Business & Presentations

home *** CD-ROM | disk | FTP | other *** search

/ Business & Presentations / Business and Presentations - Volume 1 (1995)(Sideface)(NL).iso / virus / vc50_jan / vc.doc < prev next >

Wrap

Text File | 1993-01-23 | 150.4 KB | 3,888 lines

VICTOR CHARLIE Ver 5.0 The World's First Generic Anti-Virus Program Copyright (c) 1988-1993 Bangkok Security Associates All Rights Reserved Protecting Individual, Corporate, Government and Business Computers Since 1988 By Bangkok Security Associates PO Box 5-121 Bangkok 10330, Thailand CompuServe: 76420,3053 _______ ____|__ | (R) --| | |------------------- | ____|__ | Association of | | |_| Shareware |__| o | Professionals -----| | |--------------------- |___|___| MEMBER Shareware Edition for Single-User Machines We feel computer owners and users should have a chance to see, use, and decide for themselves about a generic anti-virus program which requires no updates. This fully functional, non-crippled, shareware edition is dedicated to wiping out PC viruses throughout the world. VC will update itself by capturing virus signatures "in the wild." It offers itself as virus bait to do this. Viruses are made everywhere. You need to protect yourself against a virus made in your neighborhood, and stay ahead of the virus writers. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 1 USER NOTE: This on-disk documentation includes most of the text of the printed VC5 manuals provided to registered program users. Only a short description of the use of VC on a network has been omitted, since this is the single-user program version. Screen captures from VC programs are not available in this document. Victor Charlie - Ver 5.0 Victor Charlie is a set of generic utilities which detect present and future viruses on a PC running DOS. When a virus is detected, the program alerts the user. It then advises on the virus specifics, asks for permission to take the necessary action to wipe it out, and helps the user return to work as quickly as possible. VC5 is NOT "another anti-virus program." It is unique, and also is the first of its kind, able to detect viruses other programs cannot. The main ways it is different: o No updates. It detects current and future viruses. It always has done this and it will continue to do this. VC is NOT a virus scanner. o Bait Files. VC programs WANT to be attacked by viruses so they can capture a signature identifying that virus. o RTSC (TM). Real-Time Signature Capture means VC5 captures the identifying strings of the virus(es) on YOUR computer and keeps them in a library there. No downloading of a program or signature list update. VC does it for you. o Bitchecks. VC's unique Bitchecking creates two cryptographic checksums by random and secure algorithms. The tiniest change to any Bitchecked program or file will cause VC to alarm to the user. Viral replication causes change; Bitchecks detect that change, securely and reliably. o Generic. VC has no built-in information on any virus. It only knows what viruses MUST do. 1. A virus must replicate, or "jump" from program to executable program. This is the PRIME DUTY of a virus. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 2 2. Replication must cause change. Armed with this knowledge, certain other logical information, and high security integrity of its own, VC can detect more viruses, more often, than other programs. o No scanner. VC is able to look for a virus after it is attacked. But Victor Charlie is not a scanner, and does not include one. Scanners have encouraged virus-writers to make "new" viruses by changing a byte here or a bit there. Such "virus-hacking" has no effect on VC whatsoever. o DOS Check. The "system" of your computer is its heart. VC5 records your computer's system the first time it runs, and checks it for the slightest change EVERY time thereafter. Your partition and boot sectors, DOS files and Command.COM are in excellent hands with VC -- and will be fixed at a keystroke in case of ANY problem, not just a virus attack. ALL Victor Charlie programs are distributed in non-executable form. Programs should be made executable (.COM or .EXE files) during the installation or initialization processes. In case they are not, you can merely COPY the programs Bootfix, PTRESQ, and Get to workable programs. For example: COPY BOOTFIX BOOTFIX.COM, or, COPY GET GET.COM _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 3 TABLE OF CONTENTS +-------------------------------------------------------------+ | NOTE: Installation and initialization of Victor Charlie is | | an important and separate task from running the program. | | See INSTALL.DOC for details on getting VC5 started on your | | computer. INSTALL.DOC contains instructions for advanced | | (quick) and for standard installation. | +-------------------------------------------------------------+ Program Description ......................................... Page 5 System Requirements .............................................. 7 Copyright Notice ................................................. 8 Distribution Limitation ....................................... 8 Disclaimer of Warranty ........................................ 9 Introduction: What is a Virus? ................................... 11 Installation and Initialization .................................. 13 What Happens at Initialization ................................... 14 VC1.CFG (Special Program Protection) ............................. 16 Constructing VC1.CFG ............................................. 17 Mirror Files VC's Repair Kit ..................................... 21 VC Menu -- Virus Checks at a Keystroke ........................... 23 General Security ................................................. 27 Attack Simulations ............................................... 28 VC1 and VC2: VC's Bait Programs ................................. 29 VC.SIG: The Virus Signature Library .............................. 33 VCHECK: VC's Do-Everything Program ............................... 36 False Alarms (If VC Finds A Virus Which Isn't) ................... 42 VCHECK.CFG ....................................................... 43 Excluding Files From VCHECKing ................................... 44 VSEARCH -or- Audit Programs ...................................... 46 The Meaning of BITCHECKS ......................................... 46 VCOMP ............................................................ 51 Protecting Your Data: Baiting Virus Bombs ........................ 53 Renaming VC ...................................................... 57 VC Utilities BOOTFIX: Victor Charlie's Diskette Sterilizer ................ 59 PTRESQ: VC's Generic Partition Sector Utility ................ 64 GET.COM: Virus-resistant, Interactive Batch Files ............ 70 Some Questions about VC .......................................... 72 Index ............................................................ 74 _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 4 Program Description Ver 5.0 of VC detects today's and tomorrow's viruses on the fly, using a variety of inter-connected disk, program and self-monitoring techniques. The program includes a user-friendly interface, but can also be completely customized, and run by batch routines, even invisibly to the user (until a problem develops). Messages, help and instruction files and even menus can be localized and/or customized, partly or completely. In addition to viral detection on the fly, Victor Charlie includes semi-automated routines which are capable of detecting virus infections, and of monitoring data files for both infection and viral Bomb damage. Victor Charlie, used from the command line or the interface, uses several techniques to detect, track and wipe out PC viruses: o Bait: Victor Charlie's two front line programs (VC1 and VC2) actually invite viral infection. When infected, they halt the PC's activity. They also warn the user of infection. VC uses Real-Time Signature Capture (RTSC) to obtain meaningful code from the virus as a signature. Then, the VC program VCHECK is able to search out the virus signature on any disk or diskette. o System Monitoring. When Victor Charlie is initialized, or started up the first time, it makes BITCHECKS, or cryptographic checksums, of the computer system. These include items such as Partition and Boot sectors, DOS files and COMMAND.COM. Details of key DOS Interrupts are recorded. These then are encrypted again, and stored in a secure (random) area within Victor Charlie. Each time Victor Charlie runs, it checks its recorded information against the true system of the computer. If differences are found, VC alarms with context-sensitive information, help, and suggestions. o Searching. VC5's VCheck includes a sample Signature Library which detects many common and uncommon viruses. When VC discovers a new virus, it automatically adds this signature to the library. The sample library is not needed, but provided as a convenience. o Artificial Intelligence. VC5 includes some proprietary techniques able to detect viruses unknown to it. These include analysis of former virus code which has been included in the Victor Charlie program. Victor Charlie is based upon and designed around a simple fact -- viruses must change something when they replicate. As a generic utility, _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 5 able to detect present and future viruses, VC assumes that the threat to a PC, a user, programs and data comes only from an active virus. Thus, its primary task is to monitor viral activity. On a PC, viruses must perform replication in a finite number of ways. They must alter system specifics or actual executable files. Although there are many ways to perform replication, and some of these are invisible to the naked eye, change must take place. Bangkok Security Associates is positive that viruses will become even more sophisticated in the future. Programmers will take advantage of the definition of executable files to have viruses replicate other than through .COM and .EXE programs. We can expect to see variations on the theme of today's so-called stealth viruses, and tracking a virus to its source can be expected to become ever more difficult and, in some cases, tedious and time-consuming. Victor Charlie has been designed specifically with this scenario in mind. Preparation for the worst case has underlain the development of the program from the start. Today, in the real world, Victor Charlie detects most viruses in an almost routine matter. But it includes procedures able to detect the expected viruses of tomorrow. The most powerful and important of these is BITCHECKing. This is a proprietary method of cryptographic checksumming, using two random, bit-dependent algorithms to compile checksums, then combining these two results and, finally, encrypting the end output. Bitchecking is essentially secure from software tampering. An important part of this security involves distribution of many different versions of the program, each of which uses different algorithms for Bitchecking. This provides a type of "car-key security" for Victor Charlie users. By using Bitchecking in combination with such safe-computing techniques as cold-booting to a write-protected, clean DOS diskette, Victor Charlie can compile lists of program or bait data alike. This enables end users to compile an audit trail capable of back-tracking any viral infections, and in all likelihood discovering its source. VC's main operating -- monitoring and detection -- programs are written completely in assembler language. This enables the utilities to burrow beneath DOS and to detect change at the hardware and OS level. The Victor Charlie Ver 5.0 interface is written in a high-level language, but is programmed to "talk" to the VC programs to ensure a coherence and full security during all phases of viral detection and tracking. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 6 System Requirements Victor Charlie anti-virus software needs the minimum of the minimum to check, hunt for, find and, often, cure computer viruses. o DOS 3.0 or above o An IBM PC or compatible computer. It supports most PC, XT, AT, PS/2, 286, 386, 386SX, 486. o A hard disk. VC can be set up to run on floppy-only computers, but it is generally not practical to do so. o A minimum of 256K RAM for the standalone programs and a minimum of 512K for the shell. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 7 Victor Charlie Copyright (c) 1988 1989 1990 1991 1992 1993 Bangkok Security Associates All Rights Reserved Victor Charlie is distributed as a shareware product. It is not free, or public domain, software and must not be sold or used continuously past the licensed trial period. It is copyright in, and subject to the national laws and international copyright provisions of, the United States, Thailand and other signatory nations to the Berne Convention on International Copyright. You may not reverse engineer, decompile, disassemble, or create derivative works based on the software for any purpose other than as an essential step in its utilization for your own use. This software embodies valuable trade secrets proprietary to Bangkok Security Associates, the owner of the software and its copyrights. You may not disclose any information regarding the internal operations of this software to others. Permission is granted for individuals and companies to copy and use this software in order to try it out for 30 days or less. If you find Victor Charlie useful, you must purchase and register a license. Please note the following Distribution Limitation: ------------------------------------------------- The shareware evaluation edition of Victor Charlie may NOT be distributed by electronic or other means in the following countries or areas without permission in writing from Bangkok Security Associates: Australia New Zealand France Thailand Shareware distribution provides a full, working copy to users for evaluation on a "try before you buy" basis. If you choose not to register, then erase or pass your copy onto someone else. Please note that if you obtained your copy from a mail order distributor, the fee paid goes entirely to the distributor and does not cover the cost of the program license itself. To register Victor Charlie, please see the document ORDER.DOC. If you register Victor Charlie, you will receive: 1. The latest version of the program, in case of any updates/fixes. 2. A program version different from most other VCs and thus impervious to generic attack even by a dedicated virus which _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 8 might be aimed at Victor Charlie. 3. Printed and bound manual(s) on installation and use of VC. 4. Discounts on future versions of VC, which is under constant development to make generic anti-virus detection ever easier and less intrusive. The shareware, evaluation version of Victor Charlie functions only on single-user computers. Companies, businesses, schools or government offices wishing to register Victor Charlie for use on a site, or in multiple locations, should contact BSA or a BSA agent listed in the document in this shareware diskette or archive. Please refer to SITE.DOC for an overview of the range of network-compatible, site and customized versions currently available. You may make as many copies of this shareware evaluation copy of Victor Charlie as you wish, provided you copy, UNCHANGED, all files and included documentation, specifically including this document. Copies may be distributed freely to others electronically or via diskette. However, you may not sell or ask any consideration for Victor Charlie. Mail Order Vendors and BBSes may charge a nominal distribution fee NOT EXCEEDING $5.00 (five US dollars) or the equivalent in foreign currency to cover copying and distribution costs. The latest version of VC is always available for download at the BSA home BBS, the War on Virus. For fast access, log onto the War on Virus under the user name "Victor Charlie" and use the password "VC". Reliable, secure copies of the latest VC version also can be obtained from BBSes listed in the file ORDER.DOC included in this evaluation. War on Virus BBS: (An ASP-approved BBS) (66-2) 255-5982 -or- (662) 437-2085 These numbers operate at modem speeds up to 14400bps (V.32bis) 24 hours a day. War on Virus is the East Asian hub for U'NI-net, and a node BBS member of Smartnet BBS networks. A list of other official places to obtain the latest Victor Charlie programs is in both the VCSITE.DOC and ORDER.DOC files. Disclaimer of Warranty ---------------------- This software and documentation are distributed "AS IS" and without warranties as to performance of merchantability or any other warranties whether expressed or implied. Because of the various hardware and software environments into which this program may be put, no warranty of fitness for a particular purpose is offered. This program, like any new software, should be thoroughly tested with _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 9 non-critical data before relying upon it. The user assumes the entire risk of using the program. In no event will BSA be liable for incidental, consequential, indirect or other damages including any lost profits or lost savings arising from the use of, or inability to use the software even if BSA has been advised of the possibility of such damages, or for any claim by any other party. Association of Shareware Professionals Ombudsman Statement -------------------------------------- This software is produced by BSA, a member of the Association of Shareware Professionals (ASP). ASP wants to make sure that the shareware principle works for you. If you are unable to resolve a shareware-related problem with an ASP member by contacting the member directly, ASP may be able to help. The ASP Ombudsman can help you resolve a dispute or problem with an ASP member, but does not provide technical support for members' products. Please write to the ASP Ombudsman at 545 Grover Road, Muskegon, MI 49442, USA or send a CompuServe message via Easyplex to ASP Ombudsman 70007,3536. == LATE-BREAKING NEWS == !!! Edition Française !!! Victor Charlie parle français maintenant. A complete French-language Victor Charlie is available to anyone asking for this feature. This includes the entire program, help files, batch files, ALL documentation, etc. If you wish a registered VC that "speaks French," please send your registration DIRECTLY to Bangkok Security Associates (BSA) and be certain to request the French-language edition. !!! CompuServe On-Line Registration !!! You can register Victor Charlie directly via CompuServe At any CIS prompt, type "GO SWREG" and follow the screen prompts to register VC. CompuServe will bill you directly, as for any service. CIS also will notify us directly so we can ship VC directly to you. