Aminet 49

home *** CD-ROM | disk | FTP | other *** search

/ Aminet 49 / Aminet 49 (2002)(GTI - Schatztruhe)[!][Jun 2002].iso / Aminet / util / virus / VirusZ.lha / VirusZ / VirusZ.doc < prev next >

Wrap

Text File | 2002-04-01 | 23.4 KB | 549 lines

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*= =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=* *= *= =* VirusZ III 0.99 Documentation =* *= Copyright © 2002 by Georg Hörmann *= =* =* *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*= =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=* Last updated: 01-Apr-2002 ---------------------------------------------------------------------------- LEGAL STUFF ---------------------------------------------------------------------------- The VirusZ software package is FREEWARE and copyright © 1991-1999/2002 by Georg Hörmann and © 1999-2001 by Dirk Stöcker. No parts of this package may be altered by any means (this includes editing, reprogramming, crunching, resourcing etc.), except archiving. The author is in no way liable for any changes made to any part of the package, or consequences thereof as he is in no way liable for damages or loss of data directly or indirectly caused by this software. Neither fees may be charged nor profits may be made by distributing this software package. Outside a single machine environment, you are not allowed to reproduce single parts of the package, but you have to copy it completely. ---------------------------------------------------------------------------- CONTACT ADDRESSES ---------------------------------------------------------------------------- For comments, bug reports, vector check snapshots or if you have found some new virus, contact the author at the following addresses: snail-mail: Georg Hörmann Martinswinkelstraße 16c 82467 Garmisch-Partenkirchen Germany e-mail: ghoermann@gmx.de ghoermann@epost.de You will always find the latest updates of VirusZ and related files in the Aminet (util/virus) or at the following places: Virus Help Team Denmark homepage: www.vht-dk.dk Dirk Stöcker's homepage: www.dstoecker.de ---------------------------------------------------------------------------- SYSTEM REQUIREMENTS ---------------------------------------------------------------------------- VirusZ will run on any (emulated or real) Amiga that comes with AmigaOS 2.04 (Kickstart v37) or better. The following disk-based libraries are required: - commodities.library v37+ (part of AmigaOS) - rexxsyslib.library v33+ (part of AmigaOS, for ARexx features) - reqtools.library v38+ - xfdmaster.library v37+ - xvs.library v33+ - xadmaster.library v3+ (optional, for scanning inside archives) - disassembler.library v40+ (optional, for disassembling bootblocks/memory) None of these libraries will be distributed with the VirusZ package any longer (because of copyright reasons and the exploding size of the archive), get them from Aminet or the homepages mentioned above. ATTENTION: I received bug reports saying that VirusZ crashes immediately at startup. These crashes only happen when both disassembler.library and mmu.library are installed in your 'libs:' drawer, but mmu.library setup is not correct. In those cases, either set up your mmu.library environment correctly (read the manuals), or delete/rename mmu.library, so that disassembler.library cannot find it at startup. Thanks to Harry Sintonen for finding this 'bug' and its solution. ---------------------------------------------------------------------------- INSTALLATION ---------------------------------------------------------------------------- Installing VirusZ is nothing more than either dragging the icon to your WBStartup drawer or adding the following line to your 'S:User-Startup' file: [Path]VirusZ [Option(s)] To make sure that you have received an original version of VirusZ and not a fake, you can use my PGP key added at the end of this documentation together with the signatures included in the archive to verify the files. You can also download a 100% safe copy of my PGP key from the homepages mentioned above. Additionally, you should compare the file size of your VirusZ copy with the one displayed in the 'Technical Info' information. They MUST match if you didn't crunch VirusZ yourself. ---------------------------------------------------------------------------- SHELL TEMPLATE ---------------------------------------------------------------------------- VirusZ currently supports the following Shell template: CX_PRIORITY/N/K,CX_POPKEY/K,CX_POPUP/K,PUBSCREEN/K,AREXX/K,QUIT/S For more