Power Utilities

home *** CD-ROM | disk | FTP | other *** search

/ Power Utilities / Power Utilities.iso / utility / pro11 / htscan.doc < prev next >

Wrap

Text File | 1992-11-11 | 49.6 KB | 1,439 lines

---------------------------------------------------------------------------- HTScan Version 1.19 Date 12-11-92 (C) 1990-1992 by Harry Thijssen ---------------------------------------------------------------------------- CONTENTS 1. INTRODUCTION.................................................... 1 1.1. Purpose of HTSCAN......................................... 1 1.2. A quick start............................................. 1 1.3. Benefits.................................................. 2 1.3.1. Flexibility....................................... 2 1.3.2. Reliability....................................... 2 1.3.3. Future use and speed.............................. 2 1.3.4. DOS 5.x and Upper-Memory-Blocks................... 2 1.3.5. Security.......................................... 2 2. USAGE........................................................... 3 2.1. Syntax.................................................... 3 2.1.1. Drive and path.................................... 3 2.1.2. Options........................................... 3 2.1.3. Advanced options.................................. 4 2.1.4. Explanation of some options....................... 5 2.2. Exit Codes................................................ 5 2.3. Configuration file........................................ 6 2.4. Message file.............................................. 6 2.5. Residence of HTSCAN.EXE................................... 6 2.6. Residence of the signature lists.......................... 6 - ii - 3. SIGNATURE FILES................................................. 7 3.1. VIRSCAN.DAT file.......................................... 7 3.1.1. Signature format.................................. 7 3.1.2. Recommended usage................................. 7 3.1.3. Checksum.......................................... 7 3.1.4. Where to find VIRSCAN.DAT......................... 7 3.2. ADDNSIGS.DAT file......................................... 8 3.2.1. Signature format.................................. 8 3.2.2. Recommended usage................................. 8 3.2.3. Where to find ADDNSIGS.DAT........................ 8 3.3. AVR modules............................................... 9 3.3.1. AVR format........................................ 9 3.3.2. Recommended usage................................. 9 3.3.3. Where to find AVR modules......................... 9 3.4. COMPRSCA.DAT.............................................. 9 3.4.1. Signature format.................................. 9 3.4.2. Recommended usage................................. 9 3.4.3. Where to find COMPRSCA.DAT........................ 9 3.5. HTSCAN.DAT file............................................ 10 3.5.1. Signature format................................... 10 3.5.2. Recommended usage.................................. 10 3.6. HTTROJAN.DAT file.......................................... 10 3.6.1. Signature format................................... 10 3.6.2. Recommended usage.................................. 10 3.6.3. Where to find HTTROJAN.DAT......................... 10 3.7. VIRUSBUL.DAT file.......................................... 11 3.7.1. Signature format................................... 11 3.7.2. Recommended usage.................................. 11 3.8. MCAFEE.DAT file............................................ 11 3.8.1. Signature format................................... 11 3.8.2. Recommended usage.................................. 11 4. MESSAGES........................................................ 12 4.1. Virus in memory........................................... 12 4.2. Compressed files.......................................... 12 4.3. Invalid date/time......................................... 13 4.4. EXE/COM extension exchanged............................... 13 4.5. Unusual values in boot-sector............................. 13 - iii - 5. TIPS............................................................ 14 5.1. Running HTSCAN............................................ 14 5.2. Routine scanning and /A................................... 14 5.3. Scanning when probably infected........................... 14 5.4. Compressed files and scanning from a .BAT file............ 14 5.5. Backups................................................... 14 6. WHAT TO DO IF YOU FIND A VIRUS?................................. 15 6.1. Recommended approach...................................... 15 6.2. If you don't have a backup and it is a known virus........ 15 6.3. If you don't have a backup and it is an unknown virus..... 16 7. HOW TO PREVENT A VIRUS INFECTION?............................... 17 8. LICENSES........................................................ 17 9. DISCLAIMER...................................................... 17 10. MISCELLANEOUS INFORMATION....................................... 18 10.1. Requirements............................................. 18 10.2. Copyrights and trademarks................................ 18 10.3. New versions............................................. 18 10.4. Questions, suggestions or problems....................... 