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 10 What is Shareware? ------------------ Shareware distribution gives users a chance to try software before buying it. If you try a Shareware program and continue using it, you are expected to register. Individual programs differ on details -- some request registration while others require it. Some specify a maximum trial period. With registration, you get anything from the simple right to continue using the software to an updated program with printed manual. In the specific case of this program, you are encouraged to evaluate it for a maximum of 30 days. After this period, please register it by sending us your license payment -or- delete the program from your disk -or- pass it along to someone else for evaluation. Copyright laws apply to both Shareware and commercial software, and the copyright holder retains all rights, with a few specific exceptions as stated below. Shareware authors are accomplished programmers, just like commercial authors, and the programs are of comparable quality. (In both cases, there are good programs and bad ones!) The main difference is in the method of distribution. The author specifically grants the right to copy and distribute the software, either to all and sundry or to a specific group. For example, some authors require written permission before a commercial disk vendor may copy their Shareware. Shareware is a distribution method, not a type of software. You should find software that suits your needs and pocketbook, whether it's commercial or Shareware. The Shareware system makes fitting your needs easier, because you can try before you buy. And because the overhead is low, prices are low also. Shareware has the ultimate money-back guarantee -- if you don't use the product, you don't pay for it. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 10A Introduction What is a Virus? We're not going to get overly technical here, but it's useful to know just what a computer virus is, and how it works. As you undoubtedly know already, a virus is just another computer software program. Most people naturally -- and correctly -- equate a virus with harmful effects. A virus is a program, or more commonly part of a computer program, capable of replication by attaching itself to a host. Like its medical namesake, a computer virus is most concerned with self-preservation. Generally, it replicates by finding an unwitting host and attaching itself, like a toadstool to a tree. Each time it spreads, it creates a self-contained unit that also is a functional virus. If a virus replicates by spreading to a non-executable host (such as data), it ceases to be a virus. In the computer world, as in the healing world, the spread of viruses is usually geometric. There is no master virus. The latest clone is as virile, and as able to attack a host, as the original. We classify computer viruses depending upon the host it seeks. Virus Types: Type 1 Virus A Type 1 Virus infects and spreads through actual programs on your disk, such as .EXE, .COM and Overlay programs. Infamous viruses in this category are the so-called Jerusalem, Dark Avenger and Friday the 13th viruses. (VC has no knowledge of specific viruses or their names.) Type 2 Virus A Type 2 Virus uses the computer's system to spread. The system on a PC is generally defined as two dedicated disk areas (the Partition sector and Boot sector), the two DOS hidden files, and the command interpreter, typically called COMMAND.COM. Both major types of viruses are actual computer programs capable of doing what any other software on your machine can do. But this is also the limit of a PC virus. A virus certainly is capable of such harmful tasks as formatting your _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 11 disk, destroying or changing your data or interrupting a printing task. But no virus can physically destroy a hard disk, infect Backup data diskettes kept in a separate box, or destroy a power line -- just as examples. Virus myths include stories about a virus writing to a write-protected diskette, operating through modem NRAM, or hiding in the computer's ROM. These are all impossible tasks for any software, including a virus. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 12 Installation and Initialization This is the most important part of operations with Victor Charlie. Before you use VC for the first time, read the document INSTALL.DOC included in the VC release. It explains the two methods of installing VC on a PC. "Initializing" VC means to run a fresh copy of the program VC1.COM one time to allow it to look at the specifics of the host machine. +---------------------------------------------------------------+ | NOTE: Any time you make changes to the basic computer setup | | (such as installing a new DOS or memory manager, for | | example), you will have to re-initialize VC. This can | | be done at any time with one command: | | | | VINIT [Enter] | +---------------------------------------------------------------+ Initializing Victor Charlie after VINSTALL is necessary because the program is specific to your computer. If you change your basic DOS setup, you will have to initialize VC again. This involves making a new copy of the programs, and running the main anti-virus program VC1.COM one time. This is when Victor Charlie records within itself the details of your DOS, including DOS System files, and specifics of your Command interpreter, Partition Table and Boot sector. NOTE: If you change your DOS in any significant way (such as by installing a new copy of DOS) it is likely that Victor Charlie will hang your computer the first time it runs, unless you re-initialize. You may have to boot to a DOS diskette to perform re-Initialization if you have forgotten this. No harm occurs to the computer or any program because of such a hang. Initializing or re-initializing Victor Charlie is handled automatically through the program batch file VINIT.BAT. You must Re-Initialize if you install a new DOS version. You must Re-Initialize if you make changes to the personal .CFG configuration files, VC1.CFG, where you choose specific files for VC to watch over. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 13 You should Re-Initialize if you change the location or name of your Command interpreter program (usually COMMAND.COM, in the root or C:\DOS directory). In case any of these three events, please read the following carefully. Most users will not have to worry about Re-Initializing if they VINSTALL VC according to the manual. Like most software today, Victor Charlie has a couple of qualms about certain TSR (memory-resident) programs and Drivers. But VC has a built-in method of dealing with such programs instead of simply crashing. In order to calm the program's distaste for these few examples, it is necessary to Initialize and Re-Initialize VC under clean conditions. By doing this, you will ensure compatibility. The brief process outlined below for Re-Initializing VC is unnecessary at Installation if you follow the VINSTALL procedure. What Happens at Initialization VC must make observations and records of your vital disk areas and programs while your system is running "clean." To be clean, a system must have no memory-resident programs running. Victor Charlie has built-in alarms in this regard. If you try to initialize outside our guidelines below, VC will halt and give you the advice you're paying for. Specifically, it will ding the computer bell and state on-screen: !!! CONDITIONS NOT SAFE TO INITIALIZE VC1 !!! It will add one line to tell you the problem. And it will provide context-sensitive help. The most common cause of the warning is a running TSR or special- purpose driver which has hooked a vector which VC needs to look at. In this case, you will be informed simply that you are Not Initializing with clean boot NOTE: VC requires a clean computer only during Initialization. Following this, you may resume computing with your normal setup. Here are the easiest steps to take in the event you ever have to Re-Initialize Victor Charlie after installing the program. (You also can cold-boot your computer to a known clean, write-protected DOS _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 14 diskette. This technique always will provide a clean environment for VC Re-Initialization.) 1. Go to the root directory of your boot drive, REName your AUTOEXEC.BAT file to a different name, and boot your computer. For example, perform the following steps: CD \ [Enter] REN AUTOEXEC.BAT A.B [Enter] and press the Ctrl-Alt-Del key combination. 2. The computer will start clean, that is without any active memory-resident (TSR) programs. Proceed to the VC Home Directory, to create (or re-create) the new program files, and initialize the anti-virus program with the batch file VINIT.BAT. For example, type: CD \VC [Enter] VINIT [Enter] That's all there is to it. VINIT will automatically initialize VC1.COM, by running this program once. You will receive an on-screen message informing you Victor Charlie has properly initialized: Initializing ... recording system signatures. Below this, you will watch VC1 clean up any previous Mirror Files, check out the system, and make new Mirror images. If the program runs into any problem here, information and help will be displayed on-screen. 3. Return to the root directory of the boot drive. Type: CD \ [Enter] Put your Autoexec.BAT file back the way it was: REN A.B AUTOEXEC.BAT [Enter] 4. Finally, reboot the computer again with Ctrl-Alt-Del, or by briefly turning it off and back on. This returns complete control of the computer back to you and your favored setup. For you, nothing has changed. But you have made Victor Charlie one happy program. It should reside in perfect harmony with any and all of _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 15 your TSR programs and drivers, including any new ones you wish to add. VC1.CFG - Special Program Protection This simple text file is a powerful tool. You can use it both to contain software-caused damage to your computer, and to help isolate a sub-class of viruses which infects programs in a seemingly mindless way. You will be offered to make your custom VC1.CFG when you VINSTALL Victor Charlie. You can change it or make a new one at any time, so long as you remember to re-initialize VC when you do so. The file itself is merely a list of up to 15 programs or other files you expect to use frequently, but never to change. For most users, this means program files. Some users may wish to include bait data in their routine anti-virus checking. VC1.CFG is a simple text (ASCII) file of up to 15 lines. Each line contains merely the location and name of one file on your computer. If you have a VC1.CFG file, Victor Charlie records details of it when it initializes, and on every subsequent anti-virus check. Upon Initialization, it checks the list against the actual existing program or file. Thereafter, each time it runs, Victor Charlie's VC1 will monitor each of the programs listed in VC1.CFG. If any changes are made to the files on the list, Victor Charlie takes appropriate action. This action depends on the makeup of your own VC1.CFG file. o The first five lines of VC1.CFG are reserved for files you wish checked and backed up. For each program listed on each of these five lines, Victor Charlie will make a Mirror file in the Home Directory, give it a special, random name, and record all details internally. o If, at any future time, Victor Charlie finds changes in one or more of the files listed in these first five lines, it will stop and warn you of the change. It will provide specific help, and finally will ask you if you wish to replace the changed program with the Backup it has kept. Unless you have made changes to the program yourself, you probably should accept this option. o Lines 6 through 15 of VC1.CFG are reserved for the names and locations of programs which you do not wish to be backed up. Backups take disk space, remember, and the fewer Backups kept, the more space you have available for productive or personal work. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 16 o For these 10 or fewer files, VC1 will conduct specific BITCHECKing each time it runs. Again, if it finds any changes, it will stop, tell you what is happening and provide advice. It cannot, of course, replace any damaged program or file since it has no Mirror file from which to work. VC1.CFG Strategy The obvious (and perfectly acceptable) method of using VC1.CFG is to provide the names of your most-used and valuable programs. VC1 will automatically check the originals each time you check for viruses. In case of a virus or any other problem, it will give you immediate replacement at a single keystroke. The single drawback to this is the size of such programs. While you may well have 15 programs and Overlays which are vital to you, these might occupy several megabytes of disk space. Mirror file Backups are highly secure and improbable targets of virus infection. But remember that the Mirror files will take up as much disk space as the original. We recommend for your VC1.CFG, therefore, a thoughtful mix of obvious (big application) programs and smaller files -- particularly utilities -- which you use fairly often. Viruses can seem to be mindless and entirely random in their infection process. Many viruses already infect multiple programs far away (in computer terms) from your present workspace. It is entirely possible, for example, to be working in your word processing application and directory, and trigger a virus which would infect several files on another drive and in another directory -- or even several different directories. While it is not necessary to have 15 different files listed in VC1.CFG (see Constructing VC1.CFG, below), we recommend you consider the following when you make or edit this file for Victor Charlie: o Choose, by all means, one or several of your large application programs you use often. Specifically because you use it frequently, it will be more likely to become infected or damaged. o Bear in mind the amount of available disk space you have. In many cases, it may be better to copy a dependable, configured program to a floppy diskette, write-protect the disk, and keep it available in case VC detects changes. On-disk Backups are wonderfully convenient. But remember that Mirror files take the same disk space _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 17 as the original. NOTE: If any Mirror File created by Victor Charlie should itself become damaged or changed, VC1 will know this and tell you. In such a case, the program will refuse to use the changed Mirror File to attempt to fix the original. VC1 does not monitor Mirror Files as a matter of course, but checks them only when you wish to use them. o Fixing an infected program is important, but not as important as detecting the viral activity in the first place. VC1.CFG is a wonderful opportunity to provide Victor Charlie with a broad spectrum of program types to keep extra-close watch over. These might range from a 650K .EXE program to a 600-byte .COM utility. In fact, we recommend you have such a range, if possible. Constructing VC1.CFG The VC1.CFG text file may be changed or edited at any time. There only is one hard-and-fast rule about this: If you change VC1.CFG, you must re-initialize Victor Charlie. This may require a cold boot without an active Autoexec.BAT (see INSTALL.DOC for details of this). If you change VC1.CFG, and do not re-initialize the program, VC1 will warn of changes to this file each time you conduct an anti-virus check. In some special cases, the program may malfunction and even hang your computer. The VC1.CFG file is an ordinary text (ASCII) file. It may be made in several ways. The easiest is with a text editor, or with your word processor (in non-document or ASCII mode). DOS wildcards are not legal in VC1.CFG. You must provide Victor Charlie with the exact location and file name for each entry. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 18 +----------------------------+ | Here is a sample VC1.CFG | | ------------------------ + | C:\WORD\WP.EXE | | C:\DBASE\DATABASE.EXE | | C:\SHEET\SPREAD.COM | | C:\UTILS\ARCHIVE.EXE | | ** | | C:\COMMS\COMM.EXE | | C:\DOS\COUNTRY.SYS | | C:\SHEET\DATA\BAIT.WK1 | | C:\UTIL\COMPARE.COM | | C:\DOS\MORE.COM | | D:\ASM\COMPILER.EXE | | C:\EDITOR\ED.EXE | | C:\BIN\ETC\UTILS\SHOW.COM | +----------------------------+ VC1 has been trained to ignore the standard wildcards, * and ?. These can be used, as in the example, to mark unused lines in VC1.CFG which can have files added to them later. A quick glance will tell you how many such files you can add. However, a blank line (carriage return and line feed) performs the same duty so far as VC1 is concerned. The only point here is to count the lines because of the different actions by VC1 on the first five and last 10 files which may be listed. Each line in VC1.CFG must contain a unique filename, including its exact location on your computer. If you provide a false name or location, VC1 will stop and tell you. In standard computer terms, the form for each line is: d:\path\filename.ext where d: is the drive, \path\ is the name of one or more directories from the root to the location of the program, and filename.ext is the full name of the program. VC1 will ignore any blank spaces before or after this full designation, if you want to make VC1.CFG look somehow more aesthetic to you. But there must be no spaces in the actual designation. In the VC1.CFG, an "average" user has chosen two fairly large application programs (the main word processor and database programs), the far smaller spreadsheet loader and an often-used archive utility to be backed up and Bitchecked on every anti-virus inspection. (S)he has chosen to leave the fifth line blank, but has marked it for easy reference with two asterisks. This mythical user has chosen eight other programs for special BITCHECKing attention from Victor Charlie. Big or small, these will be Bitchecked every time (s)he conducts an anti-virus watch through VC. Victor Charlie cannot provide virus cure at a keystroke, but our average user will be informed automatically if any change has been made to these eight files. This user has selected a device driver for checking. The idea is to watch this file, because it is vital -- if ever infected by a virus, it could affect a system quickly because it is loaded by the computer before the user has any control. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 19 This mythical user has chosen eight other programs for special BITCHECKing attention from Victor Charlie. Big or small, these will be Bitchecked every time (s)he conducts an anti-virus watch through VC. Victor Charlie cannot provide virus cure at a keystroke, but our average user will be informed automatically if any change has been made to these eight files. This user has selected a device driver for checking. The idea is to watch this file, because it is vital -- if ever infected by a virus, it could affect a system quickly because it is loaded by the computer before the user has any control. The other example of good strategy is in Line 9. This user has selected an apparently typical spreadsheet, and laid it out as bait for a virus. If a viral Bomb or a special kind of virtual machine virus attacks this spreadsheet, the user will know about it as soon as (s)he runs VC. (For more details and ideas about laying bait for viruses on your computer, please see the Victor Charlie manual section on VBAIT.BAT. Strategy, technique and further samples are provided here.) In all cases, but particularly in the example of the Bait.WK1 file, it is important to choose files for VC1.CFG which should not change. VC only can note change. If you select files for VC1.CFG carefully, you can be almost certain that a virus is at work. If you list files in VC1.CFG which you expect to change, you will receive so many False Alarms it will reduce to almost zero the value of the special monitoring, BITCHECKing, and Mirror Files. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 20 Mirror Files - VC's Repair Kit In order to enable fast repair of damage caused by a virus or any other reason, Victor Charlie creates Mirror images of up to 11 disk areas, vital programs and user-selected files. Up to six of these are made automatically, and as many as five others are user-selectable. Briefly put, these Mirror-image files help Victor Charlie to monitor for viruses, and permit the program to wipe out an entire class of PC viruses at one keystroke if you are ever unlucky enough to suffer an attack. The files are placed on your disk automatically by VC whenever you initialize the program. Should you re-initialize Victor Charlie, any existing Mirror image files are erased, and replaced by new ones. (The provided batch program VINIT.BAT automates Initialization.) The Mirror-image files are given random alphanumeric names which are different each time you initialize VC1, to help make them invisible to possible attack. When VC creates these files, it also gives them the DOS attribute of read-only. This way, you can see the files with a simple DIR command, but you cannot accidentally erase them with a simple DEL. Typically, these files will have names beginning with the digits 0" or 1," but this depends entirely upon your own version of DOS. Victor Charlie uses these files, if they exist, as part of the process of checking a virus attack, curing or Wiping Out some viruses, and instantly restoring infected or damaged programs. You should never change these files under any circumstances. Like the VC programs, Mirror files are highly resistant to virus attack. If changed, they become useless to you and to Victor Charlie. They simply will take up disk space, but provide no help in the virus-curing process. Should you absolutely need the disk space, delete them by all means, but do not attempt to change them. Victor Charlie does not need these files to detect a virus attack. If you come under attack, VC and this manual can guide you through a cure of the virus. But if you delete or change these files, Victor Charlie cannot effect its simple, at-a-keystroke cure. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 21 Thus, we urge that you keep these files on your disk except in cases of the most dire space emergency. Details of the Mirror files depend upon your computer and its setup. On an average IBM-compatible, AT, 386, or 486 computer of the kind widely sold in the past few years, there will be six such files. Some users will find only five such files. In some cases, you may find fewer. If so, you probably are not booting the computer from the actual C: drive, and you should refer to the Questions section near the end of this manual. What's in the Mirror Files? The Mirror image files are copies of two vital disk areas and up to four important programs essential to your computer. o Boot sector disk area. o Partition sector, also called the Master Boot Record or Partition table. o Two DOS System files, or DOS kernel. o COMMAND.COM if located in the root directory and/or the \DOS directory of the boot drive. Up to five other Mirror files may be created according to your own wishes. These are made if a small text file called VC1.CFG is present in the VC Home Directory. Please see the manual section on VC1.CFG for details on configuring VC for more Mirror files. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 22 VC Menu -- Virus Checks at a Keystroke VC's Menu Interface is your Command Post for the War on Viruses. This is a battle you should be constantly waging as you operate your computer. The headquarters facilities which the menu provides, is the means of planning strategy and tactics for ensuring the security and safety of your computer and what is on it. The VC Menu Interface makes Victor Charlie probably the easiest to use and most flexible method of detecting and killing PC viruses. With no configuration or extra work, any computer user can check and search for -- and destroy -- active or latent viruses on a home or business computer. VC's Menu Interface, or simply menu, provides complete access to all functions of Victor Charlie. As you use the menus, full explanations are automatically provided, and context-sensitive help is given at any stage. The menu program has been specially designed and written to talk and listen directly to the various VC programs. This means that even in the case of a severe infection, VC can continue to stay active to help you kill the virus. The VC menu allows users to escalate their anti-virus alert status. If Victor Charlie senses real or suspected virus activity, the alert status will be raised automatically by the program and menu. Conditions Green (day-to-day), Yellow (real or suspected virus sighted) and Red provide an escalation of security to track down rogue software plagues, including viruses. In addition to viral checking, detection and tracking, the Menu Interface provides a range of Preventive Maintenance routines to help you defeat even a potential virus attack before it begins. Sharp Edged Tools allow you to sterilize floppy diskettes, Backup vital disk areas, and even simulate every type of virus attack possible on a PC. A Quick Tour This section of the Reference Guide gives only an overview of the VC User Interface. For more details on what each command or routine does, please refer to the chapters on VC Programs, which deal with the specific program(s) used by each menu function. These are noted below, and on your screen when you run the menu program. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 23 After you have VINSTALLed VC on your computer, starting up and using the menu is a simple command away. VC [Enter] Of course, this assumes you have added the VC Home Directory to your computer's path statement during VINSTALL. If not, you must be in that Home Directory for the above command to take effect. The VC Menu Interface and VC's specialized front-line programs -- VC1.COM and VC2.EXE -- begin their communications immediately after you issue the above command. Initial discussions among four separate VC components take place quickly. The point of discussion is crucial to you -- is there any sign of a current virus infection? You probably will note a brief pause while this occurs. Then the menu loads and runs like any computer program. Assuming no active virus has been detected, you will be presented with a menu of selections. You are placed by default into Condition Green, although you may if you wish upgrade this to Condition Yellow or even Condition Red. If the VC command results in detection of a virus, the Menu Interface takes a much different form. You will first be informed that a virus (or possible virus) has been detected. Immediately and automatically, you will receive context-sensitive help and explanations. In entering the menu from this state, you will be placed immediately in Condition Yellow. The Menu Interface has an identifying bar across the top of the screen which indicates that this is your command post for the war. Along the bottom is a line indicating when you started checking for viruses with Victor Charlie. This display will change if you encounter an actual virus. Condition Green This state of security assumes you have no particular reason to suspect you are under immediate virus attack or threat. You have two options. Quick Check If you press the Q hotkey, or cover the Quick Check option with the menu bar and hit Enter, VC will conduct a fast, system-wide anti-virus check. (Note that as you move the light bar over another item with the _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 24 computer's arrow keys, the help window changes automatically to give you information on each possible item). The Victor Charlie front-line programs VC1 and VC2 each will run twice. As they proceed, they will check your system, protected files, computer memory and other vital elements. In case a virus is detected, the VC programs will provide full information and help to allow you to track down and kill it. Search & Destroy Choose this Condition Green selection by touching the S key or by covering the menu item with the light bar and hitting Enter. The Menu will call VC's powerful VCHECK program to provide an anti-viral search of your hard drive, selected directories or programs, or a diskette. An arrow will appear at the edge of the menu window, and a sub-menu of Search & Destroy options now will appear. You may, again, choose one merely by tapping the highlighted letter or digit. Choices include: Current Directory: searches for signs of known viruses in the sub-directory where you were located when you started the VC Menu. Specify Directory: Allows you to specify a different sub-directory to search for viruses. Manual Parameters: This is the equivalent of using VCHECK from the DOS prompt. See the manual section on VCHECK and the Menu help screens for full details. CUrrent Drive: Searches all virus-vulnerable program files on an entire drive for signs of virus infection. 