Otherware

home *** CD-ROM | disk | FTP | other *** search

/ Otherware / Otherware_1_SB_Development.iso / amiga / utility / disks / virusz_a.lha / VirusZ.doc < prev next >

Wrap

Text File | 1992-02-14 | 28.9 KB | 630 lines

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ /\/\ /\/\ \/\/ ## ### ### ###### ## ### ###### ####### \/\/ /\/\ ## ### ### ## ### ## ### ## ### /\/\ \/\/ ## ### ### ###### ## ### ##### ### \/\/ /\/\ ##### ### ## ### ## ### ### ### /\/\ \/\/ ### ### ## ### ##### ###### ####### \/\/ /\/\ /\/\ \/\/ THE ULTIMATE VIRUSKILLER WITH THE LICENSE TO KILL \/\/ /\/\ /\/\ \/\/ VIRUSZ 2.12 MANUAL \/\/ /\/\ (C) 1991,1992 GEORG HOERMANN /\/\ \/\/ \/\/ /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ SOME NOTES CONCERNING LAW AND ORDER ----------------------------------- 1. Copyright ------------ All parts of the VirusZ package are written and copyright (c) by Georg Hoermann with exception of the reqtools.libraries, explode.library and powerpacker.library. ReqTools.lib and PP.lib are written and copyright (c) by Nico Franτois who gave the permission to use the libraries and installation scripts in any freely distributable software package. Explode.lib is copyright (c) by Peter Struijk and A. J. Brouwer. 2. Disclaimer ------------- The executionable and non-executionable parts of this software package may NOT be altered by any means (including editing, reprogramming, crunching, and resourceing), except archiving. The author is in NO way liable for any changes made to any part of the package, or consequences thereof as he is in NO way liable for damages or loss of data directly or indirectly caused by this software. 3. Distribution --------------- Neither fees may be charged nor profits may be made by distributing this piece of software. Only a nominal fee for cost of magnetic media may be acceptable. Outside a single machine environment, you are NOT allowed to reproduce only some parts of the package, but you have to copy it completely. See this list of contents for verification: VirusZ (dir) Docs (dir) EarlyExplode.doc EarlyExplode.doc.info LibList.doc LibList.doc.info Library.doc Library.doc.info VirusZ.doc VirusZ.doc.info VirusZ.history VirusZ.history.info Libs (dir) explode.library powerpacker.library reqtools.library.13 reqtools.library.20 virusz.library Tools (dir) EarlyExplode LibList Docs.info Install Install.info Install.script VirusZ VirusZ.info VirusZ.info Note that the original package was released as 'VirusZ212.lha' archive. If any parts were already missing when you received this package, look out for another source to get your software in future. INTRODUCTION ------------ 1. VirusZ Philosophy -------------------- VirusZ is another try to make the perfect viruskiller. Although there are already hundreds of killers, none had to offer the, in my opinion, most important features. These are to be short, fast and not to keep the user from working by opening a big screen with hundreds of gadgets or locking the drives. If you like that type of killer, forget VirusZ. 2. Why Use VirusZ? ------------------ VirusZ detects over 280 bootblocks (146+ bootblock viruses). The file checker is one of the fastest available and not only detects 30+ file viruses and 35+ crunchers, but it also offers you the unbelieveable feature of decrunching files. The whole software is written 100% in assembly language for lightning speed. The memory checker removes over 140 viruses from memory without 'Guru Meditation' and checks memory for viruses regularly. VirusZ has easy to use intuitionized menus including keycuts for both beginners and experienced users. It performs a self-test on every startup to prevent link virus infection. VirusZ works in the background and uses less than 0.5% of your processing time (use Xoper to verify). Last but not least, VirusZ is regularly updated and hence offers you perfect protection against the latest viruses. GETTING STARTED --------------- 1. For The Very First Time -------------------------- VirusZ requires the 'reqtools.library' and the 'virusz.library' in order to work correctly. Included in this package are two versions of the 'reqtools.library', one for Kick 1.3 and one for OS 2.0. Chose the one that fits with your OS, copy it to the 'libs:' drawer of your boot disk and remove the suffix (simply rename it). The 'virusz.library' may be simply copied to the 'libs' drawer. If you don't want to do the copy work yourself, click on the 'Install' icon from WorkBench. This will start an installation script. If you use the decrunch feature, you'll additionally need the 'explode.library' to unpack libimploded files and the 'powerpacker.library' to decrunch libcrunched files (PP 4.0). 