18 10.5. Translations............................................. 19 10.6. Thanks................................................... 19 APPENDICES I. APPENDIX A. Signature file formats............................. 20 A.1. VIRSCAN format........................................... 20 A.2. HTSCAN format............................................ 21 A.3. VIRUSBUL format.......................................... 24 A.4. MCAFEE format............................................ 25 A.5. Switches in the signature files.......................... 25 II. APPENDIX B. Examples of HTSCAN style signatures................ 26 III. APPENDIX C. Examples of invoking HTSCAN........................ 27 IV. APPENDIX D. Addresses for experienced help..................... 28 D.1. If you have access to a modem............................ 28 D.2. If you don't have access to a modem...................... 28 V. APPENDIX E. Example batch file................................. 29 - 1 - 1. INTRODUCTION 1.1. Purpose of HTSCAN HTSCAN is a user programmable virus-scanner. It is designed to detect and identify known viruses within files, boot-sectors, main-boot-record(s) (partition-tables) and memory. You can use HTSCAN for scanning all your floppy-disks, hard-disks and network-drives. 1.2. A quick start First of all, the master rules when dealing with viruses: - Cold-boot the machine to be scanned from a clean write-protected floppy-disk. Control-Alt-Del is not enough! - Run HTSCAN from a write-protected floppy-disk after cold-booting your PC, before starting any other program! For a quick start, place HTSCAN.EXE, HTSCAN.OVR, HTSCAN.LNG, *.AVR, VIRSCAN.DAT and/or HTSCAN.DAT and/or VIRUSBUL.DAT on a clean system- diskette. Make the floppy-disk write-protected. (5,25 place a tab over the notch on the right side, 3.5 inch open the little hole by sliding away the tab) Now you can boot the PC you want to scan from this floppy-disk and start HTSCAN with: HTSCAN A:\ if the floppy with HTSCAN is in drive A: or: HTSCAN B:\ if the floppy with HTSCAN is in drive B:. If HTSCAN doesn't report any infections, you may scan your disk(s) with: HTSCAN C:\ or HTSCAN C:\ D:\ etc. - 2 - 1.3. Benefits 1.3.1. Flexibility HTSCAN is a flexible programmable virus-scanner. It uses the text files VIRSCAN.DAT, HTSCAN.DAT, HTTROJAN.DAT, VIRUSBUL.DAT and MCAFEE.DAT as signature lists. If a new virus is detected, all you have to do is adding its signature to one of the signature lists. Several types of wildcards in the scan-strings of the signatures are supported. 1.3.2. Reliability Reliability was, and still is, a major goal for HTSCAN. For this reason HTSCAN scans the whole file starting with the first byte, ending with the last. No trick is used to reduce the number of bytes to scan. 1.3.3. Future use and speed HTSCAN is designed to scan for a large amount of virus signatures in the future. The only limit is the amount of free memory and will be reached with about 4000 virus-signatures. Because of its design, HTSCAN will not slow down significantly when scanning for such large number of viruses. In fact it doesn't matter if you scan an item, e.g. *.COM, for 1 or 100 viruses. 1.3.4. DOS 5.x and Upper-Memory-Blocks Since DOS 5.x has been released, the Upper-Memory-Blocks and the High-dos-Memory-Area can be addressed with standard software. One of the negative side-effects is that a resident virus now may become resident within these memory parts. Of course HTScan fully supports the scanning of these areas. 1.3.5. Security HTSCAN will do a self-test with every startup to be sure HTSCAN is not altered. If it is altered, it will give a message and aborts. Although this is a benefit, realize that you can't scan your system with HTSCAN to know which virus causes the trouble after HTSCAN is got infected. So be sure to have at least a copy on a write-protected floppy-disk. - 3 - 2. USAGE 2.1. Syntax The call is: HTSCAN [@]<path>... [option]... or HTSCAN [&]<drive>[..<drive>] [option]... 2.1.1. Drive and path Path: disk or disk and path or disk, path and filename or @filename When the filename is preceded with a "@", it is a listfile with the names of files, directories or drives to scan. When the drive name is preceded with a "&", this means scan all drives starting with the named drive and, when specified, ending with the drive specified after the "..". When no ending drive is specified, HTSCAN will scan all drives starting with the specified one. (On some networks "&" will do nothing.) See appendix C for examples. 