1. A: Drive: (and other available drives). Choose a floppy or hard drive for Searching. After you have made your selection of where you want to Search and (if necessary) Destroy, you then have one further choice: to Display All Files or only Infected Files. This selection affects only the screen display. If you choose to see All Files, a scrolling screen will let you see the results of each Bitcheck as it is made. If not, VCHECK will show only those files it finds to be virus-infected. Condition Yellow You may move to Condition Yellow at any time. Routines in this state of alert require more time and attention than those above. These _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 25 routines all involve the VC program VCHECK.COM. This is an extremely secure and sophisticated program. In brief, VCHECK compiles double-encrypted BITCHECKS of programs, files and even data on your computer. By comparing various such lists of BITCHECKS, made at different times, VCHECK can detect changes likely attributable to a virus or other hostile software, or even ill-intentioned human intervention. Audit Programs No security scheme can be successful without an audit trail, and this is your key. This menu choice is the equivalent of the provided batch program VSEARCH.BAT. Please see the manual section on this program for more complete details. Perform Audit This menu choice first determines if an auditing file called VSUM.REF exists in your Victor Charlie Home Directory. If not, it creates one. VSUM.REF is a base program for any auditing procedure. It consists of a list of all virus-vulnerable files on your computer's hard disk, with sizes and unique BITCHECKS. If you have previously created the summary reference file VSUM.REF, the Perform Audit Menu selection proceeds to make a comparison file, called VSUM.NEW. In this case, as with VSEARCH.BAT, it will compare the old and new auditing files and provide information and help if the lists differ. New Audit Reference From time to time during your computing life, you probably will want to file your base VSUM.REF away. The addition of new programs and versions to your computer will mean a large number of differences in your base and new auditing files, and analysis will become difficult. The New Audit Reference Menu choice will make a new base file, VSUM.REF. Compare BITCHECKS This Menu selection calls the VC program VCOMP to compare any two auditing lists you may have made, and displays any differences between them. Analysis of the VCOMP output can be a crucial aid in determining source and date of viral infection or other problems on your computer. Only you can order a Red Alert for the Victor Charlie Menu Interface. Condition Red requires that you have already made a VC Rescue Diskette _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 26 (see below). It is indicated by continual and seemingly untraceable growth of programs on your hard disk. Such a situation almost certainly means an exceedingly smart virus or an exceedingly dumb virus is at work on your computer. Tracking such viruses can be tedious and even frustrating. But the vital first step is to cold boot your machine before proceeding. Choosing Condition Red at the VC Menu checks to see if you have a safe diskette complete with the needed tools, and then reboots the computer to rid it of all traces of active virus activity. After this, you should proceed to try to track the virus with the provided VC tools and help. General Security Under this Menu choice lies a number of routines and programs, each of which is designed as Preventive Maintenance to help ward off a potential virus threat before it grows to attack state. Disinfect Floppies: Pressing the D hotkey or covering this choice with the menu light bar will call the VC program BOOTFIX, described separately in this manual. Briefly, BOOTFIX.COM makes data and Backup diskettes virus-free at a keystroke, and without danger to anything on the diskette. Make Rescue Disk: You must run this option prior to declaring a Condition Red alert on your computer. Victor Charlie strongly advises you perform this as one of your first tasks after installing your anti-virus program. This routine will make the most secure and reliable Rescue Diskette possible. The diskette will be bootable with your own DOS system, and thus will be able to start your computer even in the worst possible case of a virus which makes your hard drive temporarily inoperable. Partition Sector: This choice will allow you to view (but not to change) the Master Boot Record, or Partition sector, on the hard drive of your computer. While viewing this normally inaccessible disk area, you can back it up to a file or print a copy on any printer attached to your computer. Boot sector: Each disk and diskette on a computer has a Boot sector, a small _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 27 program which (in the case of a bootable disk or diskette) is capable of loading the machine's operating system. By selecting this choice at the VC General Security Menu, you may view the Boot sector of any available drive or diskette. You may make a Backup file, or print the Boot sector for later viewing. View Log: There are two possible sub-selections with this General Security Menu choice: a record of virus attacks suffered since Installation of VC, or the latest available list of files flagged as virus-infected by VCHECK. Both these logs (which can be viewed, saved to a file or printed) could prove invaluable when back-tracking a virus attack to its source, and in replacement of files deleted because of virus infections. False Alarms: On a tiny minority of computers, the intelligence built into VCHECK.COM may provide False Alarms, and detect a virus attack where none took place. Please read the Users Manual section on False Alarms before using this Menu choice. If you decide you wish to turn off VCHECK's programmed intelligence, this Menu choice will perform the action at a keystroke. Attack Simulations: All three VC main programs have Demo modes where they simulate virus attacks with startling realism. You can select and run these Demonstrations for each of the programs VC1, VC2 and VCHECK with this Menu choice. Exiting the Menu Interface The ESCape key is programmed completely logically in the VC Menu. At any point, hitting ESC takes you back one level from the operation you are conducting. At the Main Menu, ESC returns you to the DOS prompt or, if you insist, your running application. You also can quit from the VC Menu by touching the E-for-Exit key as indicated. In most relevant cases, the Menu program returns the screen to the exact condition it appeared when you started running it. As a final reminder, it displays a safe computing tip across the top of the screen. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 28 VC1 and VC2 - Victor Charlie's Front-Line Programs VC1.COM and VC2.EXE are the shock troops in the battle against viruses. They willingly volunteer to draw the fire of the enemy -- any virus -- and thus pinpoint its location for you. When ordered out on patrol by you, these two files invite ambush by any virus. They go about this quite methodically, like any trained soldier. An active virus generally cannot escape their quest. We provide three separate methods of ordering the two front-line anti-virus programs into action: o From the Command Line, or DOS prompt, type the command VC5 [Enter] This command runs each of the two main VC programs in succession, twice apiece. The programs should run twice for technical reasons. In brief, repeating the same commands in sequence assures no virus can hide in a DOS-provided buffer. VC5.BAT (the program run with the above command) provides a fast check for active viruses. Usually, it terminates with the happy news that no virus activity was detected. o A second way to check for viruses is to use VC's Interface Menu. The command to begin this program is simply VC [Enter] Once you have entered the User Interface program, you should select the Quick Check menu choice. This performs the same action as VC5.BAT, but also gives more information both before the fact, and -- on some unlucky day -- in case virus activity is detected. o The third method of Quick Checking is even faster, but requires some preparation. The first step is to run the provided program ALTV.BAT. Type, at the DOS prompt, the command ALTV [Enter] NOTE:In order to work correctly in setting up your keyboard for _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 29 ultra-fast virus checking, ALTV.BAT requires the presence of a driver or TSR in your computer's memory which can interpret ANSI. The program ANSI.SYS on your DOS diskette is one such program. If you have a question about ANSI, please refer to the DOS technical manual. ALTV.BAT performs keyboard remapping on your computer, so that when you press the Alt and V keys simultaneously, this serves the same purpose as typing VC and pressing the Enter key. If ALTV.BAT succeeds in correctly remapping your keyboard (success or failure will be noticeable immediately), you can order up almost-instant anti-virus checks simply by pressing Alt-V Remember, these keys must be pressed at the same time. VC1 and VC2 on Patrol The job of these programs is twofold. When you order either of these two programs into action (or, more typically, both in immediate succession, with the alternatives shown above) they first check your headquarters, the absolutely vital parts of your computer that make it run and work properly. Specifically, VC1.COM searches the sections of your disk and memory you normally never see -- but which a virus often attacks. You don't have to know a thing about your System files, Partition sector or Boot sector under normal circumstances. But if these are changed or deleted, your computer won't work. VC1 then makes a quick check of the vital file called COMMAND.COM if it is found. NOTE: By default, VC1 checks out COMMAND.COM in the root directory of the boot drive and/or in C:\DOS. Some advanced users place this program elsewhere; rename their COMMAND.COM for security reasons, or use a different or even second Command interpreter. If this describes you, please see the section on VC1.CFG. If you don't know, you needn't worry about this at all. If the slightest change is made to these essential disk areas or files, VC1 will immediately halt and report to you. It will specify exactly where the probable virus is located, and provide advice on what you should do next. Unless you have made a change to these disk areas or files, it is almost certain a virus or its Bomb has struck. No normal computer action or program changes these areas and files. You should halt your computing session immediately, and note VC's advice and recommendations. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 30 VC1 is the boss for a few minutes in such a case. Almost certainly, it will be able to cure this type of virus at a single keystroke. If you want, a full explanation will also be provided. (Victor Charlie never performs a change on your programs without asking for a go-ahead first.) If everything seems all right in those places (and usually it will) VC1.COM will truck on. A virus may be lurking elsewhere in your computer, settling down in ambush somewhere and preparing an attack against your machine, programs, precious data, and you. VC1.COM and VC2.EXE will find such lurking enemy. Their two-man patrol is generally irresistible to Type 1 (File infector) viruses. An active virus by its nature is unable to resist the urge to try to attack VC1 and/or VC2. Under normal circumstances, VC1 and VC2 will stand in harm's way and invite attack from any lurking viruses. If you have no viruses on your disks or in your computer system, they will flash you a message saying OK so far and stand down, allowing you to continue your work. But if you do have a virus present, that virus will attack one (or sometimes both) of these programs -- and kill them! Just before they die, they will send you a message in detail. The message will say something along the lines of VC CAUGHT A VIRUS FROM YOUR MACHINE! (SUICIDING NOW). A full-screen, context-sensitive help message will scroll to your screen if you ask for aid. This is a help screen you hope you never see. But if you do, you can be certain your computer has a virus. VC, this manual, and your computer provide the tools you need to sanitize your system in short order and get back to work. Such an attack would come from the type of virus which typically lurks unseen in your computer's memory, or RAM, (although there are other ways it can work). When it strikes, it is confident it can attach itself unseen to any program. Usually, this is a correct assumption. But when it opens its sights on either Victor Charlie program, the tables turn. The virus will have initial success. VC1 and/or VC2 will be hit in the ambush. One or both will die. But the death of the program will not be in vain. For when the virus kills VC1 or VC2, it must reveal itself. In their death throes, the Victor Charlie programs will expose the virus' camouflage. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 31 When VC1 and/or VC2 sense a virus attack upon themselves, they perform several actions in addition to deleting themselves from your computer disk for your safety: o They identify the presence of a virus. o They capture a unique virus signature. o They write this identifying virus code to your disk as a new or additional entry to the Virus Signature Library, a file called VC.SIG. o They warn you they are under virus attack, and present you with the help and prompt screens that could make destroying the virus a bit of a diversion rather than a frightening, uncertain, and potentially disastrous experience. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 32 VC.SIG - The Virus Signature Library Victor Charlie's power and usefulness both spring from the fact the program is a generic virus detector. But when you have the bad luck to encounter a Type 1 Virus, the kind that infects program files, Victor Charlie suddenly switches from generic virus checking to specifics. It works with you until you have Wiped Out every occurrence of the virus, and you can return to your work. This sudden switch occurs the moment that hapless Type 1 Virus tries to ambush Victor Charlie's VC1 or VC2 front-line programs. Instead of the willing host it expects to find in such apparently helpless programs, the virus becomes the victim. VC1 or VC2 (and, in rare instances, both of these programs) commit suicide during the attack. Their dying act is to capture a signature from the virus. This unique computer code is all Victor Charlie needs to identify every infection on every disk and diskette you own -- and Wipe Out each infected file cleanly enough that not even an expert hacker could revive it. The virus signature captured by VC is identified on your computer's disk or diskette by the filename VC.SIG. This is your Virus Signature Library, and it is created and maintained completely automatically. The Library contains one or more unique strings of computer code able, like a person's hand-writing, to identify the virus for Victor Charlie. Before we go on, there is one important point about the VC.SIG Virus Signature Library: These virus signatures are NOT viruses. They are only vital parts of viruses. They cannot replicate. They cannot infect. They cannot perform evil deeds on your computer, its disks, drives, programs or data. Not even that mythical hacker, if he got access to your computer, could use the Signature Library nor any part of it to make a virus. NOTE: The filename VC.SIG is the default identity for the Virus Signature Library. Advanced users who wish to rename the VC programs to provide invisibility to viruses must change the name of the Library to match the new name for VC. Please see the manual section on renaming VC for details. VC.SIG is crucial to the Victor Charlie program VCHECK. This powerful _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 33 program reads the VC.SIG files, and then searches all vital programs for the signature. Each time it finds it, VCHECK marks the infected program. Each time it finishes checking an entire drive or diskette, VCHECK halts with an offer to erase any infected files it finds. We strongly urge you to accept this offer. We allow a choice only because a few technically-minded users or supervisors may want to examine a virus specimen. This would be impossible after VCHECK finished Wiping Out each infected file. But 99.9 per cent of computer owners and users will be better off to Wipe Out infected files, and rebuild their disks and programs from uninfected Backup diskettes, or even original program floppies. Keeping an infected file on your disk is courting disaster of the worst kind. The VC.SIG file allows VCHECK to find every infected program you own. We provide a typical Virus Signature Library on every Victor Charlie Distribution Diskette. Each entry in the Library was captured by the relevant Victor Charlie program under real computing conditions, just like yours. Again, these are harmless signatures -- except to the viruses concerned. Each unique signature is as fatal to the virus as a forger's handwriting is in the hands of an FBI expert. What's In VC.SIG? As provided on the VC Distribution Diskette, the Virus Signature Library contains identifying code which will detect many so-called common viruses. This is merely a sample library. We provide these signatures purely for testing purposes. Victor Charlie doesn't need them. You may wish to operate VC with no such Library on your computer. If Victor Charlie detects an active Type 1 Virus on your machine, it will create a new VC.SIG Library, or append any new signature to the existing Library as the situation demands. But the provided Library allows a live Demonstration of VCHECK. We suggest you run such a Demonstration when you have a few minutes free. It allows you to see just how this program searches for specific viruses. Full details on VCHECK's many capabilities are in the manual section dealing with this Victor Charlie program. But to see VCHECK work out against known virus signatures, you need only do two things: 1. Ensure that the provided files VC.SIG Library is in your Victor Charlie Home Directory, and, _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 34 2. Type the following command at your DOS prompt: VCHECK - [Enter] That is the minus sign, - after VCHECK. With this command, VCHECK will search all your vulnerable program files across your entire hard disk (all drives) to see if any of these unique viruses is present. When it finishes, it will halt and offer to search diskettes. If it should find any of these common viruses, it will offer to wipe them out for you. There is no special reason to keep the provided Signature Library on your computer after this demonstration. Feel free to remove it if you wish. On the other hand, it won't hurt to keep it around either. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 35 VCHECK - VC's Do-Everything Program VCHECK.COM is the third major part of the Victor Charlie anti-virus software program. Like VC1 and VC2, it can range far and wide across your disks and through your directories, unerringly searching out every infected file. And like VC1 and VC2, VCHECK is a preventative as well as a cure. You should always use VCHECK in coordination with the shock troops to be certain you have no viruses on your disks. Here are the two ways in which you may do this. If you simply type VCHECK [Enter] at your computer's DOS prompt, or choose the Search and Destroy default option in the VC shell interface, the program will traverse through your entire disk, running three consecutive inspections of all programs and program parts susceptible to virus attack. These checks scrutinize: o The DOS-reported size (the file size you get when you type DIR) of all such virus-vulnerable files, and, o The actual size of these programs and program parts, and, o The BITCHECK of each checked file. BITCHECKS are VC's cryptographic checksumming procedures which produce unique reports on the state of a file. So specialized is this routine that VCHECK's BITCHECKS actually will vary from computer to computer throughout the world. Usually, the two file sizes reported by VCHECK will be identical. If they are not, VCHECK will tell you. Please bear in mind that in such a case, it is more likely that reported and actual file sizes differ for reasons other than a virus attack. Still, such a difference is always a danger signal. Some clever viruses, you see, are able to lie to DOS, making your computer think everything is all right even while it is being attacked by a virus. VCHECK works carefully to try to make this impossible. BITCHECKing employs proprietary algorithms to create a special, double-encrypted number for each file. (The numbers are created, in _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 36 ComputerSpeak, in hexadecimal form, and include letters as well as actual digits). This number depends on every computer bit in the file, and the order in which they occur. If so much as one bit of that file is changed or moved, for any reason, VCHECK will warn you (see below). Since viruses must change a file to hide and operate, BITCHECKing provides a method of finding them. You can watch VCHECK in action by typing VCHECK [Enter] any time you wish. By itself, however, this is merely a piece of information that soon will scroll by and out of sight. There is no way you can -- or should -- try to remember what VCHECK is showing you. This type of checking is somewhat interesting to techies, perhaps, but has little relevance to the real role of VCHECK in your attempts to defeat the spread of a virus on your computer. You have to harness VCHECK, rein in the program's enthusiasm to speed through dozens of sub-directories, gleefully checking programs and program parts at the rate of up to several per second. You say Whoa to VCHECK by invoking it from the VC menu interface, by using it in combination with other Victor Charlie programs, or by ordering permitted command-line parameters yourself. For a brief on-screen explanation or reminder of what VCHECK can do, enter one of the following at the DOS prompt: VCHECK ? [Enter] VCHECK HELP [Enter] This provides a summary of what we are about to describe here, and can be called at any time. You may also see this help screen while using VCHECK from the menu interface. Select Search and Destroy from the Green Alert menu. Then select Manual Parameters. Simply type Help or ? and hit the Enter key. Advanced or adventurous users will find the copious options of this powerful program useful in varied ways. Among the many, we use some of VCHECK's power to perform quick file-identity checks; provide indelible holographic serial numbers for groups of files, and to monitor changes in programs or data in general. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 37 A provided sample batch program, WI.BAT, harnesses VCHECK as a whereis utility. You can search across an entire hard disk in seconds for any lost file by providing its name or part of its name to WI.BAT. (Simply type WI.BAT for a brief explanation of how it is employed.) VCHECK, when reined in, serves three major, important purposes in the anti-virus battle. o As an on-line part of Victor Charlie's day-to-day anti-virus ability, it is the part of the program which will find infected files for you immediately after the suicide of VC1 or VC2, by searching every virus-vulnerable program for the captured virus signature. o As a rear-area virus defense, it compiles a list of vital statistics of your computer programs and program parts, storing them away for future Auditing and reference. This Audit List could turn out to be a vitally important step in curing a potential attack from a super-clever virus, several of which already exist. We have automated the compiling both of reference and comparison lists, and the actual comparison, with the Victor Charlie batch program VSEARCH.BAT. The equivalent to VSEARCH in the Menu Interface is Audit Programs. o As a friendly aid to you, VCHECK will monitor Data Files. Few anti-virus programs even attempt to do this, because it is incredibly difficult to monitor material that by definition changes. For our suggestions on how to do this, please see the manual section on VBAIT.BAT, a fully-automated method you can use to keep an eye on data which may be vulnerable to viruses. Usually, when you use VCHECK, you will want to redirect its output. That is, instead of having the program print all the information it assembles on your screen, you will want to put it in a file on your disk, so you or another Victor Charlie program can peruse it at a somewhat slower speed. You may do this yourself by typing: VCHECK parameter /filename.ext [Enter] at the DOS prompt. You don't use the actual words parameter or filename.ext. For filename, you may use any name that DOS accepts. (For examples of this, see the files and manual sections on VSEARCH.BAT and VBAIT.BAT). _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 38 For parameter, you substitute one or more of the following. VCHECK - [Enter] The "-" parameter is the minus sign. This command orders VCHECK to look at all virus-vulnerable files and check them against VC's Signature Library of common viruses, plus ones you may have suffered the misfortune to have contracted yourself. The library is updated if necessary, on the fly, each time VC1 or VC2 encounter a Type 1 virus. The signature library is called VC.SIG by default. It must be present in the Victor Charlie Home Directory for the - option to work. (We provided a basic Signature Library with signatures from so-called common viruses on your Victor Charlie distribution diskette. This allows you to test this facet of the VCHECK program at any time.) VCHECK d [Enter] This command will check your computer drive d where "d" may be any letter signifying an actual drive on your computer. If this parameter is not provided, VCHECK works on the current drive -- the drive indicated by your DOS prompt. Please note you need not enter the colon after the drive letter as you usually do with DOS-type programs. VCHECK . [Enter] VCHECK followed by a dot (period) and the Enter key further restricts VCHECK's actions to the current directory or sub-directory only. This specialty feature will not be of interest to you often. But in the event you have to go on a long, drawn-out search for a persistent virus -- a distinct possibility as virus programs become more sophisticated -- it is a potential time-saver of great magnitude. The "." option also could be useful for checking new programs before you run them. Any newly installed or updated program should be checked with this option immediately. Advanced users who wish to monitor Data Files on their own could use this option, plus a specialized VCHECK.CFG in the relevant sub-directory. VCHECK filespec [filespec] . . . [Enter] You can override all VCHECK's orders about which files to check with this command. Filespec can mean any part or whole name of a file _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 39 acceptable to DOS. That is, the filespec can be no longer than eight letters, numbers or certain symbols, followed by period and not more than three more such figures. The usual DOS wildcards ? and * are fully supported by VCHECK. You may enter as many filespecs as will fit on your command line (typically, 128 characters). Thus, if you wanted to VCHECK only .EXE programs, your COMMAND.COM and non-executable program files from a mythical software program called, say, Victor Charlie, you could type: VCHECK *.EXE COMMAND.COM VC*. [Enter] VCHECK only [Enter] The "only" parameter restricts VCHECKing to the current drive, that is the drive to which you are logged on. In effect, this is a negative parameter. It suppresses the default choice of VCHECKing other drives. After completion of the VCHECK only operation, the program stops and returns you to DOS or the VC Menu Interface after VCHECKing the single drive as ordered. This is most useful in automating Victor Charlie to your own needs. All of the above parameters may be chained. Let's say you are currently doing computer business in the sub-directory C:\DOS\BIN. You have a D: drive, and you know that the current directory on that drive is called D:\BACKUP\123. You want to see if any of the .EXE files in that directory have become infected with a virus whose signature has been left behind from a virus attack detected by VC. You would type: VCHECK - d *.EXE [Enter] This is an extreme case. Far more likely you would simply switch to the D: drive and run VCHECK with the - parameter. Nevertheless, it shows a potential ability of this Victor Charlie program. VCHECK HUSH [Enter] The hush parameter, which can be used with all VC programs except the Menu Interface, suppresses the normal screen output. This parameter should be used sparingly with VCHECK. The Hush order suppresses virus searches. Even if you have a virus Signature Library, use of the hush command will force VCHECK to ignore this library as it Scans the disk. This makes it useful for specialized operations such as in WI.BAT, where a user wishes to utilize VCHECK's speed in finding one or more files on the computer's disk. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 40 VCHECK's Default What checks does VCHECK check when VCHECK does check checks? The program has a built-in default to perform VCHECKing on typical programs and more-or-less typical program parts. This built-in list ensures that VCHECK looks at all files with the following DOS extensions in their names (the three letters after the period). COM EXE SYS BIN OV? PGM PRG APP LOD LD? CHN PIF DRV DLL These are only the most common of today's computer software programs. Many particular programs have program parts (Overlays) which carry other extensions. Before much more time goes by, you should have a look at your actual programs to see if this default list leaves any particular program parts vulnerable. VCHECK will check any program parts you alert it to. Such an alert is given in the adaptable text file called VCHECK.CFG. VCHECK will always look for this text file before it swings into frenzied action. If it finds the file, it substitutes the contents of VCHECK.CFG for its own built-in defaults. This is yet another Victor Charlie program fully adaptable by any user, yet functional as it stands. The VCHECK.CFG provided on your Victor Charlie Distribution Diskette is identical to the built-in default list given above. If you need further -- or, possibly, less -- VCHECKing than is provided by VCHECK's defaults, please see the section of this manual which deals specifically with VCHECK.CFG, and explains how it can be quickly changed, and used, on your specific computer. VCHECK uses the following precedence in determining which files it should check on any given command: 1. The DOS command line or Manual Parameters given from the VC User Interface, if any are given; 2. The file VCHECK.CFG, if found, in the current directory as indicated by your DOS prompt; 3. The file VCHECK.CFG if found in the VC Home Directory, and, finally, _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 41 4. The built-in defaults -- 14 program and Overlay extensions, shown above. Thus, for example, the specific command VCHECK *.COM *.EXE [Enter] whether given from the DOS command line, a batch program or the VC shell interface, would override all other orders or configuration files applicable to VCHECK. If VCHECK finds a VCHECK.CFG file in the current directory, it will take its search options from that file, and pay no attention to any other VCHECK.CFG or the internal defaults. If no command line parameters are given, and if no VCHECK.CFG is present in the current directory, VCHECK will follow the instructions from VCHECK.CFG in the VC Home Directory -- if it exists. If none of the above options are used, VCHECK will check only files with the 14 default filename extensions listed above. False Alarms - If VC Finds A Virus Which Isn't VCHECK, Victor Charlie's search-and-destroy program, uses proprietary, built-in routines to detect viruses. These include artificial intelligence, and examination of program code for known writing techniques of identified writers of viruses. These routines may cause False Alarms. If so, you may turn off VCHECK's built-in virus-searching intelligence by making and Initializing a new set of VC programs as outlined below. In its default state, VCHECK looks at each file it BITCHECKS and searches for certain tell-tale viral signs. These are in addition to the presence of viral signatures captured and stored in the Signature Library by VC1 or VC2. Occasionally (but seldom), perfectly legitimate programs will use such code themselves. This will cause VCHECK to assume the presence of a virus in a program which, in fact, is clean. If VCHECK alarms on programs which you are certain are virus-free, you probably will have to run Victor Charlie without its special routines. Please do not be hasty about making such a decision. Before you decide that VCHECK is causing False Alarms on your computer, run through the following checklist: _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 42 1. Run VCHECK, and note which programs it reports to be probably virus-infected. 2. Run one of those programs itself. 3. Run VC1, VC2 and VCHECK in succession. (From the VC Menu, simply run the two available routines at the Condition Green sub-menu, Quick Check and Search-and-Destroy). 4. Look again at the programs VCHECK has detected as probable viral carriers. See if any new files have been added to this list. 5. Replace one of the infected programs with a known, clean Backup copy. Do not run this program. 6. Run Steps 2 through 4 one more time. If VCHECK is no longer adding files to its list, and, If you yourself believe your program is uninfected, and, If only VCHECK continues to claim your clean program is infected, while VC1 and VC2 disagree and report no infection, then, You might now begin to assume VCHECK is, indeed, causing False Alarms. Please be very careful while you do the above. Viruses already exist which spread extremely secretively. If VCHECK continues to add infected programs to its Log file, it is very possible -- even likely -- that you have one of these viruses, and the alarm is true! If you conclude that you are receiving False Alarms, simply proceed immediately to your Victor Charlie Home Directory. There, you will find a small program called NOFALSE.BAT. If you do not have this file, copy it from your Victor Charlie Distribution Diskette. Issue the command: NOFALSE [Enter] This batch program will initialize a complete, and new set of Victor Charlie programs. In the process, it will turn off the VCHECK logic which has detected viral infections where none seem to exist. It is the nature of viruses to spread as secretively as possible. It is the nature of VCHECK to smoke out the viral spread. While false alarms are maddening and time-consuming, tracking down and killing a cunning virus programmed to spread covertly can be far more difficult _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 43 and far more frustrating -- and such viruses have enormous potential for destruction of your valuable data, information and time. NOTE: As we try to stress as often as possible, detecting and tracking viruses cannot reliably be performed with a single computer command on every occasion. Virus writers often are exceedingly and excruciatingly clever programmers able to circumvent and capitalize upon the belief that virus detection is simple. Sometimes, tracking a virus can take the patience of a saint, the observations of a first-class detective, and the planning of a battle strategy. Hint: In the event that VCHECK causes a false alarm on one, two, or even three programs, you should consider living with these. Often, you can remember a couple of False Alarms during any Search-and-Destroy or Audit operation. You may be glad in the future you refused the temptation to remove VCHECK's intelligence when it begins to detect new infections which are not False Alarms. Excluding Files From VCHECKing An alternative to switching off VCHECK's built-in intelligence is to exclude certain, specific files from the program's scrutiny. This is performed by adding program names to the VCHECK.CFG text file. The primary purpose of VCHECK.CFG is to add, by use of wildcards, to the list of virus-vulnerable files you have on your computer. However, it also is possible to exclude explicit files from VCHECKing. You should consider this if you have several known-clean files which VCHECK insists contain dangerous computer code. Although it is unlikely you ever would consider excluding so many files from VCHECKing, it is possible to segregate several hundred files from VCHECK's scrutiny through this list. To exclude a file from virus searching and checking by VCHECK: 1. Load or create the file called VCHECK.CFG with your text editor or word processor. (This file must be created in pure ASCII text. Most word processors have an ASCII, or non-document, mode for creating and saving such files.) _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 44 2. Each file to be excluded from VCHECKing must be listed on a separate line in VCHECK.CFG, and must be completely identified in the form: -d:\path\filename.ext 3. Please note in the above example that each line must begin with a minus sign (dash). This is the signal to VCHECK to ignore the file during virus searching. 