Otherware

home *** CD-ROM | disk | FTP | other *** search

/ Otherware / Otherware_1_SB_Development.iso / amiga / utility / misc / virusz21.lha / VirusZ.Doc < prev next >

Wrap

Text File | 1992-07-17 | 33.4 KB | 705 lines

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ /\/\ /\/\ \/\/ ## ### ### ###### ## ### ###### ####### \/\/ /\/\ ## ### ### ## ### ## ### ## ### /\/\ \/\/ ## ### ### ###### ## ### ##### ### \/\/ /\/\ ##### ### ## ### ## ### ### ### /\/\ \/\/ ### ### ## ### ##### ###### ####### \/\/ /\/\ /\/\ \/\/ THE ULTIMATE VIRUSKILLER WITH THE LICENSE TO KILL \/\/ /\/\ /\/\ \/\/ VIRUSZ 2.17 MANUAL \/\/ /\/\ (C) 1991,1992 GEORG HOERMANN /\/\ \/\/ \/\/ /\/\ !!! DON'T FORGET TO PAY YOUR SHAREWARE FEES !!! /\/\ \/\/ \/\/ /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ IMPORTANT: This documentation still isn't of a very high quality both concerning contents and language. Therefore I'm interested in a guy (or even more in a girl :-) who would like to type really great docs for this really great program. Contact me if you think you are what I need. IMPORTANT: Due to lack of time, I couldn't add a list of all custom bootblocks, link viruses and bootviruses. You can see how many of them are recognized by VirusZ in the about request. Trust me on that and look out for the next update where I certainly will add the lists. SOME NOTES CONCERNING LAW AND ORDER ----------------------------------- 1. Copyright ------------ All parts of the VirusZ package are written and copyright (c) by Georg Hoermann with exception of the reqtools.libraries which are written and copyright (c) by Nico Franτois who gave the permission to use the libraries and installation scripts in any freely distributable software package. 2. Disclaimer ------------- The executionable and non-executionable parts of this software package may NOT be altered by any means (including editing, reprogramming, crunching, and resourceing), except archiving. The author is in NO way liable for any changes made to any part of the package, or consequences thereof as he is in NO way liable for damages or loss of data directly or indirectly caused by this software. 3. Distribution --------------- Neither fees may be charged nor profits may be made by distributing this piece of software. Only a nominal fee for cost of magnetic media may be acceptable. Outside a single machine environment, you are NOT allowed to reproduce only some parts of the package, but you have to copy it completely. See this list of contents for verification: VirusZ (dir) Docs (dir) VirusZ.doc VirusZ.doc.info VirusZ.history VirusZ.history.info Libs (dir) decrunch.library reqtools.library.13 reqtools.library.20 Docs.info Install Install.info Install.script VirusZ VirusZ.info VirusZ.info Note that the original package was released as 'VirusZ217.run' archive. If any parts were already missing when you received this package, look out for another source to get your software in future. 4. Shareware ------------ VirusZ is no longer Freeware, but Shareware. This means you are still allowed to copy the software freely, but you have to pay a fee to the author if you use VirusZ regularly. Not paying your fee is both immoral and illegal. If you already have registered for any former releases, paying the fee again is optional. Here is the table of possible fees and what you get for them: Fee (DM/US$) | What do you get? --------------+-------------------------------------------------------- 2 / - | Inside Germany, registered users get the latest update | of VirusZ (disk must be enclosed). | 5 / - | Inside Germany, registered users get the latest update | of VirusZ (including one of my disks). | - / 5 | Outside Germany, registered users get the latest update | of VirusZ (disk must be enclosed). | - / 7 | Outside Germany, registered users get the latest update | of VirusZ (including one of my disks). | 10 / 8 | Nothing, this is the nominal fee everybody who wants | to register for the first time has to pay. | 20 / 15 | You are now registered and will receive the next major | update of VirusZ for free (including disk and postage). | German users will receive 2 updates (don't think I'm a | racist, ask the clerk at your local post office why | postage is that expensive to foreign countries). | 50 / 35 | I will never forget you. You are allowed to hold the | title 'Honourable User Of VirusZ' a lifetime and you | get the exclusive 'VirusZ VIP-Club' member card. Anything else than the above will not be accepted. By now, I had more expense than profit by sending all you folks your disks back etc. If you want me to continue my work (and