detailed information about Shell syntax, commodity usage and hotkey definitions, please consult the manuals shipped with your Amiga. Please note that the ARexx interface commands described below require VirusZ to be active already. If it is not, it will first be started, the starter process will wait until the ARexx port appears and then the commands are sent to the port. CX_PRIORITY: Specifies the commodity priority of VirusZ's broker. Values may range from -128 to 127, default is 0. CX_POPKEY: Defines the hotkey used to pop up the main window. CX_POPUP: Tells VirusZ whether to pop up on startup or not. PUBSCREEN: Tells VirusZ to open its windows on the defined public screen instead of the Workbench screen. AREXX: The argument given to this option will be directly sent to VirusZ's ARexx port as a command and the return code in the Shell will correspond to the return code of the ARexx command. QUIT: Sends the ARexx command "QUIT" to an already running copy of VirusZ and thus terminates it. ---------------------------------------------------------------------------- ICON TOOLTYPES ---------------------------------------------------------------------------- For more detailed information about tooltypes, commodity usage and hotkey definitions, please consult the manuals shipped with your Amiga. VirusZ currently supports the following tooltypes: CX_PRIORITY: Specifies the commodity priority of VirusZ's broker. Values may range from -128 to 127, default is 0. CX_POPKEY: Defines the hotkey used to pop up the main window. CX_POPUP: Tells VirusZ whether to pop up on startup or not. PUBSCREEN: Tells VirusZ to open its windows on the defined public screen instead of the Workbench. ---------------------------------------------------------------------------- AREXX COMMANDS ---------------------------------------------------------------------------- VirusZ has an ARexx port called 'VIRUSZ_III.REXX' that currently offers the following commands: HIDE: This command makes VirusZ close its main window and work in the background. To get the interface back you have to use the defined hotkey or the Exchange utility. QUIT: This command terminates VirusZ. As you can see, there are no really useful commands implemented at the moment that might help you with virus scanning. This will certainly change in the future. ---------------------------------------------------------------------------- PROGRAM STARTUP & SYSTEM SURVEILLANCE ---------------------------------------------------------------------------- VirusZ will perform a system scan at startup-time and afterwards survey your computer for suspicious activities regularly. You can tell VirusZ what exactly should happen on startup via the 'Startup' preferences and control the surveillance mode via the 'Surveillance' preferences. The following options appear in the 'Startup' preferences only: 'Perform Self-Test': If enabled, the hunk structure of VirusZ will be checked. An alert appears if there is something wrong (might be a link virus). Disable this option if you intend to crunch VirusZ with a file packer because most of these modify the hunks. 'Load Bootblock Brain': If this option is enabled, the default bootblock brain (see 'Bootblock Lab' preferences) will be loaded automatically. 'Pop Up Main Window': If enabled, VirusZ opens the main window, otherwise it can be controlled via the Exchange commodity or the ARexx port only. 'Activate Main Window': This option tells VirusZ to activate the main window. This is useful for all users that don't have VirusZ running in the background all the time and want to start a scan without activating the window by-hand first. The following options appear in both the 'Startup' and the 'Surveillance' preferences (introduced by 'Check...' or 'Survey...'): '...ColdCapture/CoolCapture/KickTags': System pointers used by viruses (but also by useful utilities) to keep their code reset resistant. Only disable these options if you really know what you are doing. '...CPU Interrupts/Exec Interrupts/Library Vectors/Process Fields': Other system pointers often used by viruses. Please note that also lots of harmless utilities use them, not every alert that VirusZ will send you means there's a new virus in your system. '...Bootblocks': This will scan the bootblocks of all available disks, newly inserted disks are detected if surveillance is activated. '...Disk-Validators': Scans all disk-validator files found in L: drawer of any inserted disk. ---------------------------------------------------------------------------- GENERAL