ProfitPress Mega CDROM2 Shareware Freeware (MSDOS)(1992)(Eng)

home *** CD-ROM | disk | FTP | other *** search

/ ProfitPress Mega CDROM2 …eeware (MSDOS)(1992)(Eng) / ProfitPress-MegaCDROM2.B6I / UTILITY / VIRUS / TBSCAN33.ZIP / TBSCAN.DOC < prev next >

Wrap

Text File | 1992-03-10 | 131.1 KB | 3,448 lines

Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. Table of Contents 1. COPYRIGHT, LICENCES AND DISCLAIMER................ 2 1.1. Copyright................................... 2 1.2. Distribution and usage...................... 2 1.3. Disclaimer.................................. 3 1.4. Trademarks.................................. 3 1.5. Registration................................ 3 1.6. The registration key........................ 3 2. INTRODUCTION...................................... 5 2.1. Purpose of TbScan........................... 5 2.2. A Quick start............................... 5 2.3. Historical overview......................... 5 2.4. Benefits.................................... 6 2.4.1. Speed................................. 6 2.4.2. Reliability........................... 7 2.4.3. Flexibility........................... 8 2.4.4. Smart scanning........................ 9 2.5. Limitations of scanners..................... 9 2.6. Who are we?................................ 10 3. USAGE OF THE PROGRAM............................. 11 3.1. System requirements........................ 11 3.2. Program invokation......................... 11 3.3. While scanning............................. 12 3.4. Detecting viruses.......................... 13 3.5. The warning marks.......................... 13 3.5.1. R - Suspicious relocator............. 14 3.5.2. T - Invalid timestamp................ 15 3.5.3. ! - Branch out of code............... 15 3.5.4. # - Decryptor code found............. 15 3.5.5. D - Direct disk access............... 15 3.5.6. N - Wrong name extension............. 15 3.5.7. M - Memory resident code............. 16 3.5.8. F - Suspicious file access........... 16 3.5.9. ? - Inconsistent header.............. 16 3.5.10. E - Read or open error.............. 16 3.5.11. J - Multiple jumps.................. 16 3.5.12. p - Packed or compressed file....... 17 3.5.13. w - Windows or OS/2 header.......... 17 3.5.14. h - Hidden or System file........... 17 3.5.15. i - Internal overlay................ 17 3.5.16. s - Unusual stack................... 17 3.6. Command line options....................... 18 3.6.1. -help................................ 18 3.6.2. -info................................ 18 3.6.3. -quick............................... 19 3.6.4. -more................................ 19 3.6.5. -mutant.............................. 19 3.6.6. -direct.............................. 19 3.6.7. -analyze............................. 20 Page i Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. 3.6.8. -extract............................. 21 3.6.9. -valid............................... 21 3.6.10. -once............................... 21 3.6.11. -compat............................. 21 3.6.12. -nosnow............................. 21 3.6.13. -noboot............................. 22 3.6.14. -sector............................. 22 3.6.15. -nomem.............................. 22 3.6.16. -allmem............................. 22 3.6.17. -hma................................ 22 3.6.18. -nohmem............................. 22 3.6.19. -nosub.............................. 23 3.6.20. -sub................................ 23 3.6.21. -noavr.............................. 23 3.6.22. -delete or -del..................... 23 3.6.23. -rename or -ren..................... 23 3.6.24. -batch.............................. 23 3.6.25. -repeat............................. 23 3.6.26. -log................................ 24 3.6.27. -session............................ 24 3.6.28. -loginfo............................ 24 3.6.29. -logall............................. 24 3.6.30. -data............................... 24 3.7. Examples:.................................. 25 3.8. Environment variable....................... 25 3.9. The configuration file..................... 26 3.10. The TbScan.Msg file....................... 27 3.11. Residence of the signature files.......... 27 3.12. Residence of the AVR modules.............. 27 3.13. Error messages............................ 27 4. FORMAT OF THE DATA FILE.......................... 29 4.1. Format of a signature entry................ 29 4.2. Wildcards.................................. 29 4.3. Restrictions............................... 30 4.4. Defining new signatures.................... 30 5. A VIRUS, NOW WHAT?............................... 33 5.2. Confirmation............................... 33 5.3. Identification............................. 34 5.4. No Panic!.................................. 34 5.5. Recovering................................. 34 6. CONSIDERATIONS AND RECOMMENDATIONS............... 36 6.1. What should be scanned?.................... 36 6.2. The internals of TbScan.................... 37 6.2.1. How is that blazingly speed achieved? 37 6.2.2. The code interpreter................. 38 6.2.3. The algorithms....................... 39 6.2.3.1. Checking....................... 39 6.2.3.2. Tracing........................ 39 Page ii Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. 6.2.3.3. Analyzing...................... 40 6.2.3.4. Browsing....................... 40 6.2.3.5. Skipping....................... 40 6.2.4. The -compat option................... 40 6.2.5. Recursing through directories........ 41 6.3. The Sanity check........................... 42 6.4. How many viruses does it detect?........... 42 6.5. Testing the scanner........................ 42 6.6. Scan scheduling............................ 43 6.7. Extensions to the format of the data file.. 43 6.8. Compressed files........................... 44 6.9. Other products............................. 45 7. MISCELLANOUS INFORMATION......................... 47 7.1. Distribution of the signature file......... 47 7.2. Notes...................................... 47 7.3. The TbScan.Sys driver...................... 47 7.4. Exit codes................................. 47 7.5. Updates.................................... 48 7.6. Thanks..................................... 48 8. OUR OTHER PRODUCTS............................... 49 8.1. TbScanX.................................... 49 8.2. TbRescue................................... 49 8.3. Thunderbyte................................ 50 9. NAMES AND ADDRESSES.............................. 53 9.1. Contacting the author...................... 53 9.2. ESaSS...................................... 53 9.3. Thunderbyte support BBS's.................. 53 9.4. Recommended magazines and organisations.... 53 Page iii Page 1 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. 1. COPYRIGHT, LICENCES AND DISCLAIMER 1.1. Copyright TbScan is copyright 1989-1992 ESaSS B.V.. All rights reserved. The diskettes provided with TbScan are not copy protected. This does not mean that you can make unlimited copies of them. TbScan is protected by the the copyright laws which pertain to computer software. No part of the printed manual accompanying TbScan may be reproduced, transmitted, transcribed, stored in a retrieval system or translated into any language, in any form or by any means, without the prior written permission of ESaSS B.V.. 1.2. Distribution and usage Both TbScan and the accompanying documentation are SHARE-WARE. You are hereby granted a license by ESaSS to distribute the evaluation copy of TbScan and its documentation, subject to the following conditions: 1. The evaluation package of TbScan may be distributed freely without charge in evaluation form only. 2. The evaluation package of TbScan may not be sold, licensed, or a fee charged for its use. If a fee is charged in connection with TbScan, it must cover the cost of copying or dissemination only. Such charges must be clearly identified as such by the originating party. Under no circumstances may the purchaser be given the impression that he is buying TbScan itself. 3. The evaluation package of TbScan must be presented as a complete unit. It is not allowed to distribute the program or the documentation separately. 4. Neither TbScan nor its documentation may be amended or altered in any way. 5. By granting you the right to distribute the evaluation form of TbScan, you do not become the owner of TbScan in any form. 6. ESaSS accepts no responsibility in case the program malfunctions or does not function at all. 7. ESaSS can never be held responsible for damage, directly or indirectly resulting from the use of TbScan. 8. Using TbScan means that you agree on these regulations. Any other use, distribution or representation of TbScan is Page 2 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. expressly forbidden without the written consent of ESaSS. 1.3. Disclaimer Neither ESaSS B.V. nor anyone else who has been involved in the creation, production or delivery of TbScan or this manual makes any warranties with respect to the contents of the software or this manual and each specifically disclaims any implied warranties of merchantability or fitness for any purpose. ESaSS B.V. reserves the right to revise the software and the manual and to make changes from time to time in the contents without obligation to notify any person. 1.4. Trademarks. TbScan, TbScanX and Thunderbyte PC Immunizer are registered trademarks of ESaSS B.V.. All other product names mentioned are ackowledged to be the marks of their producing companies. 1.5. Registration. THIS IS NOT FREE SOFTWARE! If you paid a "public domain" vendor for this program, you paid for the service of copying the program, and not for the program itself. Rest assured that nothing ever gets to the originators of this product from such a sale. You may evaluate this product, but if you make use of it, you must register your copy. To register: fill in the file REGISTER.DOC and return it to us. We offer several inducements to you for registering. First of all, you receive the most up-to-date copy of the program that we have (we do update the product on a regular basis). You also receive support for TbScan, which can be quite valuable at times. You also receive complete printed documentation for the product. A "do-it-yourself" update service is offered to registered users through our own support BBS. And finally, we include an evaluation package of some of our other software products. This version of TbScan is fully functional, except for option -extract, which can be used to define your own signatures for yet unknown viruses. This advanced option is available for registered users only. Once you registered TbScan all future upgrades are for free. Thunderbyte users are automatically licensed to use TbScan on the machine where the Thunderbyte add-on card is installed. 1.6. The registration key Page 3 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. Registered users receive a key file named TbScan.KEY. The key file contains some information like the license number and name of the license holder. It is NOT allowed to sell or give away the key file TbScan.KEY. TbScan searches for the key file in the current directory. If it does not find it it searches in the same directory as the program file TBSCAN.EXE itself is located (only DOS 3+). If the key file is corrupted or invalid, TbScan continues without error message, but in that case you are running a SHARE-WARE version instead of the registered version. If your key is only valid for TbScanX.Exe (the memory resident version), TbScan ignores it. Page 4 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. 2. INTRODUCTION 2.1. Purpose of TbScan TbScan is a program that was developed to trace viruses, Trojan Horses and other threats to your valuable data. It is a so-called virus scanner. A virus scanner is a program that is able to search a virus signature that has been determined beforehand. Most viruses consist of a unique sequence of instructions, called a signature, so by means of checking for the appearance of this signature in a file we can see whether or not a program has been infected. By searching all your program files for the signatures of all viruses already identified you can easily find whether your system has been infected and, if that is the case, with which virus. Every PC owner should use a virus scanner frequently. It is the least he or she can do to avoid possible damage caused by a virus. 2.2. A Quick start Although we recommend to read this complete manual carefully, here are already some directions how to use TbScan: Type "TbScan C:\". This will be sufficient for a standard scan session. It is allowed to specify more drives: "TbScan C:\ D:\". The invokation syntaxis is: TBSCAN [@][<path>][<filename>]... [<options>]... If you experience any problems using TbScan, specify the -compat option: TbScan C:\ -compat For fast online help type "TbScan -?" or "TbScan -help". The latter will provide a more detailed description of the command line options. 