it isn't an easy one), don't try to cheat me. Submissions with new material (viruses/crunchers) are welcome. If you want your disks back, follow the rules above concerning registered users. If you send me useful stuff, you will additionally receive the latest update of VirusZ on your disk. Contact me at the following address: Georg Hoermann Am Lahnewiesgraben 19 W-8100 Garmisch-Partenkirchen Phone: +49-(0)8821-71978 Germany INTRODUCTION ------------ 1. VirusZ Philosophy -------------------- VirusZ is another try to make the perfect viruskiller. Although there are already hundreds of killers, none had to offer the, in my opinion, most important features. These are to be short, fast and not to keep the user from working by opening a big screen with hundreds of gadgets or locking the drives. If you like that type of killer, forget VirusZ. 2. Why Use VirusZ? ------------------ VirusZ detects over 426 bootblocks (180+ bootblock viruses). The file checker is one of the fastest available and not only detects 53+ file viruses, but it also offers you the unbelieveable feature of decrunching files. The whole software is written 100% in assembly language for lightning speed. The memory checker removes over 170 viruses from memory without 'Guru Meditation' and checks memory for viruses regularly. VirusZ has easy to use intuitionized menus including keycuts for both beginners and experienced users. It performs a self-test on every startup to prevent link virus infection. VirusZ works in the background and uses less than 0.5% of your processing time (use Xoper to verify). Last but not least, VirusZ is regularly updated and hence offers you perfect protection against the latest viruses. Some reasons why to use the latest update: This version of VirusZ detects and repairs the damage caused by the Cameleon (Little Sven) virus. This virus encrypts disk blocks similar to the Saddam virus. VirusZ is the first killer that does this... This relase can repair files infected by the Crime virus. This new one links itself to the end of the first hunk of an executable. 3. Some Notes About SHI ----------------------- Someday in April 1992, I got a big package from Denmark. As I couldn't imagine who sends me such a lot of stuff, I opened it immediately. And it was from Eric Loevendahl Soerensen. By now I already got the second pack with new viruses etc. and I want to thank Eric right now for his support. He also wanted me to become member of SHI, and I said 'ok'. I am member of SHI now. Eric asked me to include the following in my docs, and here it is: ABOUT SAFE HEX INTERNATIONAL If you know a virus programmer you can get a reward of $ 1000 for supplying his name and address. The fact is that the law punishes data crime very severely (5 years in jail in most countries). We are an international group with more than 250 members who have started trying to stop the spreading of viruses. Let me give you some example: 1. Our motto is: "Safe Hex, who dares do anything else today?". 2. A virus bank containing all well known virus killer programmes. 3. We help people to get money back lost by virus infection. 4. We write articles about virus problems for 8 magazines. 5. We release the newest and the best virus killers around. 6. We have more than 20 "Virus Centers" worldwide where you can get free virus help by phoning our "Hotline", and the newest killers translated in your own language at very little cost. For more information contact: SAFE HEX INTERNATIONAL (Please send a "Coupon-Response Erik Loevendahl Soerensen International" and a self addres- Snaphanevej 10 sed envelope, if you want infor- DK-4720 Praestoe mation about SHI by letter). Denmark Phone: + 45 55 99 25 12 Fax : + 45 55 99 34 98 GETTING STARTED --------------- 1. For The Very First Time -------------------------- VirusZ requires the 'reqtools.library' in order to work correctly. Included in this package are two versions of the 'reqtools.library', one for Kick 1.3 and one for OS 2.0. Chose the one that fits with your OS, copy it to the 'libs:' drawer of your boot disk and remove the suffix (simply rename it). If you don't want to do the copy work yourself, click on the 'Install' icon from WorkBench. This will start an installation script. If you use the decrunch feature, you'll additionally need the 'decrunch.library'. 