INFORMATION ABOUT PREFERENCES ---------------------------------------------------------------------------- VirusZ uses the standard AmigaOS method to store/save preferences. Therefore the drawer 'VirusZ_III' will be created in your ENVARC: and ENV: drawers. You can save the current settings, restore or load settings with the corresponding menu items in the 'Preferences' menu of VirusZ. Additionally, whenever you save your preferences, the positions and sizes of all VirusZ windows will be stored/saved too. This means that you can arrange all windows just as you like them, they will appear in the same positions the next time you start VirusZ. Settings that affect either VirusZ in general or influence several functions can be found in 'Miscellaneous' preferences: 'Requesters Follow Mouse': If enabled, all ReqTools requesters appear with the negative response under the mouse pointer. If disabled, they pop up in the top left corner. 'Close Main Window = Exit': If enabled, VirusZ quits when you click on the close-window button of the main window, otherwise it will act as if you selected the 'Hide' item from the 'Project' menu. 'Quit Immediately': If enabled, VirusZ quits without verification. 'Report Known Bootblocks': Usually, bootblocks recognized by the brain are not reported (that's the main purpose of the whole brain system). But it may sometimes be useful to get those already known bootblocks reported anyway. If this option is enabled, that's excactly what will happen. 'Install SnoopDos Task': If enabled, a task called 'SnoopDos' will be created which doesn't use any processor time, but prevents several trojans from doing any harm. 'Center Main Window': If enabled, VirusZ's main window appears centered at the top border of the screen. Otherwise it will use the coordinates that have been last saved. 'Center Other Windows': If enabled, all VirusZ windows appear centered on the screen. Otherwise they will use the coordinates that have been last saved. 'Hotkey': The default commodity hotkey used to pop up the main window. ---------------------------------------------------------------------------- FILE CHECK ---------------------------------------------------------------------------- You can start checking files at any time by selecting 'File Check' from the 'Project' menu. A file-request will appear where you select the files to be checked. The following settings can be adjusted in the 'File Check' preferences: 'Interactive Mode/Auto-Kill Viruses/Test-Only Mode': Selects VirusZ's reaction whenever a virus has been found. Interactive mode is recommended, test-only mode is useful if you want to scan a big harddisk and just view the results afterwards. Currently not really useful, because the reports cannot be saved yet! 'Skip Subdirectories': Enable this option to skip any drawers that may exist in a selected drawer. 'Short Reportform': Forces VirusZ III to create an output similar to the old one in VirusZ II. 'History Size': The amount of output lines VirusZ should remember. You can scroll back to review the checking results then. 'Decrunch Executables': If this option is enabled, the file check decrunches executable files in order to check them for viruses. ATTENTION: Keep this option enabled as often as possible. VirusZ can only detect ALL viruses if the file is totally decrunched. 'Decrunch Data Files': If this option is enabled, the file check reads and decrunches data files in order to check them. This is useful for data files that actually contain executables, eg. XPK packed files. 'Skip Crypted Files': If this flag is set, VirusZ will not ask you for passwords or keys if there appears a crypted file. This might be useful if you have protected these files yourself and know that there are no viruses in them. You don't have to respond to all the requesters then. 'Don't Use Any External Slaves/Use External Exec Slaves Only/ Use All External Slaves': These options control which external slaves of xfdmaster.library are allowed for decrunching files. Usually, you should allow exec slaves to ensure that really all executables get decrunched, only if some badly coded external slaves crash your system, you can switch them off completely. 