2.1.2. Options /A ; Scan all files for all file-viruses /B- ; Don't beep when an infection is found /B+ ; Beep when an infection is found (default) /C[=]<cfg-file> ; Use the specified configuration file /D ; Delete/rename infected files ; (HTSCAN will prompt before deleting/renaming) /I ; License info /R ; Rename infected files ; (HTSCAN will prompt you before renaming) /M ; Scan all memory for all viruses /M- ; Don't scan memory for viruses /M+ ; Scan all memory for all viruses (same as /M) /N ; Do not include sub-directories /O[=]<log-file> ; Write logging to the specified file /O+<log-file> ; Append logging to the specified file /P- ; Don't prompt before scrolling the screen /P+ ; Prompt before scrolling the screen ; (default when /O is not used) /Q ; Quiet mode, don't display filenames /Q+ ; Semi quiet mode, display only directory names - 4 - /S ; Skip boot-record(s) /U- ; Don't scan upper memory blocks for viruses /U+ ; Scan upper memory blocks for all resident viruses ; (default when DOS 5.x or QEMM is used) /V[=]<sig. list>; Use the specified virus-signature list or directory /W- ; Don't warn when compressed/self-extracting files found /X ; Scan multiple floppies 2.1.3. Advanced options Miscellaneous /$F ; Display info on infected files. (Date/Time/Size) /$M=<directory> ; Specifies where infected files should be moved to /$U ; Run unattended. ; Don't prompt for renaming, deleting and moving files /$USlow ; Slow down upper-memory scan to avoid hardware errors /$W+ ; Use new errorlevel when ending the program (default) /$W- ; Use old errorlevel when ending the program /$? ; For help about the advanced options Screen related /$T=<n> ; Preserve the top n lines for a shell program /$B=<n> ; Preserve the bottom n lines for a shell program Network related /$NOE ; Suppress open-error messages Research related /$A ; Display all scanned files. Whether infected or not. ; (in log-file only) /$G ; Scan for all boot-record viruses in COM and EXE files. ; If /A is used also, boot-record all files are scanned ; for boot-record viruses. /$O ; Display the offset where the scan-string is found ; (in log-file only) /$Z ; Warn for compressed/sfx files on main screen - 5 - 2.1.4. Explanation of some options /$USlow On some computers HTSCAN scans the upper-memory-blocks to fast for the hardware. This may result in hardware-errors. With /$USLOW it is possible to slow down the scanning of the upper-memory-blocks. /$NOE A common problem on networks is the impossibility to open all files, resulting in a large number of error messages. HTSCAN has the switch /$NOE. (Which means -- No Open Error --) /$NOE suppresses the error message generated by an attempt to open an execute-only file, a busy file etc. 2.2. Exit Codes Default or when /$W+ is used, HTSCAN will exit with the following exit codes: 0 : Normal termination, no viruses found. 1..49 : One or more warnings issued. 50..74 : Program interrupted by user. 75..99 : A program error occurred. 100..149 : Operator error. 150..174 : Error in signature-file. 175..199 : One or more trojans/jokes found. 200..255 : One or more viruses found. When /$W- is used, HTSCAN will exit with the following exit codes: 0 : Normal termination, no viruses found 1 : One or more viruses found > 1 : Abnormal termination (Error) Note: The default in this release is /$W+. In earlier versions the default was /$W-. - 6 - 2.3. Configuration file Using HTScan should be done frequently. Although the defaults switch- settings are perfect for routine scanning, some people are always using some command-line switches. For those, it is boring to enter these switches over and over again. This is not necessary at all. It is possible to place your own command-line switches in the file HTSCAN.CFG in the current directory or in the same directory as HTSCAN.EXE. This configuration file may contain all command-line options delimited by spaces on the same line or you may place every option on a single line. A switch used on the command-line will overrule the switch in the configuration file. Have a look at HTSCAN.CFG in EXAMPLES.ZIP for an example of HTSCAN.CFG. 2.4. Message file In a company environment it is often useful if a scanner can produce a clear instruction in their native language. With HTSCAN it is possible to put such messages/instructions in the file HTSCAN.MSG. Different messages for different errorlevels are possible. Place HTSCAN.MSG in the current directory or the same directory as HTSCAN.EXE. The message corresponding to HTSCAN's errorlevel will be displayed when HTSCAN is ending. Have a look at HTSCAN.MSG in EXAMPLES.ZIP for an example of HTSCAN.MSG. 2.5. Residence of HTSCAN.EXE Like every other virus-fighter this program should be placed on a clean write-protected floppy before using it. Boot from a clean write-protected system-diskette and start HTSCAN. If you thinks it is awkward to use a program from floppy-disk like this, I agree. Unfortunately this is the only way to catch all viruses. 2.6. Residence of the signature lists If /V is not used to give the virus-signature filename or the directory where HTSCAN.DAT and/or VIRSCAN.DAT and/or VIRUSBUL.DAT can be found, HTSCAN looks first on the current directory for a file named HTSCAN.DAT and/or VIRSCAN.DAT and/or VIRUSBUL.DAT. If non is found, HTSCAN will look for these files in the directory where HTSCAN.EXE resides. HTSCAN will use all signature-files found in the same directory. E.g. if HTSCAN.DAT and VIRSCAN.DAT both in the current directory, both files are used. - 7 - 3. SIGNATURE FILES 3.1. VIRSCAN.DAT file 3.1.1. Signature format VIRSCAN.DAT uses by default the VIRSCAN format described in appendix A.1. 