2. If You Already Have Used VirusZ ---------------------------------- Make sure that you only copy the latest library versions to your libs: drawer. Also verify the settings in the prefs menu if you have saved them with an old version of VirusZ because some of them have slightly changed. In sum let's say check everything out before starting the new version for the first time. 3. The First Step To Glory -------------------------- Starting VirusZ is nothing more than typing its name to any CLI/Shell or double-clicking its icon from WorkBench. There are several message alerts included in the startup module. If anyone of these flashes up, there is something wrong. These alerts are self explaining so we skip a detailed description. If the 'VirusZ has been modified!' alert comes up, your copy of VirusZ might be infected by a virus or might have been corrupted by somebody. You can start VirusZ from CLI with option -c then, but you were warned. Use the file check and check VirusZ itself. VIRUSZ DRIVE GADGETS -------------------- These are the ones you can see in the VirusZ window after startup. Use them to select the drive you want to work with. The selected drive will always be displayed in the titlebar. Here you can also see which drive is currently checked on startup and whenever you insert a new disk. The drive gadgets are only relevant for the menu functions you are selecting, but they are not used for internal checks. This means that VirusZ can check every inserted disk in every drive even if you have selected e.g. df0. THINGS YOU CAN'T INFLUENCE -------------------------- 1. The Bootblock Check ---------------------- Every disk inserted will be checked for bootblock viruses and non-standard bootcode. This ensures that your bootblocks stay clean. Every known virus will cause a request asking you what to do with it. In the current release of VirusZ, you can install a standard bootblock to delete the virus, display the ascii-dump of the virus to look at possible texts, save the virus or ignore it. The last possibility is not recommended. If your disk contains anything else than a virus or a standard bootblock, it will be checked for known custom bootblocks. Whenever such a known bootblock appears, it's surely not a virus and can be ignored. However you can force a report by setting the 'Report Custom' flag in the prefs menu. But now let's go on. If the bootblock isn't a know custom one, VirusZ first checks its checksum. If this is not correct, VirusZ simply ignores it because it wouldn't be executed anyway. But if all conditions are met, the bootblock will be reported as unknown. This might happen with most bootload games or demos, so do NOT install anything you don't know. You might trash the program that depends on this boot. But if you are sure that it's a new virus, save the bootblock (you can use VirusZ for this) install the original bootblock and send me the copy for inclusion in VirusZ. 2. The Disk-Validator Check --------------------------- Currently there exist two viruses that link themselves to this program. You can find the Disk-Validator in the L: directory of most disks. It was originally thought to correct possible small errors on a disk and is called from the ROM if necessary. The viruses use the feature of being installed by the system itself by corrupting some data on the infected disks that causes the ROM to load the Disk-Validator. Instead of repairing the disk, they install themselves in memory. VirusZ finds both viruses in memory and on disk and offers you the possibility to delete them. Since the original Disk-Validator is copyright Commodore, I'm not allowed to include it in my program. You must copy it back to the cleaned disk from a heal one yourself whenever a virus was deleted. 3. The Virus Check in Memory ---------------------------- This is the real memory check looking for known viruses. It's executed once on startup, and whenever VirusZ finds a virus, you will get a request telling you which virus was removed. VirusZ removes them automatically. Viruses will not only be patched or disabled, but they will be removed from memory completely. In addition to the startup memory check, VirusZ installs an interrupt that repeats the memory check regularly. The time passed between two checks can be changed by the user, default is 10 seconds. This is the safest way to find and remove file- and linkviruses in memory. These viruses can appear in memory any time an infected file is executed. So whenever VirusZ reports a virus in memory, check the disks you are working with at the moment for infection. Note that the time passed between two checks will be slightly shorter on NTSC machines since VirusZ is PAL oriented and works with 50Hz. Also note that any virus using KickTagPtr will cause VirusZ to delete all resident modules. This means that you must save everything you haven't saved yet from your recoverable RAM disk (if used). My policy is better save than sorry. See a list of viruses in the appendixes. 