'Extract Archives': This option makes VirusZ scan inside any archives that can be recognized and extracted by the (optionally) installed xadmaster.library. ---------------------------------------------------------------------------- SECTOR CHECK ---------------------------------------------------------------------------- You can start checking disk sectors at any time by selecting 'Sector Check' from the 'Project' menu. A device selector will appear where you select the device to be checked. Use the 'Refresh' button to update the device list if you have mounted new devices lately. SORRY, THE SECTOR CHECK ITSELF IS NOT IMPLEMENTED YET !! ---------------------------------------------------------------------------- BOOTBLOCK LAB ---------------------------------------------------------------------------- The bootblock lab offers all bootblock-related functions that are necessary to fight bootblock viruses and some more extras. ATTENTION: Be careful with writing to / installing your harddisks. I'm not reliable for your faults. There are two cycle gadgets in the bootblock lab, one on each side of the status line. The left one selects the device you want to work with, the right one selects the display mode (ascii dump, hex dump or disassembler mode if disassembler.library is installed). Some words about the disassembler output: The default output format of disassembler.library is not very usable for looking at bootblocks as it shows the 32-bit addresses where the bootblock is really located in memory and all pc-relative instructions point at those addresses too. So I decided to modify the output internally to 16-bit format with bootblock addresses from $0000 to $03ff. All pc-relative instructions appear that way, the ones pointing outside the bootblock range are marked as *-$0xxx or *+$0xxx, where * means either the start or the end of the bootblock. Locations outside a range of +/- 1kB around the bootblock nevertheless appear with their original 32-bit address. Whenever there occurs an error, this will be displayed in the status line. Then the name of the current bootblock in the buffer will be overwritten. By clicking on the 'Name' gadget, the name is printed again. Functions offered via the bootblock lab gadgets: 'Read': Reads the bootblock from the currently selected device to the buffer. Only DOS disks can be read. 'Write': Writes the current buffer contents to the bootblock of the selected device. The disk type and the checksum will be corrected automatically. 'Install': Installs a standard AmigaOS 2.04 bootblock or an uninstalled bootblock (if selected in the 'Bootblock Lab' preferences) to the currently selected device. The disk type will be corrected automatically. 'Load': Opens a file request to select a bootblock file that should be loaded to the buffer. Only DOS bootblocks can be loaded. You can use this function with ADF files and similar disk images too, only the bootblock will be loaded. 'Save': Saves the current buffer contents to a file. This is useful to backup important bootblocks of games etc. 'Learn': This gadget will only be enabled if the bootblock in the buffer is neither a virus nor any other known bootblock. Then you are able to make VirusZ learn the unknown bootblock and give it a name. From now on, this bootblock will be reported with the given name and the background check will no longer report it as unknown. Functions offered via the bootblock lab menus: 'Brain/New Brain': Removes the currently loaded brain from memory. 'Brain/Load Brain': Loads a new brain file from disk to memory. 'Brain/Save Brain': Saves brain changes to file. 'Brain/Merge Brains': Adds brain cells from a file to the currently loaded brain. 'Brain/Edit Brain': Here you can rename or delete brain cells. 'Misc/Refresh Devices': VirusZ is unfortunately not able to detect devices that have been mounted after startup automatically. If you want to check such a device, you have to refresh the device list with this function. The bootblock lab offers the following settings in the 'Bootblock Lab' preferences: 'Ask Before Write Access': If enabled, a security request pops up every time you select 'Write' or 'Install' in the bootblock lab. 'Read Inserted Disks': This enables the bootblock lab to read the bootblocks of inserted disks automatically. Useful if you intend to check a whole box of disks for bootblock viruses. 'Install Non-Bootable BB': If enabled, 'Install' doesn't install a standard bootblock, but makes the disk non-bootable. 