2.3. Historical overview Some years ago the community was confrontated with a new phenomenon: Computer viruses. In the early days of computer viruses people had to look into an infected file to determine whether it has been infected by looking for a virus specific code pattern. It doesn't take long before programmers created little programs that were able to tell whether a specific program was infected or not. Enhanced versions of these programs were able to search automatically for all files. In a short time there were Page 5 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. dedicated scanner programs for every known virus. When the number of viruses increases, programmers started to combine several scan programs into one, the multi-string scanner was born. These scanners worked fine, but the amount of viruses was growing, and the need for frequent updates increased. The number of scanning programs also increased, and scanning programs detected the internal search patterns (signatures) of each other thinking they had found a virus, and a lot of people get confused by these false alarms. A solution to both of these problems was to separate the search engine and the signatures. Signatures can be distributed more quickly and via text media, and by separating the search patterns from the executable file, other scanners were no longer triggered by these search patterns. TbScan uses a file with the name Virscan.Dat, originally created for a program called Virscan.Exe. When Virscan.Exe was developed, the number of viruses was still little compared with the current situation. When the number of viruses increased, Virscan slows down for every signature added. At that time we developed the Thunderbyte add-on card, an universal anti-virus device. Since Thunderbyte recognizes virus activities rather than signatures, it can only tell whether a system is infected, but it will never be able to tell you the name of the virus. To overcome this, we decided to supply a virus scanner with our product, and we developed TbScan. We introduced many very sophisticated idea's in the first version of TbScan, and today, many competitive products have adapted some of these new idea's. Some of these idea's are: the use of wildcards in the signature, scanning the memory of the PC, scanning only specific parts of a file rather than the complete file, etc. 2.4. Benefits By now already lots of virus scanners have been developed. However TbScan has a number of important and unique characteristics. These are: 2.4.1. Speed Most virus scanners do not operate very fast. This is nevertheless very important because you are surely one of those people who do not like to stare at their display for a quarter of an hour. When a program works slowly it is used less often, that is a fact. And even the best virus scanner is worthless when it is not used. Our goal was to create a scanner even fast enough to be invoked from within the autoexec.bat file every morning. Page 6 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. The high speed is achived by many smart measures. For instance, it is not required to scan a complete file to find a virus, and TbScan will disassemble the file to locate the viral code. The search routine itself is highly optimized, TbScan has an internal scan-specific disk cacher, etc. For more information about the internals of TbScan read chapter 6.2. The speed depends on many system characteristics, so we will not tell you how many times faster TbScan performs, but you can easily test it by yourself. The speed of our program has been increased with almost every new release, and the current version is faster than every other scanner known to us. Try it yourself! TbScan is designed to scan for a large amount of virus signatures. The current version of TbScan is able to scan for over 2500 signatures (without additional memory requirements). Because of its design, TbScan will not slow down if the number of signatures increases. It doesn't matter whether you scan an item for 10 or 1000 signatures. TbScan carries some special routines to check a stack of diskettes at a high speed. You don't have to signal TbScan via the keyboard that a diskette has been changed: It determines this completely automatically. 2.4.2. Reliability TbScan checks itself immediately after invokation. If it detects that it is infected it aborts with an error. This reduces the chance that TbScan transfers a virus to another machine after being infected. TbScan can bypass viruses that are already active in memory. This is possible through a built-in interrupt debugger! TbScan detects even unknown viruses, because the built-in disassembler is able to detect suspicious instruction sequences and abnormal program lay-outs. A lot of viruses are memory resident, which means they lodge themselves in the memory of your computer. From there they can easily influence all active programs you use. There are already viruses that "desinfect" a program file, as soon an attempt is made to read it. When such a virus is active, a virus scanner, reading a program file in order to check it, finds that the file is not infected (which is true at that moment). But after the program file has been read the file is immediately infected again. So the virus scanner reports that no virus has been found, but in reality it is actually there. Page 7 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. TbScan offers a unique solution for this problem: it contains an automatic debugger that works its way through the chain of interrupts "single stepping" until it reaches the DOS program code. It saves the address which is then found and uses it for the communication with DOS. In this way most viruses will not see anything of the operations of TbScan. TbScan is able to scan Upper Memory and the HMA. Most of the other scanners (still) don't recognize this memory. TbScan scans the video memory of your PC. Most anti-virus products are not aware of the fact that it is possible to install TSR's (and also viruses) in the unused video memory. TbScanX (the resident version of TbScan) for instance even has a special mode to store the signatures in unused video memory. TbScan scans all memory, including the video memory, just to be sure. TbScan is able to search a complete disk at sector level. This way no virus can remain undetected. Even already killed viruses can be detected this way. TbScan is able to detect mutants of a virus. A mutant is a virus that has been modified slightly and therefore does not match the signature anymore. TbScan is able to detect such a mutant, even if no wildcards are used in the virus signature. TbScan is able to detect droppers of bootsector viruses. A dropper is a program that is not infected, but that is intended to install the bootsector virus on your system. 2.4.3. Flexibility TbScan is fully programmable by means of a data file. Most of the time viruses spread quickly. After a new virus has been found there is often no time to adapt your virus checker in order to make it capable of recognizing this new virus. That is why TbScan uses a data file in which the signatures of the viruses occur. This file can quickly be adapted, possibly by yourself, for example when you are informed of a new virus through the media. TbScan supports among other things the format which is used in the file "Virscan.Dat". This file is regularly updated and can be obtained at a lot of data banks. TbScan supports wildcards in the signature. Many viruses are adapted and converted to other viruses by the public. Such a modified virus -a mutant- looks the same as the original virus, but the part that contains the signature is often changed. Scanners don't recognize the mutant anymore, and a new signature must be extracted. TbScan is designed to approach this problem different: by replacing the modified parts of the Page 8 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. signature by wildcards TbScan can still recognize all instances of a virus. That implies that all mutants of for instance the Jerusalem/Plo virus are covered by just one signature rather than 25 as some other scanners require. This also explains why TbScan has "only" 300 signatures but still detects all 800 viruses. There are viruses that are so completely encrypted that it is no longer possible to define any signature for them, even if using wildcards. The "washburn" related viruses (like 1260 and Casper) are such viruses. The only way to detect these viruses is by doing an algorithmic recognition. TbScan is the first scanner that implemented the use of so called AVR (Algorithmic Virus Recognition) modules, which contain a dedicated routine to detect a specific virus. An AVR-module is extremely flexible, it can perform almost any operation necessary to detect a specific virus. TbScan offers registered users to define their own signatures by using the -extract option. You don't have to be an assembler programmer to define a signature in an emergency situation! 2.4.4. Smart scanning TbScan is not just a scanner, it is a disassembling scanner. This means that TbScan not only scans the file but also interpretes the contents and adjust the scanning algorithm to gain the highest reliability and speed. With reliability we not only mean a low "false negative" ratio, but also a low "false positive" ratio. The best scanner is not a scanner that yells "virus!" for every file, but a scanner that only yells "virus!" if there IS really a virus in the file. Besides the adjustment of the scanning algorithm, TbScan also displays additional information about the file. It can detect instruction sequences that are intended to write to disk directly, to make code resident, to decrypt code, etc. TbScan even flags files as being infected with an unknown virus if the disassembly shows that the file contains a virus but a matching signature can not be found. All this information is displayed while scanning, and all in the same scan pass! 2.5. Limitations of scanners Although TbScan is a very sophisticated scanner, it is a scanner, and all scanners have some disadvantages in common: + They cannot prevent infection. Virus scanners can only tell you whether or not your system has been infected and if so, whether any damage has already been done. By then only a good (non-infected) backup can still save you. Page 9 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. + They can only recognize viruses that have already been identified. When a new virus has been launched it will take a while before someone discovers it. After that it will take some time before a reliable signature is distilled from the virus and it will also take a while for you to get hold of the newest Virscan.Dat. All this means that there is a real chance that your system is infected at a moment virus scanners have not yet recognized "your" virus! + You will have to do an active operation in order to protect your system: namely executing the virus scanner. At least once a week one should boot from a trusted and write-protected diskette and execute the scanner, since some viruses can perfectly hide themselves once resident in memory. It is an illusion that employees perform this task correctly. For company use we recommend additional protection, like a permanently active immunizer such as the Thunderbyte add-on card. 2.6. Who are we? TbScan is developed by Frans Veldman, chief executive of the ESaSS company. ESaSS is the company that developed the well known Thunderbyte card, the first hardware PC immunizer, and has therefore a lot of experience and knowledge of viruses and assembler written system software. Of course we also have a large collection of viruses to test our products. Page 10 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. 3. USAGE OF THE PROGRAM 3.1. System requirements TbScan runs perfectly on standard machines. "The limits are limited". + TbScan requires 184 Kb of free memory. If you use a log file TbScan needs an additional 16 Kb of memory for the log file buffer. TbScan also allocates memory to keep all AVR modules in memory. If there is still memory left it will be used for cache buffers to increase the scan speed. Note that the memory requirements are independend from the amount of signatures. The current memory requirements already incorporate memory to manage at least 2500 signatures. + DOS version 2.11 or later is sufficient to run TbScan. However, Dos 3.3 or higher is recommended, since TbScan is optimized and primary designed for use with these DOS versions. + Directories may be nested up to 20 levels. + The summed size of all AVR-modules should not exceed 64Kb. 3.2. Program invokation TbScan is easy to use. The syntaxis is as follows: TBSCAN [@][<path>][<filename>]... [<options>]... Drive and path show from where should be searched. To search the disk C:\ and disk D:\ you have to enter: TBSCAN C:\ D:\ When no filename has been specified but only a drive and/or path, then the specified path will be used as top-level path. All its subdirectories will be processed too. When a filename has been specified then only the specified path will be searched. Subdirectories will not be processed. Wildcards in the filename are allowed. It is allowed to specify "*.*". All executable files will be processed. If you want the non-executables to be processed too, then you have to specify the "-analyze" parameter in combination with the filename. "TBSCAN TEST.DAT" will always cause that no file will be processed: TEST.DAT is not an executable file. In this case you have to specify the -analyze parameter. (Since a .DAT file is not executable TbScan should be prevented from disassembling such a file because the results would not be reliable. The -analyze option prevents TbScan Page 11 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. from disassembling the file). You can also specify a list file to TbScan. A list file is a file that contains a list of paths/filenames to be scanned. Preceed the file with the character '@' on the TbScan command line: TBSCAN @TBSCAN.LST 3.3. While scanning TbScan divides the screen in two windows: an information window and a scanning window. The upper window is the information window and it initially displays the comments of the data file. If TbScan detects infected files the names of the file and the virus will be displayed in the upper window. The information will stack up and scroll off the screen if it doesn't fit anymore. The divider line between the two windows displays the directory containing the file being processed, the number of signatures scanning for, and the disk cacher hit-rate. The divider bar looks like this: C:\TEST\SUBDIR\ Virus families: 356^ Cache hit 73% The caret (^) after the number of virus families indicates that TbScan has linked in some AVR (Algorithmic Virus Recognition) modules. The amount of AVR modules are added to the virus family counter. The cache hit indicator displayes the percentage of fat- or directory information that has been retrieved from the cache buffers, or with other words, the percentage of disk access saved. Note that the cache hit only applies for the fat- and directory sectors, the contents of files will never be cached and will not be reflected in the cache hit indicator. The line directly below the dividor line is reserved for TbScan comments. It contains the rotating "I am still alive" indicator, and should normally display license information. The lower window displays the file being processed, the algorithm in use, info- and warning characters, the progress, and finally an OK-statement or the name of the virus detected. You will see one of the next five terms behind every file name: "Checking", "Tracing", "Browsing", "Analyzing" and "Skipping". This indicates the algorithm used to scan the file. Behind these terms TbScan can display some warning characters. Consult chapter "Warnings" for individual meanings of these characters. Page 12 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. Behind these terms you will see that, dependent on size, structure and kind of file, a number of plus signs appear. These indicate the amount of code chunks that have been processed. The current version of TbScan processes data in chunks of 32 Kb. The process can be aborted by pressing Ctrl-Break. 