore most programs to their original state easily and reliably; even new viruses can be removed with this procedure. To attempt recovery, you will need a low level disk editor that allows you to read and write any sector on the disk. If you feel intimidated by manipulating your disk in this manner, please do not attempt a manual recovery without the help of a friend who has experience performing this type of an operation. Nevertheless, VITALFIX is very handy to do such low level manipulations. On a standard PC, the startup sequence looks like the following: Stage 1. point A point B ╔════════════╗ ┌────────────┐ ║ ROM ║ │ Master │ ║ ║ │ Boot │ ║ BIOS ║ │ Record │ ║ ║ │ Code │ ║ CODE ║ │ [0, 0, 1] │ ║ ║ │ │ ║ ║ │ │ ╚════════════╝ └────────────┘ Stage 2. point C point D point E ┌────────────┐ ┌───────────┐ ┌────────────┐ │ Boot │ │ IBMBIO.COM│ │ IBMDOS.COM │ │ Record │ │ or │ │ or │ │ Code in │ │ IO.SYS │ │ MSDOS.SYS │ │ Active │ │ │ │ │ │ Partition │ │ │ │ │ │ │ │ │ │ │ └────────────┘ └───────────┘ └────────────┘ point F point G point H ┌────────────┐ ┌─────────────┐ ┌───────────────┐ │ Device │ │ COMMAND.COM │ │ Programs │ │ Drivers │ │ │ │ in │ │ in │ │ │ │ AUTOEXEC.BAT │ │ CONFIG.SYS │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ └────────────┘ └─────────────┘ └───────────────┘ Stage 1 is independent of any operating system. Point A is implemented in hardware and is not modifiable, therefore it cannot be infected. At point B, the code resides on the hard disk (head 0, cylinder 0, sector 1). The purpose of point B is to provide a mechanism to load different operating systems. You can have your disk partitioned so that one partition is for DOS, while another one is for some other operating system. By marking one of them as active in the partition table (located within the Master Boot Record), you can control which operating system will load upon bootup. The code in MBR simply locates the active partition by examining the partition table, loads the code in the boot sector of that partition and transfers control to it. The MBR is attacked by viruses such as Stoned since it provides very early control of the system. More sophisticated viruses can easily redirect BIOS disk access routines (the vector addresses reside in the first 1024 bytes of RAM and are modifiable) to evade detection. Stage 2 is where a specific operating system comes into play. In the case of DOS, the code at point C loads the first system file (IBMBIO.COM) and transfers control to it. After initializing the DOS kernel, IBMBIO.COM processes the CONFIG.SYS file. Each device driver listed in CONFIG.SYS is loaded and initialized. IBMDOS.COM is also loaded at this time. At point G, COMMAND.COM gets control and processes AUTOEXEC.BAT file if there is one. Except for point A, all other points in the execution path are modifiable. You must assume that any modifiable code is prone to viral infections. During recovery you must assume the worst case and handle each point as if it is infected by a virus. You must also remember that a higher point depends on a lower point. In other words, if you do not clean point B, you cannot guarantee that point C will not be compromised afterwards. The MBR code (point B) is easily replaceable. The key item at point B is the partition table which contains vital information to access the disk. If the hard disk is accessible after booting from a floppy (e.g., DIR C: works fine), then there is a good chance the partition table is intact. You should immediately extract the partition table information (64 bytes total) from the first sector on head 0, cylinder 0 and store it in a file on a floppy diskette. If you have a similar (uninfected) computer with a hard disk, you should make a copy of its MBR in a file. The next step is to combine the partition table that you stored away with the clean MBR you have taken from the uninfected computer. The result is an uninfected MBR that can be used to replace the infected one. Make sure when you combine the two pieces, you are editing at the correct offset within the MBR sector. Our VITALFIX utility automates this whole process (except swapping diskettes, of course!). Here is a simple picture to clear things up: Master Boot Record Sector 1 on head 0, cylinder 0 partition table 1 447 512 ╔═════════════════╤═══╤═══╤══╤═══╤══════╗ ║ │ │ │ │ │ AA ║ ║ MBR Code │ 1 │ 2 │ 3│ 4 │ 55 ║ ║ │ │ │ │ │ ║ ╚═════════════════╧═══╧═══╧══╧═══╧══════╝ Note that the partition table has four entries making it possible to divide the disk into four distinct areas. The MBR code is the same on most PCs as long as you use the same FDISK program. The partition table depends on how the disk is set up. The last two bytes must be AA55 by convention. Some viruses simply relocate the whole MBR sector to another location on the disk, then place their code in sector 1, head 0, cylinder 0. They also redirect disk access routines and present the original copy when someone attempts to access the MBR. This is an evasion technique used by certain viruses that target the MBR. Since you have booted from a clean floppy diskette, you do not have to worry about this. If you can find the original MBR on the disk (usually relocated to