4. The d: is the drive letter where the false-alarming file resides. The \path is the full DOS path to the file. Filename.ext is, of course, the full name and DOS extension of the pesky false alarm. 5. Save the new or edited VCHECK.CFG to your disk in the VC Home Directory, and exit your word processor or editor. 6. From that moment, VCHECK will ignore the file(s) you added to VCHECK.CFG with the leading minus sign. No further action is required. It is not necessary to make a new copy of VC programs, or to reinitialize. Again, please do not be hasty in applying Nofalse to your Victor Charlie program. Extensive testing and research prior to release of this software revealed that in more than 90 per cent of cases, VCHECK's programmed logic detects viruses rather than causes False Alarms. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 45 VSEARCH - Audit Programs VSEARCH.BAT and its Menu Interface equivalent, Audit Programs, may be the most important routine in your anti-virus computer arsenal. If you use them as directed here, you may detect any virus attack possible on a personal computer running under DOS. NOTE: Comparisons of lists of BITCHECKS can detect all viruses on a PC. This is subject to several conditions. These include the necessity to perform BITCHECKing immediately after a cold boot to a known-clean DOS diskette. In addition, the results of list comparisons must be correctly analyzed by the computer user. There are two default methods of employing BITCHECKing on your computer. Imaginative users can come up with many others. We provide a sample of such thinking with the provided batch program VBAIT. Please see this manual's chapter on VBAIT.BAT for an example. You may use BITCHECKing to your advantage with the provided program VSEARCH.BAT, and with the selections Audit Programs at the Condition Yellow choice in the VC Menu Interface. We would like to take a moment for a brief explanation of these foolproof harnessings of Victor Charlie's VCHECK program. The computer you save may be your own. The Meaning of BITCHECKS A checksum is a mathematical computation of every bit and byte in any single file on your computer. Checksums may be computed of data or programs, text or computer language. In the real world, they require a program to make. In turn, the program consists of one or more algorithms which are used as the basis for the calculation. There is no standard or regular way of computing checksums. Any group of 100 good computer programmers may literally have 100 different methods of computing checksums. And while those same 100 programmers might very well agree on what makes for bad checksumming algorithms, it is unlikely they ever would agree on a unique, good algorithm. Victor Charlie's proprietary method of checksum computation is top-of-the-line. Because of this, we have replaced the generic term "checksum" with our own term: BITCHECK. Without going into detail, VCHECK uses more than one method to compute a BITCHECK. The _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 46 methods used on any given occasion are entirely random. Not even we can predict in advance which of many possible algorithms will be utilized by VCHECK in its computations. Each VC program set uses different algorithms from others (a good reason to register your shareware version of the program). Each Bitcheck produced is bit-dependent upon what went before. Results are double-encrypted. This provides bulletproof security against even a mythical (so far) intelligent virus which might try to figure out BITCHECKing as part of its operation. The thousands of possibilities of Bitcheck computations at any time effectively rules this out. The VSEARCH batch program and the Audit Programs menu selection at the VC menu uses these facts about VCHECK and BITCHECKing to your advantage. Foolproof Virus Disabling No virus on a PC under DOS can survive actively if you cold boot your computer with an uninfected, write-protected DOS diskette. This is unequivocal. A fresh start for your computer with that DOS diskette will absolutely disable any virus. Naturally, it will not eliminate any viral code, but no virus can remain active or regain control of your computer if you turn off the machine, stick a clean, write-protected DOS diskette in the A: drive and turn the computer back on. This operation renders inactive even the hypothetical virus with artificial intelligence. This is the point where virus detection begins to become absolutely certain. Using VSEARCH VSEARCH.BAT (and the equivalent Menu selection Audit Programs) are illustrations that in the task of total virus detection and cure there is no free lunch." We have made these routines as easy as possible to run, use and interpret. But still, it makes two demands on you, the thoughtful computer user: 1. Time. VSEARCH will take several minutes to run on the average PC with a hard drive. 2. Attention. When the program finishes, it may require some interpretation on your part. Here is how we suggest you set up _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 47 program auditing for yourself. What follows is only a model and you can -- indeed you should -- adapt this to your own needs. First, we recommend you always run program auditing after cold-booting to a write-protected DOS floppy diskette. While this can be a bother, it makes the virus hunt certain, as we pointed out above. You can make a bootable floppy for this purpose. Or simply shut off your computer, insert your standby DOS diskette in the A: drive to restart the machine, and then begin your auditing. If you decide to play it very safe and conduct the auditing itself from a floppy diskette, this disk may have to include a copy of your Config.SYS file from your hard drive, and copies of any "driver" programs required by Config.SYS. To be extremely safe, also include: o The program VCHECK.COM, copied from your Victor Charlie Home Directory o The program VCOMP.COM, also copied from the Home Directory, and, o The batch program VSEARCH.BAT itself. This is all you need to conduct a full-scale, completely dependable anti-virus search. These three programs will interact to provide you with reference and comparison lists of files anywhere on your computer. They then will compare these lists, and finally strain out and show you any differences. This is where your logic must play a part. VSEARCH is capable only of identifying to you the following: o Changes in the makeup of any program on your disk; o New programs added to the disk between runs of VSEARCH, and, o The absence of files between such runs. It is up to you at this point to apply your logic. If a program has changed its makeup, you must figure out whether you have changed it in some way. Perhaps you have upgraded to a new version. Or maybe you have reconfigured a self-modifying program. Either of these events will show up in VSEARCH as a flagged problem. And so will any program which has been changed by a virus attack. With VSEARCH, the up side is that you will detect all changes to your computer programs. Since a virus must change a program to infect it, _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 48 you will catch all viruses. The down side is that you must, to a certain extent, know what you have on your computer and whether you have changed what is there. VSEARCH itself is self-explanatory once it begins to run. And running it is as simple as issuing the following command: VSEARCH [Enter] In its provided, default mode, VSEARCH.BAT o will work from any drive on your computer (although, again, we highly recommend you use it only from a floppy drive after a cold boot). o search the entire C drive of your computer for program files and parts (Overlays). o record the results of this search in a special file in the VC Home Directory. The first time you run VSEARCH (you have an opportunity to do this right at VINSTALL stage) the program will create a file called VSUM.REF. On subsequent runs, it will create a file called VSUM.NEW. It will automatically compare these two files, and flag differences to your attention for possible action. (These two lists are plain text, although they never should be edited or modified in any way by you. As text files, however, they cannot be virus carriers.) Like all Victor Charlie Batch Programs, VSEARCH can be edited, changed and adapted to your own use. Whether you use VSEARCH or the Audit Programs menu selection, the routine will take some time to run. We can't predict how long, because it depends on how big your disk is, how many programs you have on it, and how fast your computer can run. Figure at least two or three minutes on an average machine with more than 1,000 total files, several major applications and various utilities. It is neither necessary nor worthwhile running VSEARCH often. Once a week on the "average" computer would be sufficient. If you add programs to your computer often, you will want to run VSEARCH more frequently. If you never add a new program, there is little to be gained from running VSEARCH more than every couple of weeks. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 49 We suggest you pick a specific time to run it, however, when the computer is not being used for a while. One of Victor Charlie's early users said he ordered BITCHECKing routines once a week as he went to lunch. When he returned, results of the program were awaiting him. This seems eminently sensible to us. However you wind up using this powerful BITCHECKing feature, we strongly advise you to run the program as soon after you obtain Victor Charlie as possible, to build a reference list of programs, their file sizes and BITCHECKS on your disk. Even if you do not use VSEARCH again for a while, having such a list easily at hand could be extremely valuable as you go about your computing. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 50 VCOMP This small program is part of your rear-area defenses. Its sole task is to compare two file lists made by VCHECK or by batch programs which use VCHECK automatically. VCOMP is programmed to detect differences in what in practice are reference lists and new lists of files and the Bitchecks. If there are no differences, VCOMP politely and quietly informs you. If differences exist, VCOMP will show you exactly what they are. Bear in mind differences in the lists are most commonly caused by your own actions, and not by viral activity. For example, let's suppose that two weeks ago, you performed an Audit Programs search of your virus-vulnerable files with VC. This list would be stored in the Victor Charlie Home Directory. Let's suppose further that last week, you added new software to your computer. You liked it and you intend to keep it around on your disk. Now, today, in the last stage of this scenario, you Audit Programs once again (or use VSEARCH.BAT for this purpose). In this hypothesis, VCOMP will show differences for sure. It will show the program and program-part (Overlay) files of your new program weren't there two weeks ago, with a note that the lists differ, although no files show known signs of a virus. This is absolutely true, of course. VCOMP cannot know when or if you have added or deleted virus-vulnerable programs. In the above case, for example, the proper procedure (detailed in the section on VSEARCH) is to delete the original reference list, and make a new one that included the added files. The VC User Interface Menu has a specific function, under Condition Yellow, to perform this function automatically. At the DOS prompt, this can be handled smoothly with the following command: VSEARCH NEW [Enter] VCOMP is useful in your final defense lines -- the point at which, in fact, you are attacking the virus instead of vice-versa. With VCOMP and advance planning, you will be able to spot files changed in size, or whose Bitchecks do not match. Now this is a sign of a virus attack _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 51 upon that file, possibly a certain sign unless you have changed the file yourself. VCOMP is not a program to be used daily. It is specialized, usually used in direct connection with VCHECK, and most effectively used in an automated process such as VSEARCH, VBAIT, or Audit Programs. To use VCOMP, at the DOS prompt on the command line or in a batch file of your own, you should type: VCOMP [Enter] The program will prompt for the names of two text files to compare. These files must be made by VCHECK, by the way. Otherwise, VCOMP will simply exit. More efficiently, however, you should use VCOMP with two parameters by typing: VCOMP file1 file2 [Enter] where "file1" and "file2" are two unique reference files made by VCHECK. Never attempt to edit, change or even save a disk file made by VCHECK. Certainly you can look at it in a word processor, a text editor, or even with the DOS TYPE command. But if you make any change, there is a good chance you will receive a string of false-alarm differences a mile long when VCOMP tries to read it. This is because different editors and word processors do different things to files, most commonly adding or deleting blanks at the ends of lines. This tiny, actually invisible change, can radically change the file to the point where VCOMP is incapable of figuring what is going on. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 52 Protecting Your Data Baiting Viruses with VBAIT.BAT In the war on viruses, there is nothing so feared as the virus Bomb which deletes or changes data. While programs can be replaced relatively easily and cheaply, data can involve weeks, months, even years of work. As Victor Charlie and this manual were being written, new viruses were being discovered daily. Some of these contained Trojans or Bombs aimed injurious to data. This is nothing new. In fact, the world of mainframe computers has suffered major problems of this type for years. Thieves and practical jokers have introduced viruses, Trojans, Bombs, and worms (a type of destructive program that, thank goodness, cannot exist in the PC-DOS world) into large computers. These programs on occasion were capable of changing data in almost indiscernible ways. Often, these are aimed at illegally transferring money or goods to the virus writer. In the PC world, a virus was discovered in 1989 that greatly troubled computer security experts. Its Bomb section worked like the worst nightmares of most computer users. The program was capable of searching out pairs of numbers, say 29 or 63, and reversing them. Reader-users who work with numbers can immediately see the possibly catastrophic results of such an action on a lengthy spreadsheet, database, or report in a word-processing program. Thus, before we even discuss how Victor Charlie can help you protect your data from a virus Bomb or Trojan, we must stress two basic computing rules: 1. Detect, and wipe out, viruses as quickly as possible. You can do this with VC if you use the program often. It takes only seconds. If you have no active virus, your data is safe from attack by a virus Bomb. 2. Back up your data. We recommend daily Backups. This can be done by 99.9% of users in minutes, as the second-last task of the computing day. (The last one is, of course, to run VC one more time before you shut down). Data that is backed up and stored cannot be touched by a virus Bomb. If it is on a write-protected floppy disk, it cannot be changed by any _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 53 software under any circumstances. Users who back up their data regularly have little to fear from a virus attack. While it might be frightening, annoying, and even time-consuming to recover from a severe virus attack, such a process is nothing compared with the months of work that go into building Data Files on your computer or, even worse, a computer network. Setting up Test Files That said, we now will proceed with some suggestions on how you provide security against a spurious software program trying to play tricks with your data. The first step in this process is to decide what kinds of files to give over to this process. This should be fairly simple. Bait files should contain typical data produced by the software programs with which you or your computer operators work. We suggest you pick two or three typical files from each of your major programs, or which come from programs you consider particularly important. These will serve as your virus bait on a fairly permanent basis, at least until you change the version or program you now are using. Copy each of these chosen bait files to a new name. Since they will serve only as bait, pick names which -- to you -- mark them as files you never will touch. We hope each VC user picks a different way to identify these bait files, but we recommend something along the following lines. Change to the directory where you keep (for example) your Lotus 1-2-3 Data Files and type commands something like the following. Naturally, you should use real filenames and bait names in place of the examples we give. COPY MAR90RPT.WK1 BAIT1.WK1 [Enter] COPY TAX1990.WK1 BAIT2.WK1 [Enter] Now go to the sub-directory where you keep your database files produced by, say, the dBase IV program. Perform a step something like this: COPY EMPRCDS.DBF BAIT3.DBF [Enter] COPY CARDLIST.DBF BAIT4.DBF [Enter] _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 54 You might next proceed to the sub-directory where you keep documents produced by your word processor. There, type commands along the lines of the following. COPY REPORT03.DOC BAIT5.DOC [Enter] COPY MOMLETT.PER BAIT6.DOC [Enter] You may see our theory. We are providing bait for a Bomb attack. We can provide fast, easy checking of the new files we just created, because we have given them similar names. But the names are also similar to existing files, so no virus Bomb, Trojan or data-changer can possibly be intelligent enough to avoid these files. Again, you need not use our suggested bait names. We hope you do NOT use these names. If every user selects different names for his Bomb-bait, no virus Bomb will be able to avoid attacking the data files. Our aim is to invite a Bomb attack, so we then can pinpoint the origin of the attack and effect damage control. Nor should you try to group these bait files in any special area. Leave them in the sub-directories with your day-to-day files. That way, to any virus Bomb, they look like harmless data that invite attack. Thanks to the VCHECK-VCOMP combination, they are lethal weapons. You then can adapt the program batch file VBAIT.BAT to your own files. With this program, VCHECK-VCOMP will detect so much as a one-bit change to any of these files. Normally, this batch file will produce the following message on your screen: Statistics compared OK! This means you can breathe easily. The original checklist you established has been compared with a new checklist, and the file sizes and checksums are exactly the same. No changes have been made to the files. If, however, you should come under a data-Bomb attack, you will get a message something like this: STATISTICS NOT SAME !!! This is your signal a Bomb may have been launched. Now you must go looking for a harmful program. If it is a virus, Victor Charlie can find it for you, possibly with the VSEARCH / Audit Programs routines. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 55 Once you create bait files, you never should touch them again. If you make any changes to them, you must run the VBAIT program again. Your first step then would be to delete the check files VBAIT.OLD and VBAIT.NEW created in the VC Home Directory by the VBAIT.BAT program. You are free to adapt or change VBAIT.BAT to your own needs or work habits. We provide such programs and explanations specifically so you can use VC in a manner that best helps you in the hunt for viruses and other hurtful software programs. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 56 Renaming VC It is possible to hide Victor Charlie and thus to make it "invisible" to generic attack by malicious software. Except for the shareware version of the program, VC is manufactured in small or unique program sets in which the dates, times, sizes and checksums of all VC programs are different. Site users always receive a unique program set, which can include renamed programs and other files. Users of any VC program can rename their own VC on any computer. Please, NOTE: VC programs cannot simply be given new names by using the DOS REName function. Victor Charlie programs must be able to "communicate" with each other, and can only be renamed as described here. Malicious programs already exist which search out certain software and "attack" it by name or location. A program which insists on installation in a certain directory, or which must have specific files using specific names is wide open to such attack. To give your VC programs new names and help to hide them from any such generic attack, you must first initialize Victor Charlie. You probably have done this if you have reached this point in the manual. If not, initialize VC with the command: VINIT [Enter] Following this, simply type: VC RENAME [Enter] The rename process is documented, with help, on the screen. You will be asked for new names for the VC programs and some other files. Others, such as the Signature Library and main help file, will be renamed to reflect your own chosen names. A list of old and new names is retained for your use. After renaming VC, be sure to change any batch files you may be using to reflect such changes. Don't forget Autoexec.BAT, which may include VC commands for starting up your computer. There are two "restrictions" on renaming VC. One is that names must _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 57 adhere to DOS rules, i.e. they must be no more than 8 characters (extensions such as .COM and .EXE are, of course, not changeable). In addition, VC has a couple of reserved characters for its own internal use. In the unlikely event you choose one of these, you will be informed and asked to change the "offending" name. VC programs can only be renamed one time. If you wish to rename Victor Charlie a second time, you must restore VC to its original names, initialize the program again, and then begin your second round of renaming. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 58 VC Utilities BOOTFIX: Victor Charlie's Diskette Sterilizer Type 2 Viruses often spread via the Boot sector of a disk or diskette. Typically, such a virus begins acting in the few seconds after a computer is turned on, or rebooted, either via the reset switch of the Alt-Ctrl-Del key combination. The boot sector virus is notably nefarious because it activates automatically. The user, apart from starting or rebooting his computer, takes no action at all. Type 2 Boot sector Viruses live and work in a reserved portion of a hard disk or diskette which is read automatically by the PC. It is from this dedicated disk area that the machine gets information to proceed. Through this area, the machine becomes ultimately capable of running DOS and, through it, your main applications. BOOTFIX is a Victor Charlie utility to help you to remove diskette-based boot viruses. Along the way it provides a few extra services. It will, simply, sanitize data and Backup diskettes, killing any virus it may find along the way, and help to remind all users in the future of the dangers of trying to boot from the wrong type of diskettes. What does BOOTFIX do? o Allows you to view the Boot sector of any diskette. By looking at this diskette area, you may even see a virus. o At your command, overwrites most of the Boot sector with a special message which will show on the computer screen if ever you accidentally do boot from the diskette. What is the value of this? o If you allow BOOTFIX to write a new Boot sector for your data and Backup diskettes, you can ensure immediately that any virus which might have been there will be wiped out. o Such a diskette will, in the future, remind you to be careful about booting from such diskettes, and lower the chance you ever will spread a possible virus. The Reason for BOOTFIX _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 59 A virus can hide on, and replicate from, a non-bootable diskette. Data and Backup diskettes can hide and launch viruses. Consider your recent computing habits. Have you ever accidentally left a data diskette in the A: drive of your computer and then started or restarted the machine? If so, you probably saw a message that read something like: Non-System disk or disk error. Replace and strike any key when ready. Probably, if you're like us and most other users, this is exactly what you did, perhaps muttering briefly about the delay. But your machine started all right, and you went about your computing affairs. What Could Have Happened Tens of thousands of such users have discovered later, to their horror, that they had a virus infection. Where did it come from? Because true Type 2 Viruses affect only the computer's System files, they are difficult to track to their source. What happened was this. The virus was activated at the time the machine started and, almost immediately, looked for and ran the computer code you will be able to see when you use BOOTFIX. On a data diskette, such code usually only displays the message to replace the disk and no harm is done. But on an infected diskette, this code is manipulated by the virus immediately, typically spreading to all available disks and diskettes, certainly including the normal boot drive on the hard disk. Some infected the hard disk's Partition sector. This makes the virus difficult to eradicate since normal DOS tools are denied entry to this disk area. Thousands of hard disks had to be low-level formatted to cure such viruses. Starting BOOTFIX BOOTFIX.COM should be run from a diskette. We recommend you o use the original Victor Charlie Distribution Diskette or, even better, a working copy; o write-protect this diskette with the usual method -- write-protect tabs for 5-1/4" diskettes and the sliding tab on the 3-1/2" diskettes. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 60 BOOTFIX, if used as a standalone program, is virus-resistant. But it is not directly integrated with the main, Victor Charlie programs. Although it will detect most PC viruses and inform you, there is a remote chance that BOOTFIX itself may become infected if you fail to use a write-protected diskette. For safety's sake, BOOTFIX.COM has been programmed to run only one time from a hard drive, and then to delete itself. Because of this, BOOTFIX can never become a virus carrier itself. (You can always make another copy from the non-executable Backup file BOOTFIX.) Running BOOTFIX is simplicity itself. Type the command BOOTFIX [Enter] The program will load itself in memory. You may remove the diskette containing the program, as BOOTFIX no longer needs it. BOOTFIX now will present you with a screen of information about itself. This is a summary of the information above. You will immediately be presented with two options. Please select a drive by letter: [A] [B] or [Q] to quit now (The drive letters in this message should match what is available on your computer.) Place a data, Backup or scratch diskette in one of the drives BOOTFIX indicates, and press the keyboard letter to match. BOOTFIX now shows you another screen. It provides three choices: [Q]uit, [V]iew, or [W]rite the new Boot sector. You will probably want to see what is in the Boot sector of your diskette. When you press V on your keyboard, BOOTFIX will read the Boot sector of your diskette, and display it on your screen. You'll see something like the following, but please bear in mind that this is only a typical representation, and what you actually see may be somewhat different: [ Screen capture available in printed manual ] At the bottom of this display, you once again will be presented with the BOOTFIX choices to [Q]uit, [V]iew or [W]rite. [W]rite a New Boot sector _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 61 As you see, Victor Charlie recommends, for safety's sake, that you write a new Boot sector on your diskette. If you do, any virus hiding in the sector you just [V]iewed will be killed. The above message (seen in the printed manual) is inserted by BOOTFIX, automatically, between the only two tiny pieces of computer code actually required on the diskette's Boot sector. If, in the future, you should accidentally boot from this diskette, this special message is what you will see on your computer screen: Some viruses can spread by accidentally TRYING to boot from a data diskette! VICTOR CHARLIE once "sterilized" this diskette. But virus infection may occur at any time. Virus spread can not be prevented in such a case. Please run VC when you regain control of the computer. To reboot now: Remove this disk and hit any key ==> If you do see it, you'll know the diskette does not a Type 2 Virus. A virus could not leave this message intact when it infected your diskette. Instead, this message will serve to remind you of the dangers of booting from a diskette. Victor Charlie recommends you treat all data and Backup diskettes with BOOTFIX. To do this, simply [W]rite the new Boot sector with BOOTFIX, feed a new diskette into the indicated diskette drive, and hit the W-for-Write key again. DOS Boot Diskettes Every user, as we have said numerous times, should have two or more DOS system diskettes capable of starting the computer in case of trouble of any kind, including virus trouble. Such diskettes should not be treated with BOOTFIX. On top of this, such emergency DOS diskettes should be write-protected. If they are, BOOTFIX will not be able to change them anyway (nor could a virus). In such a case, BOOTFIX will note the diskette is write protected and prompt you with an appropriate message. You may safely [V]iew the Boot sector of such a diskette, since BOOTFIX performs no action in such a case. But if you present a DOS diskette to BOOTFIX, whether by accident or design, the program will warn you. Victor Charlie Advises _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 62 If you have a DOS diskette which you no longer wish to use as such, you should FORMAT it, rather than simply treating it with BOOTFIX. A full format will also remove the hidden-System files, and give you more space on the diskette if you wish to use it for storage purposes. After formatting, treat the diskette with BOOTFIX. Use in Batch Files Bootfix is a virus-resistant program you can use in batch files. A part of any batch file must be to copy a backup of Bootfix to executable form, since Bootfix will delete itself after each use from a hard drive. Bootfix will return the following errorlevels in case of incident: 0 = OK 1 = WRONG DOS VERSION (if 2.0, no return if 1.x) 2 = COULD NOT FIND MYSELF 3 = OTHER FAILURES 4 = TRIED TO RUN FROM HARD DISK, DELETED 9 = VIRUS DETECTED, FILE INFECTOR _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 63 PTRESQ: VC's Generic Partition Sector Utility PTRESQ.COM is a Victor Charlie specialty utility capable of fixing most damaged hard-disk Partition sectors including damage by a virus or other causes. Normally, you will use it only when the VC program itself recommends you do so. This will occur in a tiny percentage of cases, and almost always during installation or initialization of Victor Charlie itself. The Partition Sector Every hard disk on a PC contains a small, dedicated section called the Master Boot Record (MBR). It also is called the Partition Sector and often, slightly incorrectly, the Partition Table (PT). By whatever name, this fixed-position area contains a small amount of computer code. This holds essential details of