*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
*=                                                                        *=
=*                     VirusZ III 0.9b Documentation                      =*
*=                   Copyright © 2002 by Georg Hörmann                    *=
=*                                                                        =*
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
Last updated: 07-Jul-2002
----------------------------------------------------------------------------
LEGAL STUFF
----------------------------------------------------------------------------
The VirusZ software package is FREEWARE and copyright © 1991-1999/2002 by
Georg Hörmann and © 1999-2001 by Dirk Stöcker.
No parts of this package may be altered by any means (this includes editing,
reprogramming, crunching, resourcing etc.), except archiving. The author is
in no way liable for any changes made to any part of the package, or
consequences thereof as he is in no way liable for damages or loss of data
directly or indirectly caused by this software.
Neither fees may be charged nor profits may be made by distributing this
software package. Outside a single machine environment, you are not allowed
to reproduce single parts of the package, but you have to copy it
completely.
Note that the xadmaster.library is SHAREWARE, so if you are using it, please
register. For more detailed information, read 'xadmaster.guide' from the
xadmaster.library software package.
----------------------------------------------------------------------------
CONTACT ADDRESSES
----------------------------------------------------------------------------
For comments, bug reports, vector snapshots or if you have found some new
virus, contact the author at the following addresses:
snail-mail: Georg Hörmann
Martinswinkelstraße 16c
82467 Garmisch-Partenkirchen
Germany
e-mail: ghoermann@gmx.de
ghoermann@epost.de
You will always find the latest updates of VirusZ and related files in the
Aminet (util/virus) or at the following places:
Virus Help Team Denmark homepage: www.vht-dk.dk
Dirk Stöcker's homepage: www.dstoecker.de
----------------------------------------------------------------------------
SYSTEM REQUIREMENTS
----------------------------------------------------------------------------
VirusZ will run on any (emulated or real) Amiga that comes with AmigaOS 2.04
(Kickstart v37) or better. The following disk-based libraries are required:
- commodities.library v37+ (part of AmigaOS)
- rexxsyslib.library v33+ (part of AmigaOS, for ARexx features)
- reqtools.library v38+
- xfdmaster.library v37+
- xvs.library v33+
- xadmaster.library v3+ (optional, for scanning inside archives)
- disassembler.library v40+ (optional, for disassembling bootblocks/memory)
None of these libraries is distributed with the VirusZ package any longer
(for copyright reasons and because of the exploding size of the archive);
get them from Aminet or the homepages mentioned above.
----------------------------------------------------------------------------
INSTALLATION
----------------------------------------------------------------------------
Installing VirusZ is nothing more than either dragging the icon to your
WBStartup drawer or adding the following line to your 'S:User-Startup' file:
[Path]VirusZ [Option(s)]
To make sure that you have received an original version of VirusZ and not a
fake, you can use my PGP key added at the end of this documentation together
with the signatures included in the archive to verify the files. You can
also download a 100% safe copy of my PGP key from the homepages mentioned
above.
Additionally, you should compare the file size of your VirusZ copy with the
one displayed in the 'Technical Info' information. They MUST match if you
didn't crunch VirusZ yourself.
----------------------------------------------------------------------------
KNOWN PROBLEMS & THIRD PARTY BUGS
----------------------------------------------------------------------------
DISASSEMBLER.LIBRARY & MMU.LIBRARY:
VirusZ might crash if both disassembler.library and mmu.library exist in
your LIBS: drawer, but the mmu.library setup is incorrect. In those cases,
either configure your mmu.library environment correctly (read the manuals)
or delete/rename mmu.library, so that disassembler.library cannot find it at
startup. Thanks to Harry Sintonen for this report.
STATRAM.DEVICE v37.11:
VirusZ might crash if you have installed a recoverable RAM-disk (e.g. SD0)
based on the statram.device, due to a bug in the command scheduler of this
device (it doesn't handle NSD commands correctly). There are two solutions
for this problem:
(a) If you are using NSDPatch (AmigaOS 3.5) or AmigaOS 3.9, uncomment the
entry for statram.device in the DEVS:NSDPatch.cfg file.
(b) In all other cases, patch statram.device yourself! Load the file in any
hex editor and go to offset $0000014c. If you find the byte value $6c here,
change it to value $64 (only guaranteed for v37.11) and save the file back
to disk.
Thanks to Jan Andersen for this bug report.
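The following Python snippet is an added illustration of solution (b), not
part of VirusZ. It applies the single-byte change from the documentation
($6c -> $64 at offset $0000014c) only after confirming that the file
carries a '$VER:' string naming statram.device 37.11 and that the expected
byte is actually there, and it keeps a backup. The exact wording of the
device's version string and the file path are assumptions; the sample buffer
used to exercise it is constructed.

```python
import shutil
from pathlib import Path

PATCH_OFFSET = 0x14C      # $0000014c, from the documentation
EXPECTED_BYTE = 0x6C      # value found in the unpatched v37.11
PATCHED_BYTE = 0x64       # replacement value from the documentation


def version_string(data):
    """Return the AmigaOS '$VER:' version string embedded in data, or None."""
    start = data.find(b"$VER:")
    if start < 0:
        return None
    end = data.find(b"\0", start)
    return data[start + 5:(end if end >= 0 else None)].decode("latin-1").strip()


def is_statram_37_11(data):
    """Assumption: the version string starts with 'statram.device 37.11'."""
    ver = version_string(data)
    return ver is not None and ver.split()[:2] == ["statram.device", "37.11"]


def patch_byte(data):
    """Return a patched copy of data, or None when the patch must not be
    applied: wrong/unknown version, file too short, or the byte at the
    offset is not $6c (already patched or a different build)."""
    if not is_statram_37_11(data):
        return None
    if len(data) <= PATCH_OFFSET or data[PATCH_OFFSET] != EXPECTED_BYTE:
        return None
    out = bytearray(data)
    out[PATCH_OFFSET] = PATCHED_BYTE
    return bytes(out)


def patch_file(path):
    """Patch a copy of statram.device in place, saving a '.bak' copy first.
    Returns True if the file was changed, False if it was left untouched."""
    p = Path(path)
    patched = patch_byte(p.read_bytes())
    if patched is None:
        return False
    shutil.copy2(p, p.with_name(p.name + ".bak"))
    p.write_bytes(patched)
    return True


if __name__ == "__main__":
    # Constructed sample: a 512-byte dummy device with a version string and
    # the $6c byte at the documented offset; not the real statram.device.
    sample = bytearray(0x200)
    ver = b"$VER: statram.device 37.11 (14.2.92)\0"
    sample[0x100:0x100 + len(ver)] = ver
    sample[PATCH_OFFSET] = EXPECTED_BYTE
    print("patched" if patch_byte(bytes(sample)) else "left untouched")
```

Refusing to patch when the guard byte or version does not match is the
important part: blindly writing $64 to offset $14c of some other release of
the device would corrupt it rather than fix it.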
MUFORCE HITS:
xvs.library currently causes one hit (LONG READ from $000000c0) every time
the memory gets checked for viruses. I cannot fix this hit, because we MUST
test this memory location for a specific virus that will copy some of its
code there!
----------------------------------------------------------------------------
SHELL TEMPLATE
----------------------------------------------------------------------------
VirusZ currently supports the following Shell template:
CX_PRIORITY/N/K,CX_POPKEY/K,CX_POPUP/K,PUBSCREEN/K,AREXX/K,QUIT/S
For more detailed information about Shell syntax, commodity usage and hotkey
definitions, please consult the manuals shipped with your Amiga.
Please note that the ARexx interface commands described below require VirusZ
to be active already. If it is not, it will first be started, the starter
process will wait until the ARexx port appears and then the commands are
sent to the port.
CX_PRIORITY:
Specifies the commodity priority of VirusZ's broker. Values may range from
-128 to 127, default is 0.
CX_POPKEY:
Defines the hotkey used to pop up the main window.
CX_POPUP:
Tells VirusZ whether to pop up on startup or not.
PUBSCREEN:
Tells VirusZ to open its windows on the defined public screen instead of the
Workbench screen.
AREXX:
The argument given to this option will be directly sent to VirusZ's ARexx
port as a command and the return code in the Shell will correspond to the
return code of the ARexx command.
QUIT:
Sends the ARexx command "QUIT" to an already running copy of VirusZ and thus
terminates it.
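To make the template above concrete, here is an added Python parser for
AmigaDOS ReadArgs()-style templates, written for this documentation and not
taken from VirusZ or AmigaOS. It implements only the modifiers VirusZ's
template uses (/K keyword, /N number, /S switch) and applies the documented
CX_PRIORITY range and default. Quoting is handled with Python's shlex, which
is close to but not identical to AmigaDOS quoting (an assumption of this
example); the command lines exercised below are constructed.

```python
import shlex

# The Shell template quoted in the documentation above.
TEMPLATE = "CX_PRIORITY/N/K,CX_POPKEY/K,CX_POPUP/K,PUBSCREEN/K,AREXX/K,QUIT/S"


def parse_template(template):
    """Turn 'NAME/MOD/MOD,...' into an ordered list of (NAME, {modifiers})."""
    fields = []
    for item in template.split(","):
        name, *mods = item.split("/")
        fields.append((name.upper(), {m.upper() for m in mods}))
    return fields


def read_args(template, line):
    """Match a command line against the template, ReadArgs-style.

    /K: the keyword must be given explicitly as 'KEY value' or 'KEY=value'
    /N: the value is converted to a decimal integer
    /S: boolean switch, present or absent
    Fields not given come back as None (switches as False).  Raises
    ValueError where ReadArgs() would report a bad argument line.
    """
    fields = parse_template(template)
    mods_of = dict(fields)
    result = {name: (False if "S" in mods else None) for name, mods in fields}
    tokens = shlex.split(line)
    i = 0
    while i < len(tokens):
        key, eq, inline_val = tokens[i].partition("=")
        key = key.upper()
        if key not in mods_of:
            # every field of this template is /K or /S, so there are no
            # positional arguments to fall back to
            raise ValueError(f"unexpected argument {tokens[i]!r}")
        mods = mods_of[key]
        if "S" in mods:
            if eq:
                raise ValueError(f"switch {key} takes no value")
            result[key] = True
            i += 1
            continue
        if eq:
            value = inline_val
        elif i + 1 < len(tokens):
            value = tokens[i + 1]       # the next token, taken literally
            i += 1
        else:
            raise ValueError(f"keyword {key} needs a value")
        if "N" in mods:
            try:
                value = int(value)
            except ValueError:
                raise ValueError(f"{key} expects a number, got {value!r}") from None
        result[key] = value
        i += 1
    return result


def virusz_args(line):
    """Parse VirusZ's template and apply the documented CX_PRIORITY rules:
    range -128..127, default 0."""
    args = read_args(TEMPLATE, line)
    if args["CX_PRIORITY"] is None:
        args["CX_PRIORITY"] = 0
    elif not -128 <= args["CX_PRIORITY"] <= 127:
        raise ValueError("CX_PRIORITY must be between -128 and 127")
    return args


if __name__ == "__main__":
    print(virusz_args('CX_PRIORITY=5 CX_POPKEY "ctrl alt v" QUIT'))
```

Note the ReadArgs rule that the token following a /K keyword is taken
literally: 'AREXX QUIT' passes the string "QUIT" as the ARexx command
rather than setting the QUIT switch, which is exactly how the AREXX option
described above is meant to be used.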
----------------------------------------------------------------------------
ICON TOOLTYPES
----------------------------------------------------------------------------
For more detailed information about tooltypes, commodity usage and hotkey
definitions, please consult the manuals shipped with your Amiga.
VirusZ currently supports the following tooltypes:
CX_PRIORITY:
Specifies the commodity priority of VirusZ's broker. Values may range from
-128 to 127, default is 0.
CX_POPKEY:
Defines the hotkey used to pop up the main window.
CX_POPUP:
Tells VirusZ whether to pop up on startup or not.
PUBSCREEN:
Tells VirusZ to open its windows on the defined public screen instead of the
Workbench.
----------------------------------------------------------------------------
AREXX COMMANDS
----------------------------------------------------------------------------
VirusZ has an ARexx port called 'VIRUSZ_III.REXX' that currently offers the
following commands:
HIDE:
This command makes VirusZ close its main window and work in the background.
To get the interface back you have to use the defined hotkey or the Exchange
utility.
QUIT:
This command terminates VirusZ.
As you can see, there are no really useful commands implemented at the
moment that might help you with virus scanning. This will certainly change
in the future.
----------------------------------------------------------------------------
PROGRAM STARTUP & SYSTEM SURVEILLANCE
----------------------------------------------------------------------------
VirusZ will perform a system scan at startup-time and afterwards survey your
computer for suspicious activities regularly. You can tell VirusZ what
exactly should happen on startup via the 'Startup' preferences and control
the surveillance mode via the 'Surveillance' preferences.
The following options appear in the 'Startup' preferences only:
'Perform Self-Test':
If enabled, the hunk structure of VirusZ will be checked. An alert appears
if there is something wrong (might be a link virus). Disable this option if
you intend to crunch VirusZ with a file packer because most of these modify
the hunks.
'Load Bootblock Brain':
If this option is enabled, the default bootblock brain (see 'Bootblock Lab'
preferences) will be loaded automatically.
'Pop Up Main Window':
If enabled, VirusZ opens the main window, otherwise it can be controlled via
the Exchange commodity or the ARexx port only.
'Activate Main Window':
This option tells VirusZ to activate the main window. This is useful for
all users who don't have VirusZ running in the background all the time and
want to start a scan without activating the window by hand first.
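As an added illustration of what a hunk self-test like the one described
under 'Perform Self-Test' can check, here is a small Python walker over the
AmigaOS hunk executable format. It is not VirusZ's self-test; the hunk IDs
are the documented AmigaOS values, and the one-hunk executable it builds for
demonstration is constructed here (its "code" is filler, not a real program).
It reports any inconsistency a clean linker output would not have: a header
table that disagrees with the hunks, or bytes left over after the last
HUNK_END. As the documentation notes, a file packer rewrites the hunks, so a
crunched copy is expected to fail such a check.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3F3, 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_SYMBOL, HUNK_DEBUG, HUNK_END = 0x3EC, 0x3F0, 0x3F1, 0x3F2
SIZE_MASK = 0x3FFFFFFF   # top two bits of a hunk size are memory-type flags


def _u32(data, pos):
    """Read one big-endian longword; raise if the file ends early."""
    if pos + 4 > len(data):
        raise ValueError(f"truncated at offset {pos}")
    return struct.unpack_from(">I", data, pos)[0], pos + 4


def check_hunks(data):
    """Walk the hunk structure and return [(hunk_type, size_in_longwords), ...].
    Raises ValueError on a malformed or inconsistent structure."""
    magic, pos = _u32(data, 0)
    if magic != HUNK_HEADER:
        raise ValueError("not a hunk executable")
    while True:                      # resident library names, 0 ends the list
        n, pos = _u32(data, pos)
        if n == 0:
            break
        pos += n * 4
    table_size, pos = _u32(data, pos)
    first, pos = _u32(data, pos)
    last, pos = _u32(data, pos)
    if table_size != last - first + 1:
        raise ValueError("hunk table size does not match first/last hunk")
    sizes = []
    for _ in range(table_size):
        s, pos = _u32(data, pos)
        sizes.append(s & SIZE_MASK)
    hunks = []
    for expected in sizes:
        kind, pos = _u32(data, pos)
        if kind not in (HUNK_CODE, HUNK_DATA, HUNK_BSS):
            raise ValueError(f"unexpected hunk type {kind:#x} at offset {pos - 4}")
        size, pos = _u32(data, pos)
        if size & SIZE_MASK != expected:
            raise ValueError("hunk size differs from header table")
        if kind != HUNK_BSS:
            pos += size * 4          # BSS carries no bytes in the file
        while True:                  # optional blocks up to HUNK_END
            sub, pos = _u32(data, pos)
            if sub == HUNK_END:
                break
            if sub == HUNK_RELOC32:  # (count, target hunk, offsets...) until count 0
                while True:
                    count, pos = _u32(data, pos)
                    if count == 0:
                        break
                    _, pos = _u32(data, pos)
                    pos += count * 4
            elif sub == HUNK_SYMBOL: # (name length, name, value) until length 0
                while True:
                    n, pos = _u32(data, pos)
                    if n == 0:
                        break
                    pos += n * 4 + 4
            elif sub == HUNK_DEBUG:
                n, pos = _u32(data, pos)
                pos += n * 4
            else:
                raise ValueError(f"unsupported block {sub:#x} at offset {pos - 4}")
        hunks.append((kind, size & SIZE_MASK))
    if pos != len(data):
        raise ValueError(f"{len(data) - pos} trailing bytes after last HUNK_END")
    return hunks


def self_test(data):
    """True when the structure is consistent, False otherwise."""
    try:
        check_hunks(data)
        return True
    except ValueError:
        return False


def build_executable(code, extra=b""):
    """Construct a minimal one-hunk executable (constructed sample, not a real
    program): header, one HUNK_CODE, HUNK_END, plus optional trailing bytes."""
    n = len(code) // 4
    header = struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, n)
    body = struct.pack(">II", HUNK_CODE, n) + code + struct.pack(">I", HUNK_END)
    return header + body + extra
```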
The following options appear in both the 'Startup' and the 'Surveillance'
preferences (introduced by 'Check...' or 'Survey...'):
'...ColdCapture/CoolCapture/KickTags':
System pointers used by viruses (but also by useful utilities) to keep their
code reset resistant. Only disable these options if you really know what
you are doing.
'...CPU Interrupts/Exec Interrupts/Library Vectors/Process Fields':
Other system pointers often used by viruses. Please note that lots of
harmless utilities use them too; not every alert that VirusZ sends you
means there's a new virus in your system.
'...Bootblocks':
This will scan the bootblocks of all available disks; newly inserted disks
are detected if surveillance is activated.
'...Disk-Validators':
Scans all disk-validator files found in L: drawer of any inserted disk.
----------------------------------------------------------------------------
GENERAL INFORMATION ABOUT PREFERENCES
----------------------------------------------------------------------------
VirusZ uses the standard AmigaOS method to store/save preferences.
Therefore the drawer 'VirusZ_III' will be created in your ENVARC: and ENV:
drawers. You can save the current settings, restore or load settings with
the corresponding menu items in the 'Preferences' menu of VirusZ.
Additionally, whenever you save your preferences, the positions and sizes of
all VirusZ windows will be stored/saved too. This means that you can
arrange all windows just as you like them, they will appear in the same
positions the next time you start VirusZ.
Settings that affect either VirusZ in general or influence several functions
can be found in 'Miscellaneous' preferences:
'Requesters Follow Mouse':
If enabled, all ReqTools requesters appear with the negative response under
the mouse pointer. If disabled, they pop up in the top left corner.
'Close Main Window = Exit':
If enabled, VirusZ quits when you click on the close-window button of the
main window, otherwise it will act as if you selected the 'Hide' item from
the 'Project' menu.
'Quit Immediately':
If enabled, VirusZ quits without verification.
'Report Known Bootblocks':
Usually, bootblocks recognized by the brain are not reported (that's the
main purpose of the whole brain system). But it may sometimes be useful to
get those already known bootblocks reported anyway. If this option is
enabled, that's exactly what will happen.
'Install SnoopDos Task':
If enabled, a task called 'SnoopDos' will be created which doesn't use any
processor time, but prevents several trojans from doing any harm.
'Center Main Window':
If enabled, VirusZ's main window appears centered at the top border of the
screen. Otherwise it will use the coordinates that have been last saved.
'Center Other Windows':
If enabled, all VirusZ windows appear centered on the screen. Otherwise
they will use the coordinates that have been last saved.
'Hotkey':
The default commodity hotkey used to pop up the main window.
----------------------------------------------------------------------------
SOME WORDS ABOUT "JOBS"
----------------------------------------------------------------------------
Whenever you select files or sectors for checking (see below), nothing more
happens than a corresponding 'Job' being added to the internal job list.
As soon as there are one or more jobs in the list, the 'Job Monitor' opens
and the jobs get processed.
The status line is the topmost part. Here you can see which file or sector
gets checked at the moment. It therefore also is some kind of progress
indicator.
Whenever there's something to be reported (virus/error/encoded file), this
happens in the report list in the middle. By selecting an item, more
information about this item appears below in the three info lines. You can
select the 'Statistics' during a check and they will be updated after every
checked file/sector. This is actually not recommended, because it slows
down checking.
The gadgets at the bottom have different functions:
'Pause' interrupts a running job, you then can 'Continue' or 'Quit'
checking. 'Quit' always removes all running jobs, even those that have not
been processed yet, so be careful with that.
'Delete' and 'Disinfect' will only be enabled for selected items from the
report list if this makes sense. Only files infected by link viruses will be
disinfected; others (trojans etc.) will be deleted. Please note that these
actions can be selected even during a running job!
----------------------------------------------------------------------------
FILE CHECK
----------------------------------------------------------------------------
You can start checking files at any time by selecting 'File Check' from the
'Project' menu. A file-request will appear where you select the files to be
checked. You can repeat this action several times even while the first job
is still running, the others will be processed afterwards!
The following settings can be adjusted in the 'File Check' preferences:
'Skip Subdirectories':
Enable this option to skip any drawers that may exist in a selected drawer.
'Ask Before Deleting Files':
If this option is enabled, pressing the 'Delete' button will not directly
erase the selected file, but you will be prompted once again. Very helpful
to avoid accidental loss of data.
'Decrunch Data Files':
If this option is enabled, the file check reads and decrunches data files in
order to check them. This is useful for data files that actually contain
executables, e.g. XPK packed files.
'Extract File Archives':
If enabled, files inside file-archives get extracted and checked. Very
useful to check software downloads quickly without hand-work.
'Don't Ask For Passwords/Keys'
If enabled, encoded files will be reported, but not analysed (completely).
Always switch on this option if you want to scan complete partitions and go
for a coffee in the meantime. It is guaranteed that VirusZ will not ask for
anything during a file check then.
'Ignore External Xfd-Slaves/Only Use Them For Executables/Use All External
Xfd-Slaves':
These options tell VirusZ which external slaves of xfdmaster.library should
be used for decrunching files. You should always allow external slaves for
executables to ensure that really all executables get decrunched, but if
some badly coded third party slaves crash your system, you can switch them
off completely.
'Ignore External Xad-Slaves/Use External Xad-Slaves':
These options tell VirusZ which external slaves of xadmaster.library should
be used for extracting archives. You should always allow external slaves.
----------------------------------------------------------------------------
SECTOR CHECK
----------------------------------------------------------------------------
You can start checking disk sectors at any time by selecting 'Sector Check'
from the 'Project' menu. A device selector will appear where you select the
device to be checked. Use the 'Refresh' button to update the device list if
you have mounted new devices lately.
SORRY, THE SECTOR CHECK ITSELF IS NOT IMPLEMENTED YET !!
----------------------------------------------------------------------------
BOOTBLOCK LAB
----------------------------------------------------------------------------
The bootblock lab offers all bootblock-related functions that are necessary
to fight bootblock viruses and some more extras.
ATTENTION: Be careful with writing to / installing your harddisks. I'm not
liable for your mistakes.
There are two cycle gadgets in the bootblock lab, one on each side of the
status line. The left one selects the device you want to work with, the
right one selects the display mode (ascii dump, hex dump or disassembler
mode if disassembler.library is installed).
Some words about the disassembler output:
The default output format of disassembler.library is not very usable for
looking at bootblocks as it shows the 32-bit addresses where the bootblock
is really located in memory and all pc-relative instructions point at those
addresses too. So I decided to modify the output internally to 16-bit
format with bootblock addresses from $0000 to $03ff. All pc-relative
instructions appear that way, the ones pointing outside the bootblock range
are marked as *-$0xxx or *+$0xxx, where * means either the start or the end
of the bootblock. Locations outside a range of +/- 1kB around the bootblock
nevertheless appear with their original 32-bit address.
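The address rule just described, as an added Python example (written for
this documentation, not VirusZ's own disassembler code): given the memory
address where the bootblock buffer sits and a PC-relative target, it renders
in-range targets as $0000-$03ff, targets up to 1 kB before the start as
*-$0xxx, targets up to 1 kB past the end as *+$0xxx, and anything further
away as the original 32-bit address. The buffer address used in the demo is
a constructed value.

```python
BOOTBLOCK_LEN = 0x400   # a bootblock is 1024 bytes, displayed as $0000..$03ff


def format_target(base, target):
    """Render a PC-relative target relative to a bootblock loaded at 'base'.

    base <= target < base+$400          -> "$0xxx"     (inside the bootblock)
    base-$400 <= target < base          -> "*-$0xxx"   (* = start of bootblock)
    base+$400 <= target < base+$800     -> "*+$0xxx"   (* = end of bootblock)
    anything else                       -> "$xxxxxxxx" (full 32-bit address)
    """
    end = base + BOOTBLOCK_LEN
    if base <= target < end:
        return f"${target - base:04x}"
    if base - BOOTBLOCK_LEN <= target < base:
        return f"*-${base - target:04x}"
    if end <= target < end + BOOTBLOCK_LEN:
        return f"*+${target - end:04x}"
    return f"${target & 0xFFFFFFFF:08x}"


def annotate(base, targets):
    """Format a list of targets the way a disassembly listing would show them."""
    return [format_target(base, t) for t in targets]


if __name__ == "__main__":
    base = 0x00200000   # constructed buffer address for the demonstration
    for t in (base + 0x1A4, base - 0x10, base + 0x420, 0x00FC0000):
        print(f"{t:08x} -> {format_target(base, t)}")
```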
Whenever there occurs an error, this will be displayed in the status line.
Then the name of the current bootblock in the buffer will be overwritten.
By clicking on the 'Name' gadget, the name is printed again.
Functions offered via the bootblock lab gadgets:
'Read':
Reads the bootblock from the currently selected device to the buffer. Only
DOS disks can be read.
'Write':
Writes the current buffer contents to the bootblock of the selected device.
The disk type and the checksum will be corrected automatically.
'Install':
Installs a standard AmigaOS 2.04 bootblock or an uninstalled bootblock (if
selected in the 'Bootblock Lab' preferences) to the currently selected
device. The disk type will be corrected automatically.
'Load':
Opens a file request to select a bootblock file that should be loaded to the
buffer. Only DOS bootblocks can be loaded. You can use this function with
ADF files and similar disk images too, only the bootblock will be loaded.
'Save':
Saves the current buffer contents to a file. This is useful to backup
important bootblocks of games etc.
'Learn':
This gadget will only be enabled if the bootblock in the buffer is neither a
virus nor any other known bootblock. Then you are able to make VirusZ learn
the unknown bootblock and give it a name. From now on, this bootblock will
be reported with the given name and the background check will no longer
report it as unknown.
Functions offered via the bootblock lab menus:
'Brain/New Brain':
Removes the currently loaded brain from memory.
'Brain/Load Brain':
Loads a new brain file from disk to memory.
'Brain/Save Brain':
Saves brain changes to file.
'Brain/Merge Brains':
Adds brain cells from a file to the currently loaded brain.
'Brain/Edit Brain':
Here you can rename or delete brain cells.
'Misc/Refresh Devices':
VirusZ is unfortunately not able to detect devices that have been mounted
after startup automatically. If you want to check such a device, you have
to refresh the device list with this function.
The bootblock lab offers the following settings in the 'Bootblock Lab'
preferences:
'Ask Before Write Access':
If enabled, a security request pops up every time you select 'Write' or
'Install' in the bootblock lab.
'Read Inserted Disks':
This enables the bootblock lab to read the bootblocks of inserted disks
automatically. Useful if you intend to check a whole box of disks for
bootblock viruses.
'Install Non-Bootable BB':
If enabled, 'Install' doesn't install a standard bootblock, but makes the
disk non-bootable.
'Brain':
The path and filename of the default bootblock brain. This will be used in
the file requests of the bootblock lab and for loading the brain at startup
(see 'Startup' preferences).
----------------------------------------------------------------------------
VECTOR CHECK
----------------------------------------------------------------------------
Almost all viruses work in the same manner: either they make themselves
resident and/or corrupt some libraries or devices with their code.
Therefore the vector check was designed to help you find new viruses that
can't be recognized directly by the xvs.library yet.
It will display all system vectors that are not zero or do not point to
standard ROM locations and tell you whether the changes are caused by
utilities already known or by something unknown. But this will not
necessarily mean that every vector marked 'SUSPICIOUS' is corrupted by a new
virus, there are lots of system enhancers and other tools around that cause
such changes.
You should nevertheless be alarmed if you are sure that you haven't
installed any programs that change vectors and suddenly something gets
reported by VirusZ.
If you have installed a lot of patches that already get reported by name
and the output is awfully long, you can disable the display of known
patches in the 'Vector Check' preferences.
If SegTracker (part of the Enforcer package by Michael Sinz, see complete
description there) is installed on your system, you have the possibility to
use its collected information for the vector check output. Just enable the
corresponding option in the preferences. Then almost all vectors will be
handed over to SegTracker for identification, and the program's name, hunk
and offset will be reported if available.
You can also select every single line of the vector check report. The
following functions are offered, depending on whether they can be applied
to the selected line:
'Monitor':
Starts the memory monitor of VirusZ and supplies it with the address of the
selected vector.
'Snapshot':
Creates a snapshot of an unknown vector and saves it automatically to the
'Snapshot Drawer' you have selected in the 'Vector Check' preferences. You
can send me all your snapshots and I will add them to the vector check.
IMPORTANT:
(a) Do not snapshot the same vectors several times, this causes me a lot of
work just for nothing!
(b) In addition to your snapshots, I need the program(s) that cause the
unknown vector(s). Snapshots without a program usually cannot be added! So
either send me the program (not its complete archive if possible) or tell me
where I can download it myself. All the programs will be deleted after
examination, so copyrights usually should not interfere with that method.
(c) To find out which programs cause changes in your system, disable all the
patches installed in your startup-sequence, user-startup or WBStartup drawer
and re-enable them one by one. Each time something new gets started, just
have a look at the vector check.
'Clear':
Clears the selected vector. Only use this if you know what you are doing!
'Remove':
Removes a single element out of a system list. Only use this if you know
what you are doing!
----------------------------------------------------------------------------
MEMORY MONITOR
----------------------------------------------------------------------------
The memory monitor has been invented to allow experienced users to snoop
around in RAM/ROM and have a look at suspicious vectors (directly from the
vector check or by entering the address). It actually is of no use for the
average user, so I will not explain it in detail.
Only memory areas from exec's memlist can be monitored, plus Kickstart ROM
and RemAPollo's private area. If you reach the start/end of an area, the
memory monitor will automatically wrap around to the end/start of that area,
so you can never access forbidden or non-existing addresses.
Some words about the disassembler mode:
Due to major problems with the calculation of a sensible 'Line -' / 'Page -'
address, these functions will just step backwards 2 bytes / 32 bytes each
time they get executed. Stepping forwards causes no problems, so this will
work properly in all cases.
The 'Memory Monitor' preferences currently contain the following switches:
'Chip-Ram Start Address = $00000000':
If enabled, the memory monitor overrides the memlist entry for chip ram that
usually starts at locations $00000400/$00004000 and allows you to have a
look at the cpu's vectortable. This interferes with most debugging tools
(eg. MuForce) and will result in lots of annoying hits, so keep this option
disabled unless you really need it.
'Display SegTracker Info If Available':
If SegTracker (part of the Enforcer package by Michael Sinz, see complete
description there) is installed on your system and this option is enabled,
the status line will display SegTracker information whenever you monitor a
previously tracked memory area.
!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#
#!                          END OF DOCUMENTATION                          #!
!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#!#
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGPfreeware 5.0i for non-commercial use
mQCNAzuzvG4AAAEEAKbvwOuWJSNZHJyNommciVkVj98H+O32pP42OM20WHy3CMuG
E2D2tSQwvkUZCBDMvdqYRDP7Jkfw+hHpbNAFls2x/ujMJ0u8FP7g2ivfg99W6cMp
PX6OXgqImTAMcxp5az6mbemZ0K4+FBMfBmDWs+226/IOWu3fdGUOxNgKgx13AAUR
tCFHZW9yZyBIb2VybWFubiA8Z2hvZXJtYW5uQGdteC5kZT6JAJUDBRA7s7xuZQ7E
2AqDHXcBAYghBACIpDzrTak/DA32mAJabo2D082o83MFTJTwSSft6k2VFY3jr2ia
2TckPkqEc0TKe24nQbhRZI6ehkMlJmKcsSmG38hwMXkIvEQc03jOv6dVmzqRPiR2
2Vtc7WnKdBh/FUbCmvuGqstEKonKrCfXKv8zBSp5wWVnlZKRhDUGsLyXlg==
=hPFP
-----END PGP PUBLIC KEY BLOCK-----