4. The Vector Check ------------------- Mostly all viruses work in the same manner. Either they make themselves resident and/or corrupt some libraries or devices with their code. Therefore the vector check was designed to help you find new viruses that can't be recognized directly by VirusZ yet. ColdCapture, CoolCapture and WarmCapture should be zero, they are only used by some programs, mostly viruses, because using Captures is easy. The only exception is the SetPatch command of Kick 1.2/1.3. Since these ROMs include some bugs, this command tries to repair them by using ColdCapture if option -r is specified (1 MB of Chip). If you use this in your startup-sequence, don't clear the vectors. The KickMemPtr and KickTagPtr are a bit more complicated. Nearly all resident programs like virus detectors, recoverable RAM disks or for example TurboPrint use these to keep parts of their code resident. If anyone of these vectors is set and you use such a program, do not clear vectors or you will lose it after the next reset. VirusZ always tries to print the name of the resident module so that you can see what's out there. Last but not least all libraries and devices that might be corrupted by viruses are checked. This works as follows: We simply count the library checksum and compare it to the one in the library base. This is enough for most viruses, because they don't SetFunction() their changes but do it in a incompatible way. Only very special viruses like the 'Lamer Exterminator' cannot be detected using this method. USING ALL FEATURES OF VIRUSZ ---------------------------- To use more features offered by VirusZ, you have to use menu items to call special functions. These can only be used if VirusZ's window is active (activate it by clicking the left mousebutton). THE VIRUSZ MENU --------------- 1. About -------- This displays all necessary information about VirusZ. Included are both the version numbers of VirusZ and the library, my address and some information about your system's hardware. 2. Quit VirusZ -------------- Think twice and you'll figure out the function of this. THE BOOTBLOCKS MENU ------------------- 1. Install Bootblock -------------------- Installs a fresh bootblock (Kick 1.2/1.3 and OS 2.0 compatible). You can use this feature either to kill a bootblock virus or to simply make an uninstalled disk bootable. Chose the filing-system that should be used via the preferences menu. VirusZ will always install the drive that is currently selected via the drive gadgets. 2. Load Bootblock ----------------- Offers you the possibility to load a former saved bootblock and reinstall it on any disk. This is the counterpart of 'Save Bootblock' and can be used to restore destroyed bootblocks. The bootblock will be written to the drive that is selected via drive gadgets. 3. Save Bootblock ----------------- Offers you the possibility to save a bootblock as file. This is useful in connection with games or demos that use special bootblocks. If you keep a copy of the bootblock on another disk, you avoid the risk of losing it by a virus or by accident. In such a case, simply restore the saved bootblock by using 'Load Bootblock'. And again VirusZ will work with the drive that is selected via gadgets. 4. Ascii-Dump ------------- Displays the ascii-dump of any bootblock. This function should help you to discover BB viruses which hold specific text in their code. You can also recognize whether the bootblock is standard or if it's a custom bootblock. Don't rely 100% on text like 'A2000 Memory Allocator v1.0', it might be a disguised virus. VirusZ displays the bootblock of that drive which is currently selected. 5. Hex-Dump ----------- Displays the hex-dump of a bootblock. This is only interesting for experienced users or programmers. If you know something about OpCodes, this function might help you to find out what the displayed bootblock basically does (e.g. one can easily detect copperlists). THE MISCELLANEOUS MENU ---------------------- 1. Check Files -------------- Checks a whole disk or drawer for link and fileviruses. First you have to select the path in the file requester. Therefore the complete path must be included in the string gadget of the requester. Click 'Ok' and we start checking all files in the selected directory and its subdirectories. All filenames will be listed with a short description. Crunched files cannot be checked for virus infection unless you enable decrunching via the preferences menu. Since this procedure takes a lot of time, it's optional and should be used only once for every new disk. Crunched files can only be checked, but not repaired. Therefore you have to decrunch infected files yourself to repair them. Uncrunched files that are infected with viruses can be repaired and saved back to disk without the virus. Depending on the nature of the virus, it will either be deleted or removed from the infected file. You can abort checking at any time by pressing CTRL-C. If you want to skip a single directory while checking, press CTRL-D and VirusZ will climb up to the next directory. 