2. If You Already Have Used VirusZ ---------------------------------- Make sure that you only copy the latest library versions to your libs: drawer. Also verify the settings in the prefs menu if you have saved them with an old version of VirusZ because some of them have slightly changed. In sum let's say check everything out before starting the new version for the first time. 3. The First Step To Glory -------------------------- Starting VirusZ is nothing more than typing its name to any CLI/Shell or double-clicking its icon from WorkBench. There are several message alerts included in the startup module. If anyone of these flashes up, there is something wrong. These alerts are self explaining so we skip a detailed description. If the 'VirusZ's hunk structure has been modified!' alert comes up, your copy of VirusZ might be infected by a virus or might have been crunched with a bad cruncher (in fact most crunchers are bad). THINGS YOU CAN'T INFLUENCE -------------------------- 1. The Bootblock Check ---------------------- Every disk inserted will be checked for bootblock viruses and non-standard bootcode. This ensures that your bootblocks stay clean. Every known virus will cause a request asking you what to do with it. In the current release of VirusZ, you can install a standard bootblock to delete the virus, display the ascii-dump of the virus to look at possible texts, save the virus or ignore it. The last possibility is not recommended. If your disk contains anything else than a virus or a standard bootblock, it will be checked for known custom bootblocks. Whenever such a known bootblock appears, it's surely not a virus and can be ignored. However you can force a report by setting the 'Report Custom' flag in the prefs menu. But now let's go on. If the bootblock isn't a known custom one, VirusZ first checks its checksum. If this is not correct, VirusZ simply ignores it because it wouldn't be executed anyway. But if all conditions are met, the bootblock will be reported as unknown. This might happen with most bootload games or demos, so do NOT install anything you don't know. You might trash the program that depends on this boot. But if you are sure that it's a new virus, save the bootblock (you can use VirusZ for this) install the original bootblock and send me the copy for inclusion in VirusZ. 2. The Disk-Validator Check --------------------------- Currently there exist two viruses that link themselves to this program. You can find the Disk-Validator in the L: directory of most disks. It was originally thought to correct possible small errors on a disk and is called from the ROM if necessary. The viruses use the feature of being installed by the system itself by corrupting some data on the infected disks that causes the ROM to load the Disk-Validator. Instead of repairing the disk, they install themselves in memory. VirusZ finds both viruses in memory and on disk and offers you the possibility to delete them. Since the original Disk-Validator is copyright Commodore, I'm not allowed to include it in my program. You must copy it back to the cleaned disk from a heal one yourself whenever a virus was deleted. Note that this information is only valid for Kick 1.2/1.3 since under OS 2.0, the Disk-Validator is in the ROM. 3. The Virus Check in Memory ---------------------------- This is the real memory check looking for known viruses. It's executed once on startup, and whenever VirusZ finds a virus, you will get a request telling you which virus was removed. VirusZ removes them automatically. Viruses will not only be patched or disabled, but they will be removed from memory completely. In addition to the startup memory check, VirusZ installs an interrupt that repeats the memory check regularly. The time passed between two checks can be changed by the user, default is 10 seconds. This is the safest way to find and remove file- and linkviruses in memory. These viruses can appear in memory any time an infected file is executed. So whenever VirusZ reports a virus in memory, check the disks you are working with at the moment for infection. Note that the time passed between two checks will be slightly shorter on NTSC machines since VirusZ is PAL oriented and works with 50Hz. Also note that any virus using KickTagPtr will cause VirusZ to delete all resident modules. This means that you must save everything you haven't saved yet from your recoverable RAM disk (if used). My policy is better save than sorry. See a list of viruses in the appendixes. 