Text File | 1989-09-30 | 20KB | 388 lines
Dc89scan
DataCrime Virus Detection
Copyright 1989, Sector Technology
Author: Michael Allen
Introduction:
-------------
Sector Technology is pleased to provide you with this FREE
utility that will scan your PC for the presence of the "Columbus
Day", "Datacrime 1(a) and 1(b)" or "Friday the 13th" virus. You
are encouraged to make copies of this program and documentation
to pass along to your friends and workmates. We only ask that you
keep the package intact and do not modify the program or
documentation.
We welcome the opportunity to provide you with this utility; we
cannot, however, warrant detection of any strains other than
the two we have verified. We make no warranties implied or
otherwise and assume no responsibility for any adverse effects
which may be caused as a result of this software program. By the
use of this program, the user accepts responsibility and
understands that the use is at their own risk.
Sector Technology, headquartered in Falls Church, Virginia, is in
the business of providing security solutions to both the
government and corporate organizations. We are not in the
business of capitalizing on the fears of a particular virus
scare. We specialize in solving problems in computer security
and classified material handling, both in the collateral and
special access arenas.
Sector Technology's Computer Security Division offers a complete,
totally compatible line of computer security products that range
from a low cost, basic access control, anti-virus, encryption
product (Port of Entry), up through a mainframe-like
hardware/software security package (Sentinel) for the IBM
PC/XT/AT, PS/2 and compatible computer systems. We also provide
the ultimate security package for the Macintosh environment
called Empower. These products are described in more detail
below.
Instructions:
-------------
The Dc89scan program performs a very simple and straightforward
task. It scans all the .COM files on the disk drive you specify
looking for signs of the two known strains of the DataCrime virus.

To run Dc89scan, enter the program name at the DOS prompt along
with the disk drive letter and an optional path (if you want to
check only those files in a particular sub-directory). For
example, to check all the .COM files on your C: drive, enter:

     Dc89scan C:

Dc89scan will read all the .COM files in all sub-directories on
the C: drive. If you specify a sub-directory, such as:

     Dc89scan C:\DOS

it will check just the .COM files in the DOS sub-directory and
any sub-directories within and below the DOS sub-directory.

When you run Dc89scan, it begins its checking. It lists
the filenames of infected files along the left side of the screen
as shown below:

┌────────────────────────────────────────────────────────────────────┐
│Infected files:     ┌──────────────────────────────────────────────┐│
│                    │                   DC-SCAN                    ││
│IBMBIO.COM (1168)   │      Copyright 1989, Sector Technology       ││
│CHKDSK.COM (1280)   │                                              ││
│DISKCOPY.COM (1168) │DC-Scan checks all your .COM files for the    ││
│FORMAT.COM (1168)   │DataCrime (Columbus Day) virus.               ││
│MODE.COM (1168)     │It checks for both the '1168' and the '1280'  ││
│PRINT.COM (1168)    │strains. All files listed should be deleted   ││
│EDLIN.COM (1280)    │from your system before October 12!           ││
│                    │                                              ││
│                    │This program is provided free of charge by    ││
│                    │Sector Technology as a service to PC users.   ││
│                    │                                              ││
│                    │Sector Technology is in the security business.││
│                    │Our products are for all levels of business   ││
│                    │and government, including: Port of Entry,     ││
│                    │The Citadel Security System, and The Sentinel ││
│                    │Security System. Please read the documents    ││
│                    │for details, or call: (703) 845-0323.         ││
│                    └──────────────────────────────────────────────┘│
│                                                                    │
│                    Sub-directory: DOS                              │
│                             File: MORE.COM                         │
│                                                                    │
│        Press [Shift-PrtSc] to print list of infected files         │
└────────────────────────────────────────────────────────────────────┘

If more than 23 files are infected, Dc89scan will pause to allow
you to print (PrtSc) the list before clearing the list from the
screen.

The number in parentheses by the filename of each infected file
indicates which strain of the DataCrime virus was found. The
number refers to the number of bytes added to the .COM file by
the virus. The two strains are known as the 1168 virus and the
1280 virus.

The DataCrime virus infects only .COM files. When an infected
.COM file is executed, the added virus code checks the system
date. If the current date is after October 12, the virus
displays:

     DATACRIME VIRUS
     RELEASED 1 MARCH 1989

It then formats the first eight tracks of the hard disk, wiping
out your master boot record, partition table, and the DOS
partition boot record. Not a nice thing to have happen!

The virus can infect .COM files on drive C:, D:, A: or B:. It
skips COMMAND.COM (or any .COM file with a 'D' in the 7th place
of its filename) and .COM files whose length is less than seven
bytes.

PRODUCT LINE
------------
Sector Technology's Computer Security Division offers a complete,
totally compatible line of computer security products, including:
Port of Entry. A low cost, non-administrative solution to
microcomputer security needs. Access to the system requires a
verified user name, minimal 6-character password and a project
name or number. Port of Entry provides two very strong anti-
virus programs. The first, Safeboot, takes over the boot system
sequence and verifies the boot sector, DOS and command.com are
clean before the system boots. It will detect viruses like the
Brain and Lehigh that infect the boot sector. The second
program, Virwatch, is a device driver that monitors access to all
.COM, .EXE and .SYS files and the boot record and will detect and
prevent unauthorized modification, deletion or renaming of these
files.
Port of Entry also provides disklock protection (accessing the
hard drive by booting from the A drive), file-by-file encryption,
adjustable automatic logoff with screen blanking, audit trails,
project billing feature and secure file transmission.
Retail price - $75.
Our Sentinel Microcomputer Security System provides the ultimate
in micro-computer security. Sentinel is a hardware/software
security system which has been successfully evaluated by the
National Security Agency. Sentinel is the only security system to
be granted a patent by the U.S. Patent and Trademark Office for
concept and design. On-board storage of audit trails, encryption
keys, passwords and access rights' table ensures a tamper proof
and truly accountable method of tracking system usage and
authorized access to files. DES or Sector's proprietary algorithm
is handled via hardware so it is fast and virtually transparent.
Encryption can be set globally, by application, by user, or may
be user selected. In a network environment, Sentinel encrypts
and decrypts at the workstation and ensures the confidentiality
of all files going to and from the LAN file server. Read only,
read/write and execute only options ensure proper access to
specified files. Protection, audit trails and encryption are
handled on a file by file basis, not by
directories or sub-directories. Two-tier administration allows
delegation of responsibilities. Labels are attached to the files
providing access and other information irrespective of where that
file is stored. Sentinel also provides password expiration,
secure file transmission, automatic logoff, project billing
feature, copyright protection, memory purging and virus
protection.
Retail price - $465; $495 with DES.
The Citadel Microcomputer Security System is the software version
of Sentinel. Retail price - $195.
Empower, the security system for the Macintosh world, offers a
wide range of features. Empower provides transparent encryption,
handles multi-user environments, provides for multiple access
levels, optional guest access, hard disk protection and user-
specified automatic logoff (also doubles as a screen saver).
Empower also provides a complete set of controls for floppy,
internal and external hard disks.
Sector Technology's Security Division offers our proprietary
Integrated Security Management System (ISMS). The ISMS is a
comprehensive, modular, computer-based system that automates most
security functions in a security office. ISMS uses bar code
technology to manage and track U.S. Government classified
material and personnel access information. ISMS is written in
PROGRESS, a top-rated fourth generation language, that provides
superior portability from PC-DOS personal computers to micros and
minis running UNIX (XENIX on 286/386 PCs). Host architectures
include IBM, compatibles, AT&T, NCR, Plexus and the VAX/VMS
systems.
ISMS is menu driven with on-line help. We offer automation for
the following functions:
* Classified Document Control
* Organization Management
* Visitor Control
* Contract Management
* PSQ preparation/Tracking
* Storage Container Management
* Security Suspense Tracking
* Receipt Printing
* Guard Tour Management
* Personnel Security Records
* Printing of DD48's, 49's and 254's
* Vehicle Management
* Outgoing Visitor Management
* Incident/Violation Recording
Sector Technology's Security Operations Division actually staffs
and runs document and visitor control facilities for many
Department of Defense agencies and Special Access Programs. Our
personnel have clearances and the expertise to guide corporations
or agencies active in the Defense Industrial Security Program
through the ins and outs of this complex and ever changing
program.
Our Professional Services Division provides in-depth experience
in system analysis, hardware integration and software design.
Our business is Security, and whatever your security needs, we at
Sector Technology are dedicated to supply your organization with
the products and services needed to provide solutions.
Seminars/Training
Sector Technology offers a comprehensive series of security
awareness seminars. These seminars may be structured as general
in nature or designed to address specific security issues
tailored to your organizational requirements.
Our business is Integrated Security and Systems; Whatever your
security needs.
For more information on the products and services provided by
Sector Technology, please contact us at our Corporate
Headquarters listed below:
Sector Technology
Integrated Security Management
6 Skyline Place, Suite 900
5109 Leesburg Pike
Falls Church, Virginia 22041-3201
Tel: (703) 379-1800
FAX: (703) 845-0323
Additional products provided by Digital Dispatch, Inc.
------------------------------------------------------
DATA PHYSICIAN
--------------
Data Physician is a set of programs designed to help protect
your PC-DOS or MS-DOS computer system from software viruses and
logic bombs. Together, they represent the state-of-the-art in
handling these growing threats.
Most of the Data Physician programs can be used alone or in
concert, the latter of which may result in some harmless overlap in
protection. We include several different approaches to virus
protection so that the user can find an approach that makes sense
for his or her system configuration and the nature of the
evolving virus threat.
Below is a list of the major Data Physician programs, along with
a brief description. The installation and use of each program is
covered in more detail in later sections of this document.
DATAMD is the original virus protection, detection, and removal
program. It allows you to detect whether an unauthorized change
has occurred in any file or system area on your disk, and also
allows the removal of most types of viruses from previously
protected programs.
NOVIRUS works with the data created by DATAMD and runs virus
detection in background mode while you perform other tasks on
your system. This can be helpful if you have many files to
monitor or if you want continuous security monitoring of the
nature that DATAMD provides.
VirALERT (same as VirWatch, included with Port of Entry) runs
continually in the background to intercept changes to executable
and operating system files (.EXE, .COM & .SYS files). VirALERT
also watches for changes to the boot record, disk formatting
attempts, TSR (terminate and stay resident) program
installations, and other "sneaky" memory techniques used
primarily by viruses. Unlike DATAMD, VirALERT catches changes
before they occur on your system, but cannot remove an already
present virus. The choice of which approach makes the most sense
for your system depends on personal preference and the specifics
of your system usage.
SAFEBOOT (also included with Port of Entry) protects your
operating system files and installs a custom DOS boot record that
decrypts them into memory as needed. Many current viruses infect
the operating system because it provides such a powerful vantage
point. SAFEBOOT provides a critical layer of protection that
should be used whenever possible.
ANTIGEN allows DATAMD-like virus protection to be installed
directly onto any executable program. Each time a protected
program is run, it checks itself for tampering and is capable of
removing certain types of viruses on its own. ANTIGEN is useful
where the protected program needs to be widely distributed and
you want it to continue to be protected.
FILEPEEK allows you to inspect programs for suspicious-looking
messages. Many viruses and other villainous programs contain
messages that are used to taunt the hapless victim after it is
too late for him or her to prevent damage. With FILEPEEK, you
can preview new programs for material that seems out of context
with their purpose.
While it is impossible to predict the exact form that a software
virus will take, there is one activity common to all viruses:
they must write to the disk and change files or system areas in
order to "infect". Data Physician is designed to detect these
unauthorized changes. Even intelligent viruses that use file
compression and/or checksum adjustment to try to hide their
activity can be detected by the Data Physician algorithms.
There are four major approaches taken by Data Physician to detect
or otherwise protect against viral activity:
1) The DATAMD and ANTIGEN programs save a "signature" on each
protected file that consists of a cryptographic checksum plus
additional proprietary profiling data that allows both the
detection of a virus-like change, and the ability to remove
certain types of viruses from the infected file. Even in cases
where multiple generations of a virus have infected the same
file, these programs are normally able to restore the original
file. NOVIRUS uses the file protection data generated by DATAMD
to provide the same features while running in "background" mode
on your system.
2) VirALERT intercepts and warns you of attempts to manipulate
files or system areas. You can control the conditions under
which these warnings are generated, and also choose the
subsequent action to take.
3) SAFEBOOT protects the operating system files and customizes
the boot record. If any of these files are changed or replaced
by a virus, the remaining protected files detect and report the
change.
4) FILEPEEK allows you to inspect programs for suspicious
messages that viruses commonly contain.
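
The change detection described for DATAMD in item 1, together with the strain lengths given under Instructions, can be sketched as a baseline-and-verify pass over .COM files. This is an added example, not code from Sector Technology or Digital Dispatch: SHA-256 and a 16-bit byte sum stand in for the proprietary signature data, the function names and sample files are constructed, and a size increase of 1168 or 1280 bytes is only a hint about the strain, not a detection.

```python
import hashlib
import tempfile
from pathlib import Path

# Bytes added to a .COM file by each strain, as stated in the document.
STRAIN_GROWTH = (1168, 1280)

def fingerprint(path):
    """Return (size, weak 16-bit byte sum, SHA-256 hex digest) of one file."""
    data = Path(path).read_bytes()
    return len(data), sum(data) & 0xFFFF, hashlib.sha256(data).hexdigest()

def build_baseline(root):
    """Fingerprint every .COM file under root, including sub-directories."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in root.rglob("*") if p.is_file() and p.suffix.upper() == ".COM"}

def verify(root, baseline):
    """Return {relative path: finding} for files that no longer match."""
    findings = {}
    for rel, (size, sum16, digest) in baseline.items():
        new_size, new_sum16, new_digest = fingerprint(Path(root) / rel)
        growth = new_size - size
        if new_digest == digest:
            continue  # content unchanged
        if growth in STRAIN_GROWTH:
            findings[rel] = f"grew by {growth} bytes (length of the {growth} strain)"
        elif growth == 0 and new_sum16 == sum16:
            findings[rel] = "changed, size and 16-bit sum preserved"
        else:
            findings[rel] = f"changed, size delta {growth:+d}"
    return findings

def demo():
    """Constructed sample tree: three .COM files, two altered after the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "DOS").mkdir()
        (root / "MORE.COM").write_bytes(b"\x90" * 64)
        (root / "DOS/MODE.COM").write_bytes(b"\xc3" * 100)
        (root / "DOS/EDLIN.COM").write_bytes(bytes([10, 20, 30, 40]))
        baseline = build_baseline(root)
        (root / "DOS/MODE.COM").write_bytes(b"\xc3" * 100 + b"\x00" * 1168)  # grown file
        (root / "DOS/EDLIN.COM").write_bytes(bytes([11, 19, 30, 40]))  # same size and sum
        return verify(root, baseline)

if __name__ == "__main__":
    print(demo())
```

The EDLIN.COM case shows why the simple byte sum alone is not enough: the edit keeps both the length and the sum, and only the cryptographic digest exposes it.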