2. Check Blocks --------------- Checks all sectors of a disk for virus corruption. This again uses the drive that is currently selected. Damage caused by the following viruses will be recognized: Saddam, Lamer Exterminator, Warsaw Avenger. The damage caused by Saddam will be repaired, the others can only be detected. You can abort checking at any time by pressing CTRL-C. 3. All Drives ------------- Checks all connected drives for viruses. This performs the same checks as the initial check on startup. I added this to get a disk checked again without removing and reinserting it. This function is mostly historical and not very useful in everyday use. 4. Check Vectors ---------------- This performs the vector check described above. 5. Clear Captures ----------------- Clears all Captures (Cold,Cool,Warm). Useful to remove some utilities as well as viruses. It's a good method to test whether a bootblock sets the vectors or not. If the vectors are set, kill them, reboot and check again. If they are still set, the bootblock is suspicious anyway. Send it to me then. 6.Clear KickPtrs ---------------- Same as above, but this clears KickMemPtr, KickTagPtr and KickChkSum. THE PREFERENCES MENU -------------------- 1. Save Prefs ------------- Saves the preferences file 'VirusZ.prefs' to disk. Additionally to the options specified in the prefs menu the current window position will be saved too. These prefs will be loaded on the next startup. 2. Set Delay ------------ Change the memory check repeat delay. Pressing this causes an string request in which you can enter the new delay. Entering 0 disables the memory check, every other value between 10 and 120 is accepted. Default is 10 seconds. 3. Play Sound ------------- Enables or disables the fantastic sound that warns you whenever a virus has been detected on disk or in memory. Default is on. 4. Decrunch Files ----------------- Enables or disables the unbelievable feature of decrunching a file for virus checking. Default is off. See list of packers in the appendixes. 5. Ignore Vectors ----------------- Tells VirusZ not to check the resident vectors on startup. Use this if VirusZ keeps on reporting your ram-disk or harddisk-device after every reset. This option does NOT disable the virus check. Default is off. 6. Install FFS -------------- This enables the installation of a fastfilesystem bootblock. Default is off. 7. Fake SnoopDos ---------------- This installs a task called SnoopDos (only if the real SnoopDos is not installed) for protection against PowerPacker 3.2 trojan horse. Fully compatible with the real SnoopDos, this option doesn't need any processing time since the task is running at a low priority and waits for a message that never arrives. 8. Report Custom ---------------- When selected, VirusZ will also report known custom bootblocks while checking your disks. Useful if you want to find a certain bootblock and you can't remember where it was. SPECIAL NOTES ------------- 1. About The Author ------------------- I'm a 18-year-old Bavarian student and 'Computaholic' who wants to help other users as much as possible. If you have any problems in using VirusZ, anything new concerning the next chapters, or if you want to honour my work (money will not be refused, MC68030 boards are welcome, but sending a letter or a postcard would be nice too), send me a letter or phone me in the evening (send me disks with new stuff and you'll get a new version of VirusZ in return): Georg Hoermann Am Lahnewiesgraben 19 W-8100 Garmisch-Partenkirchen Phone: 08821/71978 Germany 2. New Viruses And Packers -------------------------- Although VirusZ recognizes lots of viruses both in memory and on disk, this is NOT enough until also the very last virus is included. If you ever get a new virus, do not delete it before sending me a copy. Don't forget: I can only help you in your fight against these little bastards if you support me with all the necessary material. Killing a virus without knowing how it works is impossible. Additionally to new viruses I'm always searching for new crunchers for inclusion in my file checker. Your support decides over the future of VirusZ on its way to the top. 3. Bugs ------- There's only one known bug in VirusZ, but even this is not really a bug in VirusZ, but in a program called 'SourceTexter'. It seems that this editor doesn't free all resources on exit and so makes VirusZ crash (some other programs crash regularly too). There may still be some