SCAN\SCANV61.DOC  ·  DOC  ·  27.4 KB  ·  1990-04-22  ·  from PCToday_Vol-1_June-1990
  VIRUSCAN Version 3.1V61
  From: McAfee Associates (USA) 408 988 3832

Executable Program (SCAN.EXE):
 SCAN contains a self test at load time. If SCAN has been
modified in any way, a warning will be displayed. The program will
still continue to check for viruses, however. Note that a self test
built into SCAN.EXE can be patched out by the same tampering it is
meant to detect, so treat it as a convenience rather than as proof
of integrity. For that, versions 46 and above are packaged with a
separate VALIDATE program that will authenticate the integrity of
SCAN.EXE from the outside. Refer to the VALIDATE.DOC instructions
for the use of the validation program.
 The validation results for V61 should be:

  SIZE: 43,277
  DATE: 3-31-1990
  FILE AUTHENTICATION:
  Check Method 1 - EA5F
  Check Method 2 - 15E7

 You may also call the McAfee Associates bulletin board at 408
988 4004 to obtain on-line SCAN.EXE verification data. Checking
against values obtained from the board, rather than only against
this document, matters because a tampered SCAN.EXE can arrive
together with a tampered copy of this file. The VALIDATE program
distributed with SCAN may be used to authenticate all future
versions of SCAN.

Notes on Version 61:
 Version 61 is able to detect five new viruses reported since
March 1, 1990. The first virus was submitted by Dave Chess of IBM.
It is a destructive COM and EXE infector called the Saturday the
14th virus. The virus activates every Saturday that falls on the
14th of any month and causes the first 100 sectors of the A, B, and
C drives to be overwritten. The net result is loss of all of the
control information for the media assigned to those drives. The
Partition table, Boot Sector and FAT will be destroyed. The virus
is 685 bytes long and is memory resident.
 The second new virus is the 1392 virus which was also
submitted by Dave Chess of IBM. The virus does little damage,
other than corruption of the infected programs, but it does display
the following message: "SMA KHETAPUNK - Nouvel Band A.M.O.E.B.A."
No idea what this means. The virus changes the date of infected
files to the date of infection; it is memory resident; it infects
both COM and EXE files, including COMMAND.COM and is 1392 bytes
long.
 The third new virus is the XA1, or Christmas Tree virus. It
was submitted by Christoph Fischer of West Germany. It is an
encrypted virus that only infects COM files. It activates on April
the 1st and destroys the partition table of the hard disk. From
December 24th till January 1st it will draw a full screen picture
of a christmas tree when an infected program is executed. It is
not memory resident.
 The fourth and fifth new viruses were discovered in Spain and
are called the 1720 and 1210 viruses. The 1720 infects both COM
and EXE files, while the 1210 only infects EXE files. Little is
known of these viruses at this point other than that the 1720
appears to be destructive. The viruses were named after their
respective lengths.
 In addition to the above new viruses, version 61 fixes a bug
which caused it to mis-identify the Korea Virus.


Introduction:

 VIRUSCAN scans diskettes or entire systems and identifies any
pre-existing PC virus infection. It will indicate the specific
files or system areas that are infected and will identify the virus
strain which has caused the infection. Removal can then be done
automatically using the SCAN /D option. If the infection is
widespread, automatic disinfector utilities are available which
can remove the infected segment of files and repair and restore the
infected programs.
 SCAN version 3.1V61 can identify 82 virus strains and
numerous sub-varieties for each strain. The 82 viruses include
the ten most common viruses which account for over 95% of all
reported PC infections. The complete list (in order of most recent
appearance) can be found in the accompanying file: VIRLIST.TXT.

 It is important to note that existing virus strains can be
grouped and counted differently than the ordering indicated in the
VIRLIST.TXT file. DEN ZUK, for example, has two separate versions.
Likewise, the STONED, VIENNA, ALAMEDA and JERUSALEM-B viruses have
been modified a number of times. Some researchers would define each
of these modifications, or sub-varieties, as separate viruses.
SCAN chooses to group them as the same virus, because the same scan
string can identify each of them. This is only done if
disinfection requirements for the different sub-varieties are
identical. If removal procedures differ for different varieties,
then SCAN will differentiate between them.

 All known viruses infect one of the following areas: The hard
disk partition table; the DOS boot sector of hard disks or
floppies; or one or more executable files within the system. The
executable files may be operating system programs, system device
drivers, .COM files, .EXE files, overlay files or any other file
which can be loaded into memory and executed. VIRUSCAN identifies
every area or file that has become infected and indicates the name
of the virus that has infected each file. VIRUSCAN can check the
entire system, an individual diskette, a sub-directory or an
individual file for an existing virus.

Operation:

IMPORTANT: Always place VIRUSCAN on a write protected floppy prior
to using it. This will prevent the program from becoming infected.

 To run VIRUSCAN type:

 SCAN d1: d2:...dn: [/M /D /A /E [EXTENSION LIST] /nomem /many]

         (d1-dn indicate multiple drives that may be scanned)

         Options are:
          /D - Overwrite and Delete infected files
          /M - Scan memory for all viruses
               (See restrictions below)
          /A - Scan all files
          /E - Scan listed overlays
          /nomem - Skip memory scan
          /many - Scan multiple floppies

 VIRUSCAN will check each area or file on the designated drive
that could be a host to a virus. If a virus is found, the name of
the infected file or system area will be displayed, along with the
name of the identified virus.
 If the /D option is selected, SCAN will pause after each
infected file is displayed and will ask whether you wish to remove
the infected file. If <Y> is selected, the file will be
overwritten with the hex code C3 (the Return instruction), and then
deleted. The overwrite matters: a file that is merely deleted can
be brought back with an undelete utility, virus and all. This
option is disallowed for boot sector and partition table
infections. Use the shareware M-DISK utilities to remove boot
sector or partition table viruses.
 If the /M option is chosen, SCAN will search the first 640K
of memory for all known memory resident viruses. Selecting this
option may cause false alarms if you are running SCAN in
conjunction with any other virus detection utility. It will also
add from 12 seconds to 1 minute to the scanning time. If the /M
option is not chosen, SCAN will in any case check memory for the
Dark Avenger virus. If the Dark Avenger is found in memory, SCAN
will display a warning message, with instructions to power down and
re-boot from a clean floppy.

 >>> Do not use the /M option if you are running SCANRES V42
     or earlier. Please upgrade SCANRES to the current version
     first. Otherwise false alarms will result.

 Use the /E option to scan specified overlay files. Scan will
default to OVL, OVG, OV1, OV2, OVR, SYS, BIN and PIF. Scan will
search these overlay files for any viruses capable of infecting
overlays. If you are using an application with overlay extensions
other than the defaults, then specify the extension names (up to
three) using the /E option. Example:

 SCAN C: /E .ABC .XYZ .123

 It is important to note that viruses that infect overlays
always infect the original .COM, .EXE, .BIN or .SYS files that call
the overlay. So the virus will always be discovered whether or not
the overlay is scanned. To get rid of the virus, however, you must
identify and remove it from overlays. If you do not know whether
an application uses overlay files, and SCAN has discovered one of
the viruses capable of infecting overlays, then use the /A option
to search all files.
 NOTE: The /A option will require a substantial amount
       of time to complete the scan. Use it only after a .COM
       or .EXE infection has been discovered by VIRUSCAN, or
       when a new diskette or set of program files is to be
       scanned.

 VIRUSCAN can also scan individual directories or individual
files. The command:

    SCAN C:\DIRECT\PROGRAM.EXE  will scan the file PROGRAM.EXE
                                in subdirectory DIRECT.

 VIRUSCAN will require approximately 3 minutes of run time for
each 1,000 files on the designated drive.


Exit Codes:

 SCAN will exit with the following exit codes:

    0 - Normal termination, no viruses found
    1 - One or more viruses found
    2 - Abnormal termination (Error)

Registration:

 A registration fee of $25 is required for the use of VIRUSCAN
by individual home users. Please send registrations to the address
below. This registration covers the copy currently in use and
any future versions for one year, providing they are obtained from
the McAfee Associates bulletin board or other public or private
board. Diskettes will not be mailed unless specifically requested.
Add $9 for diskette mailings. The McAfee Associates board number
is - 408 988 4004 - 1200/2400, N,8,1; 5 lines.

Corporate and organizational use:

 Corporate site licenses are required for corporate, agency and
organizational use. For site license information contact:
   McAfee Associates
   4423 Cheeney Street
   Santa Clara, CA 95054
   408 988 3832

Scanning Networks:

 VIRUSCAN works only on stand-alone PCs. If you are in a
corporate environment using local area networks you will need to
run NETSCAN. NETSCAN is not a shareware product. Site licenses
are available for NETSCAN through McAfee Associates - 408 988 3832.

Virus Removal:

 What do you do if a virus is found? Well, if you are a
registered VIRUSCAN user, you may contact McAfee Associates for
free assistance in manually removing the virus or for information
on disinfection utilities. Automatic disinfectors are available
for the majority of the known viruses and are free to registered
users. We strongly recommend that you get experienced help in
dealing with many of the viruses, particularly partition table and
boot sector infections. If you are not a registered user, the
following steps should be followed:

 Boot sector infections:
 Power down the system. Power up and boot from an uninfected,
   write protected floppy. Execute the DOS SYS command to
   attempt an overwrite of the boot sector. This works in many
   cases. Note that SYS rewrites only the DOS boot sector; it
   does not touch the partition table, so it will not remove a
   partition table infection (see below). If this does not
   work, backup all data files and perform a low level format
   of the disk.

 Executable file infections:
 Power down system. Boot from clean, write protected floppy.
 Remove all infected files. Replace from the original
   distribution diskettes.

 Partition table infections:
 Without a removal utility, the only option is to low level
   format the media.

 Disinfecting utilities are available from McAfee Associates
   for the majority of the common viruses. These utilities
   remove the virus and repair the infected files. If you are
   not a registered user of VIRUSCAN, you may purchase these
   utilities from:

 McAfee Associates
 4423 Cheeney Street
 Santa Clara, CA 95054
 408 988 3832

 BBS: 408 988 4004

-----------------------------------------------------------------

VERSION NOTES

Version 60:
 Version 60 identifies four new viruses that have been reported
from widely dispersed parts of the world. The first virus, the
Solano 2000, or Dyslexia virus, was widely and suddenly reported
in Solano County California in late February and early March 1990.
The first person to isolate and submit the virus was Edward
Winters. The virus is 2000 bytes long, but bears no resemblance
to the V2000 virus from Bulgaria. The virus infects only COM
files, is memory resident, and infects each file as it is executed.
The virus randomly reverses contiguous numeric data in the video
buffer. No other damage has been observed.
 The second virus, ItaVir, was submitted by Andrea Salvia and
Emilio Caravaglia of Milan Polytechnic in Milan, Italy. The virus
is 3,880 bytes long, infects only EXE files and is not memory
resident. The virus is activated based on the amount of time it
has been in the system (apparently a random time greater than 24
hours) and when activated, it sequentially writes all values
(between 0 and 255) to all I/O ports in the system. The result is
a dramatic confusion of all peripherals. The video monitor will
flicker and if the monitor is VGA, will also hiss. The boot sector
is also wiped out and the system will be non-bootable on power-up.
 The third virus, Vcomm, was submitted by Yuval Tal from
Rehovot, Israel. It is a non-memory resident EXE infector and is
1074 bytes long. After the virus is first executed, it infects one
other EXE file and then modifies the in-memory Command Interpreter
so that the DOS COPY command no longer works. No other disruptions
have been reported from this virus.
 The fourth virus is a boot sector infector submitted from
Korea. Limited analysis has been done so far on this virus other
than developing an identifier. The virus has been named the Korea
Virus.

Version 59:
 Version 59 now catches a number of new variations of the
Vienna, Yankee Doodle and Vacsina viruses. These variations were submitted
by researchers in Eastern Europe. The variations of the Yankee
Doodle and Vacsina appear to be earlier trial versions of these
viruses. They don't appear to be harmful, other than corrupting
the programs that are infected and there have been no reported
incidents of infection in the U.S. or Western Europe. The
variations of Vienna are likewise apparently harmless.
 A completely new virus has also been added to the scan
list. Called the V2000 virus, it works as follows:
 It installs resident in memory and then searches for and
infects the Command Interpreter (COMMAND.COM). It will then infect
any COM or EXE file whenever the file is opened. Thus, the
executable files are infected whenever they are executed, copied
or manipulated in any way. The virus hides the length increase of
infected files, much like the 4096, so the user will not see the
increased file lengths in the listing displayed by the DIR command.
 The virus is very virulent and has caused system crashes and
lost data, as well as causing some systems to become non-bootable
after infection.
 In addition to the above new virus inclusions, a number of
reported bugs have been repaired. These bugs involved false alarms
with the Lehigh Virus and the inability to detect the Taiwan virus
in some circumstances.

Version 58:
 Version 58 contains checks for a number of new viruses. The
EDV virus submitted by Dave Chess at IBM is a boot sector and
Partition table virus that was identified in mid-January. It is
a troublesome virus that causes program crashes and some data
destruction. Another new virus, the 512, is a sophisticated virus
from Bulgaria. It was discovered by Vesselin Bontchev and
forwarded through Fridrik Skulason in Iceland. The virus infects
COM files, including COMMAND.COM, and can cause run time problems
including program crashes and hung systems. The third new virus
was sent out over the VALERT-L network accidentally on February 13th
to about 600 people. It is a memory resident COM and EXE infector
that increases file size by 1559 bytes. It has not yet been fully
analyzed but it has been included in this version of scan due to
the widespread distribution of the virus.
 The VIRLIST.TXT file contains functional descriptions of each
of these viruses.
 In addition to the three new viruses, the 12 Tricks Trojan
discovered by Christoph Fischer in West Germany has also been
included for detection.

Version 57:
 SCANV57 has been substantially modified to allow
identification of viruses that use variable encryption techniques.
Two such viruses surfaced for the first time in January. These
viruses cannot be accurately identified with simple I.D. strings.
The changes to SCAN now allow these two viruses to be positively
identified, and identification of future viruses that use similar
techniques has been simplified.
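The two scan-string points this document makes, that one scan string can cover several sub-varieties of a virus (Introduction) and that a virus using variable encryption cannot be caught by a plain I.D. string on its body (Version 57), are easiest to see in a small scanner. The following Python script is an added example written for this page; it is not McAfee's SCAN, VALIDATE or CLEAN-UP code, and its two "viruses", their scan strings, bracketed I.D. codes and host files are constructed, inert byte strings built in a temporary directory, not real malware. It scans the default host and overlay extensions (or every file, like /A), reports a bracketed I.D. code as Version 55 describes, removes infected files the way /D does (overwrite with C3, then delete) and returns the documented exit codes 0, 1 and 2. The Demo-Crypt entry shows one standard way of handling an encrypted virus (not necessarily the method SCAN itself used): match the constant opcodes of the decryptor loop, with wildcards over the key and body offset, instead of the body, which changes with every key.

```python
import os
import re
import tempfile

# Exit codes exactly as the document lists them.
EXIT_CLEAN, EXIT_INFECTED, EXIT_ERROR = 0, 1, 2

# Host and overlay extensions scanned without /A (Operation section).
HOST_EXTS = {".com", ".exe", ".sys", ".bin", ".pif",
             ".ovl", ".ovg", ".ov1", ".ov2", ".ovr"}

# Constructed signature database (not real virus signatures): display name,
# bracketed I.D. code, hex scan string where "??" is a one-byte wildcard.
# Demo-Crypt's string covers the decryptor loop, so it matches any key.
SIGNATURES = [
    ("Demo-Plain Virus", "DemoP", "b8 02 3d cd 21 72 0a 8b d8 b4 3f b9 30 00"),
    ("Demo-Crypt Virus", "DemoC", "be ?? ?? b9 30 00 80 34 ?? 46 e2 fa"),
]

def compile_scan_string(hexpat):
    """Translate a hex scan string with ?? wildcards into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in hexpat.split()]
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = [(n, c, compile_scan_string(p)) for n, c, p in SIGNATURES]

def scan_bytes(data, sigs=COMPILED):
    """Return [(name, id_code)] for every scan string found in data."""
    return [(n, c) for n, c, rx in sigs if rx.search(data)]

# Constructed 48-byte "virus body": the 14 signature bytes plus NOP padding.
PLAIN_BODY = bytes.fromhex("b8023dcd21720a8bd8b43fb93000") + b"\x90" * 34

def encrypted_sample(key, body_off=0x0110):
    """Constant decryptor loop (variable immediates) + body XORed with key."""
    stub = (b"\xbe" + body_off.to_bytes(2, "little")  # mov si, body_off
            + b"\xb9\x30\x00"                         # mov cx, 48
            + b"\x80\x34" + bytes([key])              # xor byte [si], key
            + b"\x46"                                 # inc si
            + b"\xe2\xfa")                            # loop
    return stub + bytes(b ^ key for b in PLAIN_BODY)

def build_demo_dir():
    """Write a clean host, three infected hosts and a non-host file; return dir."""
    d = tempfile.mkdtemp(prefix="scandemo_")
    clean = b"\xb4\x4c\xcd\x21" + b"\x00" * 60      # mov ah,4Ch / int 21h + pad
    files = {
        "CLEAN.COM":  clean,
        "PLAIN.COM":  clean + PLAIN_BODY,
        "CRYPT1.COM": clean + encrypted_sample(0x5A),
        "CRYPT2.EXE": clean + encrypted_sample(0xA7, 0x0200),
        "README.TXT": PLAIN_BODY,   # same bytes, but .TXT is only scanned with /A
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d

def remove_infected(path):
    """/D behaviour: overwrite with C3 (RET) and then delete, so that an
    undelete tool cannot bring back a runnable copy of the virus."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(b"\xc3" * size)
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)

def scan(target, all_files=False, delete=False):
    """Scan one file or a directory tree.  Returns (exit_code, findings)
    where findings is [(filename, virus_name, id_code)]."""
    if not os.path.exists(target):
        return EXIT_ERROR, []
    paths = ([target] if os.path.isfile(target) else
             sorted(os.path.join(r, f) for r, _, fs in os.walk(target) for f in fs))
    findings = []
    for p in paths:
        if not all_files and os.path.splitext(p)[1].lower() not in HOST_EXTS:
            continue                                  # extension filter, as without /A
        try:
            with open(p, "rb") as f:
                data = f.read()
        except OSError:
            return EXIT_ERROR, findings
        for name, code in scan_bytes(data):
            findings.append((os.path.basename(p), name, code))
            if delete:
                remove_infected(p)
                break                                 # file is gone; nothing more to match
    return (EXIT_INFECTED if findings else EXIT_CLEAN), findings

if __name__ == "__main__":
    demo = build_demo_dir()
    code, found = scan(demo)
    for fname, vname, vid in found:
        print(f"{fname}: Found the {vname} [{vid}]")
    print("exit code", code)
    print("plain string vs. encrypted body:", scan_bytes(encrypted_sample(0x5A), COMPILED[:1]))
```

Run with no arguments to build and scan the sample directory; `scan(path, all_files=True)` corresponds to /A and `delete=True` to /D. The plain scan string alone returns nothing for either encrypted copy, because XOR with a different key changes every body byte; the wildcarded string still catches both, because the loop's opcodes are the same in each copy and only the immediates differ.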
 Both of these encrypted viruses were written as "experimental"
viruses. One surfaced on a number of bulletin boards in Minnesota
under the name of COM_AIDS.ZIP. I have named it the 1260 virus,
although it is based in part on the original Vienna virus. The
other was written by Patrick Toulme in Washington D.C. (author of
Virus-90). He has called the new virus Virus-101. Neither of
these viruses was designed to be destructive - they just attach
themselves to other programs. However, there is no such thing as
a "harmless" virus. All viruses corrupt the code of the host
programs, and none enter your system under invitation. And none
have yet successfully been contained. Even the most well designed
and coded "harmless" virus will cause problems in some mix of
hardware/BIOS/DOS-Version/Memory-resident-programs etc. The
Pakistani Brain is a prime example of this. For this reason we
oppose the public distribution of any kind of virus. Once
released, they cannot be controlled. In addition, many lazier
hackers can easily modify "harmless" viruses to become destructive,
and many instances of such modification exist. Thus, V57 of SCAN
includes identifiers for both of these viruses.
 In addition to the above two viruses, V57 identifies the Joker
and Perfume viruses from Poland, the Icelandic-3 found by
Fridrik Skulason in Iceland and the Halloechen virus reported by
Christoph Fischer at the University of Karlsruhe in West Germany.
These are detailed in VIRLIST.TXT.

Version 56:
 Version 56 includes a test for the Taiwan virus and fixes a
bug which caused some files infected with the Sunday virus to be
missed.

Version 55:
 Version 55 contains a virus I.D. code for each virus. This
I.D. code is displayed whenever a virus is encountered. The I.D.
is used by the new CLEAN-UP program for cleaning and repairing
infected systems. The I.D. is placed within brackets at the end
of each virus description line. e.g. Jerusalem Virus [Jeru]. The
[Jeru] tells CLEAN-UP to search for and remove the Jerusalem Virus
from infected files.

Version 54:
 Version 54 fixes a bug in version 53 that caused a false alarm
for the 4096 virus in a few instances. Version 53 should not be
used.

Version 53:
 Version 53 now allows multiple drives to be specified in the
command line so that more than one drive may be scanned with a
single command. Files with PRG extensions have also been added to
the overlay extension list for automatic scanning. New viruses
that can be detected by Version 53 are: Virus-90, Oropax, 4096, and
Chaos. These viruses are outlined in the VIRLIST.TXT document.
 Version 53 has undergone major re-structuring to make it
smaller and faster and to provide compatibility with our new
shareware Clean-Up disinfector that will be released January 15th.

Version 52:
 Version 52 adds detection for the Devil's Dance virus reported
by Mau Fragoso in Mexico City, and the AIDS Information Trojan
mailed to thousands of individuals and businesses throughout
Europe. The Devil's Dance virus is a memory resident COM infector
that ultimately scrambles all data on your hard drive. The AIDS
Trojan encrypts and locks the entire C drive when it activates
after 90 re-boots. Both of these new additions are highly
troublesome.

Version 51:
 Version 51 provides two new scan options:

  /nomem - skip memory scan
   and
   /many - scan multiple floppy diskettes

 Version 51 also detects the Payday, the Datacrime II-B and the
Amstrad viruses. The Payday and Datacrime II-B viruses were
reported by IBM in the Netherlands. The Amstrad was reported by
Jean Luz in Portugal. The Payday virus is a variation of Jerusalem
that activates on every Friday except the 13th. The Datacrime
II-B is a modified version of Datacrime II that uses a different
encryption technique to avoid detection. The Amstrad virus is a
COM infector that carries a fake advertisement for the Amstrad
computer. Both the Payday and Datacrime II-B are damaging viruses.
The Amstrad appears to be benign.

Version 50:
 Version 50 detects the Holland Girl virus. This virus was
reported by Jan Terpstra in the Netherlands. It infects .COM files
and increases their size by 1332 bytes. It contains the name and
phone number of a girl named Sylvia in Holland. Potential damage
from this virus is not yet known.

Version 49:
 A new file - VIRLIST.TXT has been added to the VIRUSCAN
package. This file lists the known viruses and describes, in table
format, their critical characteristics.
 Version 49 also checks for the following new viruses:
 - Do-Nothing virus. This virus was reported in
        October by Yuval Tal in Israel. It infects COM files
        but does no other damage and does not affect the
        system in any observable way.
 - Lisbon Virus. This virus was discovered by Jean Luz
        of Lisbon, Portugal in November. It infects COM
        files and increases the size of infected programs
        by 648 bytes. It destroys 1 out of 8 infected
        programs by overwriting - @AIDS over the first five
        bytes of the infected program.
 - Sunday Virus. This virus was discovered by multiple
        users in the Seattle, Washington area. It activates
        on Sundays and displays the message - "Today is
        Sunday, why do you work so hard?". Damage to the
        FAT has been reported from a number of infected
        sites.

Version 48:
 Version 48 identifies the TYPO .COM virus reported by Joe
Hirst in Brighton, U.K. The TYPO is a .COM infector that will
garble data sent to the parallel port. Version 48 enhancements to
VIRUSCAN are:
 1. .PIF files have been added to the default overlay
     file scan.
 2. Overlay file extensions may be defined by the user.
 3. An optional all-file scan may be selected.
 4. .SYS and .BIN files have been included in the search
     for VACSINA and FUMANCHU.

Version 47:
 Version 47 identifies the DBASE virus discovered by Ross
Greenberg of New York. The DBASE virus is a COM infector that will
corrupt data in DBF files.

Version 46:
 Version 46 now includes a test for the Ghost virus. This
virus was discovered in September by Fridrik Skulason at Icelandic
University. The virus infects .COM files and the boot sectors of
hard disks and floppies. The virus increases the size of infected
COM files by 2,351 bytes, and replaces the boot sector of infected
systems with a boot virus similar to Ping Pong. Random file
corruption by this virus has been reported. SCAN identifies both
the COM version and the boot version of this virus.

 Version 46 enhancements include:
 1. An option to remove infected files by overwriting
        the infected file and then deleting it. The command
        line option for removal, </D>, is described in the
        operation section of this document.
 2. Memory scan has been made optional for most memory
        resident viruses. SCAN will continue to force a
        memory check only for the Dark Avenger virus.
 3. Scan strings have been changed once again to avoid
        false alarms with some of the Jerusalem virus
        detectors/removers.

Version 45:
 Version 45 now identifies the new version of Jerusalem
discovered by FIDONET SysOps Jan Terpstra and Ernst Raedecker in
the Netherlands. It has been modified to avoid detection by
earlier SCAN versions.
 I need to reiterate the warning against using earlier
versions of SCAN if the Dark Avenger virus is suspected. Both
VIRUSCAN (pre-version 43) and IBM's first release VIRSCAN cause the
Dark Avenger to initiate a runaway infection process when the virus
is active in memory. Use only version 43 and above if there is any
question of the virus being present.

Version 44:
 This version is a fix for a bug in version 43. Version 43
misses a number of viruses on some systems. DO NOT USE Version 43.

Version 43/44:
 Version 43/44 now identifies the Alabama Virus. This virus
was discovered by Yisrael Radai at Hebrew University and forwarded
to us through Dave Chess at IBM. The virus infects .EXE files and
increases their size by 1560 bytes. It manipulates the file
allocation table and swaps file names so that files are slowly
lost.
 Version 43/44 now also checks for the presence of Dark Avenger
in memory prior to performing a disk scan. This prevents the virus
from using SCAN to multiply throughout the system while SCAN is
doing a search.
 URGENT: >>>>>> It is recommended that all earlier versions of
SCAN not be used if the Dark Avenger virus is suspected. It is
also recommended that people using IBM's VIRSCAN product wait until
the new memory checking version has been released before continuing
its use, or at least proceed cautiously with the existing program.
IBM is aware of the danger in scanning systems with Dark Avenger
active and a fix should be under way from IBM.

 Additional Version 43/44 enhancements are:
 - Fix to include EXE file searches for DataCrime II
 - Identification of Pakistani Brain while virus is active
      in memory
 - Fix for duplicate reporting when Ashar virus is
      identified
 - Audible beep if any viruses are found (this was
      requested by a visually impaired user)
 - Speedup of searches for large subdirectories

**** Notice ****
 1.  If SCAN identifies the Dark Avenger active in memory, it
will stop and display a warning message. The scanning will not
continue. This is an extremely infectious virus and must be
treated cautiously. Power down the system and re-boot from a
write-protected system master diskette. Then run SCAN to determine
the extent of infection. A disinfector -- M_DAV - is now available
on the McAfee Associates board that can remove this virus. The
board number is 408 988 4004.
 2.  If you use the SCANRES infection prevention program,
please upgrade to Version 43/44 of SCANRES before using SCAN 43/44.
This will avoid potential conflicts with older versions of SCANRES.

Version 42:
 Version 42 of VIRUSCAN includes an identifier for the Yankee
Doodle Virus. This virus was discovered in Vienna by Alexander
Holy at the United Nations office on Sept 30th. The virus has
reportedly been transmitted to the U.S. through U.N. employees via
the game - 'Outrun'. The virus plays the tune - 'Yankee Doodle
Dandy' on the system's speaker at 5:00 P.M. each day. Both COM and
EXE files can be infected, and infected files grow by 2899 bytes.
No knowledge yet of eventual damage potential.

Version 41:

 Version 41 of VIRUSCAN is a response to IBM's release of their
own virus scanning product. Their first release is able to check
for 28 viruses, two of which were not known by VIRUSCAN. I have
worked closely with David Chess of IBM in the past, and we have
shared virus disassemblies and live viruses freely. David has
graciously sent me the viruses I was not currently aware of, and
which their program checks for. I, in return, have sent Dave the
viruses IBM was not aware of. Hopefully the two scanning products
will achieve and maintain a parity for future releases. I have
tried the IBM product and found it to be effective in all cases for
which the product claims to work. The architecture of my own
product, VIRUSCAN, and that of IBM's VIRSCAN are different, and
with the exception of the 1701 virus, our chosen scan strings also
differ. I have chosen to encrypt the VIRUSCAN I.D. strings to make
it more difficult for hackers to modify specific areas of viruses
in order to fool SCAN. IBM has chosen to make their strings
available for easy addition or modification. Both approaches have
merit. I would like to say that I consider the IBM entry into the
virus scanning arena not as a competitive move but as a helpful
addition to the array of support tools for protecting against
viruses.

John McAfee