SCANV72.DOC (DOC, 28.3 KB, 1990-12-13) from PC-Shareware-Magazine_Vol-1_Number-5_Apr-1991
VIRUSCAN Version 6.3V72
Copyright (C) 1989, 1990 by McAfee Associates.
All rights reserved.
Documentation by Aryeh Goretsky.
McAfee Associates
4423 Cheeney Street
Santa Clara, CA 95054-0253
U.S.A.
(408) 988-3832 office
(408) 970-9727 fax
(408) 988-4004 BBS 2400 bps
(408) 988-5138 BBS HST 9600
(408) 988-5190 BBS v32 9600
TABLE OF CONTENTS:
SYNOPSIS . . . . . . . . . . . . . . . . . . . . . . . . . . .2
- What VIRUSCAN is, system requirements
AUTHENTICITY . . . . . . . . . . . . . . . . . . . . . . . . .2
- Verifying the integrity of VIRUSCAN
WHAT'S NEW . . . . . . . . . . . . . . . . . . . . . . . . . .3
- Features, new viruses added in this release
OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . .4
- Detailed description of VIRUSCAN
OPERATION. . . . . . . . . . . . . . . . . . . . . . . . . . .5
- How to use VIRUSCAN
EXAMPLES . . . . . . . . . . . . . . . . . . . . . . . . . . .7
- Samples of frequently-used options
EXIT CODES . . . . . . . . . . . . . . . . . . . . . . . . . .8
- For running VIRUSCAN from batch files
VIRUS REMOVAL. . . . . . . . . . . . . . . . . . . . . . . . .8
- How to manually remove a virus
REGISTRATION . . . . . . . . . . . . . . . . . . . . . . . . .9
- How to register VIRUSCAN
TECH SUPPORT . . . . . . . . . . . . . . . . . . . . . . . . .10
- Information you should have ready when calling
VERSION NOTES. . . . . . . . . . . . . . . . . . . . . . . . .10
- Program history
APPENDIX A . . . . . . . . . . . . . . . . . . . . . . . . . .12
- Creating a virus string file with the /EXT option
Page 1
SYNOPSIS
VIRUSCAN (SCAN) is a virus detection and identification
program for the IBM PC and compatible computers. VIRUSCAN will
search a PC for known computer viruses in memory, the boot sector,
the partition table, and the files of a PC and its disks. VIRUSCAN
will also detect the presence of unknown viruses.
SCAN works by searching the system for instruction sequences
or patterns that are unique to each computer virus, and then
reporting their presence if found. This method works for viruses
that VIRUSCAN recognizes. To detect unknown viruses, VIRUSCAN can
create a validation code or "CRC check" for .COM and .EXE files and
append it to them. If the file has been modified in any way, SCAN
will report that infection may have occurred. VIRUSCAN can also
look for new viruses from a user-supplied list of virus search
strings.
VIRUSCAN runs on any PC with 256Kb and DOS version 2.00 or
greater.
AUTHENTICITY
VIRUSCAN runs a self-test when executed. If SCAN has been
modified in any way, a warning will be displayed. The program will
still continue to check for viruses, though. If SCAN reports that
it has been damaged, it is recommended that a clean copy be obtained.
VIRUSCAN versions 46 and above are packaged with the VALIDATE
program to ensure the integrity of the SCAN.EXE file. The
VALIDATE.DOC instructions tell how to use the VALIDATE program.
The VALIDATE program distributed with VIRUSCAN may be used to check
all further versions of SCAN.
The validation results for Version 72 should be:
FILE NAME: SCAN.EXE
SIZE: 61,841
DATE: 12-13-90
FILE AUTHENTICATION
Check Method 1: 5EF7
Check Method 2: 0A41
If your copy of SCAN.EXE differs, it may have been modified.
Always obtain your copy of VIRUSCAN from a known source. The
latest version of VIRUSCAN and validation data for SCAN.EXE can be
obtained off of McAfee Associates' bulletin board system at (408)
988-4004.
WHAT'S NEW
Version 72 of VIRUSCAN adds four new viruses and improves the
external virus data handling capabilities.
The ZeroHunt virus was uploaded to Homebase BBS by Paul
Ferguson of Washington, D.C., USA. It is a memory-resident
infector that attaches itself to the stack space in .COM files.
Since the virus is attaching itself inside a file, as opposed to
adding itself to the beginning or end, the size of the file will
not change.
The Bloody! virus has been reported in Massachusetts, USA as
well as Taiwan and Europe. It infects the boot sector of a floppy
disk and the partition table of the hard disk. After approximately
128 reboots, the virus displays the message "Bloody! Jun. 4, 1989"
which is the date of the Tiananmen Square Massacre in Beijing,
China.
The Jeff virus is a .COM file infector that destroys data by
writing garbage to the hard disk. It contains the text "Jeff is
visiting your hard disk."
The Music Bug virus has been reported in Woodland Hills,
California and Orlando, Florida as well as Taiwan. It infects the
boot sector of a floppy disk and the partition table of the hard
disk. The Music Bug plays children's nursery tunes after a specified
time. It contains the text "MusicBug v1.06. MacroSoft Corp."
Viruses added via the External Virus Data option are now
scanned for in memory, provided the /M switch is used.
Beginning with Version 72, all McAfee Associates programs for
download are archived with PKWare's PKZIP Authentic File
Verification. If you do not see the "-AV" message after every file
is unzipped and receive the message "Authentic Files Verified!
# NWN405 Zip Source: McAFEE ASSOCIATES" when you unzip the files
then do not run them. If your version of PKUNZIP does not have
verification ability, then this message may not be displayed.
Please contact McAfee Associates if your .ZIP file has been
tampered with.
OVERVIEW
VIRUSCAN scans diskettes or entire systems for pre-existing
computer virus infections. It will identify the virus infecting
the system, and tell what area of the system (memory, boot sector,
file) the virus occupies. An infected file can be removed with
the overwrite-and-delete option, /D, which will erase the file.
The CLEAN-UP program is also available to automatically disinfect
the system and repair damaged areas whenever possible.
VIRUSCAN Version 72 identifies all 162 known computer viruses
along with their variants. Some viruses have been modified so that
more than one "strain" exists. Counting such modifications, there
are 251 virus variants. The ten most common viruses which account
for over 95% of all reported PC infections are identified by SCAN.
The accompanying VIRLIST.TXT file describes all new, public
domain, and extinct computer viruses identified by SCAN. The
number of variants of each virus is listed in parentheses after the
virus name.
All known computer viruses infect one or more of the
following areas: the hard or fixed disk partition table [also
known as the master boot record]; the DOS boot sector of hard disks
and floppy disks; or one or more executable files within the
system. Executable files include operating system files, .COM
files, .EXE files, overlay files, or any other files loaded into
memory and executed. A virus that infects more than one area, such
as a boot sector and an executable file is called a multipartite
virus.
VIRUSCAN identifies every area or file that is infected, and
indicates both the name of the virus and CLEAN-UP I.D. code used
to remove it. SCAN will check the entire system, an individual
diskette, sub-directory, or individual files for existing viruses.
VIRUSCAN will also check for new, unknown viruses with the Add
Validation and Check Validation options. This is done by computing
a code for a file, appending it to the file, and then validating
the file against that code. If the file has been modified, the
check will no longer match, and viral infection may have occurred.
SCAN uses two independently generated CRC (Cyclic Redundancy Check)
checks that are added to the end of program files to do this.
Files which are self-checking should not be validated since this
will "set off" the program's self-check. Files which are self-
modifying may have different values for the same program depending
upon the modifications. VIRUSCAN adds validation codes to .COM
and .EXE files only. The validation codes for the partition table,
boot sector, and system files, are kept in a hidden file called
SCANVAL.VAL in the root directory.
VIRUSCAN can also be updated to search for new viruses via
an External Virus Data File option, which allows the user to
provide the VIRUSCAN program with new search strings for viruses.
VIRUSCAN works on stand-alone and networked PC's, but not on
a file server. For networks, the NETSCAN file server-scanning
program is required.
OPERATION:
IMPORTANT NOTE: WRITE PROTECT YOUR FLOPPY DISK BEFORE SCANNING
YOUR SYSTEM TO PREVENT INFECTION OF THE VIRUSCAN PROGRAM.
VIRUSCAN will check each area or file on the designated
drive(s) that could be host to a virus. If a virus is found, a
message is displayed telling the name of the infected file or
system area and the name of the identified virus. SCAN will
examine files for viruses based on their extensions. The default
executable extensions supported by SCAN are .BIN, .COM, .EXE, .OV?,
.PGM, .PIF, .PRG, .SYS and .XTP. Additional extensions can be
added to SCAN or all files on disk can be selected for scanning.
To run VIRUSCAN type:
SCAN d1: ... d10: /A /AV /CV /D /E .xxx .yyy .zzz /EXT d:filename
/MANY /NLZ /NOMEM /REPORT d:filename /RV /X
Options are:
/A - Scan all files for viruses
/AV - Add validation codes to specified files
/CV - Check validation codes for files
/D - Overwrite and delete infected file
/E .xxx .yyy .zzz - Scan overlay extensions .xxx .yyy .zzz
/EXT d:filename - Scan using external virus data file
/M - Scan memory for all viruses
(see below for specifics)
/MANY - Put SCAN into loop checking drive(s)
/NLZ - Skip scanning of LZEXE compressed files
/NOMEM - Skip memory checking
/REPORT d:filename - Create report of infected files
/RV - Remove validation codes from specified files
/X - Scan for extinct and research viruses
(removed for this version of SCAN)
(d1: ... d10: indicate drives to be scanned)
The /A option will cause SCAN to go through all files on the
referenced drive. This should be used if a file-infecting virus
has already been detected. Otherwise the /A option should only be
used when checking a new program. The /A option will add a
substantial time to scanning. This option takes priority over the
/E option.
The /AV option allows the user to add validation codes to the
files being scanned. If a full drive is specified, SCAN will
create validation data for the partition table, boot sector, and
system files of the disk as well. Validation adds ten (10) bytes
to files; the validation data for the partition table, boot sector,
and system files is stored separately in a hidden file in the root
directory of the scanned drive.
The /CV option checks the validation codes inserted by the /AV
option. If the file has been changed, SCAN will report that the
file has been modified, and that viral infection may have occurred.
Using the /CV option adds about 25% more time to scanning.
NOTE: Some older Hewlett Packard and Zenith PC's modify the boot
sector or partition table each time the system is booted. This
will cause SCAN to continually notify the user of boot sector or
partition table modifications if the /CV switch is selected. Check
your system's manual to determine if your system contains
self-modifying boot code.
The /D option tells VIRUSCAN to prompt the user to overwrite
and delete an infected file when one is found. If the user selects
"Y" the infected file will be overwritten with hex code C3 [the
Return-to-DOS instruction] and then deleted. A file erased by the
/D option can not be recovered. Boot sector and partition table
infectors can not be removed by the /D option and require the
CLEAN-UP virus disinfection program.
The /E option allows the user to specify an extension or set
of extensions to scan. Extensions should include the period
character "." and be separated by a space after the /E and between
each other. Up to three extensions may be added with the /E. For
more extensions, use the /A option.
The /EXT option allows VIRUSCAN to search for viruses from a text
file containing user-created search strings. The syntax for using
the external virus data file is /EXT d:filename, where d: is the
drive name and filename is the name of the external virus data
file. For instructions on how to create an external virus data
file, refer to Appendix A.
NOTE: The /EXT option is intended for advanced users and computer
anti-virus researchers to add their own strings for detection of
computer viruses on an interim or emergency basis. When used with
the /D option, it will delete infected files. This option is not
recommended for general use and should be used with caution.
The /M option tells VIRUSCAN to check system memory for all
known computer viruses that can inhabit memory. SCAN by default
only checks memory for critical and "stealth" viruses, which are
viruses which can cause catastrophic damage or spread the infection
during the scanning process. SCAN will check memory for the
following viruses in any case:
1554 1971 1253 2100
3445-Stealth 4096 512 Anthrax
Brain Dark Avenger Disk Killer Doom-2
EDV Fish6 Form Invader
Joshi Microbes Mirror Murphy
Nomenclature Plastique Polish-2 P1R (Phoenix)
Taiwan-3 Whale Zero-Hunt
If one of these viruses is found in memory, SCAN will stop and
advise the user to power down, and reboot the system from a
virus-free system disk. Using the /M option with another
anti-viral software package may result in false alarms if the other
package does not remove its virus search strings from memory. The
/M option will add 10 to 40 seconds to the scanning time.
The /MANY option is used to scan multiple diskettes placed in
a given drive. If the user has more than one floppy disk to
check for viruses, the /MANY option allows the user to check
them without having to run SCAN multiple times. If a system has
been disinfected, the /MANY and /NOMEM options can be used to speed
up scanning of disks.
The /NLZ option tells VIRUSCAN not to look inside files
compressed with the LZEXE file compression program. SCAN will
still check the programs for external infections.
The /NOMEM option is used to turn off all memory checking for
viruses. It should only be used when a system is known to be free
of viruses.
The /REPORT option is used to generate a listing of infected
files. The resulting list is saved to disk as an ASCII text file.
To use the report option, specify /REPORT on the command line,
followed by the device and filename [See EXAMPLES below for
samples].
The /RV option is used to remove validation codes from a file
or files. It can be used to remove the validation code from a
diskette, subdirectory, or file(s). Using /RV on a disk will
remove the partition table, boot sector, and system file
validation. This option can not be used with the /AV option.
The /X option is used to check for extinct viruses. An
extinct virus is defined as a virus from which there have been no
infection reports in the preceding twelve (12) months, or a virus
that was created as a research tool and does not exist outside of
a few tightly-controlled copies. Viruses that are extinct are
listed in the accompanying VIRLIST.TXT file preceded with an
asterisk "*" next to the virus name. It is recommended that VIRUSCAN
initially be run with the /X option but subsequent runs need not
use the /X option.
EXAMPLES
The following examples are shown as they would be typed in.
SCAN C:
To scan drive C:
SCAN A:R-HOOPER.EXE
To scan file "R-HOOPER.EXE" on drive A:
SCAN A: /A
To scan all files on drive A:
SCAN B: /D /A
To scan all files on drive B:, and prompt for erasure of
infected files.
SCAN C: D: E: /AV /NOMEM
To add validation codes to files on drives C:, D:, and
E:, and skip memory checking.
SCAN D: /M /A /X
To scan memory for all known and extinct viruses, as well
as all files on drive D:
SCAN C: D: /E .WPM .COD
To scan drives C: and D:, and include files with the
extensions .WPM and .COD
SCAN A: /CV
To check for known and unknown viruses (via the
validation codes) on drive A:
SCAN C: /EXT A:SAMPLE.ASC
To scan drive C: for known computer viruses and also for
viruses added by the user via the external virus data
file option.
SCAN C: /M /REPORT A:INFECTN.RPT
To scan for all viruses in memory and drive C:, and
create a text file called INFECTN.RPT on drive A:
EXIT CODES
VIRUSCAN will set the DOS ERRORLEVEL upon program termination
to:
ERRORLEVEL | DESCRIPTION
-----------+--------------------------
0 | No viruses found
1 | One or more viruses found
2 | Abnormal termination (program error)
If a user stops the scanning process, SCAN will set the ERRORLEVEL
to 2.
VIRUS REMOVAL
What do you do if a virus is found? You can contact McAfee
Associates for assistance with manually removing the virus, for
disinfection utilities, and for more information about the virus.
The CLEAN-UP universal virus disinfection program is available and
will disinfect the majority of reported computer viruses. It is
updated frequently to remove new viruses. The CLEAN-UP program can
be downloaded from McAfee Associates BBS.
It is strongly recommended that you get experienced help in
dealing with viruses, especially critical viruses that can damage
or destroy data [for a listing of critical viruses, see the /M
option under OPTIONS, above] and partition table or boot sector
infecting viruses, as improper removal of these viruses could
result in the loss of all data and use of the disk(s).
BOOT SECTOR INFECTORS
Power down the infected system and boot off of an uninfected,
write-protected diskette. Use the DOS SYS command to attempt
to overwrite the boot sector. This works in many cases. Run
VIRUSCAN to see if the virus has been eradicated. If this
does not work, do a file-by-file backup of the system (in
other words, do not backup the boot sector) and do a low-level
format of the disk. For a floppy diskette, copy the files off
of the infected diskette using the DOS COPY command, not XCOPY
or DISKCOPY which will transfer the virus. Reformat or
discard the infected floppy disk.
FILE INFECTORS
Power down the infected system and boot off of an uninfected,
write-protected diskette. Run VIRUSCAN with the /D and /A
options. Scan all original disks for viruses and replace
programs from them if clean.
PARTITION TABLE INFECTORS
Power down the infected system and boot off of an uninfected,
write-protected diskette. Proceed to do a file-by-file backup
of the system (in other words, do not backup the partition
table). Then do a low-level format of the disk.
Disinfection utilities are available for the majority of reported
computer viruses; these programs can be downloaded from McAfee
Associates' BBS at (408) 988-4004.
REGISTRATION
A registration fee of $25.00US is requested for the use of
VIRUSCAN by individual home users. Registration is for one year
and entitles the holder to unlimited free upgrades off of McAfee
Associates BBS. Diskettes are not mailed unless requested. Add
$9.00US for diskette mailings.
Registration is for home users only and does not apply to
businesses, corporations, organizations, government agencies, or
schools, who must obtain a license for use. Contact McAfee
Associates for more information.
Outside of North America, registration and support may be
obtained through the agents listed in the accompanying AGENTS.TXT
text file.
TECH SUPPORT
In order to facilitate speedy and accurate support, please
have the following information ready when you contact McAfee
Associates:
- Program name and version number.
- Type and brand of computer, hard disk, plus any
peripherals.
- Version of DOS you are running, plus any TSRs or device
drivers in use.
- The exact problem you are having. Please be specific as
possible. Having a print out of the screen and/or being
at your computer will help also.
McAfee Associates can be contacted by BBS or fax twenty-four hours
a day, or call our business office at (408) 988-3832, Monday
through Friday, 8:30AM to 6:00PM Pacific Standard Time.
McAfee Associates
4423 Cheeney Street
Santa Clara, CA 95054-0253
U.S.A.
(408) 988-3832 office
(408) 970-9727 fax
(408) 988-4004 BBS 2400 bps
(408) 988-5138 BBS HST 9600
(408) 988-5190 BBS v32 9600
If you are overseas, please refer to our AGENTS.TXT file for
a listing of International Agents for McAfee Associates product
support or sales.
VERSION NOTES
Version 71, 71-B
Version 71-B of SCAN fixes a problem with version 71 in
identifying viruses embedded in files with non-executable
extensions.
Version 71 of SCAN now includes an option that allows users
to scan for new viruses by adding their own set of search strings
loaded from an external virus data file. When this /EXT option
is enabled, a user-specified set of scan strings will be scanned
for by the VIRUSCAN program.
We have also removed the extinct viruses from their extinct
category. The extinct category was less than enthusiastically
received by our users who relied on SCAN shell routines written by
third party authors. We will wait until these shell routines can
handle the additional /X switch before we place these viruses back
into the extinct category.
Version 71 of VIRUSCAN adds sixteen new viruses, bringing
the total number of known computer viruses to 160, and known
variants to 239.
The KeyPress virus was reported from numerous sites within
Australia, Indonesia, Saudi Arabia, and the U.S. This virus adds
approximately 1,475 bytes to .COM and .EXE files. The virus fills
the keyboard buffer, preventing the user from typing anything. It
is also known as the Jeddah and the 1475 virus.
The DataLock virus was first reported by a computer store in
Southern California. It is 920 bytes in length and attaches itself
to .COM files. This virus is also known as the DataLock V1.00 and
the 920 virus. It has been widely reported since first appearing
in Mid-October in Southern California.
The remaining viruses have been sporadically reported at one
or two sites. Please refer to the enclosed VIRLIST.TXT file for
outline information about these viruses. For a detailed description
of each virus please refer to Patricia Hoffman's VSUM
Listing. VSUM is copyrighted by Patricia Hoffman. It is the most
comprehensive PC virus compendium available.
Version numbers 68 through 70 were skipped because of the
appearance of trojan version 70 of SCAN in Israel. Rather than use
the next number in the series we are skipping to version 71.
Version 67, 67-B, 67-C:
Sorry about this third release of V67. 67B had problems
scanning floppy diskettes that were write-protected, bootable
system diskettes. 67-C fixes it.
Version 67-B fixes a minor bug that caused VSHIELD.EXE to
incorrectly CRC check the boot sector and partition table.
Our apologies for the delay in releasing V67. At the last
minute a major new virus -- the Invader -- was reported at multiple
sites across the U.S. and in Asia. We have included a detector and
remover for this virus in V67 SCAN and CLEAN.
Version 67 has added a report feature to allow the creation
of a report file containing a list of found infected files when
scanning an infected system. We have also implemented an EXTINCT
switch that defaults to not searching for viruses that have become
extinct or viruses that are exclusively research viruses. Any
virus that has not been reported in the public domain for more than
a year has been classified as extinct. Extinct viruses are marked
with an asterisk in the VIRLIST.TXT file that accompanies the SCAN
program. If you are a researcher and have any of the extinct
viruses, you must use the /X switch to force SCAN to search for
them. In addition, 10 new viruses have been added to the list of
viruses that are identified by SCAN.
APPENDIX A: Creating a Virus String File with the /EXT Option
The External Virus Data file should be created with an editor
or a word processor and saved as an ASCII text file.
NOTE: The /EXT option is intended for emergency and research use
only. It is a temporary method for identifying new viruses prior
to the subsequent release of SCAN. A sound understanding of
viruses and string-search techniques is advised as a prerequisite
for using this option.
The virus string file uses the following format:
"aabbccddeeff..." Virus_1_Name
"gghhiijjkkll..." Virus_2_Name
.
.
"uuvvwwxxyyzz..." Virus_n_Name
Where aa, bb, cc, etc. are the hexadecimal bytes that you wish to
scan for. Each line in the file represents one virus. The Virus
Name for each virus is mandatory, and may be up to 25 characters
in length. The double quotes (") are required at the beginning and
end of each hexadecimal string.
SCAN will use the string file to search memory, the Partition
Table, Boot Sector, System files, all .COM and .EXE files, and
Overlay files with the extension .BIN, .OV?, .PGM, .PIF, .PRG, .SYS
and .XTP.
Virus strings may contain wild cards. The two wildcard
options are:
FIXED POSITION WILDCARD
The question mark "?" may be used to represent a wildcard in
a fixed position within the string. For example, the string:
"E9 7C 00 10 ? 37 CB"
would match "E9 7C 00 10 27 37 CB", "E9 7C 00 10 9C 37 CB", or any
other similar string, no matter what byte was in the fifth place.
RANGE WILDCARD
The asterisk "*", followed by a range number in parentheses "("
and ")", is used to represent a variable number of adjoining random
bytes. For example, the string:
"E9 7C *(4) 37 CB"
would match "E9 7C 00 37 CB", "E9 7C 00 11 37 CB", and
"E9 7C 00 11 22 37 CB". The string "E9 7C 00 11 22 33 44 37 CB"
would not match since the distance between 7C and 37 is greater
than four bytes. You may specify a range of up to 99 bytes.
Up to 10 different wildcards of either kind may be used in one
virus string.
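As an added example (not code from McAfee Associates or from this document), the following Python parses lines in the Appendix A format and matches the two wildcard forms against a byte buffer, enforcing the limits stated above. It assumes that a range wildcard *(n) may stand for zero to n bytes, and that the virus name contains no spaces; neither is stated in the text.

```python
import re

# Limits stated in Appendix A of SCANV72.DOC.
MAX_NAME_LEN = 25
MAX_RANGE = 99
MAX_WILDCARDS = 10

_LINE_RE = re.compile(r'^\s*"([^"]*)"\s+(\S+)\s*$')
# One token: a "*(nn)" range wildcard, a "?" fixed-position wildcard, or a hex byte.
_TOKEN_RE = re.compile(r'\*\((\d{1,2})\)|\?|[0-9A-Fa-f]{2}')


def parse_signature(line):
    """Parse one '"hex string" Virus_Name' line into (name, pattern).

    pattern is a list of tokens: an int 0..255 for a fixed byte, None for
    the "?" wildcard, and ("range", n) for the "*(n)" wildcard.
    """
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError('expected: "hex string" Virus_Name')
    hexstr, name = m.group(1), m.group(2)
    if len(name) > MAX_NAME_LEN:
        raise ValueError("virus name longer than %d characters" % MAX_NAME_LEN)
    s = hexstr.replace(" ", "")   # accept both "E9 7C" and "E97C" spellings
    pattern, pos, wildcards = [], 0, 0
    while pos < len(s):
        t = _TOKEN_RE.match(s, pos)
        if not t:
            raise ValueError("bad token at %r" % s[pos:])
        tok = t.group(0)
        if tok == "?":
            pattern.append(None)
            wildcards += 1
        elif tok.startswith("*"):
            n = int(t.group(1))
            if n > MAX_RANGE:
                raise ValueError("range wildcard larger than %d" % MAX_RANGE)
            pattern.append(("range", n))
            wildcards += 1
        else:
            pattern.append(int(tok, 16))
        pos = t.end()
    if wildcards > MAX_WILDCARDS:
        raise ValueError("more than %d wildcards in one string" % MAX_WILDCARDS)
    return name, pattern


def _match_at(data, i, pattern, k):
    """Match pattern[k:] at data[i:], backtracking over range wildcards."""
    while k < len(pattern):
        tok = pattern[k]
        if isinstance(tok, tuple):            # "*(n)": try 0..n skipped bytes (assumption)
            for skip in range(tok[1] + 1):
                if i + skip <= len(data) and _match_at(data, i + skip, pattern, k + 1):
                    return True
            return False
        if i >= len(data) or (tok is not None and data[i] != tok):
            return False                      # ran out of data or fixed byte differs
        i += 1
        k += 1
    return True


def find_signature(data, pattern):
    """Return the offset of the first match of pattern in data, or -1."""
    for i in range(len(data) + 1):
        if _match_at(data, i, pattern, 0):
            return i
    return -1


def load_ext_file(text):
    """Parse the contents of an external virus data file (one signature per line)."""
    return [parse_signature(l) for l in text.splitlines() if l.strip()]


def scan_buffer(data, signatures):
    """Return the names of every signature found somewhere in data."""
    return [name for name, pat in signatures if find_signature(data, pat) >= 0]


# Constructed sample data file using the two wildcard strings shown in Appendix A.
SAMPLE_EXT_FILE = '"E9 7C 00 10 ? 37 CB" Fixed_Wild_Example\n"E9 7C *(4) 37 CB" Range_Wild_Example\n'

if __name__ == "__main__":
    sample = b"\x90\x90" + bytes.fromhex("E97C0010AB37CB")   # constructed buffer
    print(scan_buffer(sample, load_ext_file(SAMPLE_EXT_FILE)))
```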