other bugs in this release, but this depends on the configuration of your Amiga. I'm using an A1000 with Kick 1.2/1.3 and OS 2.0, 4MB of RAM, some external disk drives and a 105MB hard-disk and couldn't find any further bugs. It was not possible to me to test VirusZ on accelerator boards with other CPUs (MC68010+). But I already got several bug reports about this and hope that everything is fixed now. If NOT, please don't bother and send me a detailed description (if possible) including your system's configuration and when and how the bug appears. You can find some information about your hardware configuration in the 'About' request. If VirusZ crashes in connection with other software, I would be glad if you send me a copy of these programs (if the copyright allows it). Please DO NOT report things that I can't repeat on my machine without a detailed description of the circumstances. APPENDIXES ---------- 1. Viruses In Memory -------------------- All viruses mentioned below will be removed properly from memory. But not all of them will be recognized by name. This is because some clones (especially SCA clones) can be detected and killed all the same way. Including a routine to get their real names as an addition would cause the memory checking routines to get more than twice as large as they are now. And that's not worth it. AlienNewBeat Ass Protector Australian Parasite BGS9 BlackFlash BLF BlowJob BlueBox Bret Hawnes Butonic 1.31/3.00 ByteBandit Clone AmigaFreak, Morbid Angel, PowerBomb, Inger IQ, Forpib, ZAccess 2.0, Frity, Riska. ByteVoyager ByteWarrior (DASA) CCCP Centurions ClaasAbraham CLI-Manager CList Clonk! Coder's Nightmare (CODER) Darth Vader 1.1 DAT '89 Destructor Disaster Master 2 DiskDoktors DiskGuard 1.0 Divina Exterminator 1 Extreme F.A.S.T. F.I.C.A. Gadaffi Glasnost Gotcha Lamer Gremlin GXTeam Hilly Hoden 33.17 Incognito IRQ-Team 41.0 Joshua 1 Joshua 2 Julie (Virus Predator) Lamer Exterminator LameStyle UK M&U 5.5/6.1 MegaMaster MicroSystems Nasty-Nasty! Obelisk Opapa Paradox 1 (Logic Bomb) Paradox 2 Paramount Paratax PvL Protector Rene Return Of The Lamer Ext. Revenge Of The Lamer Ext. Revenge/Sendarian Revenge BootLoader Saddam Saddam Hussein SCA Clone 16BitCrew, Butonic 1.1, Graffiti, JITR, Kauki, LSD, Mexx, NorthStar 1-3, Pentagon Circle 1-3, Target, UltraFox, AEK, BS1, DAG, Digital Emotion, HCS 4220 1-2, ICE, Obelisk, Disk Herpes, SuperBoy, Vermin, Warhawk, ZAccess 1.0, 2001, AIDS-HIV, BladeRunners, Gyros, Future Disaster, BigBoss, Deniz Unal, Kefrens 1-2, Paratax etc. ScarFace Suntronic Switch Off TelStar Termigator Terrorists The Traveling Jack TimeBomb/Tomates GenTechnic Trabbi Traveller 1.0 Triplex Turk 1.3 Twinz Santa Claus ULDV 8 VirusHunter VirusSlayer 1.0 VKill 1.0 Warsaw Avenger Xeno 2. Utilities In Memory ---------------------- Since VirusZ only kills what it knows in memory, it's not necessary to add all the resident utilities like RAD:, VD0:, ZKick etc. If you ever have problems with these (it's not very likely that VirusZ thinks these might be viruses), let me know and I'll fix it. 3. Decrunchable Packers ----------------------- The following crunchers can be repacked in order to check the file for viruses if the decrunch option in the prefs menu is enabled. CrunchMania Normal CrunchMania Simple DragPack 1.0b Imploder 1.0-3.1 Imploder 4.0 Imploder Overlay Lib Imploded Lib Imploded 4.0 PowerPacker 2.1-2.3 PowerPacker 3.0 PowerPacker 3.0 Password PowerPacker 4.0 PowerPacker 4.0 Library Header PowerPacker 4.0 Password Supplex Cruncher Reloc ReloKit 1.0 Titanics Cruncher TNM Cruncher 1.1 Ultimate Packer 1.1b 4. Special Thanks ----------------- There are several people I wish to thank for their VirusZ support, but there's only one who could be called 'Mr. VirusZ': Ralf Thanner! He was the first who sent me his virus collection, tested VirusZ excessively and found almost every bug. Mostly all features of VirusZ are based on his ideas/suggestions. Additionally Ralf supported me with several useful routines (VBR 680x0, CRC16, Beep). Keep on being the best VirusZ user/spreader and we will face the unknown future with hope... Next to be mentioned is Steve/Silicon Designs 3003. Some crunchers and viruses would be missing without him. Third in the row of supporters is Flake/The Special Brothers who also sent me viruses and crunchers. We continue with Heiner Schneegold who donated some bootblock viruses (after I sent him some of mine). Now let's come to Holger Wessling. He phoned me several times and always had some ideas how to improve VirusZ (many thanks for your interrupt bug report). Last but not least there's Vader/Toxic Track who found the bug concerning SnoopDos. 5. The End ---------- That's all folks, wish you lots of successful anti-virus sessions with VirusZ, keep smiley'ing and have fun... Georg :-))