3.1.2. Recommended usage I recommend to use the signature file VIRSCAN.DAT unmodified. Collect your own signatures in the file HTSCAN.DAT. 3.1.3. Checksum HTScan checks the checksum in VIRSCAN.DAT to detect unauthorized changes in VIRSCAN.DAT. 3.1.4. Where to find VIRSCAN.DAT VIRSCAN.DAT contains a VERIFIED list of virus signatures. Several Bulletin Boards over the world have a copy of this file available for download or file-request under the name: VSIGyyxx.ZIP - latest VERIFIED version of VIRSCAN.DAT where yy is the year and xx a sequence number. The MASTER copy of this file is maintained and available on: Bamestra RBBS, The Netherlands (FIDO 2:512/10.0) phone: ++31 2998 3602 or ++31 2998 3603 (HST/CM) The signatures in VIRSCAN.DAT are collected by Jan R. Terpstra. (SysOp Bamestra BBS) See also 10.3 - 8 - 3.2. ADDNSIGS.DAT file 3.2.1. Signature format ADDNSIGS.DAT uses by default the VIRSCAN format described in appendix A.1. 3.2.2. Recommended usage To use ADDNSIGS.DAT, you have to place it in the same directory as VIRSCAN.DAT/HTSCAN.DAT/VIRUSBUL.DAT. ADDNSIGS.DAT is an addition to other virus-signature files. It is not possible to use HTSCAN with ADDNSIGS.DAT only. 3.2.3. Where to find ADDNSIGS.DAT ADDNSIGS.DAT contains emergency additions of VIRSCAN.DAT. It will be distributed in case a rapidly spreading virus is discovered. ADDNSIGS.DAT will be distributed in ASIGyynn.ZIP where yy is the year and nn a sequence number. This file will have a rather short life, as all emergency updates will be moved over to VIRSCAN.DAT in the next release. The MASTER copy of this file is maintained and, if existent, available on: Bamestra RBBS, The Netherlands (FIDO 2:512/10.0) phone: ++31 2998 3602 or ++31 2998 3603 (HST/CM) The signatures in ADDNSIGS.DAT are collected by Jan R. Terpstra. (SysOp Bamestra BBS) See also 10.3 - 9 - 3.3. AVR modules 3.3.1. AVR format AVR's are algorithmic virus recognition modules. The format is not free for the public. 3.3.2. Recommended usage To use an AVR module, you have to place it in the same directory as VIRSCAN.DAT/HTSCAN.DAT/VIRUSBUL.DAT. An AVR is an addition to other virus-signature files. It is not possible to use HTSCAN with an AVR file only. 3.3.3. Where to find the AVR modules The AVR modules are available in VSIGyynn.ZIP. For further information about VSIGyynn.ZIP see 3.1.4. 3.4. COMPRSCA.DAT 3.4.1. Signature format COMPRSCA.DAT uses by default the HTSCAN format described in appendix A.2. 3.4.2. Recommended usage COMPRSCA.DAT contains signatures to detect compressed files. It is not necessary for the virus-scanner, but could give you some info about the possible source of an infection. See also 4.2. for more information. To use COMPRSCA.DAT, you have to place it in the same directory as VIRSCAN.DAT/HTSCAN.DAT/VIRUSBUL.DAT. COMPRSCA.DAT is an addition to other virus-signature files. It is not possible to use HTSCAN with COMPRSCA.DAT only. 3.4.3. Where to find this COMPRSCA.DAT COMPRSCA.DAT will be available in VSIGyynn.ZIP. For further information about VSIGyynn.ZIP see 3.1.4. - 10 - 3.5. HTSCAN.DAT file 3.5.1. Signature format HTSCAN.DAT uses by default the HTSCAN format described in appendix A.2. 3.5.2. Recommended usage I recommend to collect your own signatures in the file HTSCAN.DAT in the same directory as VIRSCAN.DAT. In this way, a new update of VIRSCAN.DAT can be copied over the old version without loosing your own collection of signatures. 3.6. HTTROJAN.DAT file 3.6.1. Signature format HTTROJAN.DAT uses by default the HTSCAN format described in appendix A.2. 3.6.2. Recommended usage HTTROJAN contains signatures of trojans and jokes. To use it, you have to place HTTROJAN.DAT in the same directory as VIRSCAN.DAT/HTSCAN.DAT/ VIRUSBUL.DAT. HTTROJAN.DAT is an addition to other virus-signature files. It is not possible to use HTSCAN with HTTROJAN.DAT only. 3.6.3. Where to find this HTTROJAN.DAT The latest update of HTTROJAN.DAT is always available within the HTTROJxx.ZIP archive at INFOdesk the Hague. Magic-file name HTTROJAN. - 11 - 3.7. VIRUSBUL.DAT file The fourth signature-file is VIRUSBUL.DAT. In this file you can type the signatures published by Virus-Bulletin in a format almost like published in Virus-Bulletin. 3.7.1. Signature format VIRUSBUL.DAT uses by default the VIRUSBUL format described in appendix A.3. 3.7.2. Recommended usage Collect the signatures published in Virus-Bulletin in the file VIRUSBUL.DAT. If you use VIRUSBUL.DAT and VIRSCAN.DAT, place them in the same directory. 3.8. MCAFEE.DAT format The fifth signature-file is MCAFEE.DAT. In this file you can type the signatures published in a McAfee style. 3.8.1. Signature format MCAFEE.DAT uses by default the MCAFEE format described in appendix A.4. 3.8.2. Recommended usage Collect the signatures published in a McAfee style in the file MCAFEE.DAT. To use it, you have to place MCAFEE.DAT in the same directory as VIRSCAN.DAT/HTSCAN.DAT/VIRUSBUL.DAT. MCAFEE.DAT is only an addition to other virus-signature files. It is not possible to use HTSCAN with MCAFEE.DAT only. - 12 - 4. MESSAGES 4.1. Virus in memory If a virus is found in memory, HTSCAN will stop, issues a warning and ask if it should continue. Don't continue unless you are absolute sure the virus will not harm your files and/or disks. If you are not sure, follow the instructions: - turn your computer off using the power-switch - wait at least 30 seconds - boot from a write-protected clean system-diskette - start HTSCAN again from clean write-protected floppy-disk 4.2. Compressed files. HTSCAN will give a warning when a compressed executable file was