3.4. Detecting viruses As soon as an infected program is found, the name of the virus will be displayed. If you did not specify one of the options -batch, -rename or -delete, TbScan will prompt you to delete or rename the infected file, or to continue. If you choose to rename the file, the first character of the extension will be replaced by the character "V". This prevents the file from being executed accidentially until further investigation. When TbScan detects a file it will display: Infected by [name of virus] It is however possible that TbScan detects a bootsector virus dropper. A dropper is a program that is not infected, but contains a bootsector virus and is able to install it on your bootsector. If TbScan detects a bootsector virus is some type of files it displays: Dropper of [name of virus] If the -mutant option has been specified, and TbScan detects a non-100% signature match it displays: Possibly infected by [name of virus] If the -mutant option has been specified and TbScan detects a combination of suspicious facts it displays: Possibly infected by an unknown virus TbScan needs to access the data file to get the name of a virus. If it can not access the data file it displays [Can not read datafile] instead of the virus name. 3.5. The warning marks TbScan is not just a scanner. It also disassembles the file being processed. This serves three purposes, by disassembling the file the scanner can restrict itself to the area of the file where the virus might reside, it makes it possible to use algorithmic detection on viruses that don't have a signature, and it makes it possible to detect suspicious instruction sequences. If TbScan detects suspicious instruction sequences it prints a warning mark or message. Page 13 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. Warning marks consist of a single character that might be printed behind the name of the file being processed. There are two levels of warnings: the informative ones are printed in a lowercase character, and the more serious warnings are printed in an uppercase character. The "lowercase warnings" are intended to attent special characteristics of the file being processed, and the "uppercase warnings" may indicate a virus. If the -info option has been specified the important warnings will not only appear as a warning character, but there will also be a description printed in the upper window. How should you treat the warnings? The less important warnings can be considered as "information only". They indicate nothing special but provide you information you might be interested in. The warning marks printed in uppercase indicate more interesting information that MIGHT indicate a virus. It is quiet normal that you have some files on your system which trigger an uppercase warning. In fact, DOS 5.0 comes with at least two files that trigger a serious warning: FORMAT.COM and SORT.EXE. TbScan detects a "suspicious relocator" in FORMAT.COM and an "inconsistent header" in SORT.EXE. Both warnings are complete rightly. More about that later. Note that viruses infect other programs; it is highly unlikely to find only one of a very few infected files on a hard disk used frequently. You should ignore the warnings if only a few programs trigger the same warning. But, if your system behaves "strange" and many recently used programs cause TbScan to issue the same serious warning (or even combinations of serious warnings), your system might be infected by a (yet unknown) virus. Almost all viruses in our collection cause one or more serious warnings to be displayed. So, don't get upset if TbScan warns you about a few files on your system. But get suspicious if many files cause the same serious warning or combinations of serious warnings. 3.5.1. R - Suspicious relocator. The character 'R' warns for a suspicious relocator. A relocator is a sequence of instructions that change the proportion of CS:IP. It is often used by viruses, especially COM type infectors. Those viruses have to relocate the CS:IP proportion because they are compiled for a specific location in the executable file, and a virus that infects another program can almost never use its original location in the file (it is appended to the file). Normal programs "know" their location in the executable file, so they don't have to relocate themselves. On normal systems only a few percent of the programs should cause this warning to be displayed. Tests on a large collection of viruses shows that TbScan issues this warning for about 65% of all viruses. The DOS FORMAT.COM program causes this warning to be displayed too. This is rightly, because Microsoft did some strange things with this program. It appears that the file was originally a .EXE file which has been converted into a .COM file by adding a sort of shell. (What is actually the difference between infecting a file and converting it Page 14 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. this way?) Anyway, you should ignore this warning for the DOS FORMAT program. TbScan uses the "analyze" or "browse" algorithm on programs which contain a suspicious relocator. Just for sure! 3.5.2. T - Invalid timestamp. The timestamp of the program is invalid. The seconds of the timestamp are illegal, or the date is illegal or later than the year 2000. This is suspicious because many viruses set the timestamp to an illegal value (like 62 seconds) to mark that they already infected the file, preventing themselves to infect a file for a second time. It is possible that the program being checked is contaminated with a virus that is still unknown, especially if many files on your system have an invalid timestamp. If only a very few programs have an invalid timestamp you'd better correct it and scan frequently to check that the timestamp of the files remain correctly. 3.5.3. ! - Branch out of code. The program has an entry point that is located outside the file's body, or a chain of "jumps" traced to a location outside the program file. The program being checked is probably damaged, and can not be executed. Anyway, TbScan does not take any risk and uses the analyze or browse method to scan the file. 3.5.4. # - Decryptor code found. The file possibly contains a self-decryption routine. Some copy-protected software is encrypted so this warning may appear for some of your files. But if this warning appears a lot, or in combination with by example the T-warning, there could be a virus involved! Many viruses encrypt themself and cause this warning to be displayed. 3.5.5. D - Direct disk access. This warning is displayed if the program being processed has instructions near the entry-point to write to a disk directly. It is normal that some disk related utilities cause this warning to be displayed (like Undelete.Exe). As usual, if many of your files (which have nothing to do with the disk) cause this warning to be displayed your system might be infected by an unknown virus. Note that a program that accesses the disk directly should not always be reported with the D-indicator. Only when the direct disk instructions are near the program entry point it will be reported. In case of a virus the offending instructions are always near the entry point and so they will always be reported. 3.5.6. N - Wrong name extension. Page 15 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. Name conflict. The program carries the extension .EXE but appears to be an ordinary .COM file, or it has the extension .COM but the internal layout of an .EXE file. TbScan does not take any risk in this situation, but scans the file for both EXE and COM type signatures. 3.5.7. M - Memory resident code. TbScan has found instruction sequences which could make the program to remain resident in memory or to hook into important interrupts. Almost all TSR (Terminate and Stay Resident) programs will trigger this warning, because hooking into interrupts or remaining resident belong to their normal behaviour. However if a lot of normal programs (not intended to be a TSR) have this warning mark it is suspicious. It is possible that the files are infected by a virus that remains resident in memory. Note that this warning does not appear for all TSR-programs, nor does it always mean that when this warning appears the program is a TSR program. With other words, the TSR detection is not 100% proof. 3.5.8. F - Suspicious file access. TbScan has found instruction sequences common to infection schemes used by viruses. This warning will appear for a few programs that are able to create or modify existing files. However, if this warning appears a lot, the files might be infected, especially if the warning is accompanied by other serious warnings. 3.5.9. ? - Inconsistent header. The program being processed has an exe-header that does not reflect the actual program layout. The DOS SORT.EXE program will cause this warning to be displayed, because the actual size of the program file is less than reported in the "size-of-load-module" field in the exe-header! Many viruses do not update the exe-header of an EXE file correctly after they have infected the file, so if this warning appears a lot it seems you have a problem. You should ignore this warning for the DOS SORT.EXE program. (Hopefully will MicroSoft correct the problem before the next release of DOS). 3.5.10. E - Read or open error. The file could not be opened or read. This can be the result of an error on the disk(ette), but the file could also be in use by another task (multitasking) or network user. The file has not been scanned. 3.5.11. J - Multiple jumps. The program did not start at the program entry point, but the code has jumped at least two times before reaching the final startup code, or the program jumped using a memory operand. This is rather Page 16 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. strange for normal programs. If many files cause this warning to be displayed you should investigate your system thorougly. 3.5.12. p - Packed or compressed file. The program is packed or compressed. There are some utilities that are able to compress a program file, like EXEPACK or PKLITE. If the file is infected after the file has been compressed, TbScan will be able to detect the virus. However, if the file has been infected before it was compressed, the virus is also compressed, and a virus scanner might not be able to recognize the virus anymore. Fortunately, this does not happen a lot, but you are warned! A new program might look clean, but can turn out to be the carrier of a compressed virus. Other files on your system will be infected in that case, but these infections will be normally visible for virus scanners. By the way, TbScan does not recognize specific compression utilities, but uses an universal way to detect any compression program. Probably TbScan does not require any modifications as soon as a new compression program pops up. 3.5.13. w - Windows or OS/2 header. The program can be or is intended to be used with Windows (or OS/2). TbScan does nothing special with these files, but that might be changed in the future as soon as Windows or OS/2 specific virusses occur. 3.5.14. h - Hidden or System file. The file has the "Hidden" or the "System" file attribute set. This means that the file is not visible at a normal directory display but will be scanned anyway. if you don't know the source and purpose of this file it might be a Trojan or "joke" program. Copy it on a diskette, remove it from your hard disk and check if some program is missing the file. If no program is missing it, well, you have freed some diskspace, and maybe your system saved for a future disaster. 3.5.15. i - Internal overlay. The program being processed has additional data or code behind the load-module as specified in the exe-header of the file. The program might have internal overlay(s) or configuration information appended behind the load-module of the EXE file. 3.5.16. s - Unusual stack. The EXE file being processed has an odd (instead of even) stack offset or no stack at all. Many viruses do not setup a legal stack. Page 17 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. 3.6. Command line options It is possible to specify so-called options on the command line. Tbscan recognizes option-characters and option-words. The words are more easy to remember, and they will be used in this manual for convenience. -help, -h =help (-? = short help) -info, -i =display disassembly information -quick, -q =quick scan -more, -m =enable "More" prompt -mutant, -y =enable fuzzy search -direct, -d =direct calls into DOS/BIOS -analyze, -a =force analyze/all files -extract, +a =extract signature -valid, -u =force authorization -once, -o =only once a day -compat, -c =maximum-compatibility mode -nosnow, -t =avoid snow on CGA monitors -noboot, -s =skip bootsector -sector, +s =scan all disk sectors -nomem, -r =don't scan memory -allmem, +r =scan for all viruses in memory -hma, +e =scan HMA too -nohmem, -e =don't scan UMB/HMA -nosub, -n =don't scan in sub directories -sub, +n =process sub directories -noavr, -j =do not search for AVR modules -del[ete] -z =delete infected files -batch, -b =don't ask keyboard input -repeat, -x =scan multiple diskettes -loginfo, -w =log files with a lowercase warning too -logall, +w =log all files unconditionally -log [<filename>], +l [<filename>] =append to log file -session [<filename>], -l [<filename>] =create session log file -data <filename> -f <filename> =data file to be used -ren[ame] [<ext mask>], +z [<ext mask>] =rename infected files 3.6.1. -help If you specify this option TbScan displays the contents of the of the TbScan.HLP file if it is available in the home directory of TbScan. If you specify the -? option you will get the option summary as listed above. 