4. The Vector Check ------------------- Mostly all viruses work in the same manner. Either they make themselves resident and/or corrupt some libraries or devices with their code. Therefore the vector check was designed to help you find new viruses that can't be recognized directly by VirusZ yet. The vector check window is divided in three main parts. First there is the reset vector display on the left top. Here the three most important vectors are displayed and can be set to zero by clicking the corresponding gadget. Related to the KickTagPtr is the second part of the window. This is the resident modules display on the right top. The names of all resident modules will be printed here (if set). Thus its easy to say whether you have something suspicious (no name) or an utiltity (most of them set their name). The last part of the window is the big status window at the bottom. The hardware configuration of your Amiga and the results of the library and device check will be printed here. ColdCapture and CoolCapture should be zero, they are only used by some programs, mostly viruses, because using Captures is easy. The only exception is the SetPatch command of Kick 1.2/1.3. Since these ROMs have a bug, it tries to repair them by using ColdCapture (1 MB of Chip). If you use it in your startup-sequence, don't clear the vector. The KickTagPtr is a bit more complicated. Nearly all resident programs like virus detectors, recoverable RAM disks or for example TurboPrint uses it to keep parts of their code resident. If this vector is set and you use such a program, do not clear it or you will lose it after the next reset. The library and device checker checks everything that is currently in the system lists. This works as follows: We simply count the library/device checksum and compare it to the one in the library/device base. This is enough for most viruses, because they don't SetFunction() their changes but do it in a incompatible way. Only very special viruses like the 'Lamer Exterminator' cannot be detected using this method. Note that especially the dos.library may have a wrong checksum without being virus infected because several utilities like the PowerPacker patches do their modifications the same way a virus does it (shame on you). USING ALL FEATURES OF VIRUSZ ---------------------------- To use more features offered by VirusZ, you have to use menu items to call special functions. These can only be used if VirusZ's window is active (activate it by clicking the left mousebutton). THE VIRUSZ MENU --------------- 1. Prefs -------- Selecting this item opens a window where you can change the VirusZ preferences. Finish the window by clicking one of the gadgets at the bottom. 'Use' will cause VirusZ to use the currently selected settings until the next reset, 'Save' saves them to a file called 'VirusZ.prefs' in your S: drawer that will be used on all following startups. Additionally to the options specified in the prefs window the current window position will be saved too. 'Cancel' ignores all changes made to the settings. Play Sound enables/disables the fantastic sound and screen flash that warns you when a virus has been detected on disk or in memory. Default is on. Ignore Vectors tells VirusZ not to check the resident vectors during startup. Useful if VirusZ keeps on reporting your recoverable RAM-disk or harddisk-device after every reset.This option does NOT disable the virus check. Default is off. Fake SnoopDos installs/removes a task called SnoopDos (only if the real SnoopDos isn't installed) for protection against PowerPacker 3.2 trojan horse. Fully compatible to the real SnoopDos, the option doesn't need any processing time since the task is running at a low priority and waits for a message that never arrives. Default: off. Report Custom will, if enabled, cause VirusZ to report known custom bootblocks while checking your disks. Useful if you want to find a certain bootblock and you simply can't remember where it was. Default is off. Decrunch Files enables/disables the outstanding mega-feature of decrunching files for virus checking. Note that you need 'decrunch.library' in your libs drawer if you intend to use this. Default is off. Skip Directories tells the file checker not to check subdirs. Useful for checking the root directory of a harddisk :-) Default is off. Memory Check Repeat Delay Enter 0 in this string gadget to disable the memory check, any other value between 10 and 120 will be accepted as a delay. Default is 10 seconds. 2. About -------- This displays all necessary information about VirusZ. 