found. The name(s) off the compressed file(s) and the compress utility are listed in the message window on the screen and in the log-file. In the final report, the message "x Compressed executable file(s) found." will appear on the screen. HTSCAN will NOT decompress these files. HTSCAN will look for executable files compressed with: DIET version 1.00d LZexe version 0.91 PKLite version 1.03/1.05 and self-extracting files compressed with: ARJ version 1.00/1.10/2.00/2.10 LHA version 2.10 LHarc version 1.13 PAK version 2.50 PKZip version 1.10 If a compressed file is found, HTSCAN can't scan within the compressed file. If it is a new file, decompress it and scan its contents with HTSCAN. If the warning was triggered on an old file which didn't change and there is no infection found in other files, don't bother about the compressed files. When a compressed file was found, the errorlevel will be > 0. - 13 - 4.3. Invalid date/time. HTSCAN will give a warning when it finds a file with an invalid date/time. (Year > 2000 will be treated as illegal!) The name(s) off the file(s) are listed in the message window on the screen and in the log-file. In the final report, the message "x File(s) with an illegal date/time found." will appear on the screen. Many viruses use an invalid date/time for self-recognition. When a file with invalid date/time was found, the errorlevel will be > 0. 4.4. EXE/COM extension exchanged. HTSCAN will give a warning when it finds an EXE file without EXE header or a COM file with EXE header. The name(s) off the file(s) are listed in the message window on the screen and in the log-file. In the final report, the message "x File(s) with an exchanged COM/EXE header found." will appear on the screen. When a file with an exchanged EXE/COM extension was found, the errorlevel will be > 0. 4.5. Unusual values in boot-sector HTSCAN will give a warning when it finds unusual values in a boot- sector. Unusual values are reported in the message window on the screen and in the log-file. Some boot-sector viruses will trigger this warning. Unfortunately, a floppy used by PcBackup will trigger this warning too. - 14 - 5. TIPS 5.1. Running HTSCAN It is necessary to cold-boot from a clean write-protected DOS system- diskette before running HTSCAN from a clean write-protected floppy. If you don't have such a floppy-disk, create it NOW. Believe me, going to a shop buying a clean DOS version after you get an infection takes more time and money. You can create a DOS system-diskette with "FORMAT A: /S". See appendix E for an example of a batch file which can be placed on this floppy and used in routine scanning. 5.2. Routine scanning and /A Unfortunately many users think option /A is best for routine scanning. This is NOT. Option /A is very time consuming and makes only sense if you scan an unknown floppy or if you know you are struck by a virus. Don't use it in routine scanning. 5.3. Scanning when probably infected When your system is probably infected you should absolutely run HTSCAN from a write-protected floppy after cold-booting using reset-button or the power switch. Again, Ctrl-Alt-Del is NOT enough. If you are one of those persons who insist in not creating a clean DOS system-diskette, you could save your self lots of trouble using the /M option. However, this is NOT recommended, this option will increase the chance on false alarms and it is NOT save. 5.4. Compressed files and scanning from a .BAT file When HTSCAN is used from a .BAT file to scan a hard-disk in a routine scan, check only on errorlevel 50 or greater. Don't bother on the compressed files when no infections where found in other files. When HTSCAN is used from a .BAT file to scan a incoming floppy, check on errorlevel 1 or greater. If a compressed file is found, decompress it and scan its contents with HTSCAN. 5.5. Backups Backups are the most important precaution that can be taken against computer viruses. Unduplicated data stored on a disk will be irretrievable lost in the event of an attack by a destructive virus. In english: BACKUP your data periodically! - 15 - 6. WHAT TO DO IF YOU FIND A VIRUS? STAY COOL, it is my opinion that most harm is done by users who panicky tried to disinfect there disk. If you find a virus by a virus-scanner the virus has done his job or will wait until some event. In both cases there is no reason to hurry. You have plenty of time. DON'T INSERT ANY OF YOUR BACKUP-DISKETTE'S IN YOUR PC BEFORE YOU ARE 100% SURE YOUR PC IS CLEAN! 