another sector on head 0, cylinder 0), then you could simply put it back to sector 1, head 0, cylinder 0 to recover. For example, one variant of Stoned virus places the original MBR to sector 7, head 0, cylinder 0. In that case, follow the procedure outlined above. Once you restore the MBR, you can move on to point C and verify it. The easiest way to accomplish that is to use SYS.COM program included with DOS. SYS will put a fresh copy of the boot sector code as well as replacing IO.SYS and MSDOS.SYS. This operation cleans points C, D, and E (three birds with one stone). Point F involves verifying each device driver listed in the CONFIG.SYS file. Unless you need a device driver to access the disk due to non-standard geometry, you can simply delete (or rename) CONFIG.SYS. Otherwise, you have to copy the device drivers from the original diskettes to the hard disk. Make sure you are copying over the ones that CONFIG.SYS activates. Point G is easy to take care of by copying COMMAND.COM from the original DOS diskette to the hard disk. If you have a shell statement in CONFIG.SYS that specifies a different command interpreter, then make sure you replace that one with the original. Point H can be handled by deleting (or renaming) AUTOEXEC.BAT since it is not required. Now the system is ready to be booted from the hard disk without reactivating a possible virus. Of course, the first time you run an infected program, everything you have cleaned so far might get reinfected. Did we say dealing with viruses can be a little tricky? VII. HOW TO DEAL WITH VIRUSES A. Recommended Guidelines When dealing with viruses, there are a few rules to go by, all of which make good common sense. These rules are: 1. If there is a possibility that your hard drive is infected, do not use a floppy diskette on that computer unless it is write-protected. Rationale: If you did NOT cold-boot the computer from a clean floppy diskette, the virus may be active in memory and it can infect the floppy diskettes used in the drives. This is, after all, a common way for spreading infections among computers. 2. Do not boot a hard drive system from a floppy diskette unless you are positive that the floppy is virus-free. Rationale: This follows from Rule #1. The virus can infect the hard disk. The result is a hard disk that passes on the virus to other floppies. The floppy can carry a boot sector virus even if it was not formatted to be a system diskette, because all DOS diskettes have a boot sector. 3. If your PC is connected to a local area network, and you detect that your system may be infected by a virus, disconnect your PC from the network immediately. Rationale: The purpose is to isolate the infection in order to minimize the spread, and reduce the time required to clean the system. Make sure you know how to disconnect only your PC. Pulling out the wrong cable may bring down a whole subsection of the network. 4. If you receive new programs (especially games), test them on a machine that does not have valuable data before installing these programs on other computers. Rationale: This precaution will help prevent the introduction of new viruses into the system. Even shrink-wrapped software may contain a virus. There have been some unfortunate incidents where major computer companies shipped infected diskettes to their customers by mistake. 5. If you do not feel technically competent to handle a virus attack, contact someone who can help. Rationale: Dealing with viruses can be a very tricky business. You cannot afford to leave a single infected file on your system. It takes only one infected program to continue the spread of the virus. 6. When you want to backup your hard disk, boot from a write-protected, clean floppy diskette. Preferably use file-by-file backup mode instead of image backup. Rationale: Some viruses remain active in memory and interfere with disk access. They are likely to corrupt the backup diskettes. File-by-file mode gives you a better chance to recover damaged backups. 7. Write protect all original diskettes as well as their backups before using them. Rationale: This would prevent infection of your program diskettes should they be used in an infected system. Besides, during recovery you can be assured that the originals are not corrupted. 8. Before using programs that came on floppy diskettes, search them for known viruses. Rationale: Many companies are just beginning to realize the threat the viruses pose. They may or may not have a virus-free program development environment. It is better not to take any chances and check the diskettes yourself. If you find a write-protected, original program diskette to be infected, first contact the company that sold you the disk and complain. 9. If your BIOS supports choosing a default disk to boot, set it to C:. Rationale: This will eliminate the possibility of inadvertently booting from an infected floppy diskette left in drive A:. Some modern BIOSes offer a setup option that allows you to always boot from your hard disk, even if there is a floppy diskette in drive A:. Many common boot sector infectors like the Stoned virus can infect your hard disk only if you boot your computer from an infected floppy diskette.