3.6.2. -info If you are an experienced user we recommend you to use this option. If you do so, TbScan will display the most important warnings with the complete pathname of the concerned file in the upper window. Page 18 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. 3.6.3. -quick This option enables you to quickly scan the system. It is intended to be used in the "afternoon scan" of the system. It is recommended to invoke TbScan once a day without this option because this option does not offer you the highest security. .OVL, .BIN and .SYS files are skipped entirely since it is not likely that these files are infected, memory scan is skipped, the scan frame is reduced to 2Kb instead of 4Kb, and TbScan does not fall back to the analyze routine as often as usual. However, TbScan still detects 95% of the viruses if this option is specified. 3.6.4. -more When you enter the parameter -more TbScan will stop after it has checked the contents of one window. This gives you the possibility to examine the results without using a log file. 3.6.5. -mutant TbScan is able to detect mutants of viruses while performing a normal (default) scan, since many of the signatures contain wildcards. However, if you use the -mutant option TbScan does not restrict itself to the wildcard specification, but allows up to two extra changes anywhere in the signature. Needless to say, if you use this option false alarms may occur. Therefore this option is not recommended to be used in a normal scan session. However, you can use this option if you expect the system is infected but TbScan does not detect a virus. If you scan again and specify the -mutant option, and TbScan now reports many files to be "possibly infected" with one virus, it might be possible that the files are infected by an unknown variant of the virus. It is recommended to supply one such a possibly infected file to a virus expert before invoking a clean up operation. 3.6.6. -direct TbScan communicates with DOS through interrupt 21h. To prevent this from being "monitored" by viruses, option -direct can be entered. TbScan will use its built-in debugger to trace through the chain of interrupts until it has reached the DOS entry point. This address is shown on the display and after that moment it will be used for the communication with DOS. The same applies to the communications with the disk system: TbScan first searches for the entry point of the BIOS, and performs direct calls into it. Resident programs, such as viruses, are then excluded from taking part in the virus scan process. This implies however that the regular resident programs remain ignorant too with regard to the file access by TbScan. That is why it is not recommended to use this option when you use a multitasker or when you are connected to a local area network. Page 19 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. Also note that many protection software packages will be fooled by TbScan when using the -direct option. Don't be surprised when TbScan scans files you don't actually have any access to... When you use this option do not popup resident programs while TbScan is active! This is because resident programs do not know that some foreground program performs file access and a machine hang might occur. When you have installed the Thunderbyte card in your PC, TbScan will not search for the DOS entry point, but for the entry point of Thunderbyte. Otherwise Thunderbyte should warn you (correctly) that a program performs direct calls into DOS and the BIOS. So only Thunderbyte remains between TbScan and DOS/BIOS. Since no viruses can be inserted between Thunderbyte and DOS/BIOS, this is completely safe. 3.6.7. -analyze Normally TbScan only uses the analysis method when the program to be checked is too complicated for the builtin interpreter. But through option -analyze you can force TbScan to use the analysis or browse method always. Keep in mind though that the program will perform more slowly and that false alarms may occur. Therefore it is recommended to refrain from this option while performing a normal scan session. Since this option also disables the internal disassembler of TbScan, most warning marks will not occur, bootsector virus droppers will not be detected, and the AVR modules will not be executed. The -analyze option can not be used if the -mutant option has been specified too. It would cause too many false alarms. If you expect a virus and TbScan does not find a virus, you'd better use the -mutant option rather than -analyze. The -analyze option does not increase the hit rate like the -mutant option. If you have the odd feeling that you have to increase the hit rate of TbScan you'd better use the -mutant option rather than the -analyze option. The -mutant option already detected some new unknown viruses, while the -analyze option did not and caused only false alarms. Without this option TbScan processes only executable files, even if a (wildcarded) filename has been specified. However, if you want to scan non-executable files you have to use the -analyze option. TbScan can only scan non-executable files if the -analyze option has been specified because non-executable files can not be disassembled. Since there are no specific signatures for non-executable files TbScan scans for all signatures in all files just to be able to find anything at all. So, if you use the -analyze option in combination with an explicite Page 20 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. filename specification, TbScan scans ALL matching files for ALL signatures. Needless to say that this combination is NOT recommended due to its low performance and exessive amount of false alarms. It is only provided to gain some compatibility with other scanners. 3.6.8. -extract This option is available for registered users only. See chapter "defining a signature" for usage of option -extract. 3.6.9. -valid TbScan checks the signature file for modifications. If you change the contents of that file TbScan will issue a warning. If you don't want the warning to be displayed, use the -valid option. 3.6.10. -once If you specify this option TbScan "remembers" that is has been used that day, and it will not run anymore a next time on that day if you specify this option again. This option is very powerfull if you use it in your autoexec.bat file in combination with a list file like: TbScan @Everyday.Lst -once -rename TbScan now scans every day the first time being invoked the list of files and/or paths specified in the file "Everyday.Lst". All other times the machine will boot that day, TbScan will return to DOS immediately. This option does not interfere with the normal use of TbScan: If you invoke TbScan without the -once option it will always run, regardless of a previous invokation with the -once option. The opposite is also true: if you use the option -once after TbScan has been executed before that day without the -once option, TbScan will still execute. Note that if TbScan can not write to TbScan.Exe because it is read-only or located on a write protected diskette, the -once option will fail and start the scanner always. 3.6.11. -compat If you specify this option, TbScan tries to behave somewhat more compatible. Use this option if the program does not behave as expected or hangs the machine. This option will slow down the scan process so it should only be used when necessary. Note that option -compat does not affect the results of a scan. 3.6.12. -nosnow If you use TbScan on a machine with a CGA video system TbScan Page 21 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. can cause "snow" on the screen. Option -nosnow can be used to eliminate the snow. TbScan will perform a little slower in that case. 3.6.13. -noboot If you specify this option TbScan will not scan the bootsector. 3.6.14. -sector This option is experimental. This option enables the feature to scan a disk at sector level. This way you can trace viruses that reside outside the files and bootsector and difficult stealth viruses. This option might also tell you that a virus ever resided on the machine in the past. If this option detects a signature it does not mean that the virus should be still active. Even if TbScan deleted the virus this option is still able to detect the signature for a while. This option is NOT recommended for a normal search. Note that TbScan is not able to detect suspicious facts anymore; it can not disassemble files with this mode. False alarms may occur frequently since everything is being searched for, and search is even performed in unused disk space containing garbage. 3.6.15. -nomem If you specify this option TbScan will not scan the memory of the PC for viruses. 3.6.16. -allmem If you specify this option TbScan will search for all viruses of the signature file in the memory of your PC, regardless of the virus type. This option is not recommended since many viruses have a different signature after they install themself in memory and a scan for non-memory specific viruses in memory makes no sense at all. It may cause a lot of false alarms. It is provided to maintain some compatibility with other scanners. 3.6.17. -hma TbScan detects the presence of a XMS-driver, and scans the HMA automatically. If you have a HMA-driver not compatible with the XMS standard you can use the -hma option to force TbScan to scan the HMA. 3.6.18. -nohmem By default TbScan searches for RAM above the DOS limit and scans that too. This means that even video memory and the current EMS pages are scanned. You can use the -nohmem option to disable the scanning of memory above the DOS limit. Page 22 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. 3.6.19. -nosub TbScan will default search in subdirectories for executable files, except when a filename (or wildcards) are specified. If you use this option TbScan will never search in subdirectories. 3.6.20. -sub If you use this option TbScan will always search in subdirectories, even when you specify a filename or wildcards. Only subdirectories matching the filename mask will be scanned too. 3.6.21. -noavr If you specify this option TbScan will not search for AVR modules (Algorithmic Virus Recognition modules; .AVR files) at startup and will not perform any algorithmic searches on files. 3.6.22. -delete or -del If TbScan detects a virus in a file it prompts the user to delete or rename the infected file, or to continue. If you specify the -delete option, TbScan will not ask the user what to do but it just deletes the infected file. Use this option only if you already found out that your system is infected, and if you have a trusted backup, and wants to get rid of all infected files at once. 3.6.23. -rename or -ren If TbScan detects a file virus it prompts the user to delete or rename the infected file, or to continue. If you specify the -rename option, TbScan will not ask the user what to do but it just renames the infected file. By default, the first character of the file's extension will be replace by the character "V". A .EXE file will be renamed to .VXE, and a .COM file to .VOM. This prevents the infected programs from being executed, but the program can still be examined or repaired at a later time. You can also add a parameter to this option specifying the target extension. The parameter should always contain 3 characters, question marks are allowed. The default target extension is "V??". 3.6.24. -batch If TbScan detects a file virus it prompts the user to delete or rename the infected file, or to continue. If you specify the -batch option TbScan will always continue. This option is intended to be used in a batch file that would be executed unattended. It is highly recommended to use a log file in this situation, otherwise the scanning does not make very much sense. 3.6.25. -repeat Page 23 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. The option is very powerfull if you want to check a large amount of diskettes. TbScan does not return to DOS after checking a disk, but it waits until you inserted another disk in the drive. You don't have to press a key on the keyboard when ready, TbScan detects automatically when the drive is ready to be accessed. This way you can check a large amount of diskettes without touching the keyboard. One thing you will notice however is that the motor of the disk drive keeps spinning, and the light keeps burning. This does not harm your drive in any way, you can safely open and close the drive-door while the motor still runs. Many backup programs handle the drives the same way as TbScan does. 3.6.26. -log When you use this parameter, TbScan creates a LOG-file. The default filename is TBSCAN.LOG and it will be created in the current directory. You may optionally specify a path and filename. In the LOG-file all infected program files are listed. The filenames are specified including the complete path name. If the log file already exists the information will not be overwritten but instead appended to the file. If you use this option often it is recommended to delete or truncate the log file every month to avoid unlimited growth. 3.6.27. -session This option is the same as the -log option, except that if there already exists a log file the log information will be overwritten instead of appended. A log file created by the -session option only contains information of a single scanning session. 3.6.28. -loginfo If you use a log file and wants to log files with lowercase (informative) warnings too you should specify this option. 3.6.29. -logall If you use a log file and wants to get all files listed in the log file unconditionally you can use this option. 3.6.30. -data You can override the default path en name of the signature file by using this option. TbScan normally tries to locate a data file by itself. See chapter 3.10 for information how TbScan searches for a data file. If TbScan does not succeed in recognizing or locating the appropriate data file by default, or you want to override the default data search, you should use the -data option. Page 24 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. 