6.1. Recommended approach This will only work if you have a clean current backup. - Power down your system. Power up and boot from a clean write-protected system-diskette. - Low-level-format your hard-disk (check your hard-disk documentation on how to do that, or consult your supplier) - Restore your system from the last known clean-backup 6.2. If you don't have a backup and it is a known virus If the virus is in the boot-sector or a system-file: - get a virus killer for this virus and use it to clean-up your disk if you can't find a killer for this virus: - Power down your system. Power up and boot from a clean write-protected system-diskette. - Use the DOS command SYS to overwrite the infected spots. If the virus is in the main-boot-record (partition-table): - get a virus killer for this virus and use it to clean-up your disk if you can't find a killer for this virus: - Power down your system. Power up and boot from a clean write-protected system-diskette. if you have DOS 5.0 or higher: - you may try FDISK /MBR to fix the main-boot-record, although this will destroy your data in certain unusual circumstances if you don't have DOS 5.0: - Backup your system - Low-level-format your hard-disk - Restore your files. - 16 - If the virus is in your software: - Power down your system. Power up and boot from a clean write-protected system-diskette. - Use "HTSCAN <path> /R" from a clean write-protected floppy-disk. HTSCAN will ask you for every infected file if it should be renamed. - Reinstall your software from the original floppy-disks. - Delete the renamed infected files with "HTSCAN <path> /D /A". If you can't find the original software: - get a virus killer for this virus and use it to clean-up your infected (renamed) files. Be extreme careful when cleaning your software with a virus killer. A lot of killers are unreliable and may totally destroy your program's. In the worst case, such a destroyed program could act like a trojan and destroy your data the next time it is executed. Run "HTSCAN <path> /A" to be absolute sure your disk is clean. I strongly recommend that you get experienced help in dealing with viruses. You can find addresses of experienced help in the appendices. Get at least information on the virus. I only gave a description how to get rid off the virus. Maybe the virus has corrupted your data. In such a case you should use a clean backup to restore your data. 6.3. If you don't have a backup and it is an unknown virus If HTSCAN can't find a virus, first try the latest version available of of the data-file you use. If nothing is reported and you still believe you got a virus, because EXE/COM-files are growing and/or program's don't work anymore etc., send a sample of a possibly infected file to a well- known virus-researcher. Look at "Addresses for experienced help" for an address. - 17 - 7. HOW TO PREVENT A VIRUS INFECTION? In my opinion this is impossible. The only thing you can do is finding it before it can cause great damage. For this purpose you could run an alteration-searcher or checksummer with every system boot-up. 8. LICENSES You are free to use, copy and distribute HTSCAN for NONcommercial purposes if: 1) No fee is charged for such copying and distribution, 2) It is distributed ONLY in its original, unmodified state. If you share HTSCAN with others, please share the original HTSCAN19.ZIP file instead of sharing HTSCAN.EXE. If you find HTSCAN fast, easy, and convenient to use, a donation of Fl. 2,50 or more would be appreciated. Type "HTSCAN /I" for more information. Note, a donation for HTSCAN is not a donation for VIRSCAN.DAT. Site licenses and commercial licenses for HTSCAN are available. Type "HTSCAN /I" for more information. 9. DISCLAIMER In providing this software I disclaim all warranties, expressed or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose, and noninfringement, and shall not be liable for any direct, special, incidental or consequential damages related to the performance or no-performance of this software and/or documentation. - 18 - 10. MISCELLANEOUS INFORMATION 10.1. Requirements Memory: at least 350 Kb of available RAM Operating System: Dos version 3.0 or later 10.2. Copyrights and trademarks ARJ is a trademark of Robert K. Jung DIET is a trademark of Teddy Matsumoto LHA and LHarc are trademarks of Haruyasu Yoshizaki McAfee is a trademark of McAfee Associates PAK is a trademark of NoGate Consulting PKZip and PKLite are trademarks of PKWare Inc. QEMM is a trademark of Quarterdeck Virus-Bulletin is a trademark of Virus Bulletin Ltd. 10.3. New versions The newest versions of HTSCANxx.ZIP, HTTROJxx.ZIP, VSIGyyxx.ZIP and ASIGyyxx.ZIP are available at: INFOdesk BBS The Hague, 2:512/2 +31-70-3898822, up to 14.4K HST File-Requests allowed from 8.00 am - 3.00 am (GMT+1). All file-requests are allowed, including request of 4-D inbounds. Magic-file names: HTSCAN, VSIG, ASIG and HTTROJAN New versions of HTSCANxx.ZIP, VSIGyyxx.ZIP and ASIGyyxx.ZIP are also distributed through the VIRUSINF File-Echo. VIRUSINF is available all over the world. 10.4. Questions, suggestions or problems If you have questions, suggestions or even problems, feel free to contact me at one of the addresses below. Mail address: Netmail address: Harry Thijssen Harry Thijssen P.O. Box 662 INFOdesk The Hague 6400 AR Heerlen FIDO 2:512/2.7 The Netherlands +31-70-3898822 Please state the version of HTSCAN.EXE you are presently using. - 19 - 10.5. Translations Several language packets are available. The original distribution file HTSCAN19.ZIP includes the english language packet. Other languages are available in a file like: HTSC19<languages>.ZIP For dutch this file is: HTSC19NL.ZIP For german this file is: HTSC19D.ZIP Both files are available at INFOdesk the Hague. HTScan will at least be available in English and Dutch. If you are willing to translate HTScan in a currently not supported language, please contact me at the address mentioned above. 