VIRUSCAN Version 1.7V50
From: McAfee Associates (408) 988-3832
November 28, 1989
Executable Program (SCAN.EXE):
------------------------------
SCAN contains a self test at load time. If SCAN has been modified in
any way, a warning will be displayed. The program will still continue
to check for viruses, however. In addition, versions 46 and above are
packaged with a VALIDATE program that will authenticate the integrity of
SCAN.EXE. Refer to the VALIDATE.DOC instructions for the use of the
validation program.
Validation results for V50 should be:
-------------------------------------
SIZE: 45,616
DATE: 11-28-1989
FILE AUTHENTICATION:
--------------------
Check Method 1 - 528C
Check Method 2 - 1B4D
You may also call the McAfee Associates bulletin board at (408) 988-4004
to obtain online SCAN.EXE verification data. The VALIDATE program dis-
tributed with SCAN may be used to authenticate all future versions of
SCAN.
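As an added illustration, not part of SCANV50.DOC and not McAfee's VALIDATE program: a small Python script that checks a copy of a binary against a published record of size, date and two check values in the layout shown above. The page does not say which algorithms VALIDATE's two check methods compute, so CRC-16/ARC and a 16-bit additive sum are assumed stand-ins, and the sample file it checks is constructed. The point it illustrates is the one this section makes: a self test inside SCAN.EXE can be patched out along with the rest of the file, so the values you compare against have to come from somewhere the file itself cannot alter, such as the bulletin board.

```python
"""Added example, not McAfee's VALIDATE program: check a copy of a binary
against a published validation record (size, date, two check values).

The page does not document VALIDATE's two check methods, so the two used
here are assumed stand-ins: CRC-16/ARC and a 16-bit additive checksum.
"""
import datetime
import os


def crc16_arc(data: bytes) -> int:
    """CRC-16/ARC: polynomial 0x8005 (reflected 0xA001), init 0, no xorout.
    Check value for b"123456789" is 0xBB3D."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def sum16(data: bytes) -> int:
    """Second, independent method: 16-bit additive checksum."""
    return sum(data) & 0xFFFF


def validation_record(data: bytes, file_date: datetime.date) -> dict:
    """Build the record a vendor would publish, in SCANV50.DOC's layout
    (SIZE, DATE as MM-DD-YYYY, Check Method 1 and 2 as four hex digits)."""
    return {
        "size": len(data),
        "date": file_date.strftime("%m-%d-%Y"),
        "check1": f"{crc16_arc(data):04X}",
        "check2": f"{sum16(data):04X}",
    }


def validate(data: bytes, file_date: datetime.date, published: dict) -> list:
    """Compare a copy with the published record.  Returns a list of
    mismatches; an empty list means every field matched."""
    actual = validation_record(data, file_date)
    return [f"{field}: expected {published[field]}, got {actual[field]}"
            for field in ("size", "date", "check1", "check2")
            if actual[field] != published[field]]


def validate_file(path: str, published: dict) -> list:
    """File wrapper: the date compared is the file's modification date,
    the one DIR displays."""
    with open(path, "rb") as f:
        data = f.read()
    mtime = datetime.date.fromtimestamp(os.path.getmtime(path))
    return validate(data, mtime, published)


if __name__ == "__main__":
    # Constructed stand-in for a distributed SCAN.EXE, not the real binary.
    original = bytes(range(256)) * 4
    release_date = datetime.date(1989, 11, 28)
    record = validation_record(original, release_date)   # what the BBS would publish
    tampered = bytearray(original)
    tampered[100] ^= 0x01                                # one flipped bit
    print("published record:", record)
    print("clean copy:   ", validate(original, release_date, record))
    print("tampered copy:", validate(bytes(tampered), release_date, record))
```

A single 16-bit value can be forced to collide with modest effort, which is why size and two independent methods are compared together and a mismatch on any one field rejects the copy.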
Notes on Version 50:
--------------------
Version 50 detects the Holland Girl virus. This virus was reported by
Jan Terpstra in the Netherlands. It infects .COM files and increases
their size by 1332 bytes. It contains the name and phone number of a
girl named Sylvia in Holland. Potential damage from this virus is not
yet known.
Notes on Version 49:
--------------------
A new file - VIRLIST.TXT has been added to the VIRUSCAN package. This
file lists the known viruses and describes their critical
characteristics in table format.
Version 49 also checks for the following new viruses:
-----------------------------------------------------
- Do-Nothing virus. This virus was reported in October
by Uval Tal in Israel. It infects COM files but does
no other damage and does not affect the system in any
observable way.
- Lisbon Virus. This virus was discovered by Jean Luz
of Lisbon, Portugal in November. It infects COM files
and increases the size of infected programs by 648
bytes. It destroys 1 out of 8 infected programs by overwriting the
first five bytes of the infected program with the string @AIDS.
- Sunday Virus. This virus was discovered by multiple
users in the Seattle, Washington area. It activates
on Sundays and displays the message - "Today is
Sunday, why do you work so hard?". Damage to the FAT
has been reported from a number of infected sites.
Introduction:
-------------
VIRUSCAN scans diskettes or entire systems and identifies any
pre-existing PC virus infection. It will indicate the specific files or
system areas that are infected and will identify the virus strain which
has caused the infection. Removal can then be done automatically using
the SCAN /D option. If the infection is widespread, automatic
disinfector utilities are available which can remove the infected
segment of files and repair and restore the infected programs.
SCAN version 1.7V50 can identify 52 virus strains and numerous sub-
varieties for each strain. The 52 viruses include the ten most common
viruses which account for over 95% of all reported PC infections. The
complete list includes (in order of most recent appearance):
- HOLLAND GIRL VIRUS (New with V50)
- DO-NOTHING VIRUS
- SUNDAY VIRUS
- LISBON VIRUS
- TYPO .COM VIRUS
- DBASE VIRUS
- GHOST VIRUS / GHOSTBALL Boot Version
- GHOST VIRUS / GHOSTBALL COM Version
- NEW JERUSALEM
- ALABAMA
- YANKEE DOODLE
- 2930
- ASHAR
- AIDS / VGA2CGA
- DISK KILLER / OGRE
- 1536 / ZERO BUG
- MIX1
- DARK AVENGER
- 3551 / SYSLOCK
- VACSINA
- OHIO
- TYPO BOOT VIRUS
- SWAP / ISRAELI BOOT
- 1514 / DATACRIME II
- ICELANDIC-II / SYSTEM VIRUS
- PENTAGON
- 3066 / TRACEBACK
- 1168 / DATACRIME-B
- ICELANDIC
- SARATOGA
- 405
- 1704 FORMAT
- FU MANCHU / 2086
- 1280 / DATACRIME
- 1701 / CASCADE
- 1704 / CASCADE-B
- STONED / MARIJUANA
- 1704 / CASCADE / FALLING LETTERS
- PING PONG-B / FALLING LETTERS BOOT
- DEN ZUK
- PING PONG / ITALIAN / BOUNCING DOT
- VIENNA-B
- LEHIGH
- VIENNA / 648 / DOS-68
- JERUSALEM-B
- YALE / ALAMEDA
- FRIDAY 13th COM VIRUS
- JERUSALEM / 1813
- SURIV03
- SURIV02
- SURIV01
- PAKISTANI BRAIN
These viruses are described in the file VIRLIST.TXT.
It is important to note that existing virus strains can be grouped and
counted differently than the above ordering. DEN ZUK, for example has
two separate versions. Likewise, the STONED, VIENNA, ALAMEDA and
JERUSALEM-B viruses have been modified a number of times. Some
researchers would define each of these modifications, or sub-varieties,
as separate viruses. SCAN chooses to group them as the same virus,
because the same scan string can identify each of them. This is only
done if disinfection requirements for the different sub-varieties are
identical. If removal procedures differ for different varieties, then
SCAN will differentiate between them.
The above viruses infect one of the following areas: The hard disk
partition table; the DOS boot sector of hard disks or floppies; or one
or more executable files within the system. The executable files may be
operating system programs, system device drivers, .COM files, .EXE
files, overlay files or any other file which can be loaded into memory
and executed. VIRUSCAN identifies every area or file that has become
infected and indicates the name of the virus that has infected each
file. VIRUSCAN can check the entire system, an individual diskette, a
subdirectory or an individual file for an existing virus.
Operation:
----------
IMPORTANT: Always place VIRUSCAN on a write protected floppy prior to
using it. This will prevent the program from becoming infected.
To run VIRUSCAN type:
SCAN d: [/M /D /A /E [EXTENSION LIST]]
Options are:
------------
/A - Scan all files
/D - Overwrite and Delete infected files
/E - Scan listed overlays
/M - Scan memory for all viruses
(See restrictions below)
VIRUSCAN will check each area or file on the designated drive that could
be a host to a virus. If a virus is found, the name of the infected
file or system area will be displayed, along with the name of the
identified virus.
If the /D option is selected, SCAN will pause after each infected file
is displayed and will ask whether you wish to remove the infected file.
If <Y> is selected, the file will be overwritten with the byte C3h (the
8086 RET instruction), and then deleted. This option is not available
for boot sector and partition table infections. Use the shareware
M-DISK utilities to remove boot sector or partition table viruses.
If the /M option is chosen, SCAN will search the first 640K of memory
for all known memory resident viruses. Selecting this option may cause
false alarms if you are running SCAN in conjunction with any other virus
detection utility. It will also add from 12 seconds to 1 minute to the
scanning time. If the /M option is not chosen, SCAN will in any case
check memory for the Dark Avenger virus. If the Dark Avenger is found
in memory, SCAN will display a warning message, with instructions to
power down and reboot from a clean floppy.
>>> Do not use the /M option if you are running SCANRES V42
or earlier. Please upgrade SCANRES to the current version
first. Otherwise false alarms will result.
Use the /E option to scan specified overlay files. SCAN defaults to
OVL, OVG, OV1, OV2, OVR, SYS, BIN and PIF. SCAN searches these overlay
files for Jerusalem, Vacsina, FuManchu and Dark Avenger (the only known
viruses capable of infecting overlays). If you are using an application
with overlay extensions other than the defaults, specify the extension
names (up to three) using the /E option. Example:
SCAN C: /E .ABC .XYZ .123
It is important to note that viruses that infect overlays always infect
the original .COM, .EXE, .BIN or .SYS files that call the overlay. So
the virus will always be discovered whether or not the overlay is
scanned. To get rid of the virus, however, you must identify and remove
it from overlays. If you do not know whether an application uses
overlay files, and SCAN has discovered one of the viruses capable of
infecting overlays, then use the /A option to search all files.
NOTE: The /A option will require a substantial amount
of time to complete the scan. Use it only after a .COM
or .EXE infection has been discovered by VIRUSCAN.
VIRUSCAN can also scan individual directories or individual files. The
command:
SCAN C:\DIRECT\PROGRAM.EXE will scan the file PROGRAM.EXE
in subdirectory DIRECT.
VIRUSCAN will require approximately 3 minutes of run time for each 1,000
files on the designated drive.
NOTE: Older IBM clones using DOS 2.11 or earlier do not always
automatically indicate that a diskette has been changed in a floppy
drive. When scanning multiple diskettes on these machines, you should
press <Ctrl>-<C> after changing diskettes to allow DOS to reset the
drive. Otherwise VIRUSCAN may become confused.
Exit Codes:
-----------
SCAN will exit with the following exit codes:
0 - Normal termination, no viruses found
1 - One or more viruses found
2 - Abnormal termination (Error)
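Pulling together the operation section, the scan-string grouping discussion under the virus list, the /D removal behaviour, the /E extension list and the exit codes above, here is an added Python example (not VIRUSCAN's code) of a scan-string scanner built along the same lines. The two scan strings are constructed x86 byte patterns chosen for the demo, not signatures of any real virus, and the sample files it scans are built at run time. The extension defaults follow the /E list on this page with .COM and .EXE added, which is an assumption, since the page does not spell out SCAN's base extensions. The scan strings are stored XOR-obfuscated so the plain pattern never appears in the scanner's own image, the same concern behind the string changes in the version 46 notes and the encrypted strings mentioned in the version 41 notes.

```python
"""Scan-string scanner in the VIRUSCAN mould (added example; not McAfee code).

Constructed signatures only: the two scan strings below are ordinary x86
byte patterns chosen for the demo, not signatures of any real virus.  They
are stored XOR-ed with KEY so the plain pattern never appears in this
file's own image, which is what keeps two scanners from alarming on each
other's signature tables.
"""
import os
import sys
import tempfile
from typing import Optional

KEY = 0x5A

# name -> obfuscated scan string (plain bytes XOR KEY); constructed for the demo
SCAN_STRINGS = {
    "Sample-A": b"\xB1\x5E\xCA\xCA\xEE\x10",      # jmp short; nop; nop; mov ah,4Ah
    "Sample-B": b"\xB2\x5A\x5A\x04\xD9\xB4\x59",  # call $+3; pop si; sub si,3
}

# Assumed default targets: .COM/.EXE plus the overlay extensions on this page.
DEFAULT_EXTS = {".com", ".exe", ".ovl", ".ovg", ".ov1", ".ov2",
                ".ovr", ".sys", ".bin", ".pif"}

EXIT_CLEAN, EXIT_INFECTED, EXIT_ERROR = 0, 1, 2   # SCAN's exit codes


def deobfuscate(blob: bytes) -> bytes:
    """Recover a plain scan string at scan time; never stored in the clear."""
    return bytes(b ^ KEY for b in blob)


def identify(data: bytes) -> Optional[str]:
    """Return the name of the first scan string found in data, else None."""
    for name, blob in SCAN_STRINGS.items():
        if deobfuscate(blob) in data:
            return name
    return None


def select_files(root: str, all_files: bool = False, extra_exts=()):
    """Walk root as SCAN d: does; /A lifts the extension filter, /E adds to it."""
    exts = DEFAULT_EXTS | {e.lower() for e in extra_exts}
    for dirpath, _, names in os.walk(root):
        for fname in sorted(names):
            if all_files or os.path.splitext(fname)[1].lower() in exts:
                yield os.path.join(dirpath, fname)


def remove_infected(path: str) -> None:
    """/D behaviour: overwrite every byte with C3h (RET), flush, then delete,
    so a copy that is undeleted or still cached does nothing if run."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(b"\xC3" * size)
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)


def scan(root: str, all_files=False, extra_exts=(), remove=False):
    """Return ([(path, virus_name), ...], exit_code) using SCAN's exit codes."""
    if not os.path.isdir(root):
        return [], EXIT_ERROR
    findings = []
    try:
        for path in select_files(root, all_files, extra_exts):
            with open(path, "rb") as f:
                data = f.read()
            name = identify(data)
            if name:
                findings.append((path, name))
                if remove:            # the real /D asks Y/N per file first
                    remove_infected(path)
    except OSError:
        return findings, EXIT_ERROR
    return findings, EXIT_INFECTED if findings else EXIT_CLEAN


def build_samples(root: str) -> None:
    """Write constructed sample files: a clean .COM, an 'infected' .COM,
    an infected overlay, and a .TXT that only /A would examine."""
    clean = b"\xB8\x00\x4C\xCD\x21"                    # mov ax,4C00h; int 21h
    files = {
        "CLEAN.COM":  clean,
        "INFECT.COM": clean + deobfuscate(SCAN_STRINGS["Sample-A"]),
        "APP.OVL":    b"\x00" * 16 + deobfuscate(SCAN_STRINGS["Sample-B"]),
        "NOTES.TXT":  b"lab notes " + deobfuscate(SCAN_STRINGS["Sample-B"]),
    }
    os.makedirs(root, exist_ok=True)
    for fname, data in files.items():
        with open(os.path.join(root, fname), "wb") as f:
            f.write(data)


if __name__ == "__main__":
    target = tempfile.mkdtemp(prefix="vscan_")
    build_samples(target)
    found, code = scan(target, all_files="/A" in sys.argv, remove="/D" in sys.argv)
    for path, virus in found:
        print(f"Found the {virus} scan string in {path}")
    print(f"exit code {code}")
    sys.exit(code)
```

Run it plainly for a default scan; pass /A to reach NOTES.TXT, which only an all-file scan examines, and /D to overwrite and delete what is found. Exit code 1 on a detection lets a batch file branch on the result, which is what the exit-code list above is for.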
Registration:
-------------
A registration fee of $25 is required for the use of VIRUSCAN by
individual home users. Please send registrations to the address below.
This registration covers the copy currently in use and any future
versions for one year, providing they are obtained from the McAfee
Associates bulletin board or other public or private board. Diskettes
will not be mailed unless specifically requested. Add $9 for diskette
mailings. The McAfee Associates board number is - (408) 988-4004 -
1200/2400, N,8,1; 5 lines.
Corporate and organizational use:
---------------------------------
Corporate site licenses are required for corporate, agency and organiza-
tional use. For site license information contact:
McAfee Associates
4423 Cheeney Street
Santa Clara, CA 95054
(408) 988-3832
Scanning Networks:
------------------
VIRUSCAN works only on stand-alone PCs. If you are in a corporate
environment using local area networks you will need to run NETSCAN.
NETSCAN is not a shareware product. Site licenses are available for
NETSCAN through McAfee Associates - (408) 988-3832.
Virus Removal:
--------------
What do you do if a virus is found? Well, if you are a registered
VIRUSCAN user, you may contact McAfee Associates for free assistance in
manually removing the virus or for information on disinfection
utilities. Automatic disinfectors are available for the majority of the
known viruses and are free to registered users. We strongly recommend
that you get experienced help in dealing with many of the viruses,
particularly partition table and boot sector infections. If you are not
a registered user, the following steps should be followed:
Boot sector infections:
-----------------------
Power down the system. Power up and boot from an
uninfected, write protected floppy. Execute the DOS SYS
command to attempt an overwrite of the boot sector.
This works in many cases. If this does not work, backup
all data files and perform a low level format of the
disk.
Executable file infections:
---------------------------
Power down system. Boot from clean, write protected
floppy. Remove all infected files. Replace from the
original distribution diskettes.
Partition table infections:
---------------------------
Without a removal utility, the only option is to low
level format the media.
Disinfecting utilities are available from McAfee
Associates for the majority of the common viruses.
These utilities remove the virus and repair the infected
files. If you are not a registered user of VIRUSCAN,
you may purchase these utilities from:
McAfee Associates
4423 Cheeney Street
Santa Clara, CA 95054
(408) 988-3832
BBS: (408) 988-4004
Version Notes
-------------
Notes on Version 48:
--------------------
Version 48 identifies the TYPO .COM virus reported by Joe Hirst in
Brighton, U.K. The TYPO is a .COM infector that will garble data sent
to the parallel port. Version 48 enhancements to VIRUSCAN are:
1. .PIF files have been added to the default overlay
file scan.
2. Overlay file extensions may be defined by the user.
3. An optional all-file scan may be selected.
4. .SYS and .BIN files have been included in the
search for VACSINA and FUMANCHU.
Notes on Version 47:
--------------------
Version 47 identifies the DBASE virus discovered by Ross Greenburg of
New York. The DBASE virus is a COM infector that will corrupt data in
DBF files.
Notes on Version 46:
--------------------
Version 46 now includes a test for the Ghost virus. This virus was
discovered in September by Fridrik Skulason at Icelandic University.
The virus infects .COM files and the boot sectors of hard disks and
floppies. The virus increases the size of infected COM files by 2,351
bytes, and replaces the boot sector of infected systems with a boot
virus similar to Ping Pong. Random file corruption by this virus has
been reported. SCAN identifies both the COM version and the boot
version of this virus.
Version 46 enhancements include:
--------------------------------
1. An option to remove infected files by overwriting
the infected file and then deleting it. The
command line option for removal, </D>, is described
in the operation section of this document.
2. Memory scan has been made optional for most memory
resident viruses. SCAN will continue to force a
memory check only for the Dark Avenger virus.
3. Scan strings have been changed once again to avoid
false alarms with some of the Jerusalem virus
detectors/removers.
Notes on Version 45:
--------------------
Version 45 now identifies the new version of Jerusalem discovered by
FIDONET SysOps Jan Terpstra and Ernst Raedecker in the Netherlands. It
has been modified to avoid detection by earlier SCAN versions.
I need to reiterate the warning against using earlier versions of SCAN
if the Dark Avenger virus is suspected. Both VIRUSCAN (pre-version 43)
and IBM's first release VIRSCAN cause the Dark Avenger to initiate a
runaway infection process when the virus is active in memory. Use only
version 43 and above if there is any question of the virus being
present.
Note on Version 44:
-------------------
This version is a fix for a bug in version 43. Version 43 misses a
number of viruses on some systems. DO NOT USE Version 43.
Notes on Version 43/44:
-----------------------
Version 43/44 now identifies the Alabama Virus. This virus was
discovered by Ysrael Radai at Hebrew University and forwarded to us
through Dave Chess at IBM. The virus infects .EXE files and increases
their size by 1560 bytes. It manipulates the file allocation table and
swaps file names so that files are slowly lost.
Version 43/44 now also checks for the presence of Dark Avenger in memory
prior to performing a disk scan. This prevents the virus from using
SCAN to multiply throughout the system while SCAN is doing a search.
URGENT: >>>>>> It is recommended that all earlier versions of SCAN not
be used if the Dark Avenger virus is suspected. It is also recommended
that people using IBM's VIRSCAN product wait until the new memory check-
ing version has been released before continuing its use, or at least
proceed cautiously with the existing program. IBM is aware of the
danger in scanning systems with Dark Avenger active and a fix should be
under way from IBM.
Additional Version 43/44 enhancements are:
------------------------------------------
- Fix to include EXE file searches for DataCrime II
- Identification of Pakistani Brain while virus is
active in memory
- Fix for duplicate reporting when Ashar virus is
identified
- Audible beep if any viruses are found (this was
requested by a visually impaired user)
- Speedup of searches for large subdirectories
**** Notice ****
----------------
1. If SCAN identifies the Dark Avenger active in memory, it will
stop and display a warning message. The scanning will not
continue. This is an extremely infectious virus and must be
treated cautiously. Power down the system and reboot from a
write-protected system master diskette. Then run SCAN to
determine the extent of infection. A disinfector -- M_DAV - is
now available on the McAfee Associates board that can remove
this virus. The board number is (408) 988-4004.
2. If you use the SCANRES infection prevention program, please
upgrade to Version 43/44 of SCANRES before using SCAN 43/44.
This will avoid potential conflicts with older versions of
SCANRES.
Notes on Version 42:
--------------------
Version 42 of VIRUSCAN includes an identifier for the Yankee Doodle
Virus. This virus was discovered in Vienna by Alexander Holy at the
United Nation's office on Sept 30th. The virus has reportedly been
transmitted to the U.S. through U.N. employees via the game - 'Outrun'.
The virus plays the tune - 'Yankee Doodle Dandy' on the system's speaker
17 hours after an infected program is loaded. Both COM and EXE files
can be infected, and infected files grow by 2899 bytes. No knowledge
yet of eventual damage potential.
Notes on Version 41:
--------------------
Version 41 of VIRUSCAN is a response to IBM's release of their own virus
scanning product. Their first release is able to check for 28 viruses,
two of which were not known by VIRUSCAN. I have worked closely with
David Chess of IBM in the past, and we have shared virus disassemblies
and live viruses freely. David has graciously sent me the viruses I was
not currently aware of, and which their program checks for. I, in
return, have sent Dave the viruses IBM was not aware of. Hopefully the
two scanning products will achieve and maintain a parity for future
releases. I have tried the IBM product and found it to be effective in
all cases for which the product claims to work. The architecture of my
own product, VIRUSCAN, and that of IBM's VIRSCAN are different, and with
the exception of the 1701 virus, our chosen scan strings also differ. I
have chosen to encrypt the VIRUSCAN I.D. strings to make it more
difficult for hackers to modify specific areas of viruses in order to
fool SCAN. IBM has chosen to make their strings available for easy
addition or modification. Both approaches have merit. I would like to
say that I consider the IBM entry into the virus scanning arena not as a
competitive move but as a helpful addition to the array of support tools
for protecting against viruses.
- John McAfee
- end -