3. Quit VirusZ -------------- Think twice and you'll figure out the function of this. THE BOOTBLOCKS MENU ------------------- WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING W Since some guys kept on telling me that the bootblock functions don't W A work correctly with their HDs, I have to mention some things here. You A R can only use these functions if your harddisk uses a standard Commodore R N Rigid Disk Block or any similar type of 'bootblock'. If it doesn't work N I with yours, simply forget it! Be careful with loading and saving the I N bootblock of a HD. Wrong usage of this feature might mean the loss of N G all data on the HD and I am NOT reliable for this... G WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING 1. Install Bootblock -------------------- Since installing a standard bootblock is only useful in connection with real diskdrives (df0-df3), I decided to create a special window for the install feature. Select the drive that should be installed by pressing the gadget labelled with the drive name. 'Cancel' terminates the window without any action. The 'FastFileSystem' switch enables/disables the installation of, well ehh.., a fastfilesystem bootblock (0x444f5301). You may also want to install the disk with a non-bootable bootblock. Therefore enable the 'Not Bootable' gadget. 2. Load Bootblock ----------------- Offers you the possibility to load former saved bootblocks and reinstall them on any disk. This is the counterpart of 'Save Bootblock' and can be used to restore destroyed bootblocks. VirusZ will first check the bootblock you want to install for virus infection (viruses cannot be installed with VirusZ). 3. Save Bootblock ----------------- Offers you the possibility to save a bootblock as file. This is useful in connection with games or demos that use special bootblocks. If you keep a copy of the bootblock on another disk, you avoid the risk of losing it by a virus or by accident. In such a case, simply restore the saved bootblock by using 'Load Bootblock'. This can also be used in connection with harddisks to save the Rigid Disk Block (if used). 4. Ascii-Dump ------------- Displays the ascii-dump of any bootblock. This function should help you to discover BB viruses which hold specific text in their code. You can also recognize whether the bootblock is standard or if it's a custom bootblock. Don't rely 100% on text like 'A2000 Memory Allocator v1.0', it might be a disguised virus. 5. Hex-Dump ----------- Displays the hex-dump of a bootblock. This is only interesting for experienced users or programmers. If you know something about OpCodes, this function might help you to find out what the displayed bootblock basically does (e.g. one can easily detect copperlists). THE MISCELLANEOUS MENU ---------------------- 1. Check Files -------------- Checks a whole disk or drawer for link and fileviruses. First you have to select the path in the file requester. Therefore the complete path must be included in the string gadget of the requester. Click 'Ok' and we start checking all files in the selected directory and its subdirectories. You can skip checking subdirs by enabling the 'Skip Dirs' gadget in the prefs window. All filenames will be listed with a short description. Crunched files will be reported as executables if you have disabled the 'Decrunch Files' gadget in the prefs window. Otherwise, they will be reported with the packer name and, if already supported, decrunched. Files that are not checked or already decrunched will be checked for linkvirus infection. VirusZ removes all links of viruses from a file, even if it's infected several times. After successfully removing all virus stuff, a requester will appear that gives you important information about the file and the virus. It may happen that a file is first infected and then crunched. If you want to save the cleaned file without having it decrunched, check it again with decrunching disabled. There are several messages and requesters in the file checker, but they should all be self-explaining, so we skip a description. You can abort checking at any time by pressing the right mouse button. Checking will be paused by pressing the left mouse button. 2. Check Blocks --------------- Checks a whole device for virus corruption and/or block/track errors. Damage caused by the following viruses will be recognized: Saddam, Lamer Exterminator, Warsaw Avenger, Fast Eddie, Cameleon. The damage caused by Saddam and Cameleon will be repaired, the others can only be detected. BlockChkSum errors will be repaired too. On harddisks, data blocks will be ignored cause they shouldn't exist anyway. You can abort checking at any time by pressing the right mouse button. Left button pauses checking. 3. Check Vectors ---------------- This performs the vector check described above. 