the hard disk. It tells the machine -- among other things -- what sort of disk is present, how many sectors it has, and what kind of Partitioning has been performed. This is a vital part of your PC equipment if you have a hard disk. It may be written in a number of automated ways, ranging from a low-level format and the DOS-provided FDISK program, through a large number of commercial programs. The PC user worried about viruses has a special concern about the Partition sector. In short, this is the only virus-vulnerable area in your entire computer to which you do not have easy access. You can not easily view this area and without special tools and knowledge, neither can you access it. Most especially, the average PC user cannot change this area -- i.e. wipe out a virus residing there -- with the normal tools provided by DOS. For most users, PTRESQ is the answer to this quandary. Partition Sector Warning PTRESQ, if you use it at all, it will likely be used only once in your computer's life. This will be during an attempt to VINSTALL Victor Charlie itself. (For the exception, see When Your Hard Disk Won't Boot near the end of this section.) During initialization, VC will examine the Partition sector. Should it see something unusual, it will immediately stop the Installation _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 64 process and present this advice: Victor Charlie has found something that appears dangerous in your hard disk Partition sector. [ Screen capture available in printed manual ] Victor Charlie takes a generic approach to all virus and possible virus-related problems. If you ever see this message from Victor Charlie's help file, please note the following: 1. Neither VC nor PTRESQ nor any other PC utility can know for sure if you have a virus in your Partition sector, or even whether you actually have a problem at all. 2. If you have what Victor Charlie calls an unusual Partition sector, you probably already know about it. Some hard disks and Partitioning (disk-managing) programs do make non-standard Partition sectors. This may include 5% or more of machines which are otherwise standard PCs. 3. Use of PTRESQ will not cause irreversible changes to your Partition sector. It will not touch any other part of your computer's disk. We recommend that you run PTRESQ if advised to do so by Victor Charlie, unless: o You know you have a non-standard Partition sector, or, o You have a specific tool to check and, if necessary, fix your own Partition table, or, o You are otherwise certain you wish Victor Charlie itself to back up and permanently protect your Partition sector as is. In the above cases, you may force Victor Charlie to continue its initialization, and to record and protect your non-standard Partition sector. If you do so, Victor Charlie will no longer complain about this problem. DO THIS ONLY IF YOU KNOW YOU HAVE A NON-STANDARD SETUP. Otherwise, you may be forcing VC to back up and protect a virus it has already warned you about. Starting PTRESQ PTRESQ should be run from a floppy diskette. Although it is virus- _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 65 resistant, it is not completely virus-proof. For this reason, the program will delete itself after each use if started up on any hard drive. If you must run it from a hard disk, make a backup: COPY PTRESQ.COM PTRESQ [Enter] Start up PTRESQ in the normal computing manner. For example, if the diskette with PTRESQ is in the A: drive, place your computer prompt at this drive. Then start the program: A: [Enter] PTRESQ [Enter] The program is virtually self-documenting. When it starts, a screen of help will appear first. Then, you will have a choice to [V]iew, [S]ave, or [R]estore the MBR, or to quit the program. [ Screen capture available in printed manual ] Probably, you will want to look at the Partition sector. [V]iew will perform no action except to display the Partition sector to your screen. Most "normal" Partition sectors will include a small amount of computer code and three or four error Messages in ordinary English. These Messages are part of the DOS contingency planning to alert you if something goes wrong. It is possible, if you have a virus, that you may see it here. A notorious Partition sector virus called the Stoned Virus, has readable English in this sector, which says "Your PC is now Stoned! LEGALISE MARIJUANA!" In such a case, you definitely will want to continue with PTRESQ. Putting PTRESQ to Work If you are using PTRESQ for a real problem, rather than out of curiosity, you will now want to put it to work for you. Here is the way the program works. If you press [S]ave, PTRESQ will make a copy of the existing Partition sector, which you viewed with the [V]iew choice. This copy will be called PT1.CPY. It will be placed automatically in the root directory of your C: drive, because every C: drive has a root directory. If PTRESQ finds more than one partition sector, it will save them under sequential numbers, such as PT1.CPY, PT2.CPY, etc. PTRESQ allows you to save either the first (256-byte) sector of the MBR, or the entire track (varies in size according to many variables). _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 66 The default choice is to save only the first sector. NOTE: PT1.CPY should never be changed. Do not erase it until you are certain you have a functioning Partition sector which is virus-free and able to boot your computer properly. At the same time, [S]ave will place a new and probably different Partition sector in place of the one you saw. This replacement of your Partition sector with a generic selection by PTRESQ probably will function perfectly for your computer. If it does, you may be certain of the following: You no longer have any active virus in the Partition sector. Please remember that the operative word in the preceding paragraph is probably. PTRESQ, to paraphrase Abraham Lincoln, will satisfy most of the people all of the time. Because of the huge variety of PCs, disks and software, no single utility, no matter how generic, can please all of the people all of the time. If [S]ave doesn't work for you, read on. Testing PTRESQ's Attempt As soon as PTRESQ has finished your order under Selection [1], it will signal you. This should take no more than a second or two. You must now test the result. o Remove the diskette or open the drive door on your A: drive. o Reboot your computer. Ctrl-Alt-Del is fine for the test. One of two things will occur: 1. Your computer will boot normally and leave you at the hard disk prompt, normally C>, or, 2. it will not boot normally, meaning the boot process most likely will hang your computer. If the boot is normal, you are a virus-free, satisfied user of PTRESQ. File the program away, but you'll probably never need it again. You simply return to installation of Victor Charlie. If the computer hangs during its initial boot, place your clean, write-protected DOS diskette in the A: drive and boot again. PTRESQ has not worked in your case on your computer. You should return to _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 67 Square 1 by reversing PTRESQ's unsuccessful rescue attempt. To do this, read on. Un-doing PTRESQ If you press [R]estore, the reverse of [S]ave will occur. PTRESQ will replace the Partition sector with the original Partition table from its Backup copy, PT1.CPY. [R]estore, in short, leaves you exactly where you started. A generic solution has not worked in your case on your computer. Most likely you now will need expert help and you should contact your computer salesman to find out the best way to get it. This is why it is vital that you neither change nor delete PT1.CPY until you are satisfied that PTRESQ has fixed your problem. Once your computer is working properly, but not before, you may delete PT1.CPY. It is of no use on a computer which is performing normally. When Your Computer Just Won't Start. Computers can be ornery machines, usually at the most awkward times. Often, computers seem to delight in presenting us with problems. One of the more common ones is failure to boot. You start or restart your machine, and it just hangs. Sometimes, an on-screen error message gives a clue to the problem, but more often the blank screen simply stares. Sometimes, even if it appears, the error message is as mystifying as the problem. If your computer just will not boot, it may be time to try PTRESQ. Running PTRESQ is easy, quick and painless. The worst that can happen is nothing. The best is that it will fix your computer for you. Victor Charlie Recommends: Do not run PTRESQ as a frequent event. VC itself allows users to view their Partition sector at a keystroke. There is no reason to access this absolutely vital part of your operating system, except in an emergency. Use in Batch Files PTResq will return the following errorlevels in case of incident: 0 = OK 1 = WRONG DOS VERSION (if 2.0, no return if 1.x) 2 = COULD NOT FIND MYSELF 3 = OTHER FAILURES _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 68 4 = TRIED TO RUN FROM HARD DISK, DELETED 9 = VIRUS DETECTED, FILE INFECTOR _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 69 GET.COM: Virus-resistant, Interactive Batch Files GET.COM is a standalone batch-file utility with great general usefulness. Most GET operations return both errorlevels AND environment information. If you are unclear about how to use errorlevels or environment variables, please refer to the batch file section of your DOS manual. GET can: o Obtain and use a wide variety of information about the computer, hard disk, drive, directory, floppies, environment, and DOS version, and return useable errorlevel and environment strings; o Wait for and act upon user instruction based either on a single key (such as in a custom menu) or on a full string; o Boot the computer by two different methods (cold boot or warm boot); o Pause the computer at any point for a variable number of seconds, and then branch to as many as dozens of possible operations including a default option, and, o Actually detect and warn of probable virus infection through self- checking every time it is run. Unlike the other virus-resistant VC utilities, GET.COM does not automatically delete itself after each use from a hard disk. This is for user convenience, despite a small danger that GET.COM could become infected by a "smart" or "stealth" virus. GET.COM is NOT a direct part of the overall VC program, and is not directly protected by VC. BSA encourages creative programming and batch-file techniques. GET.COM provides the means to provide a wide variety of methods and combinations of inventive batch programming. Several batch files provided with VC use GET, and can provide ideas. VINSTALL, VSearch and VBait are a few of the batch files which employ the VC interactive batch utility. GET.COM produces dozens of different errorlevel returns and environment variables. A two-screen help can be viewed by simply typing: GET [Enter] _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 70 Errorlevel 209 is one key return: this one means that GET has detected change to itself -- a likely virus attack. In such a case, GET.COM will delete itself to avoid becoming a virus carrier. To generate a new GET.COM, copy the non-executable backup GET to program form: COPY GET GET.COM [Enter] Do your batch files interactively -- and help detect and stamp out viruses at the same time! _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 71 Questions and Trouble-Shooting 1. Is VC compatible with DR-DOS Ver 6.0? Yes. VC is compatible with a wide variety of DOS versions. DR-DOS 6.0 and VC are compatible. 2. Will VC work with Windows? The shareware version of Victor Charlie will not work when Windows is running. You must exit Windows to use VC. For a Windows- compatible version of the program, please register your VC, and note that Windows is a specific concern. Note that VC will check your computer automatically during a boot. To check the machine at the end of a day or a computing session, you will have to Exit Windows to make that check. 3. Can VC work on a "stacked" disk? Yes, VC SHOULD be installed on a virtual disk such as those made by Stacker, AddStore, etc. Make certain that drivers and programs needed for such software are running before installing VC. NOTE: These programs work by "tricking DOS" into believing that a large file is actually a C: drive. This means that, via this trick, programs such as Victor Charlie are unaware that vital files and programs reside on a disk now called the D: (or other) drive. You should compensate for this by having VC check for these files on the "unstacked drive." Be certain that the first lines of your VCHECK.CFG file look something like this (depending on your DOS version and software setup): D:\COMMAND.COM D:\IO.SYS or D:\IBMBIO.COM D:\MSDOS.SYS or D:\IBMDOS.COM 4. VC is hanging my computer. What is wrong with it? Victor Charlie is an integrity program. This means one of VC's major tasks is the detection and analysis of CHANGE, to itself or to the computer and programs on which it is running. If you change important parts of the computer system, VC attempts to warn of this. In any case, if you make such changes (usually through startup configuration file CONFIG.SYS, Victor Charlie may hang the computer. If this happens to you, you must re-initialize VC. Do this with the single command: VINIT [Enter] _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 72 Victor Charlie depends upon the one look at your computer system it takes during initialization. Important changes to this cause unpredictable results from VC. If you use two or more basic and different setups during your normal computing, please run VC only when you are in the "standard setup" which VC looks at during initialization. If you often change these, we recommend you set up two or more VC Home Directories, and initialize the programs in each with those different setups. By adjusting the path statements in your respective Autoexec.BAT routines, you can be sure you will only use the Victor Charlie initialized with that setup. 5. Does VC work with Desqview and memory managers such as QEMM? Victor Charlie works smoothly under Desqview, but often will note that DV has "stolen" memory from DOS without reporting this. The condition will be reported by VC as a "memory parasite." The [H]elp screens note that this condition is normal with Desqview. If this is the only problem, it is safe to assume this is a Desqview quirk and not a danger to your computing. VC has been tested with a wide range of memory managers and no problems have been noted. In some cases, these proprietary systems may cause a VC alarm during initialization. If so, you should "assert," or force, this process as noted on the mandatory help screen which appears any time this problem is encountered. _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 73 INDEX ===== ALTV: 29, 30 AUTOEXEC.BAT: 15, 18, 57, 73 Audit : 6, 26, 38, 44, 46-49, 51, 52, 55 Audit Programs: 26, 38, 46-49, 51, 52, 55 BITCHECK: 2, 5-6, 17-20, 25-26, 36, 37, 46-51 BOOTFIX: 27, 59-63 Bait: 1-6, 16, 18, 20, 38, 46, 52-56, 70 Batch Programs: 49, 51 Bomb: 5, 20, 30, 53, 55 Boot sector: 3, 11, 13, 22, 27-28, 59, 61-62 COMMAND.COM: 3, 5, 11, 14, 22, 30, 40, 72 Checksum: 2, 5-6, 36, 46, 55, 57 Command interpreter: 11, 13-14, 30 Condition Green: 24, 25, 43 Condition Red: 24, 26, 27 Condition Yellow: 24, 25 Data Files: 38-39, 54 Demo: 28, 34-35 Drivers: 14, 16, 72 False Alarms: 20, 28, 42-44 File infector: 31, 63, 69 Home Directory: 15, 22-24, 26, 34, 39, 41-43, 48, 51, 56 Initialization: 13-16, 21, 64-65, 73 Installation: 9, 13-14, 28, 64, 67 (See also INSTALL.DOC) Interrupts: 5 Logs: 3, 9, 28, 37, 40, 43, 45, 48 Menu Interface: 23-29, 37-38, 40, 46-47, 49, 51 Messages: 5, 66 Mirror Files: 15, 17-18, 20-22 Monitoring Data: 5 NOFALSE.BAT: 43 Overlay: 11, 17, 41, 49, 51 PTRESQ: 64-68 Partition Sector: 11, 22, 27, 30, 60, 64-68 Quick Check: 24, 29, 30, 43 Rescue Disk: 26-27 Search for viruses: 2, 3, 25, 40, 44-45 (See also VC.SIG, VCheck) Search and Destroy: 36-37 System Requirements: 7 _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 74 System : 3-7, 11, 13-15, 19, 22, 30-31, 60, 62-63 System files: 13, 22, 30, 60, 63, 73 TSRs: 14-16, 30 Trojan: 53, 55 Type 1 Virus: 11, 33, 39 Type 2 Virus: 11, 59, 60, 62 User Interface: 23, 29, 51 VBAIT: 20, 38, 46, 52-56, 70 VC.SIG: 32-34, 39 VC1.CFG: 13, 16-22, 30 VC1: 24, 25-29 VC2: 5, 25-30, 42, 43 VC5.BAT: 29 VCHECK: 33-45, 46, 51-52, 55, 72 (See also VSearch) VCHECK.CFG: 41-45, 72 VCOMP: 26, 48, 51-52, 55 VINSTALL: 13-14, 16, 24, 49, 64, 70 (See also INSTALL.DOC) VSEARCH: 26, 38, 46-52, 55, 70 _____________________________________________________________________________ Victor Charlie Ver 5.0 JAN 1993 Page 75