CLEAN72.DOC ·
DOC ·
18.2 KB ·
1990-12-13 ·
from PC-Shareware-Magazine_Vol-1_Number-5_Apr-1991
CLEAN-UP Version 6.3V72
Copyright (C) 1990 by McAfee Associates.
All rights reserved.
Documentation by Aryeh Goretsky.
McAfee Associates
4423 Cheeney Street
Santa Clara, CA 95054-0253
U.S.A
(408) 988-3832 office
(408) 970-9727 fax
(408) 988-4004 BBS 2400 bps
(408) 988-5138 BBS HST 9600
(408) 988-5190 BBS v32 9600
TABLE OF CONTENTS:
SYNOPSIS
    - What CLEAN-UP is, system requirements
AUTHENTICITY
    - Verifying the integrity of CLEAN-UP
WHAT'S NEW
    - Features, new viruses added in this release
OVERVIEW
    - Detailed description of CLEAN-UP
OPERATION
    - How to use CLEAN-UP
EXAMPLES
    - Samples of frequently-used options
REGISTRATION
    - How to register CLEAN-UP
TECH SUPPORT
    - Information you should have ready when calling
VERSION NOTES
    - Program History
SYNOPSIS
CLEAN-UP (CLEAN) is a virus disinfection program for IBM PC
and compatible computers. CLEAN-UP will search through the
partition table, boot sector, or files of a PC and remove a virus
specified by the user. In most instances CLEAN-UP is able to repair
the infected area of the system and restore it to normal usage.
CLEAN-UP works on all viruses identified by the current version of
the VIRUSCAN (SCAN) program.
CLEAN-UP runs on any PC with 256Kb and DOS version 2.00 or
greater.
AUTHENTICITY
CLEAN-UP runs a self-test when executed. If CLEAN has been
modified in any way, a warning will be displayed. The program will
still continue to remove viruses, though. If CLEAN reports that
it has been damaged, it is recommended that a new, clean copy be
obtained.
CLEAN-UP is packaged with the VALIDATE program to ensure the
integrity of the CLEAN.EXE file. The VALIDATE.DOC instructions
tell how to use the VALIDATE program. The VALIDATE program
distributed with CLEAN-UP may be used to check all further versions
of CLEAN.
The validation results for Version 72 should be:

    FILE NAME: CLEAN.EXE
    SIZE: 86,077
    DATE: 12-13-90

    FILE AUTHENTICATION
    Check Method 1: F087
    Check Method 2: 19B3

If your copy of CLEAN.EXE differs, it may have been modified.
Always obtain your copy of CLEAN-UP from a known source. The
latest version of CLEAN-UP and validation data for SCAN.EXE can be
obtained off of McAfee Associates' bulletin board system at (408)
988-4004.
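
A field-by-field comparison of a local VALIDATE result against the values published above, as an added example that is not part of the original documentation or of McAfee's tools. It assumes the local result has been captured in the same "NAME: value" layout shown above; the function names and the tampered record are constructed for illustration.

```python
# Values published in this document for CLEAN.EXE Version 72.
PUBLISHED = """\
FILE NAME: CLEAN.EXE
SIZE: 86,077
DATE: 12-13-90
FILE AUTHENTICATION
Check Method 1: F087
Check Method 2: 19B3
"""

# Constructed record: same name, size and date, but one check value differs.
TAMPERED = """\
FILE NAME: CLEAN.EXE
SIZE: 86077
DATE: 12-13-90
FILE AUTHENTICATION
Check Method 1: f087
Check Method 2: 2A41
"""

FIELDS = ("FILE NAME", "SIZE", "DATE", "Check Method 1", "Check Method 2")

def parse_record(text):
    """Turn 'NAME: value' lines into a dict with normalised values."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or key not in FIELDS:
            continue                      # skips headings and blank lines
        if key == "SIZE":
            value = value.replace(",", "")  # 86,077 and 86077 are the same size
        record[key] = value.upper()         # hex digits compare case-insensitively
    return record

def compare(published, local):
    """Return the fields that are missing from, or differ in, the local record."""
    want, got = parse_record(published), parse_record(local)
    return [f for f in FIELDS if f not in got or got[f] != want.get(f)]

if __name__ == "__main__":
    print(compare(PUBLISHED, TAMPERED) or "all fields match")
```

A copy that matches on size and date alone has not been verified; every field in the list has to agree.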
WHAT'S NEW
Version 72 of CLEAN-UP adds the removal of two new viruses,
the Liberty virus, widely being reported in Australia and the
southeastern United States, and the Plastique virus, which is being
reported in the United States, Asia, Australia, and Europe.
Additionally, handling of the removal of the Pakistani Brain virus
has been improved.
Beginning with Version 72, all McAfee Associates programs for
download are archived with PKWare's PKZIP Authentic File
Verification. When you unzip the files, you should see the "-AV"
message after every file is unzipped and receive the message
"Authentic Files Verified! # NWN405 Zip Source: McAFEE ASSOCIATES".
If you do not, then do not run the files. If your version of PKUNZIP
does not have verification ability, then this message may not be
displayed.
Please contact McAfee Associates if your .ZIP file has been
tampered with.
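
One way to automate the check described above, as an added example rather than anything shipped with CLEAN-UP or PKUNZIP. The transcript layout (a verb, a colon, the file name, then "-AV") and the listed archive contents are assumptions constructed for illustration; only the banner text, serial and source come from this document.

```python
import re

EXPECTED_SERIAL = "NWN405"               # from the banner quoted above
EXPECTED_SOURCE = "McAFEE ASSOCIATES"

# Constructed transcripts; the real PKUNZIP screen layout may differ.
GOOD_LOG = """\
  Exploding: CLEAN.EXE      -AV
  Exploding: CLEAN72.DOC    -AV
  Exploding: VALIDATE.DOC   -AV
Authentic Files Verified!   # NWN405   Zip Source: McAFEE ASSOCIATES
"""
BAD_LOG = """\
  Exploding: CLEAN.EXE
  Exploding: CLEAN72.DOC    -AV
"""

FILE_LINE = re.compile(r"^\s*\w+:\s+(\S+)(.*)$")   # "<verb>: <file> [-AV]"
BANNER = re.compile(
    r"Authentic Files Verified!\s+#\s*(\S+)\s+Zip Source:\s*(.+)")

def check_av(log):
    """Return the reasons not to run the unzipped files (empty list = pass)."""
    problems, files = [], 0
    for line in log.splitlines():
        m = FILE_LINE.match(line)
        if m:
            files += 1
            # "-AV" must follow every file, not just some of them.
            if "-AV" not in m.group(2).split():
                problems.append("no -AV after " + m.group(1))
    if files == 0:
        problems.append("no extracted files seen")
    banner = BANNER.search(log)
    if banner is None:
        problems.append("authenticity banner missing")
    else:
        serial, source = banner.group(1), banner.group(2).strip()
        # A banner naming a different serial or source is not McAfee's.
        if (serial, source) != (EXPECTED_SERIAL, EXPECTED_SOURCE):
            problems.append("banner names %s / %s" % (serial, source))
    return problems

if __name__ == "__main__":
    print(check_av(GOOD_LOG), check_av(BAD_LOG))
```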
OVERVIEW
CLEAN-UP searches the system looking for the virus you wish
to remove. When an infected file is found, CLEAN-UP isolates and
removes the virus, and in most cases, repairs the infected file and
restores it to normal operation. If the file is infected with a
less common virus, CLEAN-UP will then display a warning message and
prompt the user, asking to overwrite and delete the infected file.
Files erased in such a manner are non-recoverable.
Verify the suspect virus infection with the VIRUSCAN program
before running CLEAN-UP. VIRUSCAN will locate and identify the
virus and provide the I.D. code needed to remove it. The I.D. is
displayed inside the square brackets, "[" and "]." For example,
the I.D. code for the Jerusalem virus is displayed as
"[Jeru]". This I.D. must be used with CLEAN-UP to remove the
virus. The square brackets "[" and "]" MUST be included.
The common viruses that CLEAN-UP is able to remove
successfully and repair and restore the damaged programs are:

    1260               1701           1704            4096
    Alabama            Alameda        Ashar           Dark Avenger
    DataLock           Disk Killer    EDV             Fish
    Flip               Invader        Jerusalem A     Jerusalem B
    Jerusalem E        Joshi          KeyPress        Liberty
    Pakistani Brain    PayDay         Ping Pong B     Slow
    Stoned             SunDay         Suriv03         Taiwan 3
    Taiwan 4           V800           VacSina         Vienna
    Violator           Whale          Yankee Doodle   ZeroBug
    Plastique

AN IMPORTANT NOTE ABOUT .EXE FILES: Some viruses which infect .EXE
files can not be removed successfully in all cases. This usually
occurs when the .EXE file loads internal overlays. Instead of
attaching to the end of the .EXE file, the virus may attach to the
beginning of the overlay area, and program instructions are
overwritten. Clean-Up will truncate files infected in this manner.
If a file no longer runs after being cleaned, replace it from the
manufacturer's original disk.
AN IMPORTANT NOTE ABOUT THE STONED VIRUS: Removing the Stoned
virus can cause loss of the partition table on systems with
non-standard formatted hard disks. As a precaution, back up all
critical data before running CLEAN-UP. Loss of the partition table
can result in the LOSS OF ALL DATA ON THE DISK.
OPERATION:
IMPORTANT NOTE: POWER DOWN YOUR SYSTEM AND BOOT FROM A CLEAN
SYSTEM DISK BEFORE BEGINNING. RUN THE CLEAN-UP PROGRAM FROM A
WRITE-PROTECTED DISK TO PREVENT INFECTION OF THE PROGRAM.
Power down the infected system and boot from a clean,
write-protected system diskette. This step will ensure that the
virus is not in control of the computer and will prevent
reinfection. After cleaning, power down the system again, reboot
from the system disk, and run the VIRUSCAN program to make sure the
system has been successfully disinfected. After cleaning the hard
disk, run the VIRUSCAN program on any floppies that may have been
inserted into the infected system to determine if they have been
infected.
CLEAN-UP will display the name of the infected file, the virus
found in it, and report a "successful" disinfection when the virus
is removed. If a file has been infected multiple times by a virus
(possible if the virus does not check to see if it has already
attached to a file) then CLEAN-UP will report that the virus has
been removed successfully for each infection.
To run CLEAN-UP type:

    CLEAN d1: ... d10: [virus ID] /A /E .xxx /MANY /REPORT d:filename

Options are:

    /A                  - Examine all files for viruses
    /E .xxx .yyy .zzz   - Clean overlay extensions .xxx .yyy .zzz
    /MANY               - Put CLEAN into loop disinfecting drive(s)
    /REPORT d:filename  - Create report of cleaned files
    d1: ... d10:        - indicate drives to be cleaned
    [virus I.D.]        - Virus identification code, for a complete
                          list of codes, see the accompanying
                          VIRLIST.TXT file

The /A option will cause CLEAN to go through all files on
diskette. This should be used if a file-infecting virus is
detected.
The /E option allows the user to specify an extension or set
of extensions to clean. Extensions must be separated by a space
after the /E and between each other. Up to three extensions may
be added with the /E. For more extensions, use the /A option.
The /MANY option is used to clean multiple floppy diskettes.
If the user has more than one floppy disk to check for viruses, the
/MANY option will allow the user to check them without having to
run CLEAN multiple times.
The /REPORT option is used to generate a listing of
disinfected files. The resulting list can be saved to disk as an
ASCII text file. To use the report option, specify /REPORT on the
command line, followed by the device and filename.
EXAMPLES
The following examples are shown as they would be typed in on
the command line.

    CLEAN C: D: E: [JERU] /A

        To disinfect drives C:, D:, and E: of the Jerusalem
        virus, searching all files for the virus in the process

    CLEAN A: [STONED]

        To disinfect floppy in drive A: of the Stoned virus

    CLEAN C:\MORGAN [DAV] /A

        To disinfect subdirectory MORGAN on drive C: of the Dark
        Avenger, searching all files for the virus in the process

    CLEAN B: [DOODLE] /REPORT C:YNKINFCT.TXT

        To disinfect floppy in drive B: of the Yankee Doodle
        virus, searching all files in the process, and creating
        a report of disinfected files named YNKINFCT.TXT on drive
        C:

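
The syntax rules from the OPERATION section, enforced in a small command-line builder that reproduces the examples above. This is an added example, not part of CLEAN-UP; the function names and the sample VIRUSCAN lines are constructed for illustration.

```python
import re

DRIVE = re.compile(r"[A-Za-z]:(\\\S*)?")     # C: or C:\MORGAN
VIRUS_ID = re.compile(r"\[[^\[\]\s]+\]")      # the brackets are part of the I.D.
EXTENSION = re.compile(r"\.\w{1,3}")

# Constructed VIRUSCAN-style lines; the real screen layout may differ.
SAMPLE_SCAN = """\
C:\\DOS\\FORMAT.COM  Found Jerusalem Virus [Jeru]
C:\\UTIL\\LIST.COM   Found Jerusalem Virus [Jeru]
C:\\GAMES\\PLAY.EXE  Found Dark Avenger Virus [Dav]
"""

def ids_from_scan(report):
    """Return each bracketed I.D. once, in the order first seen."""
    found = []
    for code in VIRUS_ID.findall(report):
        if code not in found:
            found.append(code)
    return found

def clean_command(targets, virus_id, all_files=False, exts=(),
                  many=False, report=None):
    """Build a CLEAN command line, rejecting what the documentation forbids."""
    if not 1 <= len(targets) <= 10:
        raise ValueError("CLEAN accepts d1: ... d10:, so 1 to 10 targets")
    for target in targets:
        if not DRIVE.fullmatch(target):
            raise ValueError("not a drive or drive:\\path: %r" % target)
    if not VIRUS_ID.fullmatch(virus_id):
        raise ValueError("virus I.D. must include [ and ]: %r" % virus_id)
    if len(exts) > 3:
        raise ValueError("/E takes at most three extensions; use /A instead")
    for ext in exts:
        if not EXTENSION.fullmatch(ext):
            raise ValueError("extension must look like .xxx: %r" % ext)
    parts = ["CLEAN", *targets, virus_id]
    if all_files:
        parts.append("/A")
    if exts:
        parts += ["/E", *exts]      # space after /E and between extensions
    if many:
        parts.append("/MANY")
    if report:
        parts += ["/REPORT", report]
    return " ".join(parts)

if __name__ == "__main__":
    for code in ids_from_scan(SAMPLE_SCAN):
        print(clean_command(["C:"], code, all_files=True))
```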
REGISTRATION
A registration fee of $35.00US is requested for the use of
CLEAN-UP by individual home users. Registration is for one year
and entitles the holder to unlimited free upgrades for the duration,
downloaded from McAfee Associates' bulletin board. Diskettes are not mailed
unless specifically requested. Add $9.00US for diskette mailings.
Registration is for home users only and does not apply to
businesses, departments, organizations, government agencies, or
schools, who must obtain a license for use. Contact McAfee
Associates for more information.
Outside of North America, registration and support may be
obtained through the agents listed in the accompanying AGENTS.TXT
text file.
TECH SUPPORT
In order to facilitate speedy and accurate support, please
have the following information ready when you contact McAfee
Associates:
- Program name and version number.
- Type and brand of computer, hard disk, plus any
peripherals.
- Version of DOS you are running, plus any TSRs or device
drivers in use.
- The exact problem you are having. Please be as specific as
possible. Having a print out of the screen and/or being
at your computer will help also.
McAfee Associates can be contacted by BBS or fax twenty-four hours
a day, or call our business office at (408) 988-3832, Monday
through Friday, 8:30AM to 6:00PM Pacific Standard Time.
McAfee Associates
4423 Cheeney Street
Santa Clara, CA 95054
U.S.A
(408) 988-3832 office
(408) 970-9727 fax
(408) 988-4004 BBS 2400 bps
(408) 988-5138 BBS HST 9600
(408) 988-5190 BBS v32 9600
VERSION NOTES
Version 71:
Version 71 of CLEAN-UP adds disinfection of six new viruses,
the Flip virus, KeyPress virus, DataLock virus, Taiwan-3, Taiwan-4
and the Violator. For summary information about these viruses,
please refer to the accompanying VIRLIST.TXT file. For a detailed
description of these viruses please refer to Patricia Hoffman's
VSUM document. VSUM is copyrighted by Patricia Hoffman. It is the
most comprehensive PC virus compendium available.
Version 67:
Version 67 now disinfects the EDV, Invader, Slow, and Whale
viruses:
The EDV is a boot sector infector virus first reported in
Germany. It infects hard and floppy disks.
The Invader is a multipartite (two-part) virus that attaches
to both the files and boot sectors of hard and floppy disks. The
Invader shows up as being 4,096 bytes in length in infected files.
It is NOT related to the 4096 "Stealth" virus but rather is a
combination of the Jerusalem, Stoned, and Plastique viruses. At
random intervals, it plays Beethoven over the speaker. Poorly.
The Slow virus has been reported at several sites in
Australia. It is a file infector, attaching to .COM and .EXE files
and increasing them by 1,701 bytes. It is NOT related to the 1701
virus.
The Whale virus is a "stealth" type virus that attaches itself
to .COM, .EXE, and overlay files. It increases their size by
approximately 9,216 bytes, but this size increase will not show up
unless the infected PC is cold booted off of a clean system disk
because the virus masks its presence when resident in memory.
A report-generating option has been added to CLEAN-UP. When
the /REPORT option is used, it will generate a list of infected
files found when scanning an infected system. Such a report can
be used for pin-pointing the source of an infection, or for system
audits.
Version 66:
Version 66 is able to remove and repair four new viruses:
Joshi, Vienna, Fish6, and Zerobug. All of these viruses have been
reported at multiple sites. In addition, 27 new viruses have been
included in the Clean-Up detection and eradication processing. An
outline of the new viruses is included in the enclosed file -
VIRLIST.TXT. For a complete description of the viruses, please
refer to Patricia Hoffman's VSUM document.
Version 64:
Version 64 of CLEAN repairs a number of small bugs in version
63, including the inability to catch the Fish-6 virus in memory and
an infrequent false alarm with the Korea virus when running
AppleTalk. A re-structuring of CLEAN's scanning technique was also
required due to the appearance of another fully encrypted virus
(V2P2). This virus has no string that is common for all iterations
of the virus, so that a virus-specific search technique was
required.
In addition, 14 new viruses have surfaced from various parts
of the world. Of the 14 viruses, two appear to be fairly virulent.
The Joshi virus, from India, is a boot sector and partition table
infector which activates on the 5th of January. When activated,
it locks up the machine and displays the message "Type Happy
Birthday Joshi". The system stays locked until the user types the
happy birthday message. In addition the virus causes problems in
writing to or reading from 1.2Mb diskettes. The second virus is
from Taiwan and has been named the Taiwan-3 virus. It infects EXE
and COM files, including COMMAND.COM. It is memory resident and
randomly appears to garble the File Allocation Table of the hard
drive. Both viruses have been reported at multiple sites.
The twelve additional viruses are outlined in the enclosed
VIRLIST.TXT file. For a detailed description of each, please refer
to Patricia Hoffman's VSUM document.
The V800 virus has been added to the list of viruses that can
be removed without deleting the infected programs.
Version 63:
Version 63 has been one of the most painful versions we have
put together. There have been 17 new viruses and virus sub-strains
discovered in the 35 days since the release of version 62. We have
also added a major feature to allow SCAN and CLEAN-UP to check
inside of programs compressed with LZEXE; we've added Yankee Doodle
and Vacsina to the list of recoverable viruses in CleanUp; we've
undertaken an accounting of the numerous sub-strains of each virus;
we've repaired over a dozen loopholes that allowed certain
sub-strains to slip through; and we've added a new program to the
product line called VCOPY that replaces the DOS copy command and
does automatic scanning during a copy function.
In addition, we've been struggling with the issue of how to
count viruses in a meaningful way that does not place us in a
seemingly disadvantageous competitive position. For example:
Numerous anti-virus programs advertise the number of viruses that
they are able to detect, and these numbers range from less than 50
to over 100. On analysis, these numbers included all of the known
sub-strains of the viruses, and their virus count by our
classification was always substantially less. We group viruses by
major type, where possible, to make it easier to manage, both from
an identification and removal basis. But on a sheer numbers
comparison, SCAN appears in a weaker light. After careful thought,
we decided to stick with our classification scheme, but in the
VIRLIST.TXT we will list the known variants detected in
parentheses. By the competition's counting scheme, we now identify
167 viruses. By our count, we identify 97.
The 17 new viruses and new sub-strains added for version 63
have come from a variety of sources. Vesselin Bontchev from
Bulgaria submitted three new variants of the 512, one new variant
of the W-13 virus and two entirely new viruses that have surfaced
in Eastern Europe. Dave Chess from IBM provided me with three new
viruses collected through the various IBM contacts. Patricia
Hoffman provided one new virus and two new variants submitted from
users of the FidoNet network. The Icelandic virus researcher
Fridrik Skulason provided one new virus. The remaining four were
submitted directly by Homebase users. The VIRLIST.TXT document
describes the main operating characteristics of the new viruses.
To avoid duplication of effort, I am referring users to Patricia
Hoffman's most current VSUM document for a detailed description of
the new viruses.