CHECK.DOC from CHECK15.ZIP (ftp.wwiv.com/pub/BBS), text file dated 1995-06-06
CHECK version 1.5
- integrity checker -
Copyright (c) 1995, Venzislav Iliev
Please read carefully before installing.
Contents:
1.INTRODUCTION
2.EASY INSTALLATION
3.CUSTOM INSTALLATION
4.USAGE
5.OPTIONS
6.EXAMPLES
7.REPAIR MANUAL
1.INTRODUCTION:
CHECK is a utility which can help detect viruses. It is
not a virus scanner: it will not scan for viruses in
memory or on the disks. Instead it tries to detect
suspicious changes such as modified memory, files, boot
records, interrupts, etc.
CHECK is not a replacement for a virus scanner; you should
use a good scanner too.
CHECK tests the integrity of the:
Master Boot Record
Partition Tables
Boot Sectors
Interrupts
Memory
Upper Memory
BIOS
CMOS
Files (CRC and code checks)
2.EASY INSTALLATION:
For easy installation use the script INSTALL.BAT. You must
specify the path for the data files and all your hard drives
on the command line, then reboot your computer and run
INSTALL.BAT again with the same command line. Example:
INSTALL c:\tmp\chkdata c: d:
This will place CHECK at the end of your AUTOEXEC.BAT.
It's a good idea to make a CHECK boot disk as well and use
it to check your computer from time to time. This is needed
to improve security against stealth viruses, which can be
detected only after a clean boot. To create such a disk, make
a new system disk (use "format a:", "sys a:") and then use
MAKEBOOT.BAT. You must specify all your hard drives on the
command line. Example:
MAKEBOOT c: d:
Using such a boot disk together with CHECK in your
AUTOEXEC.BAT will almost certainly detect the presence of
viruses (known or unknown) and you will be able to recover
your system using REPAIR without any trouble. If you also
have backups of all your files, you don't have to worry
about most viruses anymore.
3.CUSTOM INSTALLATION:
The /Sx options are the install options which will store
values to the data files. You can specify filenames for
the data files, or use the default names.
The default installation will not include validation of
all your executables; you may wish to place such a check
in your AUTOEXEC.BAT, or perform it manually from the
command line from time to time (I do not recommend that
you do that every time you boot your computer because it
could be time consuming).
4.USAGE:
check [options] [drives] ...
Typing just 'check' or 'check /?' will display short usage
info.
5.OPTIONS:
Here is a full list of all CHECK options. You can omit the
filenames - default filenames will be used instead.
INTERRUPTS
/SI [file] - save all interrupt vectors.
/I  [file] - compare the interrupt vectors to the saved
             ones.
Depending on the current configuration these values may be
different, but if you always run CHECK at the same place
in your AUTOEXEC.BAT they must always be the same.
BIOS
/SO [file] - save the BIOS data area.
/O  [file] - compare the BIOS data area to the saved
             one.
The BIOS data area contains system information; it again
depends on the installed drivers, other resident programs,
etc. Not the whole BIOS data area will be checked: there
is data used by the timer, display, etc., and these values
are always different.
CMOS
/SC [file] - save the CMOS.
/C  [file] - compare the CMOS to the saved one.
The CMOS is the battery-powered storage. If the check fails
it's probably because the battery has run down, but a few
viruses can destroy the CMOS contents or use it to store data.
BOOTSECTOR
/SB [file] - save the boot sector.
/B  [file] - compare the boot sector to the saved one.
If CHECK detects that a boot sector was modified, it is
almost certain that a virus infection has occurred. Use
REPAIR to remove the virus.
VALIDATE
/SV [file] - save checksums for the files on the
             specified drives.
/V  [file] - compare the checksums for each validated
             file on the specified drives.
It will detect modified files.
CHECK uses CRC algorithms for checksums. It uses the same
polynomials as the McAfee VALIDATE and SCANV programs. Many
thanks to Gary P. Mussar for the algorithms. The data is
stored in a text file, so you can view it easily; each
line in the file consists of the filename, both
checksums and the filesize.
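The save/compare cycle of the VALIDATE options, as an added example (not code from CHECK or its author): a text database with one line per file holding the name, two checksums and the size, plus a compare pass that reports modified, missing and (as with /N) new files. The checksums here are CRC-16/ARC and the zlib CRC-32, which is an assumption for the sake of a runnable example; the page does not give the polynomials CHECK actually shares with VALIDATE. The sample files and the "drive" dict are constructed.

```python
"""Checksum database in the spirit of CHECK's /SV and /V options.

Added example, not code from CHECK. ASSUMPTION: the checksums used here
are CRC-16/ARC (reflected polynomial 0xA001) and zlib's CRC-32; CHECK's
real polynomials are not documented on this page.
"""
import zlib


def crc16_arc(data: bytes) -> int:
    """Bitwise CRC-16/ARC: reflected polynomial 0xA001, init 0, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def checksums(data: bytes) -> tuple:
    """Return (crc16, crc32, size) for one file's contents."""
    return crc16_arc(data), zlib.crc32(data) & 0xFFFFFFFF, len(data)


def build_database(files: dict) -> str:
    """files maps a DOS path to its bytes (stand-in for the files on a drive).
    One text line per file: <name> <crc16 hex> <crc32 hex> <size>."""
    lines = []
    for name in sorted(files):
        c16, c32, size = checksums(files[name])
        lines.append(f"{name} {c16:04X} {c32:08X} {size}")
    return "\n".join(lines) + "\n"


def parse_database(text: str) -> dict:
    """Inverse of build_database: name -> (crc16, crc32, size)."""
    db = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # DOS names contain no spaces, but split from the right to be safe
        name, c16, c32, size = line.rsplit(None, 3)
        db[name] = (int(c16, 16), int(c32, 16), int(size))
    return db


def validate(files: dict, db_text: str, warn_new: bool = False) -> dict:
    """Compare the current files with the saved database (like /V, plus /N)."""
    db = parse_database(db_text)
    report = {"modified": [], "missing": [], "new": []}
    for name, expected in db.items():
        if name not in files:
            report["missing"].append(name)
        elif checksums(files[name]) != expected:
            report["modified"].append(name)
    if warn_new:
        report["new"] = sorted(n for n in files if n not in db)
    return report


def demo() -> dict:
    """Constructed sample: two executables; later one grows and one appears."""
    files = {
        "C:\\DOS\\COMMAND.COM": b"MZ\x90\x00" + b"\x00" * 60,  # constructed bytes
        "C:\\DOS\\MOUSE.COM": b"\xE9\x10\x00" + b"\x90" * 29,  # constructed bytes
    }
    saved = build_database(files)
    later = dict(files)
    later["C:\\DOS\\MOUSE.COM"] += b"\xCC" * 8           # simulated modification
    later["C:\\UTIL\\NEW.EXE"] = b"MZ" + b"\x00" * 30     # file not in the database
    return validate(later, saved, warn_new=True)


if __name__ == "__main__":
    print(demo())
```

Because the size is stored next to the checksums, a file that grew is caught even before the CRCs are compared, and the plain-text format means the database can be inspected by eye, as the documentation points out.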
CODE CHECK
/SJ [file] - save some code information for the files
             on the specified drives
/J  [file] - check the code of the files listed in the
             specified file
It will detect modifications in files. A virus cannot exist
without certain instructions; this option checks the code
of the executables for certain modified or new instructions.
This method is not as reliable as the validation, but it's
much faster and gives you additional security. Note that
this method will discover viruses, but possibly not
destroyed or modified data. Also, note that unlike the /V
option, the /J option doesn't require drives to follow. It
will just check the files on the drives you specified with
the /SJ option.
MBR
/SR [file] - save the MBR of the default disk (0)
/R  [file] - compare the MBR to the saved one
/SR0 [file] - same as /SR (disk 0)
/SR1 [file] - same as /SR0 but for disk 1
/R1 [file] - same as /R0 but for disk 1
The MBR is the Master Boot Record of your hard disk. Each
physical hard disk has only one MBR. The MBR contains the
code to load the boot sector of the active (bootable)
partition, and the partition table. There can be more than
one partition table on your hard disk if you have extended
partitions. CHECK will save all partition tables, but you
should have only one extended partition per partition
table; the DOS command FDISK will NOT allow you to create a
second extended partition in the same table, but it is
theoretically possible (for example with other partitioning
programs, or by creating one directly with a disk editor).
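How the MBR and the chain of partition tables in an extended partition can be saved and compared, as an added example (not code from CHECK or its author). The disk image is modelled as a sparse dict of LBA to 512-byte sector, the entry layout and 55AA signature follow the classic PC MBR format, and the example enforces the single-extended-entry-per-table limit the text describes. The image contents, the placeholder boot code bytes and the "tamper" helper are all constructed.

```python
"""MBR and extended-partition-table snapshot, in the spirit of CHECK's /SR
and /R options. Added example, not code from CHECK."""
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}   # DOS, LBA and Linux extended partitions
ENTRY = "<B3sB3sII"                   # status, CHS start, type, CHS end, LBA, count


def make_entry(status: int, ptype: int, lba: int, count: int) -> bytes:
    """CHS fields are left zero; the example keys on the LBA fields only."""
    return struct.pack(ENTRY, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)


def make_sector(entries: list, boot_code: bytes = b"") -> bytes:
    return boot_code.ljust(446, b"\0") + b"".join(entries).ljust(64, b"\0") + b"\x55\xAA"


def parse_table(sector: bytes) -> list:
    """Return the four partition entries of an MBR or EBR as dicts."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 55AA boot signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY, sector[off:off + 16])
        entries.append({"status": status, "type": ptype, "lba": lba, "count": count})
    return entries


def read_partition_tables(image: dict) -> list:
    """[(lba, entries)] for the MBR and every EBR reachable from it.
    One extended entry per table is accepted (the limit the documentation
    describes); a visited set stops a looping, corrupt chain."""
    tables = [(0, parse_table(image[0]))]
    ext = [e for e in tables[0][1] if e["type"] in EXTENDED_TYPES]
    if len(ext) > 1:
        raise ValueError("more than one extended partition in the MBR")
    if not ext:
        return tables
    base = ext[0]["lba"]                 # EBR link entries are relative to this
    nxt, seen = base, set()
    while nxt and nxt not in seen:
        seen.add(nxt)
        entries = parse_table(image[nxt])
        tables.append((nxt, entries))
        links = [e for e in entries if e["type"] in EXTENDED_TYPES]
        if len(links) > 1:
            raise ValueError(f"more than one link entry in EBR at LBA {nxt}")
        nxt = base + links[0]["lba"] if links else 0
    return tables


def snapshot(image: dict) -> dict:
    """What a /SR-style save keeps: the whole MBR and every EBR's table."""
    snap = {0: image[0]}
    for lba, _ in read_partition_tables(image)[1:]:
        snap[lba] = image[lba][446:510]
    return snap


def compare(saved: dict, image: dict) -> list:
    """Findings a /R-style check would report; empty when nothing changed."""
    current = snapshot(image)
    findings = []
    for lba in sorted(set(saved) | set(current)):
        if lba not in current:
            findings.append(f"EBR at LBA {lba} no longer reachable")
        elif lba not in saved:
            findings.append(f"new EBR at LBA {lba}")
        elif saved[lba] != current[lba]:
            findings.append("MBR modified" if lba == 0 else f"partition table at LBA {lba} modified")
    return findings


def build_demo_image() -> dict:
    """Constructed image: one primary FAT16 partition plus an extended
    partition holding two logical drives (two EBRs in the chain)."""
    boot_code = b"\xFA\x33\xC0\x8E\xD0"   # placeholder stand-in for real boot code
    mbr = make_sector([make_entry(0x80, 0x06, 63, 1000),
                       make_entry(0x00, 0x05, 1063, 2000)], boot_code)
    ebr1 = make_sector([make_entry(0x00, 0x06, 63, 500),     # logical drive, relative to this EBR
                        make_entry(0x00, 0x05, 1000, 500)])  # link to next EBR, relative to base
    ebr2 = make_sector([make_entry(0x00, 0x06, 63, 400)])    # last logical drive, no link
    return {0: mbr, 1063: ebr1, 2063: ebr2}


def tamper_boot_code(image: dict) -> dict:
    """Simulate changed MBR boot code with an untouched partition table."""
    changed = dict(image)
    changed[0] = b"\xEB\xFE".ljust(446, b"\0") + image[0][446:]
    return changed


if __name__ == "__main__":
    img = build_demo_image()
    saved = snapshot(img)
    print([lba for lba, _ in read_partition_tables(img)])   # [0, 1063, 2063]
    print(compare(saved, img))                               # []
    print(compare(saved, tamper_boot_code(img)))             # ['MBR modified']
```

Saving the whole MBR sector rather than only its table is what makes a boot-code change visible while the partition entries stay identical; for the EBRs only the 64-byte table is meaningful, since they carry no boot code.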
MEMORY
/SM [file] - save the memory map
/M  [file] - compare...
You should always run CHECK with this option at the
same place. When you use /SM, or if the memory map is
modified, the map will be displayed. It has the following
format:
Block Type Owner Owner's-PSP Env Size Name
xxxx X XXXX (PSP xxxx:0) Env xxx bytes nnnnnn
Block is the segment address of a block; type should be
M or Z (Z means last block); owner shows who owns this
block; env shows if the block is used for a program
environment; name is the name of the program taken from the
environment. Note that programs are free to modify the
environment, so don't rely on this name. Also, if you
start a protected mode application (like QEMM386) it
could destroy the environment of some resident programs
(I don't know the reason for that), and COMMAND.COM
doesn't have a name.
If you use an EMS manager (such as EMM386.EXE) you will
see a total amount of memory 16 bytes less than 640K;
that's because the first UMB starts at 9FFF:0 (16 bytes
before the 640K limit).
If you don't use EMS the total amount of memory should
be exactly 640K (655360 bytes).
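A parser for the memory-map format shown above, as an added example (not code from CHECK or its author). It walks the block chain on the basis that each block is a 16-byte header followed by its size, so the next block must start at seg + 1 + size/16; it computes where conventional memory ends (655360 without an EMS manager, 16 bytes less when the first UMB is at 9FFF:0), and lists the blocks that differ from a saved map, which is what a /M compare would flag after a new resident program loads. Both sample maps, their owners and segment values are constructed for this example.

```python
"""Parser and consistency check for CHECK's /SM and /M memory-map listing
(Block, Type, Owner, Owner's-PSP, Env, Size, Name).
Added example, not code from CHECK; the sample maps are constructed."""
import re

LINE = re.compile(
    r"^([0-9A-Fa-f]{4})\s+([MZ])\s+(\S+)\s+"        # block, type, owner
    r"(?:\(PSP\s+([0-9A-Fa-f]{4}):0\)\s+)?"         # optional owner's PSP
    r"(Env\s+)?(\d+)\s+bytes\s*(.*)$"               # env flag, size, name
)

# Constructed map taken before a mouse driver was loaded ...
SAVED_MAP = """\
0253 M Sys 2128 bytes
02D9 M App. (PSP 02DA:0) 4096 bytes
03DA M App. (PSP 02DA:0) Env 160 bytes
03E5 Z Free 639392 bytes
"""
# ... and after it: its environment and code now sit where free memory was.
CURRENT_MAP = """\
0253 M Sys 2128 bytes
02D9 M App. (PSP 02DA:0) 4096 bytes
03DA M App. (PSP 02DA:0) Env 160 bytes
03E5 M App. (PSP 03F1:0) Env 160 bytes C:\\DOS\\MOUSE.COM
03F0 M App. (PSP 03F1:0) 8880 bytes C:\\DOS\\MOUSE.COM
061C Z Free 630320 bytes
"""


def parse_map(text: str) -> list:
    blocks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparseable map line: {line!r}")
        seg, typ, owner, psp, env, size, name = m.groups()
        blocks.append({"seg": int(seg, 16), "type": typ, "owner": owner,
                       "psp": int(psp, 16) if psp else None,
                       "env": env is not None, "size": int(size), "name": name.strip()})
    return blocks


def check_chain(blocks: list) -> list:
    """Problems with the chain itself: sizes not paragraph-aligned, gaps or
    overlaps between blocks (where something could hide), Z not last."""
    issues = []
    for a, b in zip(blocks, blocks[1:]):
        expected = a["seg"] + 1 + a["size"] // 16
        if a["size"] % 16:
            issues.append(f"block {a['seg']:04X}: size not a multiple of 16")
        if b["seg"] != expected:
            issues.append(f"after {a['seg']:04X}: next block at {b['seg']:04X}, expected {expected:04X}")
    for i, blk in enumerate(blocks):
        if (blk["type"] == "Z") != (i == len(blocks) - 1):
            issues.append(f"block {blk['seg']:04X}: Z marker must be on the last block only")
    return issues


def memory_end(blocks: list) -> int:
    """Address just past the last block: 655360 (640K) without an EMS
    manager, 16 bytes less when the first UMB starts at 9FFF:0."""
    last = blocks[-1]
    return (last["seg"] + 1) * 16 + last["size"]


def block_key(b: dict) -> tuple:
    return (b["seg"], b["type"], b["owner"], b["psp"], b["env"], b["size"], b["name"])


def new_blocks(saved_text: str, current_text: str) -> list:
    """Segments (hex) of blocks in the current map that are absent from or
    differ from the saved one, i.e. what /M would show as modified."""
    known = {block_key(b) for b in parse_map(saved_text)}
    return [f"{b['seg']:04X}" for b in parse_map(current_text) if block_key(b) not in known]


if __name__ == "__main__":
    cur = parse_map(CURRENT_MAP)
    print(check_chain(cur), memory_end(cur))   # [] 655360
    print(new_blocks(SAVED_MAP, CURRENT_MAP))  # ['03E5', '03F0', '061C']
```

The chain check is the part worth keeping even when the total still reads 640K: a block that is unlinked from the chain leaves a gap between two listed blocks without changing where the last block ends.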
UPPER MEMORY
/SU [file] - save the upper memory map
/U  [file] - compare...
Just like /SM and /M but for the upper memory (640K to
1 MB). Note that you need a driver (such as EMM386.EXE)
to use UMBs (upper memory blocks). Without such a driver
CHECK /SU and CHECK /U won't work.
/SD - same as using the options /SR /SB /SI /SM /SO /SC
/D  - same as using the options /R /B /I /M /O /C
Some important files like command.com and the system
drivers will be validated/checked as well.
/N  - warn about new files which are not checked.
/A  - validate/check all files (not only the
      executables). You shouldn't need that.
/L [file] - log to file (write report).
6.EXAMPLES:
The following will use the directory c:\tmp\check for the
default data files, will create a logfile in the same dir
named DDMMhhmm.LOG (day, month, hour, min) and will store
the MBR of the physical disk 0 and the bootsectors of the
logical drives C: and D: in default files:
CHECK /W c:\tmp\check /L /SR /SB c: d:
This one will check all the files on the drives D: and E:
against the default file VALIDATE.DAT in C:\CHKDATA:
CHECK /W c:\chkdata /V d: e:
The following will store the interrupts and the memory
map in the files c:\ints.dat and c:\mm.bin:
CHECK /SI c:\ints.dat /SO c:\mm.bin
REPAIR version 1.2
REPAIR will restore values from files saved with CHECK.
CAUTION! Before using REPAIR to restore the MBR or a BOOT
SECTOR you should boot from a clean, write-protected
diskette (REPAIR should be on a clean, write-protected
diskette too)! You can use the disk created with
MAKEBOOT.BAT for that purpose.
USAGE: repair [options]
Typing just 'repair' or 'repair /?' will display short
usage info.
OPTIONS:
/C <file> - restore the CMOS
/D <file> - restore the BIOS data area
/I <file> - restore the interrupt vectors
/F <hex> - free the memory block at <hex>:0
The options /I and /F can be used to remove TSRs
(Terminate but Stay Resident programs) from memory.
Some TSRs don't have an uninstall option, but it's
very unlikely that you can remove a resident virus
(Don't try it!). Example for removing a TSR:
C:\USR>check /si intr.dat
C:\USR>mouse
C:\USR>check /sm mem.dat
...
0900 M App. (PSP 090B:0) Env 160 bytes C:\DOS\MOUSE.COM
090A M App. (PSP 090B:0) 8880 bytes C:\DOS\MOUSE.COM
...
C:\USR>repair /i intr.dat /f 0900 /f 090A
Other options:
/B <file> <drive> - restore the boot sector of <drive>
Example: A:\>repair /B bs1.dat c:
/M <file> <drv-num> - restore the MBR and all partition
tables of <drv-num>. <drv-num> is
again your physical harddisk - it
must be 0 or 1.
Example: A:\>repair /M mbr.dat 0
REPAIR doesn't have an option to 'clean' infected
files. If CHECK detects that an executable file was
modified, and you're sure you have not modified this
file yourself (installing a new version, recompiling
the sources, etc.), I recommend deleting the file.
A good virus scanner could recognize and remove the
virus (if it's a known virus) but might not be able
to restore the file to its original state. It can
happen that a scanner thinks it has recognized one
virus but the file is infected with a different virus,
or even a new version of the same virus, and this can
lead to some serious problems (like the virus remaining
in the file). That's why it's reasonable to keep
backups of all your files.
Keep in mind that some programs are able to modify
themselves or other executables, for example to write
configuration data; some antivirus programs add data
to the files, etc.