10.6. Thanks I wish to thank all the Beta-testers of HTScan for their time and help. A special word of thanks goes to Erwin Lanting and Righard Zwienenberg ([RiZwi] of INFOdesk) for their comments on and help with HTSCAN. - 20 - I. APPENDIX A. Signature formats A.1. VIRSCAN format Format of a virus signature entry <Virus name> <Affected items> <Virus signature> Lines starting with ';' are treated as comment. Virus name Any name of 1 to 30 characters. Affected items BOOT/COM/EXE/LOW/HIGH separated by blanks item scanning LOW : Memory beneath HTSCAN (beneath PSP) HIGH : Conventional memory above HTSCAN BOOT : Boot-Sectors and Main-Boot-Records (Partition-Table) COM : *.COM files and, if at least 1 signature contains a EXE item, .EXE files without EXE header EXE : *.EXE files and, if at least 1 signature contains a COM item, .COM files with EXE header Virus signature Any hex string. The hex string should have a min. length of 8 and a max. length of 80 characters. ? means: everything in this nibble (half byte) is ok. %x means: ignore up to x bytes of garbage. %x after %x is allowed. For example: %F%F means ignore up to 30 bytes. *x means: ignore x bytes of garbage. x can be 1 to F. After a "*x" byte, the next byte may contain again "*x" but not "?". ** means: ignore up to 255 bytes of garbage. HTSCAN is only reliable if the virus-string is found in 1024 bytes or less. - 21 - A.2. HTSCAN format The syntax of HTSCAN is a superset of VIRSCAN. Format of a virus signature entry <Virus name> <flag line> <Affected items> <Virus signature> Lines starting with ';' are treated as comment by HTSCAN. Lines starting with ';%' are displayed on the screen. Virus name Any name of 1 to 80 characters. Flag line The flags are used to generate a better message when a matching signature is found. The recognized flags are: C -> Compressed D -> Dropper F -> Found I -> Infected J -> Joke O -> Overwritten S -> Self-Extracting T -> Trojanized The flag line is optional. If not used, a flag line with the flag I is assumed. - 22 - Affected items PART/BOOT/SYS/COM/EXE/OVL/BAT/PIF/LOW/HIGH/UMB and OFFSET/ENTRY separated by blanks item scanning LOW : Memory beneath HTSCAN (beneath PSP) HIGH : Conventional memory above HTSCAN UMB : Upper memory blocks. Usually 640 Kb up to 1 Mb. If available, HMA will be treated as UMB. MAIN : Main-Boot-Records (Hard-Disk only) (alias PART) (The Main-Boot-Record is also called Partition-Table) BOOT : Boot-Sectors and Main-Boot-Records SYS : *.SYS and *.BIN files COM : *.COM files and, if at least 1 signature contains a EXE item, .EXE files without EXE header EXE : *.EXE files and, if at least 1 signature contains a COM item, .COM files with EXE header OVL : *.OV* files (alias OV*) BAT : *.BAT files PIF : *.PIF files The entry-point is the first byte that is not equal to either a JUMP SHORT, JUMP LONG, CALL NEAR or CALL FAR. OFFSET : The signature starts directly at the entry-point. ENTRY : The signature starts in the range 128 before to 128 after the entry-point. - 23 - Virus signature Any hex string. A space as separator is allowed. The hex string should have a min. length of 8 and a max. length of 100 characters. ? means : everything in this nibble (half byte) is ok. %x means : ignore up to x bytes of garbage. %x after %x is allowed. For example: %F%F means ignore up to 30 bytes. %(x) : same as above. However x can be 1 to 254. For example: %(30) means ignore up to 30 bytes and is the same as %F%F *x means : ignore x bytes of garbage. x can be 1 to F. After a "*x" byte, the next byte may contain again "*x" but not "?". *(x) : same as above. However x can be 1 to 254. ** means : ignore up to 255 bytes of garbage. && means : the file should contain the part before this wildcard AND the part behind this wildcard || means : the file should contain the part before this wildcard OR the part behind this wildcard nn-x means : 1 of the values in the range nn up to nn + x should match this wildcard nn--xx means: 1 of the values in the range nn up to nn + xx should match this wildcard nn/x means : a match should been made with nn or nx nn//xx means: a match should been made with nn or xx $xxyy means : the compare value and xx should give yy Spaces within the virus-signatures are ignored. If you like, you can also specify a normal text as virus signature by putting the text between double quotation marks. When this syntax is used, wildcards are treated as normal text. HTSCAN is only 100% reliable if the virus-string is found in 1024 bytes or less. See appendix B for examples of HTSCAN style signatures. - 24 - A.3. VIRUSBUL format Format of a virus signature entry in VIRUSBUL style: <Virus name> <Affected items> <Virus signature> Lines starting with ';' are treated as comment by HTSCAN. Lines starting with ';%' are displayed on the screen. Virus name Any name of 1 to 80 characters. Affected items C/E/N/P/D/M/R/? ? Means CEDMR. Virus signature Any hex string. A space as separator is allowed. The hex string should have a min. length of 8 and a max. length of 100 characters. Wildcards are supported like in HTSCAN style. Look at the file VIRUSBUL.DAT in EXAMPLES.ZIP for examples of this format. Refer to Virus-Bulletin for further information and scan-strings. - 25 - A.4. MCAFEE format Format of a virus signature entry in MCAFEE style: "<Virus signature>"<Virus name> Lines starting with '#' are