3.7. Examples: TbScan \ -data c:\TbScan.Dat -noboot Process all executable files in the root directory and its sub directories. Skip the bootsector scan. Use the signature file "c:\TbScan.Dat". TbScan \*.* Process all executable files in the root directory. Don't process sub directories. TbScan Test.Dat -log c:\test.log No file will be processed. TEST.DAT is not an executable. A LOG file with the name c:\test.log will be created. TbScan Test.Dat Test.Tmp -analyze Search Test.Dat and testp for ALL viruses using the analyze method. TbScan c:\ -analyze -rename vi? Process all executable files in the root directory and its sub directories. Use the analysis method. Rename infected files to a file by replacing the first two characters of the extension by "VI". The last character remains the same. TbScan c:\*.* -analyze Process ALL files in the root directory. Search for ALL viruses in ALL files. The analysis-method will be used. Sub directories will not be processed. The last two examples shows the difference in behaviour of the -analyze parameter when a filename and when no filename has been specified. 3.8. Environment variable If you want to use certain options always, it can be handy to use the environment variable "TBSCAN" for this. For instance, if you always use the option -noboot and always specifies the signature file to be used, you can insert the following line into your autoexec.bat file: SET TBSCAN=-LOG -DATA C:\TBSCAN.DAT -NOBOOT TbScan now always acts like you specified the -noboot and -log option on the command line! Another good item to include in the environment variable is the Page 25 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. option -data, to specify which data file should be used by default. 3.9. The configuration file For people that like the use of configuration files: TbScan can be configured with a configuration file. The configuration file should be in the same directory as the file TbScan.Exe, and the name of the configuration file should be TBS.BAT (surprise, surprise). The format of this configuration file is as follows: tbscan %1 %2 %3 %4 %5 %6 %7 %8 %9 [<default options...>] Example: tbscan %1 %2 %3 %4 %5 %6 %7 %8 %9 -direct -data c:\virus\Virscan.Dat To use this configuration file you have to type "TBS C:\" on the DOS prompt. If you want to override the default options specified in the TBS.BAT file just type "TBSCAN". This configuration file is very powerfull. You can even define mnemonics like "DAILY" and "WEEKLY" to invoke a predefined scan session. However, it is still possible to specify additional options on the command line. If TbScan detects a virus the file Virus.Txt will be printed on the screen. The file should contain information like the phone number of the company helpdesk and the phone number of the security officer. An example: @echo off if '%1'=='daily' goto daily if '%1'=='weekly' goto weekly :help echo Type "TBS weekly" or "TBS daily" to start a scan event goto end :daily tbscan c:\system d:\ -quick %2 %3 %4 if errorlevel 2 goto help if errorlevel 1 goto virus goto end :weekly tbscan c:\ d:\ e:\ -log c:\logs\tbscan.log %2 %3 %4 if errorlevel 2 goto help if errorlevel 1 goto virus goto end :virus type virus.txt :end For more information about this kind of powerfull "configuration" files consult the DOS manual and search for the keyword "batch Page 26 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. files". Most people overlook the power of the DOS batch file features. But, why learning yet another configuration file language if a DOS batch file will suit your needs perfectly? You can predefine scan sessions, define default options, and branch to a specific routine if TbScan detects a virus. On the TbScan diskette you will find an example BATCH file with the name TBS.BAT. You can edit it to suit your needs. 3.10. The TbScan.Msg file TbScan prints the TbScan.Msg file on the screen after 15 seconds or when it finished scanning and it has not detected a virus. The file TbScan.Msg as supplied by us contains our address and registration information. However, you can edit this file as you like, it is possible to define your company logo in this file. 3.11. Residence of the signature files TbScan looks for the data file in this order: 1) If the -data option is used it will use the specified file. 2) It searches in the active directory for a file with the name TBSCAN.DAT. 3) It searches for TBSCAN.DAT in the same directory as the program file TBSCAN.EXE itself is located (only DOS 3+). 4) It searches in the active directory for a file with the name VIRSCAN.DAT. 5) It searches for VIRSCAN.DAT in the same directory as the program file TBSCAN.EXE itself is located (only DOS 3+). TbScan also looks for a datafile containing emergency update signatures. The file should be named ADDNSIGS.DAT. It should be either in the current directory or in the TbScan home directory. 3.12. Residence of the AVR modules The AVR modules are only searched in the directory where the program TBSCAN.EXE itself resides. 3.13. Error messages Errormessages that might be displayed: + Error in data file at line <number>. There is an error in the specified line of the data file. Page 27 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. + Failed to locate DOS entry point. TbScan has not been able to locate the DOS entry point, but continues as if option -direct has not been specified. + Limit exceeded. The total amount of internal signature information exceeded 64Kb. This message will be displayed if the number of signatures reaches 2500. You can either reduce the number of signatures or make them shorter. + Data file not found. TbScan has not been able to locate the data file. + Command line error. An invalid or illegal command line or environment option has been specified. + Can not combine -mutant with -analyze. It is not allowed to combine the options mentioned, it would cause too many false alarms, and does not make sense at all. + No matching files found. The path specified does not exist, is empty, or the specified file does not exist. + No matching executable files found. The path specified does not exist, is empty, or the specified file does not exist or is not an executable file. + Can not create logfile. The optional specified log file path is illegal, the disk is full or write protected, or the file already exists and can not be overwritten. + Sanity check failed! TbScan detected that its internal checksum does not match anymore. TbScan is possibly contaminated by a virus. Obtain a clean copy of TbScan, put it on a WRITE PROTECTED bootable diskette, boot from that diskette, and try again! Page 28 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. 4. FORMAT OF THE DATA FILE 4.1. Format of a signature entry The data file (called TBSCAN.DAT or VIRSCAN.DAT) can be read and/or modified with every DOS-text editor. All lines starting with ";" are comment lines. TbScan ignores these lines. When the ";" character is followed by a percent-sign the remaining part of the line will be displayed on the screen. A maximum of 8 lines can be printed on the screen. In the first line the name of a virus is expected. The second line contains one or more of the next words: BOOT SYS EXE COM HIGH LOW These words may be separated by spaces, tabs or commas. BOOT means that the virus is a bootsector virus. SYS, EXE and COM indicate the virus can occur in files with these extensions. Overlay files (with the extension OV?) will be searched for EXE viruses. BIN files will be searched for SYS viruses. HIGH means that the virus can occur in the memory of your PC located above the TbScan program itself. LOW means that the virus can occur in the memory of your PC located below the TbScan program itself. In the third line the signature is expected in ASCII-HEX. Every virus character is described by means of two characters. One entry in the signature file should look like: ; Test virus EXE COM ABCD21436587ABCD ; It is allowed to use spaces in the ASCII-HEX signature to increase the readability. The sequence of three lines should be repeated for every virus. Between all lines comment lines may occur. 4.2. Wildcards TbScan allows you to use wildcards in a signature. Wildcards can be used to define one signature that recognizes a couple of related viruses. - The ? wildcard. Page 29 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. The question mark specifies a wildcard nibble, which means that the corresponding half of the byte may have any value. Example: A5E623CB??CD21?883FF3E - The * wildcard. You can use the asterisk followed by an ASCII-HEX character to skip a fixed amount of bytes in the signature. The ASCII-HEX character specifies the amount of bytes that should be skipped. Example: A5E623CB*3CD2155??83FF3E?BCD This sequence of bytes will be recognised as a virus: A5E623CB142434CD21554583FF3E3BCD - The % wildcard. A percent sign (%) followed by an ASCII-HEX character indicates that the remaining part of the signature could be located a number of bytes away. The ASCII-HEX character specifies the maximum distance the remaining part should occur. - The ** wildcard. You can use the "**" -wildcard to skip an unlimited variable amount of bytes in the signature. 4.3. Restrictions. + The name of a virus may contain up to 30 characters. + The ASCII-HEX signature may contain up to 132 characters. + A signature must contain at least one sequence of two non-wildcard bytes. A sequence of four however is recommended. + The signature should start with one non-wildcard byte. + The %-wildcard should not be followed by any other wildcard. Examine the VIRSCAN.DAT or TBSCAN.DAT file for a "live" example of the format of the signature file. 4.4. Defining new signatures. This chapter is intended for advanced users only. You need to be registered (owning a TbScan.Key file or a Thunderbyte add-on card) to be able to use the following guideline. Page 30 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. Although the supplied data file is updated frequently it might happen that your system is infected by a yet unknown virus. Next chapter indicates how to determine this is the case. If you are completely sure the system is infected by a virus, and TbScan does not detect it, it fails even with the -mutant option, TbScan can be used to define a temporary signature. - Collect some infected files and copy them into a temporary directory. - Boot from a clean write-protected diskette. The next steps you should NOT execute ANY program from the infected system, even when you expect the program to be clean. - Execute TbScan with the -extract option in the directory containing the infected files. TbScan will NOT scan but instead display the first instructions at the entry-point of the infected programs. It is recommended to use the -session option of TbScan. - Compare the "signatures" produced by TbScan. You should see something like this: VIRUS1.COM 1234ABCD5678EFAB909090ABCD123478FF VIRUS2.COM 1234ABCD5678EFAB901234ABCD123478FF VIRUS3.COM 1234ABCD5678EFAB9A5678ABCD123478FF If the "signatures" are completely different, the files are possibly not infected, or they are infected by a virus that requires an AVR module to detect it. - Replace all differences in the "signatures" by question marks ("?"). A signature to detect the "virus" in the example above could be: 1234ABCD5678EFAB9?????ABCD123478FF - Add the signature to the data file of TbScan. Give the virus a name and specify the EXE and COM keywords. - Run TbScan again in the directory containing the infected files. TbScan should now detect the virus. - Send a couple of infected files to a recommended anti-virus researcher, preferrable to us. Congratulations! You have defined a "do-it-yourself" signature! Now you can scan all your machines to search for the new virus. However, keep in mind that the signature is a "quick-and-dirty" solution. Some instances of the virus might not be recognised, and some innocent programs might be suspected from a virus. A signature that is guaranteed to detect all instances of the virus can be achieved only after complete disassembly of the new virus. For these reasons you should NOT distribute the "signature" to others. The final signature assembled by experienced anti-virus researchers will be completely different in most cases! Page 31 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. Page 32 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. - The size of one or more programs has increased. - The screen behaves strangely, or you will find unusual information displayed here. 5.1. Prevention - ChkDsk detects many errors. Prevention is always better than cure. You can prevent an infection by using reliable software only, that is software of which the 5.2. Confirmation origins are known. Once you think your system may have a virus, try to get MAKE SURE YOU HAVE AN UNINFECTED WRITE-PROTECTED BOOTABLE DOS DISK confirmation. You can get confirmation by using a virus scanner, or STORED IN A SAFE PLACE. The disk will be needed in case of by booting from the uninfected write protected DOS diskette and infection. Without an uninfected bootable disk you will never be comparing the files on the hard disk to the known uninfected able to get rid of any virus! The disk should be write protected to original copies. DO NOT RUN ANY PROGRAM ON THE HARD DISK WHILE make sure it will remain uninfected. This is very important. AND BEFORE PERFORMING THIS TEST TO PREVENT THE VIRUS GOING RESIDENT IN MEMORY. If the files have not been changed there is no file Only boot from your hard disk or from your original DOS diskette. virus. If they all get changed in the same way, it is very likely NEVER use someone's else's disk for booting. Should you have a hard the files are infected by a virus. The bootsector is more difficult disk make certain that you have opened your floppy drive before to test. Use the DOS SYS command to replace the bootsector in case resetting or booting your PC. of doubt. Use the DOS program ChkDsk frequently (without the /F switch). Page 33 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. its cause. Some highly suspicious alterations are: Note that file viruses infect other programs. It is very unlikely - Programs do not operate as they used to, or cause the computer to find only one or a very few infected programs on a hard disk to "hang" or reboot after some time. used frequently. If TbScan reports a virus in only 1% of the files - Data disappears or gets damaged. on your hard disk, you should treat it as a false alarm. If you did not expect to find a virus but used the -analyze option of TbScan which detected a "virus", forget about it. The -analyze option has never caused a virus to be detected that remains undetected in normal scan sessions. It causes many false alarms instead. If you find a virus, do NOT use "your" TbScan to check other machines, except when you have copied it to a write protected diskette before the system became infected. Although TbScan performs a sanity check immediately after the invokation, there are some viruses that are able to fool every self-check, and TbScan migh carry such a virus without detecting it. 5.3. Identification Indentify the virus. Why is this so important? Because if you know which virus caused you the trouble you know what the virus has exactly done, and whether your data files are still reliable or damaged. You can use a virus scanner to identify a virus. Once you know the name of the virus you have to obtain additional information about the virus. You can log on to our support BBS, consult professional literature, or consult a virus expert. If the virus only infects executable files you have only to replace the executable files. But if the virus swaps some bytes on a random location of your hard disk everytime you execute a program, you have to replace your data files too, even when you didn't see any changes in your data files. 