CLEAN63.DOC (Hall of Fame CD-ROM archive, util1/cleanp63.lzh), text file dated 1990-06-02
CLEAN-UP VIRUS REMOVER Version 3.5 V63
Copyright 1989, 1990 McAfee Associates
4423 Cheeney Street
Santa Clara, CA 95054
408 988 3832 (voice)
408 988 4004 (BBS)
Executable Program (CLEAN.EXE):
CLEAN contains a self test at load time. If CLEAN has been
modified in any way, a warning will be displayed. The program will
still continue to repair and clean infected programs, however. Note
that the self test is itself part of CLEAN.EXE, so a deliberately
altered copy may have had the self test altered as well; do not rely
on it alone. Versions 55 and above are packaged with a VALIDATE
program that will authenticate the integrity of CLEAN.EXE. Refer
to the VALIDATE.DOC instructions for the use of the validation
program.
The validation results for V63 should be:
SIZE: 58,835
DATE: 6-02-1990
FILE AUTHENTICATION:
Check Method 1 - 429C
Check Method 2 - 062E
You may also call the McAfee Associates bulletin board at 408
988 4004 to obtain on-line verification data for CLEAN.EXE. The
VALIDATE program distributed with CLEAN may be used to authenticate
all future versions of CLEAN.
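The validation step described above, as an added example that is not part of the McAfee package: a short Python script that checks a file's size and two independent checksums against values obtained out of band (from the BBS or the printed doc), which is how the SIZE and "Check Method 1/2" figures are meant to be used. The algorithms behind VALIDATE's two check methods are not documented on this page, so CRC-16/CCITT and SHA-256 are used here as stand-ins; the sample bytes, file name and reference values are constructed for the example and will not match the V63 figures given above.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Expected:
    """Authentication data obtained out of band (BBS, printed doc), never
    read from the file being checked."""
    size: int
    crc16: int      # stand-in for "Check Method 1" (assumed, not VALIDATE's algorithm)
    sha256: str     # stand-in for "Check Method 2" (assumed, not VALIDATE's algorithm)


def crc16_ccitt(data: bytes, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE: polynomial 0x1021, init 0xFFFF, no reflection."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def validate(data: bytes, expected: Expected) -> list[str]:
    """Return a list of mismatches; an empty list means every check passed.
    All three checks run every time so the report shows everything that differs."""
    problems = []
    if len(data) != expected.size:
        problems.append(f"size: got {len(data):,}, expected {expected.size:,}")
    got_crc = crc16_ccitt(data)
    if got_crc != expected.crc16:
        problems.append(f"crc16: got {got_crc:04X}, expected {expected.crc16:04X}")
    got_sha = sha256_hex(data)
    if got_sha != expected.sha256:
        problems.append(f"sha256: got {got_sha[:16]}..., expected {expected.sha256[:16]}...")
    return problems


# Constructed stand-in for CLEAN.EXE: an MZ signature followed by filler bytes.
SAMPLE_EXE = b"MZ" + bytes(range(256)) * 4

# Reference values. In practice these come from the BBS or VALIDATE.DOC;
# they are computed here only so the example runs on its own.
PUBLISHED = Expected(
    size=len(SAMPLE_EXE),
    crc16=crc16_ccitt(SAMPLE_EXE),
    sha256=sha256_hex(SAMPLE_EXE),
)


def tamper(data: bytes, offset: int, mask: int = 0x01) -> bytes:
    """Flip bits at one offset: the kind of in-place edit an overwriting
    infector makes when it patches an entry point, leaving the size unchanged."""
    return data[:offset] + bytes([data[offset] ^ mask]) + data[offset + 1:]


if __name__ == "__main__":
    print("clean copy:   ", validate(SAMPLE_EXE, PUBLISHED) or "OK")
    print("patched copy: ", validate(tamper(SAMPLE_EXE, 0x20), PUBLISHED))
    print("appended copy:", validate(SAMPLE_EXE + b"\x90" * 16, PUBLISHED))
```

The size check on its own catches appending infectors but not one that overwrites bytes in place, which is why the checksums matter; and checksums matter only when the expected values come from somewhere the infected machine cannot have altered, so run the check from the clean, write-protected boot diskette the removal instructions call for.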
Notes on Version 63:
Version 63 has been one of the most painful versions we have
put together. There have been 17 new viruses and virus sub-strains
discovered in the 35 days since the release of version 62. We have
also added a major feature to allow SCAN and CLEAN-UP to check
inside programs compressed with LZEXE; we've added Yankee Doodle
and Vacsina to the list of recoverable viruses in CLEAN-UP; we've
undertaken an accounting of the numerous sub-strains of each virus;
we've repaired over a dozen loopholes that allowed certain
sub-strains to slip through; and we've added a new program to the
product line called VCOPY that replaces the DOS copy command and
does automatic scanning during a copy function.
In addition, we've been struggling with the issue of how to
count viruses in a meaningful way that does not place us in a
seemingly disadvantageous competitive position. For example:
Numerous anti-virus programs advertise the number of viruses that
they are able to detect, and these numbers range from less than 50
to over 100. On analysis, these numbers included all of the known
sub-strains of the viruses, and their virus count by our
classification was always substantially less. We group viruses by
major type, where possible, to make it easier to manage, both from
an identification and removal basis. But on a sheer numbers
comparison, SCAN appears in a weaker light. After careful thought,
we decided to stick with our classification scheme, but in the
VIRLIST.TXT we will list the known variants detected in
parentheses. By the competition's counting scheme, we now identify
167 viruses. By our count, we identify 97.
The 17 new viruses and new sub-strains added for version 63
have come from a variety of sources. Vesselin Bontchev from
Bulgaria submitted three new variants of the 512, one new variant
of the W-13 virus and two entirely new viruses that have surfaced
in Eastern Europe. Dave Chess from IBM provided me with three new
viruses collected through the various IBM contacts. Patricia
Hoffman provided one new virus and two new variants submitted from
users of the FidoNet network. The Icelandic virus researcher
Fridrik Skulason provided one new virus. The remaining four were
submitted directly by Homebase users. The VIRLIST.TXT document
describes the main operating characteristics of the new viruses.
To avoid duplication of effort, I am referring users to Patricia
Hoffman's most current VSUM document for a detailed description of
the new viruses.
OVERVIEW:
CLEAN-UP kills and removes computer viruses, and in most
instances it repairs infected files, re-constructs damaged programs
and returns the system to normal operation. CLEAN-UP works for all
viruses identified by the current version of McAfee Associates'
SCAN.
CLEAN-UP searches the entire system looking for the virus that
you wish to remove. When found, the infected file is identified,
the virus is isolated and removed, and for the more common viruses,
the infected file is repaired. If the file is infected with a less
common virus that cannot be separated from the file, the infected
file is wiped from the disk and deleted from the system. A warning
message is displayed by CLEAN-UP before erasing any files, and you
have the option of overriding the erase function.
The common viruses that CLEAN-UP is able to remove
successfully, repairing and restoring the damaged programs, are:
Jerusalem B, Alabama, Jerusalem A, Ping Pong, Jerusalem E, Stoned,
Dark Avenger, Pakistani Brain, Suriv03, Payday, Alameda, 1701,
1704, Disk Killer, Ping Pong-B, Ashar, Sunday, 1260, 4096,
Yankee Doodle and Vacsina.
These viruses account for the overwhelming majority of
infection occurrences. All other known viruses will be identified
and isolated by CLEAN-UP and the infected files' area of disk will
be wiped clean and the files will be removed from the system.
****** I M P O R T A N T ******
* Note: EXE viruses cannot be successfully removed
from all infected .EXE files in 100% of the cases. A
few EXE programs will be damaged beyond repair by the
infection and they will have to be deleted. In all
cases, however, the virus in the file will be killed and
rendered harmless by CLEAN-UP. Additionally, removing
the Stoned virus can cause loss of the partition table
in systems with non-standard disk controllers or systems
that use special purpose device drivers for disk access.
If you are removing the Stoned virus, as a precaution
back-up all critical data before running Clean-up. Loss
of the partition table will cause -- LOSS OF ALL DATA
ON THE DISK.
******* FOLLOW THE REMOVAL INSTRUCTIONS CLOSELY *******
* POWER DOWN AND RE-BOOT FROM A CLEAN DISKETTE BEFORE BEGINNING *
RUNNING CLEAN-UP:
Before running CLEAN-UP, verify the suspected virus infection
by running VIRUSCAN (SCAN.EXE) Version 55 or greater. SCAN will
identify the virus strain and sub-strain and will display the I.D.
to be used as input to the CLEAN-UP program. CLEAN-UP uses this
I.D. to determine which virus to seek out and remove. The I.D. for
each virus is displayed inside a set of brackets - [ ]. For
example, the I.D. for the Disk Killer virus will be displayed by
SCAN as [Killer]. This identical identifier must be used in the
command line of CLEAN-UP in order to remove the Disk Killer
virus.
*** Important: Before you begin the disinfection process, you
MUST power down the infected computer and then re-boot the computer
from a clean, write-protected system diskette. This step is very
important. It will remove the virus from control in memory and
prevent the virus from continuing to infect during the clean-up
process. After re-booting from the clean diskette, run SCAN on the
diskette to verify that it is indeed not infected.
To run CLEAN-UP type:
CLEAN d1: d2: ... dn: [virusname] /a /many
where:
dn: - Drive designators for the drives to be cleaned. A drive
letter (C:) or a directory path (C:\TEMP) may be given.
Up to 10 drives may be cleaned with one command.
[virusname] - The virus I.D. exactly as displayed by SCAN
(the brackets must be included)
/a - Option to check all files, regardless of extension
/many - Option to allow cleaning multiple floppies
Examples:
CLEAN C: D: [Jeru]       cleans Jerusalem from drives C: and D:
CLEAN C:\TEMP [Dav] /a   cleans Dark Avenger from C:\TEMP and
searches files of all extensions for the virus
CLEAN-UP will display the name of each infected file as it is
found. When the virus has been removed from each file, a
"successful" message will be displayed.
NOTE: If a file has been infected multiple times by a
virus, CLEAN-UP will display the name of the file and
the "successful" message for each infection
occurrence. Thus, multiple lines will be displayed
for each file infected more than once.
After running CLEAN-UP, run SCAN again, this time with the /a
option, to ensure that all remnants of the virus have been removed.
After cleaning the fixed disk drives, SCAN all floppies and
if any infections are found, remove them with CLEAN-UP.
The clean-up I.D.'s for each of the known viruses are listed
in brackets below (entries shown without brackets have no I.D.
listed). Several strains share one I.D.; the same I.D. is given
to CLEAN-UP for any of them.
Oropax [Oro]
Pakistani Brain [Brain]
4096 [4096]
Chaos [Chaos]
AIDS Trojan [AIDS]
Virus-90 [90]
Amstrad [Amst]
Devil's Dance [Dance]
Holland Girl [Holland]
Datacrime II-B [Crime-2B]
Do-Nothing virus [Nothing]
Sunday virus [Sunday]
Lisbon virus [Lisb]
Typo COM virus [Typo]
DBASE virus [Dbase]
Ghost / Ghostball Boot
Ghost COM Version [Ghost-C]
New Jerusalem [Jeru]
Alabama [Alabama]
Yankee Doodle [Doodle]
2930 [2930]
Ashar [Brain]
AIDS / Taunt [Taunt]
Disk Killer / Ogre [Killer]
1536 / Zero Bug [Zero]
MIX1 [Mix1]
Dark Avenger [Dav]
3551 / Syslock [Syslock]
Vacsina [Vacs]
Ohio
Typo Swap / Israeli Boot
Datacrime II [Crime-2]
Icelandic-II / System [Ice-2]
Pentagon
3066 / Traceback [3066]
Datacrime-B [Crime-B]
Icelandic [Ice]
Saratoga [Toga]
405 [405]
1704 Format [170X]
Fu Manchu / 2086 [Fu]
1280 / Datacrime [Crime]
1701 / Cascade [170X]
1704 / Cascade-B [170X]
Stoned / Marijuana [Stoned]
1704 / Cascade [170X]
Ping Pong-B / Cascade Boot [Ping]
Den Zuk
Ping Pong / Bouncing Dot [Ping]
Vienna-B [Vienna-B]
Lehigh [Lehigh]
Vienna / DOS-62 [Vienna]
Jerusalem-B [Jeru]
Yale / Alameda [Alameda]
Friday 13th COM virus [13]
Jerusalem-A / 1813 [Jeru]
Suriv03 / Jerusalem-E [Jeru]
Suriv02 [jeru-D]
Suriv01 [April]
Taiwan [Taiwan]
Halloechen [Hal]
Perfume [Fume]
Joker [Joke]
Icelandic-3 [Ice-3]
1260 [1260]
Virus-101 [101]
V2000 [2000]
Saturday 14th [Sat14]
1720 [1720]
1210 [1210]
Christmas Tree [XA1]
1392 [1392]
Korea [Korea]
2000-B [Solano]
Kennedy [Kennedy]
Yankee-2 [Doodle2]
Eight Tunes [1971]
June 16th [June16]
V800 [800]
Murphy [Murphy]
Shake [Shake]
Fish-6 [Fish]
Liberty [Liberty]
Frere Jacques [frere]
Slow [Slow]
W-13 [W13]
JoJo [JoJo]
Victor [Victor]
5120 [5120]
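The removal workflow in the RUNNING CLEAN-UP section (take the bracketed I.D. from SCAN's report, run CLEAN against the affected drives, at most 10 drives per command) and the I.D. table above, worked as an added example that is not a McAfee tool: a Python script that reads SCAN-style report lines, extracts each bracketed I.D., checks it against the table, and prints one CLEAN command line per virus, with findings that carry no I.D. reported separately. The report lines are constructed and their wording is an assumption; only the "[I.D.]" convention comes from the doc. The I.D. table in the script is a subset of the one above.

```python
import re
from collections import defaultdict

# Subset of the CLEAN-UP I.D. table above. Names that appear there without
# brackets are given None: SCAN reports them, but CLEAN has no I.D. to take.
CLEAN_IDS = {
    "Jerusalem-B": "Jeru", "Jerusalem-A / 1813": "Jeru", "Suriv03 / Jerusalem-E": "Jeru",
    "Pakistani Brain": "Brain", "Ashar": "Brain",
    "1701 / Cascade": "170X", "1704 / Cascade": "170X", "1704 Format": "170X",
    "Disk Killer / Ogre": "Killer", "Dark Avenger": "Dav",
    "Ping Pong / Bouncing Dot": "Ping", "Stoned / Marijuana": "Stoned",
    "Yankee Doodle": "Doodle", "Vacsina": "Vacs",
    "Ghost / Ghostball Boot": None, "Ohio": None, "Pentagon": None, "Den Zuk": None,
}
KNOWN_IDS = {v.lower() for v in CLEAN_IDS.values() if v}
MAX_DRIVES_PER_COMMAND = 10   # limit stated in the usage notes above

# Constructed SCAN-style report (line format assumed; only "[ID]" is from the doc).
SCAN_REPORT = """\
Scanning C: ...
C:\\DOS\\FORMAT.COM  Found the 1701 / Cascade virus [170X]
C:\\WP\\WP.EXE       Found the Jerusalem-B virus [Jeru]
D:\\TEMP\\X.EXE      Found the Jerusalem-A / 1813 virus [Jeru]
D:\\GAMES\\PONG.COM  Found the Ping Pong / Bouncing Dot virus [Ping]
E: boot sector      Found the Den Zuk virus
"""

LINE_RE = re.compile(
    r"^(?P<drive>[A-Z]):.*?Found the (?P<name>.+?) virus(?: \[(?P<vid>[^\]]+)\])?\s*$"
)


def parse_scan_report(text: str):
    """Map each I.D. to the set of drives on which SCAN found it, and collect
    findings with no bracketed I.D. (CLEAN cannot be pointed at those)."""
    by_id = defaultdict(set)
    no_id = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m["vid"] is None:
            no_id.append((m["drive"] + ":", m["name"]))
        else:
            by_id[m["vid"]].add(m["drive"] + ":")
    return dict(by_id), no_id


def plan_clean_commands(by_id, all_files=False):
    """One CLEAN invocation per I.D., splitting the drive list so that no
    command names more than MAX_DRIVES_PER_COMMAND drives. Strains that
    share an I.D. (e.g. the Jerusalem family) collapse into one command."""
    cmds = []
    for vid in sorted(by_id):
        if vid.lower() not in KNOWN_IDS:
            raise ValueError(f"[{vid}] is not in the CLEAN I.D. table; check the SCAN/CLEAN versions match")
        drives = sorted(by_id[vid])
        for i in range(0, len(drives), MAX_DRIVES_PER_COMMAND):
            chunk = drives[i:i + MAX_DRIVES_PER_COMMAND]
            cmd = f"CLEAN {' '.join(chunk)} [{vid}]"
            if all_files:
                cmd += " /a"
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    found, unresolved = parse_scan_report(SCAN_REPORT)
    for cmd in plan_clean_commands(found):
        print(cmd)
    for drive, name in unresolved:
        print(f"NOTE: {name} on {drive} has no CLEAN-UP I.D.; see VIRLIST.TXT")
    all_drives = sorted({d for ds in found.values() for d in ds})
    print("then re-check with: SCAN", " ".join(all_drives), "/a")
```

The ValueError on an unknown I.D. is deliberate: an I.D. that SCAN prints but CLEAN does not know usually means a newer SCAN than CLEAN, and guessing a near-miss identifier would send CLEAN after the wrong virus.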
REGISTRATION:
CLEAN-UP is a required registration shareware product. It may
be used in a home environment for a registration fee of $35. Please
use the enclosed REGISTER.DOC file for registration information.
For corporate, organizational or agency use, however, a corporate
site license is required. For site license information please
contact:
McAfee Associates
4423 Cheeney Street
Santa Clara, CA 95054
408 988 3832 (voice)
408 988 4004 (BBS)
408 970 9727 (Fax)
Version Notes
Version 62:
Version 62 identifies and removes four new viruses. The first
is a COM and EXE infector called the Eight Tunes virus (also called
the 1971 virus). This virus is memory resident and randomly plays
one of eight German folk songs on the system speaker. It appears
to have no destructive code within it. The virus adds
approximately 1975 bytes to infected files. A second musical virus
that appeared in the past two weeks is the Yankee Doodle-2 virus. This
virus is similar to the first Yankee Doodle, except that it plays
the Yankee Doodle tune as soon as an infected program is executed.
It infects EXE files only.
The third virus reported is a small non-memory resident COM
infector called the Kennedy virus. It appears to have no
destructive or disruptive code but it does contain a reference to
the Kennedy family inside the virus code. The fourth virus is a
destructive virus called the June 16th virus. It is a non-resident
virus that infects COM files, including the Command Interpreter
(COMMAND.COM). On every June 16th, the virus activates and
replaces all FAT entries with the word "ZAPPED".
Version 61:
Version 61 is able to detect five new viruses reported since
March 1, 1990. The first virus was submitted by Dave Chess of IBM.
It is a destructive COM and EXE infector called the Saturday the
14th virus. The virus activates every Saturday that falls on the
14th of any month and causes the first 100 sectors of the A, B, and
C drives to be overwritten. The net result is loss of all of the
control information for the media assigned to those drives. The
Partition table, Boot Sector and FAT will be destroyed. The virus
is 685 bytes long and is memory resident.
The second new virus is the 1392 virus which was also
submitted by Dave Chess of IBM. The virus does little damage,
other than corruption of the infected programs, but it does display
the following message: "SMA KHETAPUNK - Nouvel Band A.M.O.E.B.A."
No idea what this means. The virus changes the date of infected
files to the date of infection; it is memory resident; it infects
both COM and EXE files, including COMMAND.COM and is 1392 bytes
long.
The third new virus is the XA1, or Christmas Tree virus. It
was submitted by Christoff Fischer of West Germany. It is an
encrypted virus that only infects COM files. It activates on April
the 1st and destroys the partition table of the hard disk. From
December 24th till January 1st it will draw a full screen picture
of a christmas tree when an infected program is executed. It is
not memory resident.
The fourth and fifth new viruses were discovered in Spain and
are called the 1720 and 1210 viruses. The 1720 infects both COM
and EXE files, while the 1210 only infects EXE files. Little is
known of these viruses at this point other than that the 1720
appears to be destructive. The viruses were named after their
respective lengths.
In addition to the above new viruses, version 61 fixes a bug
which caused it to mis-identify the Korea Virus.
Version 60:
Version 60 identifies four new viruses that have been reported
from widely dispersed parts of the world. The first virus, the
Solano 2000, or Dyslexia virus, was widely and suddenly reported
in Solano County, California in late February and early March 1990.
The first person to isolate and submit the virus was Edward
Winters. The virus is 2000 bytes long, but bears no resemblance
to the V2000 virus from Bulgaria. The virus infects only COM
files, is memory resident, and infects each file as it is executed.
The virus randomly reverses contiguous numeric data in the video
buffer. No other damage has been observed.
The second virus, ItaVir, was submitted by Andrea Salvia and
Emilio Caravaglia of Milan Polytechnic in Milan, Italy. The virus
is 3,880 bytes long, infects only EXE files and is not memory
resident. The virus is activated based on the amount of time it
has been in the system (apparently a random time greater than 24
hours) and when activated, it sequentially writes all values
(between 0 and 255) to all I/O ports in the system. The result is
a dramatic confusion of all peripherals. The video monitor will
flicker and if the monitor is VGA, will also hiss. The boot sector
is also wiped out and the system will be non-bootable on power-up.
The third virus, Vcomm, was submitted by Yuval Tal from
Rehovot, Israel. It is a non-memory resident EXE infector and is
1074 bytes long. After the virus is first executed, it infects one
other EXE file and then modifies the in-memory Command Interpreter
so that the DOS COPY command no longer works. No other disruptions
have been reported from this virus.
The fourth virus is a boot sector infector submitted from
Korea. Limited analysis has been done so far on this virus other
than developing an identifier. The virus has been named the Korea
Virus.
Version 59:
Version 59 now removes a number of new variations of the
Vienna, Yankee Doodle and Vacsina. These variations were submitted
by researchers in Eastern Europe. The variations of the Yankee
Doodle and Vacsina appear to be earlier trial versions of these
viruses. They don't appear to be harmful, other than corrupting
the programs that are infected and there have been no reported
incidents of infection in the U.S. or Western Europe. The
variations of Vienna are likewise apparently harmless.
A completely new virus has also been added to the scan
list. Called the V2000 virus, it works as follows:
It installs resident in memory and then searches for and
infects the Command Interpreter (COMMAND.COM). It will then infect
any COM or EXE file whenever the file is opened. Thus, the
executable files are infected whenever they are executed, copied
or manipulated in any way. The virus hides the length increase of
infected files, much like the 4096, so the user will not see the
increased file lengths in the listing displayed by the DIR command.
The virus is very virulent and has caused system crashes and
lost data, as well as causing some systems to become non-bootable
after infection.
The 4096 virus has been added to the list of viruses that can
be removed without erasing the infected program.
Version 57:
CLEAN57 has been substantially modified to allow removal of
viruses that use variable encryption techniques. Two such viruses
surfaced for the first time in January. These viruses cannot be
accurately identified and removed with simple I.D. strings. The
changes to SCAN now allow these two viruses to be positively
identified, and identification and removal of future viruses that
use similar techniques has been simplified.
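A toy model of why a simple I.D. string fails against variable encryption, added here as an illustration and not derived from the 1260 or Virus-101 code: the toy "virus" keeps a constant decryptor stub and XORs its body with a per-infection key. A fixed substring taken from the body matches nothing once the key changes, while a wildcard pattern over the stub recovers the key, decrypts the body and only then applies the body signature, which is also the plaintext a repair step needs. The byte sequences, stub layout and key choice are constructed for the example (the stub is sketched in 8086-style encoding for flavour and is not meant to be executed).

```python
import re

# Constructed "virus body": 64 bytes standing in for code that a fixed
# I.D. string would normally recognise.
BODY = bytes(range(0x20, 0x60))
BODY_SIGNATURE = BODY[:8]          # what a simple scan string looks for


def make_infection(key: int) -> bytes:
    """One infected sample: constant decryptor stub + body XORed with `key`.
    Stub sketched as 8086-style bytes: mov cx,len / mov al,key / xor [si],al /
    inc si / loop. Only the key byte differs from one infection to the next."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be one byte")
    stub = (b"\xb9" + len(BODY).to_bytes(2, "little")   # mov cx, len(BODY)
            + b"\xb0" + bytes([key])                      # mov al, key
            + b"\x30\x04\x46\xe2\xfb")                    # xor [si],al; inc si; loop
    return stub + bytes(b ^ key for b in BODY)


def signature_scan(sample: bytes, signature: bytes = BODY_SIGNATURE) -> bool:
    """The simple I.D.-string approach: a fixed byte sequence anywhere in the file."""
    return signature in sample


# Wildcard pattern over the decryptor: the length and key bytes vary, the
# rest is constant. DOTALL so '.' matches any byte value.
STUB_RE = re.compile(rb"\xb9(?P<len>..)\xb0(?P<key>.)\x30\x04\x46\xe2\xfb", re.DOTALL)


def decryptor_scan(sample: bytes, signature: bytes = BODY_SIGNATURE) -> "tuple[int, bytes] | None":
    """Locate the stub, read the key and length out of it, decrypt that much
    of what follows, and confirm the body signature in the plaintext.
    Returns (key, plaintext body) for an infection, else None."""
    for m in STUB_RE.finditer(sample):
        key = m["key"][0]
        length = int.from_bytes(m["len"], "little")
        body = bytes(b ^ key for b in sample[m.end():m.end() + length])
        if signature in body:
            return key, body
    return None


if __name__ == "__main__":
    for key in (0x00, 0x5A, 0xFF):
        s = make_infection(key)
        hit = decryptor_scan(s)
        print(f"key={key:02X}  signature_scan={signature_scan(s)}  "
              f"decryptor_scan={'key %02X, %d bytes' % (hit[0], len(hit[1])) if hit else None}")
```

With key 0x00 the body is effectively unencrypted and the old string scan still works; for any other key only the decryptor-based scan finds it. The stub pattern works here because the stub is constant apart from two operands; a virus that also varies the stub defeats a fixed pattern, which is why later scanners moved to emulating the decryptor rather than matching it.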
Both of these encrypted viruses were written as "experimental"
viruses. One surfaced on a number of bulletin boards in Minnesota
under the name of COM_AIDS.ZIP. I have named it the 1260 virus,
although it is based in part on the original Vienna virus. The
other was written by Patrick Toulme in Washington D.C. (author of
Virus-90). He has called the new virus Virus-101. Neither of
these viruses was designed to be destructive - they just attach
themselves to other programs. However, there is no such thing as
a "harmless" virus. All viruses corrupt the code of the host
programs, and none enter your system under invitation. And none
have yet successfully been contained. Even the most well designed
and coded "harmless" virus will cause problems in some mix of
hardware/BIOS/DOS-Version/Memory-resident-programs etc. The
Pakistani Brain is a prime example of this. For this reason we
oppose the public distribution of any kind of virus. Once
released, they cannot be controlled. In addition, many lazier
hackers can easily modify "harmless" viruses to become destructive,
and many instances of such modification exist. Thus, V57 of CLEAN
removes both of these viruses.
In addition to the above two viruses, V57 removes the Joker
and Perfume viruses from Poland, the Icelandic-3 found by
Fridrik Skulason in Iceland and the Halloechen virus reported by
Christoff Fischer at the University of Karlsruhe in West Germany.
These are detailed in VIRLIST.TXT.
The 1260 Virus has been added to the list of viruses that can
be removed without erasing the infected program.