treated as comment by HTSCAN. Lines starting with '#%' are displayed on the screen. Virus signature Any hex string. A space as separator is allowed. The hex string should have a min. length of 8 and a max. length of 100 characters. Virus name Any name of 1 to 25 characters. HTSCAN will scan all memory, boot-sectors, .COM and .EXE files for all signatures in MCAFEE style. Look at the file MCAFEE.DAT in EXAMPLES.ZIP for examples of this format. A.5. Switches in the signature files You can switch the HTSCAN format on with ";$HS+". You can switch the Virus-Bulletin format on with ";$VB+" and off with ";$VB-" on a separate line in the signature-files. You can switch the McAfee format on with ";$MA+" and off with ";$MA-" on a separate line in the signature-files. You can switch to the entry-point + 512 bytes mode ";$IP+" and off with ";$IP-" on a separate line in the signature-files. - 26 - II. APPENDIX B. Examples of HTSCAN style signatures Examples: (All example viruses don't really exist) Fantasy-Virus (Boot version) PART BOOT FF00 FF00 FF00 FF00 FF00 FF00 FF00 ; Hello World (OV* version) OVL "Hello World" ; Mean-Virus PART BOOT SYS COM EXE OVL 1F0A 2F0B ??0C 4F0D ?F0E 6?0F 7F00 The Mean-Virus would be recognized in the following string: 1F0A2F0BFF0C4F0DFF0E6F0F7F00 For the real hackers among you: Suicide-Virus LOW HIGH UMB BOOT SYS COM EXE OVL 1F0A 2F0B 3?** 6F0F 7F*3 9F0? AF03 ???4 CF%2 05 The Suicide-Virus signature scan's for 1F,0A,2F,0B followed by a byte of which the left nibble is 3 and the right nibble is unknown. Next there can be a string of garbage 0 to 255 bytes in length followed by 6F,0F. After this there is a string of garbage 3 bytes long followed by 9F. Next there is a byte of which the left nibble is 0 and the right nibble unknown. There after comes AF,03 followed by three unknown nibbles. The right part of the last byte of the two bytes containing these three nibbles is 4. The trailing part of this virus is CF followed by 0, 1 or 2 garbage bytes ending with 05 The Suicide- Virus would be recognized in the following string: 1F0A2F0B3F0C4F0D5F0E6F0F7F008F019F02AF03BF04CF05 And again, for readability below each other, the scan-string and de string in the file. 1F0A 2F0B 3?** 6F0F 7F*3 9F0? AF03 ???4 CF %2 05 1F0A 2F0B 3F0C 4F0D 5F0E 6F0F 7F00 8F01 9F02 AF03 BF04 CF 05 - 27 - III. APPENDIX C. Examples of invoking HTSCAN Examples: Scan drive C: HTSCAN C:\ Scan directory C:\USR without the subdirectories: HTSCAN C:\USR /N /O=LOG-FILE.TXT /V=C:\USR\VIRUS\HTSCAN.DAT /S Scan the file C:\USR\VIRUS\HTSCAN.EXE and delete it if infected: HTSCAN C:\USR\VIRUS\HTSCAN.EXE /D Scan all *.OV? and *.BIN files for all file viruses: HTSCAN *.OV? *.BIN /A Scan drive C:, D: and E: HTSCAN C:\ D:\ E:\ or HTSCAN &C..E or if drive E: is the last drive HTSCAN &C Scan a list of files: HTSCAN @TO-SCAN.TXT To-Scan.Txt is a listfile which could contain for example: C:\COMMAND.COM D:\UTIL\ ..\ \*.COM Scan all drives. Don't warn for compressed and/or self-extracting files. Use the signature lists in directory C:\SIGN and place the log-file in directory D:\TEMP in HTSCAN.LOG: HTSCAN &A /V=C:\SIGN /O=D:\TEMP\HTSCAN.LOG /W- - 28 - IV. APPENDIX D. Addresses for experienced help D.1. If you have access to a modem A good solution for getting experienced help is a message in a dedicated fido-echomail-conference. E.g. VIRUS or VIRUS_INFO. Also you can ask the sysop of your home BBS. Most of the Sysop's know where to ask for experienced help. Below are the addresses of several well-known virus-busters. INFOdesk The Hague (The Netherlands) FIDO 2:512/2 +31-70-3898822 Martin Roesler at Farmers Node Puchheim (Germany) FIDO 2:246/18.4 +49-89-807408 Paul Ferguson at SENTRY NET Centreville (USA) FIDO 1:109/229 +1-703-815-3244 D.2. If you don't have access to a modem You may send a letter to me or to: INFOdesk The Hague P.O. BOX 32395 2503 AB The Hague The Netherlands Don't forget to include a reply-paid envelope. - 29 - V. APPENDIX E. Example batch file The next batch file could be placed on a write-protected system-diskette together with HTSCAN. When this file is named AUTOEXEC.BAT, it will start a routine scan whenever your computer is booted from this floppy. The signature-files placed in the directory C:\SIGN are used. The log file will be written to C:\TEMP\HTSCAN.LOG. echo off rem ***************************************************************** rem * Before running this batch file, the directories * rem * C:\SIGN and C:\TEMP should exist. * rem * * rem * The signature files (VIRSCAN.DAT etc.) should been placed * rem * in C:\SIGN. * rem ***************************************************************** HTSCAN &C /V=C:\SIGN /O=C:\TEMP\HTSCAN.LOG /W- if errorlevel == 200 goto virus if errorlevel == 175 goto trojan if errorlevel == 150 goto signerror if errorlevel == 100 goto opererror if errorlevel == 75 goto progerror :ok erase C:\TEMP\HTSCAN.LOG goto end :virus echo Virus found by HTScan. Reported in C:\TEMP\HTSCAN.LOG pause goto end :trojan echo Trojan found by HTScan. Reported in C:\TEMP\HTSCAN.LOG pause goto end :signerror echo HTScan detected some problem with a signature file. pause goto end :opererror echo HTScan detected an operator error. pause goto end :progerror echo HTScan aborted. pause goto end :end