5.4. No Panic! The most important thing to do is NOT PANIC! Panicking doesn't help you, as you need to be calm to deal with the situation properly. In most cases of virus infections in the past, most of the damage has been done by the operator of the system, not by the virus. Do nothing at all except for identifying the virus and obtaining information about the virus. Reformatting the hard disks immediately is the worst you can do. Once after you know exactly what the virus does, you can work out a strategy to recover. DO NOT MAKE A NEW BACKUP OF YOUR SYSTEM UNLESS YOU DON'T OVERWRITE AN ALREADY EXISTING BACKUP. In this case label the backup as being infected and unreliable. 5.5. Recovering Page 34 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. For all recovery activities it is important to boot from your uninfected write-protected DOS diskette. Do NOT run any program from your hard disk! The virus must stay out of your memory while cleaning the system. Restore the DOS system and bootsector by using the DOS SYS command. In case of a file virus, restore all executables. A virus removal utility is not recommended unless you don't have a backup of the uninfected executable files. Depending on the virus it might also be necessary to replace all data files. If the system has been infected by a virus that modifies the partition table it might be necessary to perform a low level reformat of your hard disks. If you used an utility to backup the partition table (like TbRescue) it isn't necessary to reformat the disks, just restore the partition table. Once the system has been cleaned, check all diskettes, backups, etc. One infected diskette can cause you the same trouble again. It is highly recommended to protect your system against re-infections, since it is possible that you forgot to clean one floppy. Use a virus scanner frequently, install a resident scanner (like TbScanX), or better, install the Thunderbyte PC Immunizer. Page 35 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. 6. CONSIDERATIONS AND RECOMMENDATIONS 6.1. What should be scanned? In the early days of viruses, virus scanners just scanned everything. Today we know that this approach has serious disadvantages: the number of false alarmes is very high, the scan speed is very very slow, etc. Before we proceed, let's first establish some facts about viruses. A virus is just a program. Like any other program, if you don't execute it it will not do anything except for occupying disk space. This means that data files like text files can never spread a virus. Of course, it is possible to copy a virus into a .TXT file, but since the text file will never be executed, the virus will never be able to do anything. It is just a stream of bytes, like the text in the text file. A program and a boot sector however will be executed, and if they contain a virus the virus will gain control and perform its nasty operations. We now know that it doesn't make sense to scan non-executable files. Note that a batch file (.BAT) is just a text file, it can be "executed" in some way, buy it is not possible to make a virus in the batch file language. What we need to scan are files with the extensions EXE COM OV? SYS and BIN. What do these programs contain? Of course they contain program code, but they also contain data. The texts that will be displayed on the screen by that program are just data. They will never be "executed". The exe-header of an exe file does not contain any code, only data. The exe-header is only used by DOS to load the program, and it is thrown away before DOS passes control to the program. We don't have to scan it, that's easy enough. The same applies to the bytes after the so called load-module of the file. This area of a file will not be loaded in memory at first instance, so we can skip it also. Unfortunately, the remaining part of the executable file is most of the time the largest. The code-data ratio differs for each program, but on the avarage we can state that about one third of a program consists of data. However, it is hardly possible to divide a program into code and data. Even the operating system is not able to do this, only the program itself. What happens when you execute a program is that the operating system passes control to the file at a fixed location. The location is the first byte in case of a .COM file, or a location specified in the exe-header of a .EXE file. This location is referred to as ENTRY-POINT in this manual. This location is the only location in a file from which we can be 100% sure it contains code. For other locations we can only guess. How does a virus work? Page 36 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. A virus that wants to infect a file can not just throw its viral code at a random location in that file, it won't work. The virus has to be sure that its code will be executed before the host program gains control. Why? Because if the contaminated program finds itself altered it will behave unexpected. The program accesses internal resources that are overwritten by the virus and the program crashes. Besides, how does the virus know whether that random location will be ever executed? There is only ONE location that will always be executed, and that is the entry-point of the program. To infect a file the virus has to link itself onto the entry-point and store the original instructions of the program at another place. The virus is now sure it will gain control instead of the host program, and the virus has the possibility to restore the original instructions before passing control to the host program. There has never been any virus reported that does not link itself to the entry-point of a program. This brings us to a very important fact: if we scan the location where we can find the first instructions of the program we are sure we are scanning the area where the virus would reside. TbScan uses this knowledge and normally scans a window of about 4Kb around the program's entry point. This is called "Checking". If you want to know more about this process consult chapter "The internals of TbScan". Note that it is not "unsafe" to restrict the area where we search for viruses. If the signatures are assembled according to this knowledge it is always possible to detect the virus in the scanning area. This tackle has been adopted by many other competitive virus scanners. If TbScan is not completely sure about the entry-point of the file it just scans all the program code of the file using the "browse" or "analyze" algorithm. 6.2. The internals of TbScan 6.2.1. How is that blazingly speed achieved? The speed of TbScan is achieved by many measures. To avoid false alarms, TbScan already scans restricted areas of the file, and of course, this approach also affects the speed in a positive way. Disk access is minimized, and not much data has to be searched. TbScan is entirely written in assembly language. High-level languages like Pascal and Basic have an enormous overhead which not only affects the size of the program but also reduces the execution speed. The search routine is highly optimized. Every byte to be scanned is only accessed once, regardless of the number of Page 37 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. signatures. Execution time will hardly increase when it has to search for 3000 signatures instead of 300. The search algorithm used can be described as "rotating semi-double 16-bits hashing". The number of DOS function calls has been minimized. DOS is relatively slow, and access should be avoided as much as possible. For this reason TbScan walks just once through a directory instead of first processing the files and secondly the subdirectories or vice versa. TbScan writes directly to the screen instead of using DOS or the BIOS to do this. Although TbScan has a scrolling window, screen access is minimized as much as possible without affecting the visual appearance of the program. TbScan has a built-in disk cacher. A disk cacher is already installed on many machines, but a normal disk cacher slows down the scan speed of a virus scanner instead of increasing it! This slow down is caused by the disk cacher, that tries to make assumptions on what the program will read next, but fails doing so. The disk cacher fails because it doesn't know that every file is accessed just once, and it also doesn't know that the remaining part of a partial scanned file will not be accessed at all. The cacher wastes many clock cycles by reading ahead and maintaining megabytes of data which will not be accessed anymore by the scanner. On the other hand, the directories and the FAT are accessed a lot, and a disk cacher could increase the performace a lot if it would restrict itself to these areas. The solution is to disable the standard disk cacher and installing one that "knows" which data will be re-used and which not. TbScan disables any disk cacher and installs its own one. Depending on the hardware specifications of a machine, disabling the original cacher increases the scanning speed with about 10% and installing its own one with another 10%. TbScan dynamically optimizes the lookahead buffers of DOS (the Y parameter of the "BUFFERS=X,Y" command in the config.sys). Temporary disabling the DOS lookahead buffers increases the scanning speed for the same reasons as disabling a disk cacher increases the speed. 6.2.2. The code interpreter Viruses can infect program files only in certain ways. For a virus there is only one single point in a program file of which it is certain that it must be executed, namely the starting point of the program. It cannot be sure of any other point and that is why it will not try to put its first code on an arbitrary spot of the program that it is planning to infect. The virus will always have to put AT LEAST one instruction at the entry point of the program. Page 38 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. TbScan uses this knowledge to restrict the number of bytes that have to be read in of a file as much as possible. Just as the loader of DOS itself, it determines where the entry point of the program is located. (At the beginning of a COM-file and on an address, specified in the EXE-header of an EXE-file.) This is however not enough; there can also be a jump or another branch instruction on the located entry point of the program. TbScan will follow this jump until it does not come across a jump anymore. Then we have found the real starting point of the program or, in case it has been infected, the virus. There is a possibility however that on a certain moment TbScan has reached the end of a chain of jumps and then finds that there are new significant IP modifying instructions (calls, rets, irets, jumps) not far from the found starting point. Does this future jump point to the virus code, or are we already on the right location? TbScan does not take any risk and in such a case it will read in the whole file to search for viruses. Only when it is 100% sure to have found the real starting point of a file, where in addition at least 20 bytes of continuous code are situated (the code is "stable" then), TbScan will be satisfied with checking only the surrounding 4 Kb of the found code. (Almost all viruses use less than 4 Kb and of viruses using more than 4 Kb the signature in the first 4 Kb of the virus is used as the signature.) 6.2.3. The algorithms When TbScan processes a file it prints "Checking", "Tracing", "Browsing", "Analyzing" or "Skipping". 6.2.3.1. Checking "Checking" means that TbScan has successfully located the entry point of the program, and is scanning a frame of about 4Kb around the entry point. If the file is infected the signature of the virus will be in this area. "Checking" is a very fast and reliable scan algorithm. Checking will be used on most files if you run TbScan in default mode. 6.2.3.2. Tracing "Tracing" means that TbScan has successfully traced a chain of jumps or calls to locate the entry point of the program, and is scanning a frame of about 4Kb around the entry point. If the file is infected the signature of the virus will be in this area. "Tracing" is a fast and reliable scan algorithm. Tracing will be primary used for TSR-type COM files or Turbo Page 39 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. Pascal compiled programs. 