4. All Drives ------------- Checks all connected drives for viruses. This performs the same checks as the initial check on startup. I added this to get a disk checked again without removing and reinserting it. This function is mostly historical and not very useful in everyday use. 5. Refresh Devices ------------------ If you start VirusZ already in your startup-sequence before mounting devices like RAD: or HD partitions, they won't be recognized by VirusZ unless you use this function. SPECIAL NOTES ------------- 1. New Viruses And Packers -------------------------- Although VirusZ recognizes lots of viruses both in memory and on disk, this is NOT enough until also the very last virus is included. If you ever get a new virus, do not delete it before sending me a copy. Don't forget: I can only help you in your fight against these little bastards if you support me with all the necessary material. Killing a virus without knowing how it works is impossible. Additionally to new viruses I'm always searching for new crunchers for inclusion in 'decrunch.library'. 2. Bugs ------- There may still be some bugs in this release, but this depends on the configuration of your Amiga. VirusZ has been tested on Kick 1.3, OS 2.0 and OS 2.1 (Locale) and worked just fine. It didn't complain about an MC68030/881 and a Fujitsu 105 MB harddisk. If you nevertheless find a bug, please don't bother and send me a detailed description (if possible) including your system's configuration and when and how the bug appears. You can find some information about your hardware configuration in the vector check. If VirusZ crashes in connection with other software, I would be glad if you send me a copy of these programs (if the copyright allows it). Please DO NOT report things that I can't repeat on my Amiga without a detailed description of the circumstances. APPENDIXES ---------- 1. Viruses In Memory -------------------- All viruses mentioned below will be removed properly from memory. But not all of them will be recognized by name. This is because some clones (especially SCA clones) can be detected and killed all the same way. Including a routine to get their real names as an addition would cause the memory checking routines to get more than twice as large as they are now. And that's not worth it. AlienNewBeat AmigaDOS 2.1 Ass Protector ASV Australian Parasite BGS9 BlackFlash BLF BlowJob BlueBox Bret Hawnes Butonic 1.31/3.00 ByteBandit Clone AmigaFreak, Morbid Angel, PowerBomb, Inger IQ, Forpib, ZAccess 2.0, Frity, Riska, Hauke, MAD 1, Rude Xeroxx. ByteParasite 1-3 ByteVoyager ByteWarrior (DASA) Cameleon (Little Sven) CCCP Centurions Cheater Hijacker ClaasAbraham CLI-Manager CList Clonk! Coder's Nightmare (CODER) Crime Darth Vader 1.1 DAT '89 Destructor Disaster Master 2 DiskDoktors Hauke Exterminator 1 DiskGuard 1.0 Disktroyer Divina Exterminator 1 Dotty Extreme F.A.S.T. F.I.C.A. Fast Eddie Gadaffi Glasnost Gotcha Lamer Gremlin GXTeam Hilly Hoden 33.17 Incognito IRQ-Team 41.0 Joshua 1 Joshua 2 Julie (Virus Predator) L.A.D.S. (Gremlin) Lamer Exterminator LameStyle UK M&U 5.5/6.1 Mallander 1.0 MegaMaster Metamorphosis 1.0 MG's 1.0 MicroSystems Starlight 2 Nasty-Nasty! Obelisk Opapa Paradox 1 (Logic Bomb) Paradox 2 Paramount Paratax Rene Return Of The Lamer Ext. Revenge Of The Lamer Ext. Revenge/Sendarian Revenge BootLoader Sachsen 1 Sachsen 3 Saddam Saddam Hussein SCA Clone 16BitCrew, Butonic 1.1, Graffiti, JITR, Kauki, LSD, Mexx, NorthStar 1-3, Pentagon Circle 1-3, Target, UltraFox, AEK, BS1, DAG, Digital Emotion, HCS 4220 1-2, ICE, Obelisk, Disk Herpes, SuperBoy, Vermin, Warhawk, ZAccess 1.0, 2001, AIDS-HIV, BladeRunners, Gyros, Future Disaster, BigBoss, Deniz Unal, Kefrens 1-2, Paratax 1-3, Loverboy, Ripper, Starlight, Zombi 1 etc. ScarFace Suntronic Switch Off SystemZ Tai-Pan Chaos Tai-Pan LameBlame TelStar Termigator Terrorists TFC Revenge The Traveling Jack TimeBomb/Tomates GenTechnic Trabbi Traveller 1.0 Triplex Trisector 911 Turk 1.3 Twinz Santa Claus ULDV 8 Virus v1 VirusHunter VirusSlayer 1.0 VKill 1.0 Waft Warsaw Avenger Xeno 2. Utilities In Memory ---------------------- Since VirusZ only kills what it knows in memory, it's not necessary to add all the resident utilities like RAD:, VD0:, ZKick etc. If you ever have problems with these (it's not very likely that VirusZ thinks these might be viruses), let me know and I'll fix it. 4. Special Thanks ----------------- There are several people I wish to thank for their VirusZ support: Ralf Thanner Steve / Silicon Designs 3003 Flake / D-Tect Holger Wessling Vader / Toxic Track Control / Alcatraz Axel Folley Terminator / Destiny UK Eric Loevendahl Soerensen and of course all users who already paid their shareware fee. 5. The End ---------- That's all folks, wish you lots of successful anti-virus sessions with VirusZ, keep smiley'ing and have fun... Georg :-))