*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
*=                                                                        *=
=*                     VirusZ III 0.99 Documentation                      =*
*=                   Copyright © 2002 by Georg Hörmann                    *=
=*                                                                        =*
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
Last updated: 01-Apr-2002
----------------------------------------------------------------------------
LEGAL STUFF
----------------------------------------------------------------------------
The VirusZ software package is FREEWARE and copyright © 1991-1999/2002 by
Georg Hörmann and © 1999-2001 by Dirk Stöcker.
No parts of this package may be altered by any means (this includes editing,
reprogramming, crunching, resourcing etc.), except archiving. The author is
in no way liable for any changes made to any part of the package or for the
consequences thereof, just as he is in no way liable for damages or loss of
data directly or indirectly caused by this software.
Neither fees may be charged nor profits may be made by distributing this
software package. Outside a single machine environment, you are not allowed
to reproduce single parts of the package; you have to copy it completely.
----------------------------------------------------------------------------
CONTACT ADDRESSES
----------------------------------------------------------------------------
For comments, bug reports, vector check snapshots or if you have found a
new virus, contact the author at the following addresses:
snail-mail: Georg Hörmann
Martinswinkelstraße 16c
82467 Garmisch-Partenkirchen
Germany
e-mail: ghoermann@gmx.de
ghoermann@epost.de
You will always find the latest updates of VirusZ and related files on
Aminet (util/virus) or at the following places:
Virus Help Team Denmark homepage: www.vht-dk.dk
Dirk Stöcker's homepage: www.dstoecker.de
----------------------------------------------------------------------------
SYSTEM REQUIREMENTS
----------------------------------------------------------------------------
VirusZ will run on any (emulated or real) Amiga that comes with AmigaOS 2.04
(Kickstart v37) or better. The following disk-based libraries are required:
- commodities.library v37+ (part of AmigaOS)
- rexxsyslib.library v33+ (part of AmigaOS, for ARexx features)
- reqtools.library v38+
- xfdmaster.library v37+
- xvs.library v33+
- xadmaster.library v3+ (optional, for scanning inside archives)
- disassembler.library v40+ (optional, for disassembling bootblocks/memory)
None of these libraries will be distributed with the VirusZ package any
longer (because of copyright reasons and the exploding size of the archive);
get them from Aminet or the homepages mentioned above.
ATTENTION:
I received bug reports saying that VirusZ crashes immediately at startup.
These crashes only happen when both disassembler.library and mmu.library are
installed in your 'libs:' drawer, but mmu.library setup is not correct. In
those cases, either set up your mmu.library environment correctly (read the
manuals), or delete/rename mmu.library, so that disassembler.library cannot
find it at startup.
Thanks to Harry Sintonen for finding this 'bug' and its solution.
----------------------------------------------------------------------------
INSTALLATION
----------------------------------------------------------------------------
Installing VirusZ is nothing more than either dragging the icon to your
WBStartup drawer or adding the following line to your 'S:User-Startup' file:
[Path]VirusZ [Option(s)]
To make sure that you have received an original version of VirusZ and not a
fake, you can use my PGP key together with the signatures included in the
archive to verify the files. You can download a 100% safe copy of my PGP
key from the homepages mentioned above.
Additionally, you should compare the file size of your VirusZ copy with the
one displayed in the 'Technical Info' information. They MUST match if you
didn't crunch VirusZ yourself.
----------------------------------------------------------------------------
SHELL TEMPLATE
----------------------------------------------------------------------------
VirusZ currently supports the following Shell template:
CX_PRIORITY/N/K,CX_POPKEY/K,CX_POPUP/K,PUBSCREEN/K,AREXX/K,QUIT/S
For more detailed information about Shell syntax, commodity usage and hotkey
definitions, please consult the manuals shipped with your Amiga.
Please note that the ARexx interface commands described below require VirusZ
to be active already. If it is not, VirusZ is started first; the starter
process waits until the ARexx port appears and then sends the commands to
the port.
CX_PRIORITY:
Specifies the commodity priority of VirusZ's broker. Values may range from
-128 to 127, default is 0.
CX_POPKEY:
Defines the hotkey used to pop up the main window.
CX_POPUP:
Tells VirusZ whether to pop up on startup or not.
PUBSCREEN:
Tells VirusZ to open its windows on the defined public screen instead of the
Workbench screen.
AREXX:
The argument given to this option will be directly sent to VirusZ's ARexx
port as a command and the return code in the Shell will correspond to the
return code of the ARexx command.
QUIT:
Sends the ARexx command "QUIT" to an already running copy of VirusZ and thus
terminates it.
----------------------------------------------------------------------------
ICON TOOLTYPES
----------------------------------------------------------------------------
For more detailed information about tooltypes, commodity usage and hotkey
definitions, please consult the manuals shipped with your Amiga.
VirusZ currently supports the following tooltypes:
CX_PRIORITY:
Specifies the commodity priority of VirusZ's broker. Values may range from
-128 to 127, default is 0.
CX_POPKEY:
Defines the hotkey used to pop up the main window.
CX_POPUP:
Tells VirusZ whether to pop up on startup or not.
PUBSCREEN:
Tells VirusZ to open its windows on the defined public screen instead of the
Workbench screen.
----------------------------------------------------------------------------
AREXX COMMANDS
----------------------------------------------------------------------------
VirusZ has an ARexx port called 'VIRUSZ_III.REXX' that currently offers the
following commands:
HIDE:
This command makes VirusZ close its main window and work in the background.
To get the interface back you have to use the defined hotkey or the Exchange
utility.
QUIT:
This command terminates VirusZ.
As you can see, there are no really useful commands implemented at the
moment that might help you with virus scanning. This will certainly change
in the future.
----------------------------------------------------------------------------
PROGRAM STARTUP & SYSTEM SURVEILLANCE
----------------------------------------------------------------------------
VirusZ will perform a system scan at startup-time and afterwards survey your
computer for suspicious activities regularly. You can tell VirusZ what
exactly should happen on startup via the 'Startup' preferences and control
the surveillance mode via the 'Surveillance' preferences.
The following options appear in the 'Startup' preferences only:
'Perform Self-Test':
If enabled, the hunk structure of VirusZ will be checked. An alert appears
if there is something wrong (might be a link virus). Disable this option if
you intend to crunch VirusZ with a file packer because most of these modify
the hunks.
'Load Bootblock Brain':
If this option is enabled, the default bootblock brain (see 'Bootblock Lab'
preferences) will be loaded automatically.
'Pop Up Main Window':
If enabled, VirusZ opens the main window, otherwise it can be controlled via
the Exchange commodity or the ARexx port only.
'Activate Main Window':
This option tells VirusZ to activate the main window. This is useful for
all users that don't have VirusZ running in the background all the time and
want to start a scan without activating the window by-hand first.
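The self-test described above, as an added example in C that is not VirusZ's own code: it parses the AmigaDOS hunk header and walks the hunks that are actually present, comparing both with a layout compiled into the program, so an appended hunk (the usual link-virus trace) or an enlarged one is reported. The block identifiers are the standard AmigaDOS values; the sample images, the error codes and the "expected layout" are constructed here.

```c
#include <stdint.h>
#include <stddef.h>

/* AmigaOS load file block identifiers (AmigaDOS hunk format). */
enum { HUNK_CODE = 0x3E9, HUNK_DATA, HUNK_BSS, HUNK_RELOC32, HUNK_END = 0x3F2, HUNK_HEADER };

/* Bounds-checked big-endian longword reader (68k byte order); returns 0 on overrun. */
static int rd(const uint8_t *p, size_t len, size_t *off, uint32_t *v)
{
    if (*off + 4 > len) return 0;
    p += *off; *off += 4;
    *v = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
    return 1;
}

/* Compare a load file with the hunk layout compiled into the program. 0 = match,
 * 1 = no hunk header, 2 = hunk count differs (an appended link-virus hunk),
 * 3 = a hunk size differs, 4 = truncated/unknown block, 5 = bad trailer. */
int hunk_selftest(const uint8_t *img, size_t len,
                  const uint32_t *want_sizes, uint32_t want_hunks)
{
    size_t off = 0; uint32_t v, table, first, last, i, seen = 0;
    if (!rd(img, len, &off, &v) || v != HUNK_HEADER) return 1;
    do { if (!rd(img, len, &off, &v)) return 4;  /* resident library names, */
         off += (size_t)v * 4; } while (v != 0); /* normally an empty list  */
    if (!rd(img, len, &off, &table) || !rd(img, len, &off, &first) ||
        !rd(img, len, &off, &last)) return 4;
    if (table != want_hunks || last - first + 1 != table) return 2;
    for (i = 0; i < table; i++) {     /* sizes in longwords, memory flags on top */
        if (!rd(img, len, &off, &v)) return 4;
        if ((v & 0x3FFFFFFFu) != want_sizes[i]) return 3;
    }
    while (off < len) {               /* walk the hunks that are really there */
        if (!rd(img, len, &off, &v)) return 4;
        switch (v & 0x3FFFFFFFu) {
        case HUNK_CODE: case HUNK_DATA:   /* size longword, then payload */
            if (!rd(img, len, &off, &v)) return 4;
            off += (size_t)v * 4; break;
        case HUNK_BSS: if (!rd(img, len, &off, &v)) return 4; break;
        case HUNK_RELOC32:                /* (count, hunk, offsets...)* then 0 */
            do { if (!rd(img, len, &off, &v)) return 4;
                 if (v) off += 4 + (size_t)v * 4; } while (v != 0);
            break;
        case HUNK_END: seen++; break;
        default: return 4;
        }
    }
    return (off == len && seen == table) ? 0 : 5;
}

/* Constructed sample: a one-hunk program (NOP; RTS) and, if 'infected', the same
 * file with a second code hunk appended and the header table grown the way a
 * link virus leaves it. The program "knows" it has one code hunk of 2 longwords. */
int selftest_demo(int infected)
{
    static const uint32_t clean[] = { HUNK_HEADER, 0, 1, 0, 0, 2,
        HUNK_CODE, 2, 0x4E714E75u, 0, HUNK_END };
    static const uint32_t bad[] = { HUNK_HEADER, 0, 2, 0, 1, 2, 1,
        HUNK_CODE, 2, 0x4E714E75u, 0, HUNK_END, HUNK_CODE, 1, 0x4E750000u, HUNK_END };
    static const uint32_t want[] = { 2 };
    const uint32_t *w = infected ? bad : clean;
    size_t i, n = infected ? sizeof bad / sizeof bad[0] : sizeof clean / sizeof clean[0];
    uint8_t img[128];
    for (i = 0; i < n * 4; i++)       /* serialise as big-endian longwords */
        img[i] = (uint8_t)(w[i / 4] >> (24 - 8 * (i % 4)));
    return hunk_selftest(img, n * 4, want, 1);
}
```

A packer that rewrites the hunks changes exactly the values this check compares, which is why the option has to be disabled for a crunched VirusZ.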
The following options appear in both the 'Startup' and the 'Surveillance'
preferences (introduced by 'Check...' or 'Survey...'):
'...ColdCapture/CoolCapture/KickTags':
System pointers used by viruses (but also by useful utilities) to keep their
code reset resistant. Only disable these options if you really know what
you are doing.
'...CPU Interrupts/Exec Interrupts/Library Vectors/Process Fields':
Other system pointers often used by viruses. Please note that lots of
harmless utilities use them as well; not every alert VirusZ sends you means
there's a new virus in your system.
'...Bootblocks':
This will scan the bootblocks of all available disks; newly inserted disks
are detected if surveillance is activated.
'...Disk-Validators':
Scans all disk-validator files found in the L: drawer of any inserted disk.
----------------------------------------------------------------------------
GENERAL INFORMATION ABOUT PREFERENCES
----------------------------------------------------------------------------
VirusZ uses the standard AmigaOS method to store/save preferences.
Therefore the drawer 'VirusZ_III' will be created in your ENVARC: and ENV:
drawers. You can save the current settings, restore or load settings with
the corresponding menu items in the 'Preferences' menu of VirusZ.
Additionally, whenever you save your preferences, the positions and sizes of
all VirusZ windows will be stored/saved too. This means that you can
arrange all windows just as you like them, they will appear in the same
positions the next time you start VirusZ.
Settings that affect either VirusZ in general or influence several functions
can be found in 'Miscellaneous' preferences:
'Requesters Follow Mouse':
If enabled, all ReqTools requesters appear with the negative response under
the mouse pointer. If disabled, they pop up in the top left corner.
'Close Main Window = Exit':
If enabled, VirusZ quits when you click on the close-window button of the
main window, otherwise it will act as if you selected the 'Hide' item from
the 'Project' menu.
'Quit Immediately':
If enabled, VirusZ quits without verification.
'Report Known Bootblocks':
Usually, bootblocks recognized by the brain are not reported (that's the
main purpose of the whole brain system). But it may sometimes be useful to
get those already known bootblocks reported anyway. If this option is
enabled, that's exactly what will happen.
'Install SnoopDos Task':
If enabled, a task called 'SnoopDos' will be created which doesn't use any
processor time, but prevents several trojans from doing any harm.
'Center Main Window':
If enabled, VirusZ's main window appears centered at the top border of the
screen. Otherwise it will use the coordinates that have been last saved.
'Center Other Windows':
If enabled, all VirusZ windows appear centered on the screen. Otherwise
they will use the coordinates that have been last saved.
'Hotkey':
The default commodity hotkey used to pop up the main window.
----------------------------------------------------------------------------
FILE CHECK
----------------------------------------------------------------------------
You can start checking files at any time by selecting 'File Check' from the
'Project' menu. A file-request will appear where you select the files to be
checked.
The following settings can be adjusted in the 'File Check' preferences:
'Interactive Mode/Auto-Kill Viruses/Test-Only Mode':
Selects VirusZ's reaction whenever a virus has been found. Interactive mode
is recommended, test-only mode is useful if you want to scan a big harddisk
and just view the results afterwards. Currently not really useful, because
the reports cannot be saved yet!
'Skip Subdirectories':
Enable this option to skip any drawers that may exist in a selected drawer.
'Short Reportform':
Forces VirusZ III to create an output similar to the old one in VirusZ II.
'History Size':
The amount of output lines VirusZ should remember. You can scroll back to
review the checking results then.
'Decrunch Executables':
If this option is enabled, the file check decrunches executable files in
order to check them for viruses.
ATTENTION: Keep this option enabled as often as possible. VirusZ can only
detect ALL viruses if the file is totally decrunched.
'Decrunch Data Files':
If this option is enabled, the file check reads and decrunches data files in
order to check them. This is useful for data files that actually contain
executables, e.g. XPK packed files.
'Skip Crypted Files':
If this flag is set, VirusZ will not ask you for passwords or keys when it
encounters an encrypted file. This might be useful if you have protected
these files yourself and know that there are no viruses in them. You don't
have to respond to all the requesters then.
'Don't Use Any External Slaves/Use External Exec Slaves Only/
Use All External Slaves':
These options control which external slaves of xfdmaster.library are allowed
for decrunching files. Usually, you should allow exec slaves to ensure that
really all executables get decrunched; only if some badly coded external
slaves crash your system should you switch them off completely.
'Extract Archives':
This option makes VirusZ scan inside any archives that can be recognized and
extracted by the (optionally) installed xadmaster.library.
----------------------------------------------------------------------------
SECTOR CHECK
----------------------------------------------------------------------------
You can start checking disk sectors at any time by selecting 'Sector Check'
from the 'Project' menu. A device selector will appear where you select the
device to be checked. Use the 'Refresh' button to update the device list if
you have mounted new devices lately.
SORRY, THE SECTOR CHECK ITSELF IS NOT IMPLEMENTED YET !!
----------------------------------------------------------------------------
BOOTBLOCK LAB
----------------------------------------------------------------------------
The bootblock lab offers all bootblock-related functions that are necessary
to fight bootblock viruses and some more extras.
ATTENTION: Be careful with writing to / installing your harddisks. I'm not
liable for your mistakes.
There are two cycle gadgets in the bootblock lab, one on each side of the
status line. The left one selects the device you want to work with, the
right one selects the display mode (ascii dump, hex dump or disassembler
mode if disassembler.library is installed).
Some words about the disassembler output:
The default output format of disassembler.library is not very useful for
looking at bootblocks as it shows the 32-bit addresses where the bootblock
is really located in memory and all pc-relative instructions point at those
addresses too. So I decided to modify the output internally to 16-bit
format with bootblock addresses from $0000 to $03ff. All pc-relative
instructions appear that way; the ones pointing outside the bootblock range
are marked as *-$0xxx or *+$0xxx, where * means either the start or the end
of the bootblock. Locations outside a range of +/- 1kB around the bootblock
nevertheless appear with their original 32-bit address.
Whenever an error occurs, it is displayed in the status line, overwriting
the name of the bootblock currently in the buffer. By clicking on the
'Name' gadget, the name is printed again.
Functions offered via the bootblock lab gadgets:
'Read':
Reads the bootblock from the currently selected device to the buffer. Only
DOS disks can be read.
'Write':
Writes the current buffer contents to the bootblock of the selected device.
The disk type and the checksum will be corrected automatically.
'Install':
Installs a standard AmigaOS 2.04 bootblock or an uninstalled bootblock (if
selected in the 'Bootblock Lab' preferences) to the currently selected
device. The disk type will be corrected automatically.
'Load':
Opens a file request to select a bootblock file that should be loaded to the
buffer. Only DOS bootblocks can be loaded. You can use this function with
ADF files and similar disk images too, only the bootblock will be loaded.
'Save':
Saves the current buffer contents to a file. This is useful to backup
important bootblocks of games etc.
'Learn':
This gadget will only be enabled if the bootblock in the buffer is neither a
virus nor any other known bootblock. Then you are able to make VirusZ learn
the unknown bootblock and give it a name. From now on, this bootblock will
be reported with the given name and the background check will no longer
report it as unknown.
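What 'Write' and 'Install' correct automatically, as an added example in C that is not VirusZ's own code: the standard AmigaDOS bootblock checksum (end-around-carry sum of the 256 longwords, complemented) together with the "DOS" disk-type check that decides whether 'Read' accepts a disk, run against a bootblock constructed here. The disk-type repair rule in bootblock_fix and the demo helper are assumptions, not VirusZ's documented logic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BOOTBLOCK_SIZE 1024u          /* two 512-byte sectors: $0000..$03ff */

static uint32_t get_be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* AmigaDOS bootblock checksum: add all 256 longwords with end-around carry,
 * treating the checksum field at offset 4 as zero, then complement. A valid
 * bootblock therefore sums (checksum included) to $FFFFFFFF. */
uint32_t bootblock_checksum(const uint8_t *bb)
{
    uint32_t sum = 0, off;
    for (off = 0; off < BOOTBLOCK_SIZE; off += 4) {
        uint32_t prev = sum;
        sum += (off == 4) ? 0 : get_be32(bb + off);
        if (sum < prev) sum++;        /* carry out of bit 31 folds back in */
    }
    return ~sum;
}

/* A DOS bootblock starts with "DOS", a filesystem variant byte (0..7) and a
 * correct checksum; anything else is a non-DOS disk for the 'Read' gadget. */
int bootblock_is_valid_dos(const uint8_t *bb)
{
    return memcmp(bb, "DOS", 3) == 0 && bb[3] <= 7 &&
           get_be32(bb + 4) == bootblock_checksum(bb);
}

/* What 'Write' has to do before writing the buffer: correct the disk type and
 * the checksum. Assumed rule: restore "DOS" and reset an out-of-range variant
 * byte to 0 (OFS); the checksum field is always recomputed. */
void bootblock_fix(uint8_t *bb)
{
    if (memcmp(bb, "DOS", 3) != 0) memcpy(bb, "DOS", 3);
    if (bb[3] > 7) bb[3] = 0;
    put_be32(bb + 4, bootblock_checksum(bb));
}

/* Constructed demo: a zeroed bootblock with a damaged disk type and only the
 * standard DD-floppy rootblock pointer (880) set. Returns 1 if fixing makes it
 * valid and a single flipped byte afterwards makes it invalid again. */
int bootblock_demo(uint32_t *checksum_out)
{
    static uint8_t bb[BOOTBLOCK_SIZE];
    memset(bb, 0, sizeof bb);
    memcpy(bb, "D0S", 3);                 /* deliberately wrong disk type */
    put_be32(bb + 8, 880);
    bootblock_fix(bb);
    if (checksum_out) *checksum_out = get_be32(bb + 4);
    if (!bootblock_is_valid_dos(bb)) return 0;
    bb[12] ^= 0x01;                       /* the kind of change an infection leaves */
    return bootblock_is_valid_dos(bb) ? 0 : 1;
}

uint32_t bootblock_demo_checksum(void) { uint32_t c = 0; bootblock_demo(&c); return c; }
```

The same routine verifies ADF images: the first 1024 bytes of the file are the bootblock, which is all that 'Load' reads from them.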
Functions offered via the bootblock lab menus:
'Brain/New Brain':
Removes the currently loaded brain from memory.
'Brain/Load Brain':
Loads a new brain file from disk to memory.
'Brain/Save Brain':
Saves brain changes to file.
'Brain/Merge Brains':
Adds brain cells from a file to the currently loaded brain.
'Brain/Edit Brain':
Here you can rename or delete brain cells.
'Misc/Refresh Devices':
VirusZ is unfortunately not able to detect devices that have been mounted
after startup automatically. If you want to check such a device, you have
to refresh the device list with this function.
The bootblock lab offers the following settings in the 'Bootblock Lab'
preferences:
'Ask Before Write Access':
If enabled, a security request pops up every time you select 'Write' or
'Install' in the bootblock lab.
'Read Inserted Disks':
This enables the bootblock lab to read the bootblocks of inserted disks
automatically. Useful if you intend to check a whole box of disks for
bootblock viruses.
'Install Non-Bootable BB':
If enabled, 'Install' doesn't install a standard bootblock, but makes the
disk non-bootable.
'Brain':
The path and filename of the default bootblock brain. This will be used in
the file requests of the bootblock lab and for loading the brain at startup
(see 'Startup' preferences).
----------------------------------------------------------------------------
VECTOR CHECK
----------------------------------------------------------------------------
Almost all viruses work in the same manner: either they make themselves
resident and/or corrupt some libraries or devices with their code.
Therefore the vector check was designed to help you find new viruses that
can't be recognized directly by the xvs.library yet.
It will display all system vectors that are not zero or do not point to
standard ROM locations and tell you whether the changes are caused by
utilities already known or by something unknown. But this will not
necessarily mean that every vector marked 'SUSPICIOUS' is corrupted by a new
virus; there are lots of system enhancers and other tools around that cause
such changes.
You should nevertheless be alarmed if you are sure that you haven't
installed any programs that change vectors and suddenly something gets
reported by VirusZ.
If you have installed a lot of patches that already get reported by name
and the output is awfully long, you can disable the display of known
patches in the 'Vector Check' preferences.
You can also select every single line of the vector check report. The
following functions are offered depending on whether they can be applied to
the selected line:
'Monitor':
Starts the memory monitor of VirusZ and supplies it with the address of the
selected vector.
'Snapshot':
Creates a snapshot of an unknown vector and saves it automatically to the
'Snapshot Drawer' you have selected in the 'Vector Check' preferences. You
can send me all your snapshots and I will add them to the vector check.
IMPORTANT:
(a) Do not snapshot the same vectors several times, this causes me a lot of
work just for nothing!
(b) In addition to your snapshots, I need the program(s) that cause the
unknown vector(s). Snapshots without a program usually cannot be added! So
either send me the program (not its complete archive if possible) or tell me
where I can download it myself. All the programs will be deleted after
examination, so copyrights usually should not interfere with that method.
(c) To find out which programs cause changes in your system, disable all the
patches installed in your startup-sequence, user-startup or WBStartup drawer
and re-enable them one by one. Each time something new gets started, just
have a look at the vector check.
'Clear':
Clears the selected vector. Only use this if you know what you are doing!
'Remove':
Removes a single element out of a system list. Only use this if you know
what you are doing!
----------------------------------------------------------------------------
MEMORY MONITOR
----------------------------------------------------------------------------
The memory monitor has been invented to allow experienced users to snoop
around in RAM/ROM and have a look at suspicious vectors (directly from the
vector check or by entering the address). It actually is of no use for the
average user, so I will not explain it in detail.
Only memory areas from exec's memlist can be monitored, plus Kickstart ROM.
If you reach the start/end of an area, the memory monitor will automatically
wrap around to the end/start of that area, so you can never access forbidden
or non-existing addresses.
Some words about the disassembler mode:
Due to major problems with the calculation of a sensible 'Line -' / 'Page -'
address, these functions will just step backwards 2 bytes / 32 bytes each
time they get executed. Stepping forwards causes no problems, so this will
work properly in all cases.
The 'Memory Monitor' preferences currently contain only one, but very
important switch:
'Chip-Ram Start Address = $00000000':
If enabled, the memory monitor overrides the memlist entry for chip ram that
usually starts at location $00000400 and allows you to have a look at the
CPU's vector table. This interferes with most debugging tools (e.g. MuForce)
and will result in lots of annoying hits, so keep this option disabled
unless you really need it.
!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#
#!                          END OF DOCUMENTATION                          #!
!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#