6.2.3.3. Analyzing "Analyzing" means that TbScan is scanning the entire file (except for the exe-header which can not contain any viral code). This algorithm will be used if "Checking" or "Tracing" can not be safely used. This is the case when the entry-point of the program contains other jumps and calls to code located outside the scanning frame. "Analyze" is a slow algorithm. Because it processes almost the entire file (also data area's) there is a greater chance of false alarms. In the past all reported false alarms occured with this algorithm. This algorithm can be forced on the command line with the -analyze option. It is however not recommended for a routine scan due to its tend to issue false alarms. "Analyze" or "Browse" will be used while scanning memory, bootsectors, SYS and BIN files. 6.2.3.4. Browsing "Browsing" is almost the same algorithm as "Analyzing", but it performs a little better on files containing long sequences of low ASCII, 00 or FF bytes. On other files (like compressed files) it performs worse, so TbScan selects the best algorithm for every file. "Browsing" is as reliable as "analyzing" but also has the same tendency to cause false alarms. In fact, every dumb scan algorithm (i.e. algorithm without intelligence) will suffer from this kind of unreliability. 6.2.3.5. Skipping "Skipping" will be performed on SYS and OVL files only. "Skipping" simply means that the file will not be scanned. As a matter of fact, there are many SYS files that contain no code (like CONFIG.SYS). It makes absolutely no sense to scan these files for viruses. The same applies to .OV? files. Only a few of them contain an EXE-header and are suitable for a virus. If a virus is reported to infect overlay files it means that the virus monitors the DOS exec-call (function 4Bh) and infects every program being invoked with this call. Overlay files without EXE-header will never be invoked via DOS, so no virus will be able to infect such an "overlay". If a file has the extension OV? but isn't really an overlay file it will be skipped. Surprisingly enough, most .OV? files are just named so by their programmers, but they are absolutely not real overlay files and a virus can infect them as much as it can do with a .TXT file, with other words: not at all. The -analyze switch forces TbScan to use "analyze" or "browse" on these files. 6.2.4. The -compat option Page 40 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. The -compat option is used to increase compatibility if the default behaviour of TbScan causes problems. The differences between default and compatibility mode are: - TbScan tries to bypass disk cachers in default mode. However, in compatibility mode TbScan does not interfere with the disk interrupts and will not disable any disk caching software. - In default mode, TbScan installs a disk cacher if enough memory is available. In the compatibility mode TbScan never installs the internal disk cacher. - In default mode, TbScan dynamically optimizes the DOS disk buffers (the Y-parameter of the BUFFERS=X,Y command) to achive the best performance while scanning. When TbScan terminates it restores the original DOS configuration. However, in the compatibility mode TbScan does not alter any internal DOS configuration. - While scanning memory, TbScan temporary disables the interrupts for each 32 Kb-block being scanned. In compatibility mode however TbScan performs a non-destructive scan and does not disable interrupts at all. It offers the highest compatibility, but memory scanning may slow down considerably in some circumstances. - If the -compat switch has been specified TbScan does not use AVR-modules to scan memory. Files are still processed by the AVR-modules. Memory AVR-modules might contain virus specific function requests that might interfere with resident software. 6.2.5. Recursing through directories Since you might be interested in a high scan speed rather than a well-organized scan order, TbScan digs into a subdirectory as soon as it detects one. This can result in a confusing screen output, files of subdirectories can be printed on the screen in a mixed order. root file.1 file.2 subdir1 subdir1 file.11 file.3 file.12 file.4 file.13 Files will be accessed in the following order: file.1 file.2 Page 41 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. file.11 file.12 file.13 file.3 file.4 Although file.2 and file.3 reside in the same directory the files of subdir1 will be inserted between them. 6.3. The Sanity check TbScan performs a sanity check when it fires up. However, to be honest, it is NOT possible for software to be sure for 100% it is not infected. If this was the case the virus problem could be solved by incorperating a self check in every program. Unfortunately, self-checking works as long as the program is not infected by a so called "stealth" type virus. A stealth virus is able to hide itself completely for every self check. This is not a TbScan bug, it applies to ALL software that performs a sanity check. Therefore, we recommend to put a clean TbScan on a write protected diskette. Use this diskette to check other machines once you find a virus in your own machine. 6.4. How many viruses does it detect? Some people think that TbScan recognizes only 300 viruses, based upon the fact that the signature file contains only 300 signatures. What they not realise is that the signatures are family signatures, and that means that just one signature covers multiple viruses. For instance, the Plo/Jerusalem signature detects over 25 viruses which are all based on the "original" Jerusalem virus! Only one (wildcarded) signature is used to cover all these mutants. Some competitive products count every virus mutant as a single virus, and it will not be suprising that they claim to detect over 800 viruses. However, TbScan detects the same amount (and often more!) of viruses with "only" 300 signatures. 6.5. Testing the scanner Many people like to test the product they are using. While it is very easy to test for instance a word processor, it is very difficult to test a smart scanner like TbScan. You can not extract 25 bytes of an executable and put it in the data file just to see whether TbScan finds the "signature". It is likely that TbScan does NOT find it because it only scans the entry-area of the file and the "signature" might be extracted from some other location within the file. Even the -analyze option will not always cause the "test-signature" to be detected. Page 42 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. But, you might think, how can I test the scanner if defining a "test-signature" does not work? I think you can't, unless you are an experienced assembler programmer. Sorry, but testing a disassembling scanner should be performed by virus experts only. Fortunately, you don't have to rely on our tests solely. There are some anti-virus magazines who regulary publice tests of all virus scanners. At the end of this document you will find some addresses of recommended magazines. Anyway, third parties tested our scanner amongs others, and they found TbScan to have a very high hit rate. It detects even more viruses than many populair scanners. 6.6. Scan scheduling Is is recommended to "plan" how and when you scan your system. Creation of a special TbScan boot-diskette is highly recommended. Boot from your original DOS diskette. Use the diskcopy command to copy the DOS diskette to a new diskette. Delete all files on this diskette, except the two hidden system files and command.com. Copy all TbScan files to the diskette. Make a new autoexec.bat file which should contain the line "TbScan C:\". Write protect the diskette with the write protect tab. The following scan sessions (listed in order of importance) are recommended: - Run TbScan once a week without the -analyze and without the -quick option from A WRITE PROTECTED BOOTABLE DISKETTE. Boot from this diskette before invoking the scanner. We agree that it is awfull to boot from a diskette, but it is the only way to be sure that no stealth virus is resident in memory. - It is recommended to invoke a daily scan without the -quick and without the -analyze option. You can invoke TbScan with the -once option from within the autoexec.bat file to perform the daily scan session automatically. It is not necessary to boot from the bootable TbScan diskette to perform the daily scan. - You can optionally run TbScan with the -quick option after the lunch. - It is recommended to use the -analyze option once a month. Note that this option disables disassembly and algorithmic search, so it should not be used on every scan session. The -sector and the -mutant option should never be used in a normal scan session but only when you expect the system to have a virus. 6.7. Extensions to the format of the data file Page 43 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. There are some other scanners which understand the data file format of TbScan. Some of these scanners understand certain extensions of the data file which can be considered really weird, and we will not implement them. These extensions include special signatures for upper memory, overlay files, and numerous specific confusing filename extensions, different keywords for the same items, and XOR-decryption directives. TbScan scans the upper memory for LOW-type viruses (since any LOW-type TSR can be loaded in upper memory with DOS 5.0), overlay files for EXE-type viruses (since overlays are just a special kind of EXE file), and XOR decryptions can be performed better from within AVR modules. 6.8. Compressed files Many executable files are compressed or packed. They contain an unpack routine which unpacks the executable in memory to the original program image. The simplest compressor is the Microsoft ExePack program. This compressor is even included in the link program itself (use the /E option while linking to pack the executable), so it isn't surprising that many files are compressed. Many programs have been compressed afterwards. If the program contained a virus the virus has been compressed too. The virus will still be able to execute, but a scanner will no longer recognize the virus because the signature is compressed too. Note that if the file becomes infected after it has been compressed the virus is not compressed and will be visible as usual. The problem only exists when a file has been infected first and compressed afterwards. However, you can consider this as a minor problem, since files are often compressed by the programmer of the product, and most programmers are aware of the existence of viruses. If the programmer did not compress the file, well, then the file is not compressed and the problem does not exist at all. At least, if you obtain the original version of a program. If you obtain a "copy from a copy, i.e. an illegal copy", well, one of the previous "owners" of the product might have compressed the file, and then you are in trouble. Anyway, if you have a virus inside a compressed file, the virus itself might not be visible on that file, but the other files that will be infected by this virus will carry the virus as usual, hence the signature will be visible for all the newly infected files. So, if you have a virus inside a compressed file, the scanner will still detect the presence of the virus on all other programs, except for the compressed file that brought the virus into your system. TbScan displays a "p" behind every file that might have been Page 44 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. compressed with ExePack or any other compressor. TbScan does not unpack files, since too many files are compressed, and uncompressing every file would only be possible for a limited number of compression schemes, would be very time consuming, and last but not least not necessary. Once a compressed file has proved itself to contain not a virus, it will not be possible for the file to get infected internally afterwards. It makes no sense to unpack these files every time. If there isn't a virus the first time, there isn't one at subsequent times. 6.9. Other products A virus scanner is just one of the tools that are available to defend your system against viruses. Other products that might help you in your battle against viruses are: - Checksummers. Calculating a cryptographic checksum (or CRC) of every file and comparing it with previously recorded information may tell you whether a file has been changed since the last checksum event. Keep in mind however that checksum programs work only reliable if the system is not infected while the initial checksum calculation is performed. Note also that no checksum program is able to detect stealth viruses, except if you boot from a clean write protected diskette before performing the checksum calculations. Note also that it is normal that some executables change, they might store configuration information inside the executable itself. It is up to the user to interpret the information of the checksummer. Checksummers should only be used as an indication, but you can never rely on them. They have a high false positive rate, and also a high false negative rate. They can however be a handy additional tool. - Memory resident scanners. Scanning a system should be performed often. However, if you extract a file from an archive, or download a file, or just copy a file from a diskette, you should re-invoke your scanner to check whether you brought a virus in your system. This is tedious, and not many people have the discipline to do this every time. A resident scanner that automatically scans every file being created or modified on your system will be a valuable additional tool. Most resident scanners however consume much of your precious memory and slow down system performance. A resident scanner you might consider is TbScanX. It does not use much memory if you configure it to utilize expanded or unused video memory, and it performs very fast. - Virus removal utilities. Virus removal utilities (also called cleaner software) can be used after a file has been infected, to separate the virus from Page 45 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. the file. Although the removal utilities are very populair we don't recommend to use them. You better restore the original files in case of infection. If you still don't have any backup, make it NOW! There are many viruses that look like known viruses but in fact they are a slightly different virus (a mutant). The removal utility might not recognise the virus as being a mutant, and the utility removes too many or too less bytes, causing all executables to get damaged inreversible. - Memory resident monitoring software. It is possible to install software that monitors all DOS and BIOS activity and traps attempts to modify exectuable files, attempts to install TSR's, attempts to modify bootsectors, etc. Although these systems can be very reliable, it is always possible to bypass software with software. Keep also in mind that the protection software has to be in memory before any virus. This is possible for TSR type viruses, but bootsector viruses install themself in memory before any protection software can be loaded. And if the virus is in memory before the protection software, the virus can reroute all interrupts and the protection software will not be able to detect anything suspicious. Another disadvantage is that resident monitoring software consumes a lot of you precious memory. - Hardware immunizers. Hardware immunizers are the best possible solution. They don't consume much memory, are guaranteed to be first in memory, they are even active before the machine tries to boot and they can not be bypassed. A disadvantage is that installing such a device is more difficult compared to other anti-virus tools, and requires a free expansion slot. Page 46 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. 