'Brain': The path and filename of the default bootblock brain. This will be used in the file requests of the bootblock lab and for loading the brain at startup (see 'Startup' preferences). ---------------------------------------------------------------------------- VECTOR CHECK ---------------------------------------------------------------------------- Mostly all viruses work in the same manner. Either they make themselves resident and/or corrupt some libraries or devices with their code. Therefore the vector check was designed to help you finding new viruses that can't be recognized directly by the xvs.library yet. It will display all system vectors that are not zero or do not point to standard ROM locations and tell you whether the changes are caused by utilities already known or by something unknown. But this will not necessarily mean that every vector marked 'SUSPICIOUS' is corrupted by a new virus, there are lots of system enhancers and other tools around that cause such changes. You should nevertheless be alarmed if you are sure that you didn't have installed any programs that change vectors and suddenly something gets reported by VirusZ. You might have installed a lot of patches that already get reported by name, and the output is awfully long, then you can disable the displaying of known patches in the 'Vector Check' preferences. You can also select every single line of the vector check report. The following functions are offered depending if they can be applied on the selected line or not: 'Monitor': Starts the memory monitor of VirusZ and supplies it with the address of the selected vector. 'Snapshot': Creates a snapshot of an unknown vector and saves it automatically to the 'Snapshot Drawer' you have selected in the 'Vector Check' preferences. You can send me all your snapshots and I will add them to the vector check. IMPORTANT: (a) Do not snapshot the same vectors several times, this causes me a lot of work just for nothing! (b) In addition to your snapshots, I need the program(s) that cause the unknown vector(s). Snapshots without a program usually cannot be added! So either send me the program (not its complete archive if possible) or tell me where I can download it myself. All the programs will be deleted after examination, so copyrights usually should not interfere with that method. (c) To find out which programs cause changes in your system, disable all the patches installed in your startup-sequence, user-startup or WBStartup drawer and re-enable them one by one. Each time something new gets started, just have a look at the vector check. 'Clear': Clears the selected vector. Only use this if you know what you are doing! 'Remove': Removes a single element out of a system list. Only use this if you know what you are doing! ---------------------------------------------------------------------------- MEMORY MONITOR ---------------------------------------------------------------------------- The memory monitor has been invented to allow experienced users to snoop around in RAM/ROM and have a look at suspicious vectors (directly from the vector check or by entering the address). It actually is of no use for the average user, so I will not explain it in detail. Only memory areas from exec's memlist can be monitored, plus Kickstart ROM. If you reach the start/end of an area, the memory monitor will automatically wrap around to the end/start of that area, so you can never access forbidden or non-existing addresses. Some words about the disassembler mode: Due to major problems with the calculation of a sensible 'Line -' / 'Page -' address, these functions will just step backwards 2 bytes / 32 bytes each time they get executed. Stepping forwards causes no problems, so this will work properly in all cases. The 'Memory Monitor' preferences currently contain only one, but very important switch: 'Chip-Ram Start Address = $00000000': If enabled, the memory monitor overrides the memlist entry for chip ram that usually starts at location $00000400 and allows you to have a look at the cpu's vectortable. This interferes with most debugging tools (eg. MuForce) and will result in lots of annoying hits, so keep this option disabled unless you really need it. !#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!# #! END OF DOCUMENTATION #! !#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!# -----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGPfreeware 5.0i for non-commercial use mQCNAzuzvG4AAAEEAKbvwOuWJSNZHJyNommciVkVj98H+O32pP42OM20WHy3CMuG E2D2tSQwvkUZCBDMvdqYRDP7Jkfw+hHpbNAFls2x/ujMJ0u8FP7g2ivfg99W6cMp PX6OXgqImTAMcxp5az6mbemZ0K4+FBMfBmDWs+226/IOWu3fdGUOxNgKgx13AAUR tCFHZW9yZyBIb2VybWFubiA8Z2hvZXJtYW5uQGdteC5kZT6JAJUDBRA7s7xuZQ7E 2AqDHXcBAYghBACIpDzrTak/DA32mAJabo2D082o83MFTJTwSSft6k2VFY3jr2ia 2TckPkqEc0TKe24nQbhRZI6ehkMlJmKcsSmG38hwMXkIvEQc03jOv6dVmzqRPiR2 2Vtc7WnKdBh/FUbCmvuGqstEKonKrCfXKv8zBSp5wWVnlZKRhDUGsLyXlg== =hPFP -----END PGP PUBLIC KEY BLOCK-----