7. MISCELLANOUS INFORMATION 7.1. Distribution of the signature file The signature file (VIRSCAN.DAT) is updated every month. It will be distributed in an archive named VSIGYY##.ZIP (YY = Year, ## = release sequence number). Emergency updates are released in a file named ADDNSIGS.DAT which will be distributed in an archive named ASIGYY##.ZIP (YY = Year, ## = release sequence number). Most Bulletin Board Systems get a fresh copy of these files within 48 hours after the Master Copy on Bamestra BBS is updated. 7.2. Notes Some people use a shell or batch file to extract a file from an archive and use TbScan to scan a file immediately. This works fine, except when you have a non-write-through disk cacher. In this case the just created file might not be written to the disk yet, and TbScan will not find the file because it bypasses the disk cacher. If this applies to you, write the files to a ramdisk, or use the -compat switch or flush the cacher before invoking TbScan. 7.3. The TbScan.Sys driver TbScan tries to bypass disk cachers and viruses, and it performs direct calls into the BIOS code. In some circumstances however this can cause problems. Although the -compat option always solves these problems it also decreases the scan speed. Most of the compatibility problems can be solved without the -compat option if you install the device driver TbScan.Sys. System configurations causing problems that can be solved by TbScan.Sys are: - Hard disks requiring a special device driver to operate. - 80386 based systems running in V86 mode (Qemm, Windows), equipped with a harddisk controller that requires a transfer buffer in conventional memory. These systems always have some kind of device driver that provides the buffering service, or the Qemm DiskBuff option is used. To solve the problem install TbScan.Sys into the Config.Sys file AFTER the hard disk device driver and/or memory manager, but BEFORE a disk cacher. TbScan.Sys uses only 64 bytes, and it can be loaded high. 7.4. Exit codes Page 47 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. TbScan terminates with one of the following exit codes: Errorlevel 0: no viruses found, no error occured. Errorlevel 1: some error occured. Errorlevel 255: sanity check failed. Errorlevel >1 and <128: one or more viruses detected. When a virus is detected the errorlevel is used as a bit field: bit 1 (02) SYS file infected. bit 2 (04) EXE file infected. bit 3 (08) COM file infected. bit 4 (16) virus found in LOW memory. bit 5 (32) virus found in BOOTsector. bit 6 (64) virus found in HIGH memory. An errorlevel of 26 means that a SYS, COM and LOW virus is found (26 = 02+08+16). 7.5. Updates If you use TbScan you will need updates of the data file. Depending on the appearance of new viruses, new signatures will be added. You can obtain the most recent data file on the Thunderbyte support Bulletin Board System and many other independent BBS's. The name of the file you should look for is VIRUSSIG.ZIP or TBVIRSIG.ZIP. On the same BBS systems you can also find the most recent update of the TbScan program. For a list of Bulletin Board System phone numbers you should consult chapter 9. 7.6. Thanks TbScan would not have been evolved to its current state without the contribution of numerous of peoples. Special thanks to: Jan Terpstra, for maintaining the signature file. Righard Zwienenberg, for testing TbScan on over 20Mb of viruses. John Lots, for beta-testing and technical advices. Alan Solomon, for testing and discovery of a FCB problem. Harry Thijssen, for stimulating the speed competition. Robin Bijland, for advisory of the user interface and manual. Page 48 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. 8. OUR OTHER PRODUCTS 8.1. TbScanX There is also a (shareware) memory resident version of TbScan available with the name TbScanX. This version remains resident in memory and automatically scans every file immediately when it is going to be executed, copied, unarchieved, downloaded, etc. TbScanX performs even faster compared to TbScan, and uses not much memory. It is even possible to reduce the memory requirements of TbScanX to zero! TbScanX is by example able to make use of unused video-memory. TbScanX is available on many BBSses. It is of course also available at any Thunderbyte support BBS. At the end of this document you can find some phone numbers. 8.2. TbRescue Some viruses copy themself on the partition table of the hard disk. Unlike bootsector viruses, they are hard to remove. The only solution is to low-level the hard disk and to make a new partition table. TbRescue makes a backup of the partition table and bootsector, and this backup can be used to compare and restore the original partition table and bootsector once they are infected. You don't have to format your disk anymore. The program can also restore the CMOS configuration. If you don't have a backup of your partition table, TbRescue will try to create a new partition table, avoiding the need of a low-level format. Another important feature is that you can use TbRescue to replace the partition table code by code that is more resistant against viruses. The TbRescue partition code will be executed before the bootsector gains control, so it is able to check the bootsector in a clean environment. Once the bootsector is executed it is difficult to check it, because the virus is already resident in memory and can fool every protection. Instead of booting from a clean DOS diskette just to inspect the bootsector, the TbRescue partition code performs a CRC calculation on the bootsector just before control is passed to it. If the bootsector has been modified the Tbrescue partition code will warn you about this. The Tbrescue partition code also checks the RAM layout and informs you when it is changed. It does this every time you boot from your hard disk. Page 49 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. 8.3. Thunderbyte Thunderbyte was developed to protect Personal Computers against computer viruses, Trojan Horses and other threats to valuable data. It is a hardware protection, consisting of an adapter card, an installation and configuration program and a clear manual. The working of Thunderbyte is not based on knowledge of specific viruses, so Thunderbyte also protects against future viruses. A hardware protection offers much more protection than a software protection. Thunderbyte is already active before the operating system is loaded, so the computer will be totally protected right after the starting of the PC. Because of the many configuration possibilities and the intelligent algorithms, the use of Thunderbyte will never become a burden: you will hardly notice the presence of Thunderbyte in an environment without any viruses. Of course Thunderbyte is Windows compatible and can be used in Local Area Networks. Advantages of a hardware protection: + The protection uses very little (1Kb) RAM + The protection is already active before the first boot attempt of the PC, and therefore protects also against bootsector viruses. A software protection can not protect you against bootsector viruses, since it has not been executed at boot time. + The hard disks can not be accessed directly anymore, because Thunderbyte is connected to the hard disk cable. + It is impossible to forget to start Thunderbyte, even if the machine is booting with a diskette. Thunderbyte offers you many kinds of protection: + Protection against loss of data. Thunderbyte is connected between the cable of the hard disk and the controller. It prevents the hard disk from being accessed directly. The only way to access the drive from now on is by using interrupt 13h. In addition Thunderbyte detects all direct disk writes which try to achieve a modification or damage of the data and it checks which program orders the execution of such operations. Only the operating system can preform these operations without Thunderbyte interception. Page 50 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. DOS already has the possibility of protecting files against overwriting and modification by means of the read only attribute. However, this protection can be very easily eliminated by software. Thunderbyte prevents this protection from being ruled out without this being noticed, so now it is possible to protect your files effectively via a standard DOS command. + Protection against infection. Thunderbyte protects programs (files with the extension EXE, COM or SYS) against infection by judging all modifications on their intention. The functionality is not influenced by this. Compiling, linking, etc., are not disturbed and neither are programs that save their configuration internally. Furthermore, software can be protected via the aforementioned read only attribute. Attempts to modify the bootsector of the disk are detected, so the dreaded bootsector viruses are also eliminated. Keep in mind that the bootsector can hardly be protected by software. Only Thunderbyte already becomes active before the system tries to boot! + Detection of viruses. In addition to the abovementioned ways of detecting the presence of viruses, Thunderbyte can also do so because viruses carry out a number of special operations. For example, the marking of already infected programs in order to recognize them, is detected by Thunderbyte. So are the attempts of viruses to reside in the memory in a suspicious way and the abnormal manipulations with interrupt vectors. + Password protection. Thunderbyte has the possibility of installing a password. There are two kinds of passwords: one that is always asked for or one that you only have to enter when attempts are made to start from a diskette instead of the hard disk. + Safety. A lot of attention has been paid to the safety of Thunderbyte The program code of Thunderbyte is located in ROM and there is no way it can be modified. There is not one method of eliminating Thunderbyte through software. All the important settings are realized with the help of dipswitches on the adapter card. And despite all their wasted intelligence, viruses will never be able to turn switches or to influence their read outs. Page 51 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. Viruses that approach the controller of the hard disk directly will have a rude awakening: Thunderbyte will only pass disk writes when the write or format command has followed the normal (checked) course. There are a lot of different versions of Thunderbyte (functioning identically however) that are supplied randomly. Therefore is knowledge of the internal working of only one Thunderbyte system not sufficient to damage or destroy its protective working. Thunderbyte is constantly checking its own variables with a checksum different for each version. The locations of the memory where the variables are maintained are also different for each version. + Extra possibilities. Thunderbyte offers you some interesting bonuses, like booting from drive B:. Page 52 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. 9. NAMES AND ADDRESSES 9.1. Contacting the author. TbScan is written by Frans Veldman. You can leave messages on the Dutch support BBS. Registered users can also phone ESaSS for technical support. To register, see the file Register.Doc. 9.2. ESaSS For more information about Thunderbyte you can contact: ESaSS B.V. Tel: + 31 - 80 - 787 881 P.o. box 1380 Fax: + 31 - 80 - 789 186 6501 BJ Nijmegen Data: + 31 - 85 - 212 395 The Netherlands (2:280/200 @fidonet) 9.3. Thunderbyte support BBS's. TbScan, TbScanX and the signature files (TbVirSig) are available on Thunderbyte support BBS's: Thunderbyte headquarters in the Netherlands: +31- 85- 212 395 (2:280/200 @fidonet) Thunderbyte support Germany (Androtec): +49- 2381- 461565 (2:245/50 @fidonet) Thunderbyte support Italy/S.Marino/Vaticano/Malta: +39- 766- 540 899 (2:335/5 @fidonet) Thunderbyte support Australia (Calmer): +61- 2- 482- 1716 If you are running an electronic mail system, you can also file-request TBSCAN to get the latest version of TBSCAN.EXE, TBSCANX to get the resident automatic version of TBSCANX, and VIRUSSIG to obtain a copy of the latest update of the signature file. 9.4. Recommended magazines and organisations. Virus Bulletin. Virus Bulletin Ltd. 21 The Quadrant, Abingdon Science Park, Oxon, OX14 3YS, England. Tel. +44-235-555139. Page 53 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. National Computer Security Association. 227 West Main Street. Mechanicsburg, PA 17055, United States. Tel. +1-717-258-1816 Virus News International. Berkley court, Millstreet, Berkhamsted, Hertfordshire, HP4 2HB, England. Tel. +44-442-877877. Page 54 Thunderbyte virus detector v3.3 (C) Copyright 1989-1992 ESaSS B.V. Page 55