VICTOR CHARLIE Ver 5.0
The World's First
Generic
Anti-Virus Program
Copyright (c) 1988-1993 Bangkok Security Associates
All Rights Reserved
Protecting Individual, Corporate, Government and Business Computers
Since 1988
By Bangkok Security Associates
PO Box 5-121
Bangkok 10330, Thailand
CompuServe: 76420,3053
_______
____|__ | (R)
--| | |-------------------
| ____|__ | Association of
| | |_| Shareware
|__| o | Professionals
-----| | |---------------------
|___|___| MEMBER
Shareware Edition for Single-User Machines
We feel computer owners and users should have a chance to see, use,
and decide for themselves about a generic anti-virus program which
requires no updates. This fully functional, non-crippled, shareware
edition is dedicated to wiping out PC viruses throughout the world.
VC will update itself by capturing virus signatures "in the wild."
It offers itself as virus bait to do this. Viruses are made
everywhere. You need to protect yourself against a virus made in
your neighborhood, and stay ahead of the virus writers.
_____________________________________________________________________________
Victor Charlie Ver 5.0 JAN 1993 Page 1
USER NOTE: This on-disk documentation includes most of the text of the
printed VC5 manuals provided to registered program users.
Only a short description of the use of VC on a network has
been omitted, since this is the single-user program version.
Screen captures from VC programs are
not available in this document.
Victor Charlie - Ver 5.0
Victor Charlie is a set of generic utilities which detect present and
future viruses on a PC running DOS. When a virus is detected, the
program alerts the user. It then advises on the virus specifics, asks
for permission to take the necessary action to wipe it out, and helps
the user return to work as quickly as possible.
VC5 is NOT "another anti-virus program." It is unique, and also is the
first of its kind, able to detect viruses other programs cannot.
The main ways it is different:
o No updates. It detects current and future viruses. It always has done
this and it will continue to do this. VC is NOT a virus
scanner.
o Bait Files. VC programs WANT to be attacked by viruses so they can
capture a signature identifying that virus.
o RTSC (TM). Real-Time Signature Capture means VC5 captures the
identifying strings of the virus(es) on YOUR computer and
keeps them in a library there. No downloading of a program
or signature list update. VC does it for you.
o Bitchecks. VC's unique Bitchecking creates two cryptographic
checksums by random and secure algorithms. The tiniest
change to any Bitchecked program or file will cause VC to
alert the user. Viral replication causes change;
Bitchecks detect that change, securely and reliably.
o Generic. VC has no built-in information on any virus. It only knows
what viruses MUST do.
1. A virus must replicate, or "jump" from program to
executable program. This is the PRIME DUTY of a virus.
2. Replication must cause change.
Armed with this knowledge, certain other logical
information, and high security integrity of its own, VC
can detect more viruses, more often, than other programs.
o No scanner. VC is able to look for a virus after it is attacked. But
Victor Charlie is not a scanner, and does not include one.
Scanners have encouraged virus-writers to make "new"
viruses by changing a byte here or a bit there. Such
"virus-hacking" has no effect on VC whatsoever.
o DOS Check. The "system" of your computer is its heart. VC5 records
your computer's system the first time it runs, and checks
it for the slightest change EVERY time thereafter. Your
partition and boot sectors, DOS files and Command.COM are
in excellent hands with VC -- and will be fixed at a
keystroke in case of ANY problem, not just a virus attack.
ALL Victor Charlie programs are distributed in non-executable form.
Programs should be made executable (.COM or .EXE files) during the
installation or initialization processes. In case they are not, you
can merely COPY the programs Bootfix, PTRESQ, and Get to workable
programs. For example:
COPY BOOTFIX BOOTFIX.COM, or,
COPY GET GET.COM
TABLE OF CONTENTS
+-------------------------------------------------------------+
| NOTE: Installation and initialization of Victor Charlie is |
| an important and separate task from running the program. |
| See INSTALL.DOC for details on getting VC5 started on your |
| computer. INSTALL.DOC contains instructions for advanced |
| (quick) and for standard installation. |
+-------------------------------------------------------------+
Program Description ......................................... Page 5
System Requirements .............................................. 7
Copyright Notice ................................................. 8
Distribution Limitation ....................................... 8
Disclaimer of Warranty ........................................ 9
Introduction: What is a Virus? ................................... 11
Installation and Initialization .................................. 13
What Happens at Initialization ................................... 14
VC1.CFG (Special Program Protection) ............................. 16
Constructing VC1.CFG ............................................. 17
Mirror Files VC's Repair Kit ..................................... 21
VC Menu -- Virus Checks at a Keystroke ........................... 23
General Security ................................................. 27
Attack Simulations ............................................... 28
VC1 and VC2: VC's Bait Programs ................................. 29
VC.SIG: The Virus Signature Library .............................. 33
VCHECK: VC's Do-Everything Program ............................... 36
False Alarms (If VC Finds A Virus Which Isn't) ................... 42
VCHECK.CFG ....................................................... 43
Excluding Files From VCHECKing ................................... 44
VSEARCH -or- Audit Programs ...................................... 46
The Meaning of BITCHECKS ......................................... 46
VCOMP ............................................................ 51
Protecting Your Data: Baiting Virus Bombs ........................ 53
Renaming VC ...................................................... 57
VC Utilities
BOOTFIX: Victor Charlie's Diskette Sterilizer ................ 59
PTRESQ: VC's Generic Partition Sector Utility ................ 64
GET.COM: Virus-resistant, Interactive Batch Files ............ 70
Some Questions about VC .......................................... 72
Index ............................................................ 74
Program Description
Ver 5.0 of VC detects today's and tomorrow's viruses on the fly, using a
variety of inter-connected disk, program and self-monitoring techniques.
The program includes a user-friendly interface, but can also be
completely customized, and run by batch routines, even invisibly to the
user (until a problem develops). Messages, help and instruction files
and even menus can be localized and/or customized, partly or completely.
In addition to viral detection on the fly, Victor Charlie includes
semi-automated routines which are capable of detecting virus infections,
and of monitoring data files for both infection and viral Bomb damage.
Victor Charlie, used from the command line or the interface, uses
several techniques to detect, track and wipe out PC viruses:
o Bait: Victor Charlie's two front line programs (VC1 and VC2) actually
invite viral infection. When infected, they halt the PC's activity.
They also warn the user of infection. VC uses Real-Time Signature
Capture (RTSC) to obtain meaningful code from the virus as a
signature. Then, the VC program VCHECK is able to search out the
virus signature on any disk or diskette.
o System Monitoring. When Victor Charlie is initialized, or started up
the first time, it makes BITCHECKS, or cryptographic checksums, of
the computer system. These include items such as Partition and Boot
sectors, DOS files and COMMAND.COM. Details of key DOS Interrupts are
recorded. These then are encrypted again, and stored in a secure
(random) area within Victor Charlie. Each time Victor Charlie runs,
it checks its recorded information against the true system of the
computer. If differences are found, VC alarms with context-sensitive
information, help, and suggestions.
o Searching. VC5's VCheck includes a sample Signature Library which
detects many common and uncommon viruses. When VC discovers a new
virus, it automatically adds this signature to the library. The sample
library is not needed, but provided as a convenience.
o Artificial Intelligence. VC5 includes some proprietary techniques able
to detect viruses unknown to it. These include analysis of former
virus code which has been included in the Victor Charlie program.
Victor Charlie is based upon and designed around a simple fact --
viruses must change something when they replicate. As a generic utility,
able to detect present and future viruses, VC assumes that the threat to
a PC, a user, programs and data comes only from an active virus. Thus,
its primary task is to monitor viral activity.
On a PC, viruses must perform replication in a finite number of ways.
They must alter system specifics or actual executable files. Although
there are many ways to perform replication, and some of these are
invisible to the naked eye, change must take place.
Bangkok Security Associates is positive that viruses will become even
more sophisticated in the future. Programmers will take advantage of the
definition of executable files to have viruses replicate other than
through .COM and .EXE programs. We can expect to see variations on the
theme of today's so-called stealth viruses, and tracking a virus to its
source can be expected to become ever more difficult and, in some cases,
tedious and time-consuming.
Victor Charlie has been designed specifically with this scenario in
mind. Preparation for the worst case has underlain the development of
the program from the start.
Today, in the real world, Victor Charlie detects most viruses in an
almost routine manner. But it includes procedures able to detect the
expected viruses of tomorrow. The most powerful and important of these
is BITCHECKing. This is a proprietary method of cryptographic
checksumming, using two random, bit-dependent algorithms to compile
checksums, then combining these two results and, finally, encrypting the
end output. Bitchecking is essentially secure from software tampering.
An important part of this security involves distribution of many
different versions of the program, each of which uses different
algorithms for Bitchecking. This provides a type of "car-key security"
for Victor Charlie users.
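Added example, not part of the VC manual and not the proprietary Bitcheck algorithm: the Python below applies the idea described here and under System Monitoring, using two keyed digests (HMAC-SHA256 and keyed BLAKE2b, both substitutions) sealed under a per-copy secret that stands in for the per-version algorithms. All function names, secrets and file images are constructed for illustration.

```python
import hashlib
import hmac


def bitcheck(data: bytes, install_secret: bytes) -> str:
    """Two independently keyed digests, combined and sealed under the secret."""
    # Derive one key per checksum so the two results are independent.
    k1 = hmac.new(install_secret, b"check-1", hashlib.sha256).digest()
    k2 = hmac.new(install_secret, b"check-2", hashlib.sha256).digest()
    c1 = hmac.new(k1, data, hashlib.sha256).digest()             # first checksum
    c2 = hashlib.blake2b(data, key=k2, digest_size=32).digest()  # second, different algorithm
    # Stand-in for "combine, then encrypt": seal both results under the secret.
    return hmac.new(install_secret, c1 + c2, hashlib.sha256).hexdigest()


def record_baseline(files: dict, install_secret: bytes) -> dict:
    """Done once, on a clean system: one bitcheck per monitored item."""
    return {name: bitcheck(data, install_secret) for name, data in files.items()}


def changed_files(files: dict, baseline: dict, install_secret: bytes) -> list:
    """Names whose current content no longer matches the recorded bitcheck."""
    changed = []
    for name, expected in baseline.items():
        data = files.get(name)
        if data is None or not hmac.compare_digest(
            bitcheck(data, install_secret), expected
        ):
            changed.append(name)
    return sorted(changed)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


# Constructed sample data: stand-ins for a command interpreter and a boot sector.
SAMPLE_FILES = {
    "COMMAND.COM": b"\xe9\x5d\x14" + b"constructed command interpreter image" * 8,
    "BOOT.SEC": b"\xeb\x3c\x90"
    + b"constructed boot sector".ljust(507, b"\x00")
    + b"\x55\xaa",
}
# Constructed secrets: each distributed copy would carry a different one.
INSTALL_A = b"constructed-secret-for-copy-A"
INSTALL_B = b"constructed-secret-for-copy-B"


def demo() -> dict:
    baseline = record_baseline(SAMPLE_FILES, INSTALL_A)
    tampered = dict(SAMPLE_FILES)
    tampered["COMMAND.COM"] = flip_bit(SAMPLE_FILES["COMMAND.COM"], 100)
    return {
        # Unchanged system: nothing reported.
        "clean": changed_files(SAMPLE_FILES, baseline, INSTALL_A),
        # A single inverted bit is enough to raise the alarm.
        "one_bit_flipped": changed_files(tampered, baseline, INSTALL_A),
        # Values valid for copy A mean nothing to copy B ("car-key security"),
        # so code written against one copy cannot forge checks for another.
        "other_copy_accepts_baseline": changed_files(
            SAMPLE_FILES, baseline, INSTALL_B
        ) == [],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```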
By using Bitchecking in combination with such safe-computing techniques
as cold-booting to a write-protected, clean DOS diskette, Victor Charlie
can compile lists of program or bait data alike. This enables end users
to compile an audit trail capable of back-tracking any viral infection,
and in all likelihood discovering its source.
VC's main operating -- monitoring and detection -- programs are
written completely in assembler language. This enables the utilities to
burrow beneath DOS and to detect change at the hardware and OS level.
The Victor Charlie Ver 5.0 interface is written in a high-level
language, but is programmed to "talk" to the VC programs to ensure
coherence and full security during all phases of viral detection and
tracking.
System Requirements
Victor Charlie anti-virus software needs the minimum of the minimum to
check, hunt for, find and, often, cure computer viruses.
o DOS 3.0 or above
o An IBM PC or compatible computer. It supports most PC, XT, AT, PS/2,
286, 386, 386SX, 486.
o A hard disk. VC can be set up to run on floppy-only computers, but
it is generally not practical to do so.
o A minimum of 256K RAM for the standalone programs and a minimum of
512K for the shell.
Victor Charlie
Copyright (c) 1988 1989 1990 1991 1992 1993 Bangkok Security Associates
All Rights Reserved
Victor Charlie is distributed as a shareware product. It is not free,
or public domain, software and must not be sold or used continuously
past the licensed trial period. It is copyright in, and subject to
the national laws and international copyright provisions of, the
United States, Thailand and other signatory nations to the Berne
Convention on International Copyright.
You may not reverse engineer, decompile, disassemble, or create
derivative works based on the software for any purpose other than
as an essential step in its utilization for your own use. This
software embodies valuable trade secrets proprietary to Bangkok
Security Associates, the owner of the software and its copyrights.
You may not disclose any information regarding the internal
operations of this software to others.
Permission is granted for individuals and companies to copy and use
this software in order to try it out for 30 days or less. If you find
Victor Charlie useful, you must purchase and register a license.
Please note the following Distribution Limitation:
-------------------------------------------------
The shareware evaluation edition of Victor Charlie may NOT be
distributed by electronic or other means in the following countries
or areas without permission in writing from Bangkok Security
Associates:
Australia New Zealand France Thailand
Shareware distribution provides a full, working copy to users for
evaluation on a "try before you buy" basis. If you choose not to
register, then erase or pass your copy on to someone else.
Please note that if you obtained your copy from a mail order
distributor, the fee paid goes entirely to the distributor and does
not cover the cost of the program license itself.
To register Victor Charlie, please see the document ORDER.DOC.
If you register Victor Charlie, you will receive:
1. The latest version of the program, in case of any updates/fixes.
2. A program version different from most other VCs and thus
impervious to generic attack even by a dedicated virus which
might be aimed at Victor Charlie.
3. Printed and bound manual(s) on installation and use of VC.
4. Discounts on future versions of VC, which is under constant
development to make generic anti-virus detection ever easier
and less intrusive.
The shareware, evaluation version of Victor Charlie functions only on
single-user computers. Companies, businesses, schools or government
offices wishing to register Victor Charlie for use on a site, or in
multiple locations, should contact BSA or a BSA agent listed in the
document in this shareware diskette or archive. Please refer to
SITE.DOC for an overview of the range of network-compatible, site and
customized versions currently available.
You may make as many copies of this shareware evaluation copy of
Victor Charlie as you wish, provided you copy, UNCHANGED, all files
and included documentation, specifically including this document.
Copies may be distributed freely to others electronically or via
diskette.
However, you may not sell or ask any consideration for Victor Charlie.
Mail Order Vendors and BBSes may charge a nominal distribution fee
NOT EXCEEDING $5.00 (five US dollars) or the equivalent in foreign
currency to cover copying and distribution costs.
The latest version of VC is always available for download at the BSA
home BBS, the War on Virus. For fast access, log onto the War on
Virus under the user name "Victor Charlie" and use the password "VC".
Reliable, secure copies of the latest VC version also can be obtained
from BBSes listed in the file ORDER.DOC included in this evaluation.
War on Virus BBS: (An ASP-approved BBS)
(66-2) 255-5982 -or- (662) 437-2085
These numbers operate at modem speeds up to 14400bps (V.32bis) 24
hours a day. War on Virus is the East Asian hub for U'NI-net, and
a node BBS member of Smartnet BBS networks. A list of other official
places to obtain the latest Victor Charlie programs is in both the
VCSITE.DOC and ORDER.DOC files.
Disclaimer of Warranty
----------------------
This software and documentation are distributed "AS IS" and without
warranties as to performance of merchantability or any other
warranties whether expressed or implied. Because of the various
hardware and software environments into which this program may be
put, no warranty of fitness for a particular purpose is offered.
This program, like any new software, should be thoroughly tested with
non-critical data before relying upon it. The user assumes the entire
risk of using the program.
In no event will BSA be liable for incidental, consequential,
indirect or other damages including any lost profits or lost savings
arising from the use of, or inability to use the software even if BSA
has been advised of the possibility of such damages, or for any claim
by any other party.
Association of Shareware Professionals
Ombudsman Statement
--------------------------------------
This software is produced by BSA, a member of the Association of
Shareware Professionals (ASP). ASP wants to make sure that the
shareware principle works for you. If you are unable to resolve a
shareware-related problem with an ASP member by contacting the member
directly, ASP may be able to help.
The ASP Ombudsman can help you resolve a dispute or problem with an
ASP member, but does not provide technical support for members'
products. Please write to the ASP Ombudsman at 545 Grover Road,
Muskegon, MI 49442, USA or send a CompuServe message via Easyplex to
ASP Ombudsman 70007,3536.
== LATE-BREAKING NEWS ==
!!! French Edition !!!
Victor Charlie now speaks French.
A complete French-language Victor Charlie is available to anyone
asking for this feature. This includes the entire program, help
files, batch files, ALL documentation, etc.
If you wish a registered VC that "speaks French," please send your
registration DIRECTLY to Bangkok Security Associates (BSA) and be
certain to request the French-language edition.
!!! CompuServe On-Line Registration !!!
You can register Victor Charlie directly via CompuServe.
At any CIS prompt, type "GO SWREG" and follow the screen prompts to
register VC. CompuServe will bill you directly, as for any service.
CIS also will notify us directly so we can ship VC directly to you.
What is Shareware?
------------------
Shareware distribution gives users a chance to try software
before buying it. If you try a Shareware program and continue
using it, you are expected to register. Individual programs
differ on details -- some request registration while others
require it. Some specify a maximum trial period. With
registration, you get anything from the simple right to continue
using the software to an updated program with printed manual.
In the specific case of this program, you are encouraged to
evaluate it for a maximum of 30 days. After this period, please
register it by sending us your license payment -or- delete the
program from your disk -or- pass it along to someone else for
evaluation.
Copyright laws apply to both Shareware and commercial software,
and the copyright holder retains all rights, with a few specific
exceptions as stated below. Shareware authors are accomplished
programmers, just like commercial authors, and the programs are
of comparable quality. (In both cases, there are good programs
and bad ones!) The main difference is in the method of
distribution. The author specifically grants the right to copy
and distribute the software, either to all and sundry or to a
specific group. For example, some authors require written
permission before a commercial disk vendor may copy their
Shareware.
Shareware is a distribution method, not a type of software. You
should find software that suits your needs and pocketbook,
whether it's commercial or Shareware. The Shareware system makes
fitting your needs easier, because you can try before you buy.
And because the overhead is low, prices are low also.
Shareware has the ultimate money-back guarantee -- if you don't
use the product, you don't pay for it.
Introduction
What is a Virus?
We're not going to get overly technical here, but it's useful to know
just what a computer virus is, and how it works. As you undoubtedly
know already, a virus is just another computer software program. Most
people naturally -- and correctly -- equate a virus with harmful
effects.
A virus is a program, or more commonly part of a computer program,
capable of replication by attaching itself to a host.
Like its medical namesake, a computer virus is most concerned with
self-preservation. Generally, it replicates by finding an unwitting
host and attaching itself, like a toadstool to a tree. Each time it
spreads, it creates a self-contained unit that also is a functional
virus. If a virus replicates by spreading to a non-executable host
(such as data), it ceases to be a virus.
In the computer world, as in the healing world, the spread of viruses
is usually geometric. There is no master virus. The latest clone is as
virile, and as able to attack a host, as the original.
We classify a computer virus according to the host it seeks.
Virus Types
Type 1 Virus
A Type 1 Virus infects and spreads through actual programs on your
disk, such as .EXE, .COM and Overlay programs. Infamous viruses in
this category are the so-called Jerusalem, Dark Avenger and Friday the
13th viruses. (VC has no knowledge of specific viruses or their names.)
Type 2 Virus
A Type 2 Virus uses the computer's system to spread. The system on a
PC is generally defined as two dedicated disk areas (the Partition
sector and Boot sector), the two DOS hidden files, and the command
interpreter, typically called COMMAND.COM.
Both major types of viruses are actual computer programs capable of
doing what any other software on your machine can do. But this is also
the limit of a PC virus.
A virus certainly is capable of such harmful tasks as formatting your
disk, destroying or changing your data or interrupting a printing
task.
But no virus can physically destroy a hard disk, infect Backup data
diskettes kept in a separate box, or destroy a power line -- just as
examples. Virus myths include stories about a virus writing to a
write-protected diskette, operating through modem NRAM, or hiding in
the computer's ROM. These are all impossible tasks for any software,
including a virus.
Installation and Initialization
This is the most important part of operations with Victor Charlie.
Before you use VC for the first time, read the document INSTALL.DOC
included in the VC release. It explains the two methods of installing
VC on a PC.
"Initializing" VC means to run a fresh copy of the program VC1.COM one
time to allow it to look at the specifics of the host machine.
+---------------------------------------------------------------+
| NOTE: Any time you make changes to the basic computer setup |
| (such as installing a new DOS or memory manager, for |
| example), you will have to re-initialize VC. This can |
| be done at any time with one command: |
| |
| VINIT [Enter] |
+---------------------------------------------------------------+
Initializing Victor Charlie after VINSTALL is necessary because the
program is specific to your computer. If you change your basic DOS
setup, you will have to initialize VC again. This involves making a
new copy of the programs, and running the main anti-virus program
VC1.COM one time. This is when Victor Charlie records within itself
the details of your DOS, including DOS System files, and specifics of
your Command interpreter, Partition Table and Boot sector.
NOTE: If you change your DOS in any significant way (such as by
installing a new copy of DOS) it is likely that Victor Charlie
will hang your computer the first time it runs, unless you
re-initialize. You may have to boot to a DOS diskette to perform
re-Initialization if you have forgotten this.
No harm occurs to the computer or any program because of such a hang.
Initializing or re-initializing Victor Charlie is handled
automatically through the program batch file VINIT.BAT.
You must Re-Initialize if you install a new DOS version.
You must Re-Initialize if you make changes to your personal
configuration file, VC1.CFG, where you choose specific files for VC
to watch over.
You should Re-Initialize if you change the location or name of your
Command interpreter program (usually COMMAND.COM, in the root or
C:\DOS directory).
In case of any of these three events, please read the following
carefully. Most users will not have to worry about Re-Initializing if
they VINSTALL VC according to the manual.
Like most software today, Victor Charlie has a couple of qualms about
certain TSR (memory-resident) programs and Drivers. But VC has a
built-in method of dealing with such programs instead of simply
crashing. In order to calm the program's distaste for these few
examples, it is necessary to Initialize and Re-Initialize VC under
clean conditions. By doing this, you will ensure compatibility.
The brief process outlined below for Re-Initializing VC is unnecessary
at Installation if you follow the VINSTALL procedure.
What Happens at Initialization
VC must make observations and records of your vital disk areas and
programs while your system is running "clean." To be clean, a system
must have no memory-resident programs running.
Victor Charlie has built-in alarms in this regard. If you try to
initialize outside our guidelines below, VC will halt and give you the
advice you're paying for. Specifically, it will ding the computer bell
and state on-screen:
!!! CONDITIONS NOT SAFE TO INITIALIZE VC1 !!!
It will add one line to tell you the problem. And it will provide
context-sensitive help.
The most common cause of the warning is a running TSR or special-
purpose driver which has hooked a vector which VC needs to look at. In
this case, you will be informed simply that you are
Not Initializing with clean boot
NOTE: VC requires a clean computer only during Initialization.
Following this, you may resume computing with your normal
setup.
Here are the easiest steps to take in the event you ever have to
Re-Initialize Victor Charlie after installing the program. (You also
can cold-boot your computer to a known clean, write-protected DOS
diskette. This technique always will provide a clean environment for
VC Re-Initialization.)
1. Go to the root directory of your boot drive, REName your
AUTOEXEC.BAT file to a different name, and boot your computer. For
example, perform the following steps:
CD \ [Enter]
REN AUTOEXEC.BAT A.B [Enter]
and press the Ctrl-Alt-Del key combination.
2. The computer will start clean, that is without any active
memory-resident (TSR) programs. Proceed to the VC Home Directory,
to create (or re-create) the new program files, and initialize the
anti-virus program with the batch file VINIT.BAT. For example,
type:
CD \VC [Enter]
VINIT [Enter]
That's all there is to it. VINIT will automatically initialize
VC1.COM, by running this program once. You will receive an on-screen
message informing you Victor Charlie has properly initialized:
Initializing ... recording system signatures.
Below this, you will watch VC1 clean up any previous Mirror Files,
check out the system, and make new Mirror images. If the program runs
into any problem here, information and help will be displayed
on-screen.
3. Return to the root directory of the boot drive. Type:
CD \ [Enter]
Put your Autoexec.BAT file back the way it was:
REN A.B AUTOEXEC.BAT [Enter]
4. Finally, reboot the computer again with Ctrl-Alt-Del, or by
briefly turning it off and back on. This returns complete control
of the computer back to you and your favored setup.
For you, nothing has changed. But you have made Victor Charlie one
happy program. It should reside in perfect harmony with any and all of
your TSR programs and drivers, including any new ones you wish to add.
VC1.CFG - Special Program Protection
This simple text file is a powerful tool. You can use it both to
contain software-caused damage to your computer, and to help isolate a
sub-class of viruses which infects programs in a seemingly mindless
way. You will be offered the chance to make a custom VC1.CFG when you VINSTALL
Victor Charlie. You can change it or make a new one at any time, so
long as you remember to re-initialize VC when you do so.
The file itself is merely a list of up to 15 programs or other files
you expect to use frequently, but never to change. For most users, this
means program files. Some users may wish to include bait data in their
routine anti-virus checking. VC1.CFG is a simple text (ASCII) file of
up to 15 lines. Each line contains merely the location and name of one
file on your computer.
If you have a VC1.CFG file, Victor Charlie records details of it when
it initializes, and on every subsequent anti-virus check. Upon
Initialization, it checks the list against the actual existing program
or file. Thereafter, each time it runs, Victor Charlie's VC1 will
monitor each of the programs listed in VC1.CFG. If any changes are
made to the files on the list, Victor Charlie takes appropriate
action.
This action depends on the makeup of your own VC1.CFG file.
o The first five lines of VC1.CFG are reserved for files you wish
checked and backed up. For each program listed on each of these
five lines, Victor Charlie will make a Mirror file in the Home
Directory, give it a special, random name, and record all details
internally.
o If, at any future time, Victor Charlie finds changes in one or more
of the files listed in these first five lines, it will stop and
warn you of the change. It will provide specific help, and finally
will ask you if you wish to replace the changed program with the
Backup it has kept. Unless you have made changes to the program
yourself, you probably should accept this option.
o Lines 6 through 15 of VC1.CFG are reserved for the names and
locations of programs which you do not wish to be backed up.
Backups take disk space, remember, and the fewer Backups kept, the
more space you have available for productive or personal work.
o For these 10 or fewer files, VC1 will conduct specific BITCHECKing
each time it runs. Again, if it finds any changes, it will stop,
tell you what is happening and provide advice. It cannot, of
course, replace any damaged program or file since it has no Mirror
file from which to work.
VC1.CFG Strategy
The obvious (and perfectly acceptable) method of using VC1.CFG is to
provide the names of your most-used and valuable programs. VC1 will
automatically check the originals each time you check for viruses. In
case of a virus or any other problem, it will give you immediate
replacement at a single keystroke.
The single drawback to this is the size of such programs. While you
may well have 15 programs and Overlays which are vital to you, these
might occupy several megabytes of disk space. Mirror file Backups are
highly secure and improbable targets of virus infection. But remember
that the Mirror files will take up as much disk space as the original.
We recommend for your VC1.CFG, therefore, a thoughtful mix of obvious
(big application) programs and smaller files -- particularly
utilities -- which you use fairly often.
Viruses can seem to be mindless and entirely random in their infection
process. Many viruses already infect multiple programs far away (in
computer terms) from your present workspace.
It is entirely possible, for example, to be working in your word
processing application and directory, and trigger a virus which would
infect several files on another drive and in another directory -- or
even several different directories.
While it is not necessary to have 15 different files listed in VC1.CFG
(see Constructing VC1.CFG, below), we recommend you consider the
following when you make or edit this file for Victor Charlie:
o Choose, by all means, one or several of your large application
programs you use often. Specifically because you use it frequently,
it will be more likely to become infected or damaged.
o Bear in mind the amount of available disk space you have. In many
cases, it may be better to copy a dependable, configured program to
a floppy diskette, write-protect the disk, and keep it available in
case VC detects changes. On-disk Backups are wonderfully
convenient. But remember that Mirror files take the same disk space
as the original.
NOTE: If any Mirror File created by Victor Charlie should itself
become damaged or changed, VC1 will know this and tell you. In
such a case, the program will refuse to use the changed Mirror
File to attempt to fix the original. VC1 does not monitor
Mirror Files as a matter of course, but checks them only when
you wish to use them.
o Fixing an infected program is important, but not as important as
detecting the viral activity in the first place. VC1.CFG is a
wonderful opportunity to provide Victor Charlie with a broad
spectrum of program types to keep extra-close watch over. These
might range from a 650K .EXE program to a 600-byte .COM utility. In
fact, we recommend you have such a range, if possible.
Constructing VC1.CFG
The VC1.CFG text file may be changed or edited at any time. There is
only one hard-and-fast rule about this: If you change VC1.CFG, you must
re-initialize Victor Charlie. This may require a cold boot without an
active Autoexec.BAT (see INSTALL.DOC for details of this).
If you change VC1.CFG, and do not re-initialize the program, VC1 will
warn of changes to this file each time you conduct an anti-virus
check. In some special cases, the program may malfunction and even
hang your computer.
The VC1.CFG file is an ordinary text (ASCII) file. It may be made in
several ways. The easiest is with a text editor, or with your word
processor (in non-document or ASCII mode).
DOS wildcards are not legal in VC1.CFG. You must provide Victor
Charlie with the exact location and file name for each entry.
+----------------------------+
| Here is a sample VC1.CFG |
| ------------------------   |
| C:\WORD\WP.EXE |
| C:\DBASE\DATABASE.EXE |
| C:\SHEET\SPREAD.COM |
| C:\UTILS\ARCHIVE.EXE |
| ** |
| C:\COMMS\COMM.EXE |
| C:\DOS\COUNTRY.SYS |
| C:\SHEET\DATA\BAIT.WK1 |
| C:\UTIL\COMPARE.COM |
| C:\DOS\MORE.COM |
| D:\ASM\COMPILER.EXE |
| C:\EDITOR\ED.EXE |
| C:\BIN\ETC\UTILS\SHOW.COM |
+----------------------------+
VC1 has been trained to ignore the standard wildcards, * and ?. These
can be used, as in the example, to mark unused lines in VC1.CFG which
can have files added to them later. A quick glance will tell you how
many such files you can add. However, a blank line (carriage return
and line feed) performs the same duty so far as VC1 is concerned. The
only point here is to count the lines because of the different actions
by VC1 on the first five and last 10 files which may be listed.
Each line in VC1.CFG must contain a unique filename, including its
exact location on your computer. If you provide a false name or
location, VC1 will stop and tell you. In standard computer terms, the
form for each line is:
d:\path\filename.ext
where d: is the drive, \path\ is the name of one or more directories
from the root to the location of the program, and filename.ext is the
full name of the program. VC1 will ignore any blank spaces before or
after this full designation, if you want to make VC1.CFG look somehow
more aesthetic to you. But there must be no spaces in the actual
designation.
In the VC1.CFG, an "average" user has chosen two fairly large
application programs (the main word processor and database programs),
the far smaller spreadsheet loader and an often-used archive utility
to be backed up and Bitchecked on every anti-virus inspection. (S)he
has chosen to leave the fifth line blank, but has marked it for easy
reference with two asterisks.
This mythical user has chosen eight other programs for special
BITCHECKing attention from Victor Charlie. Big or small, these will be
Bitchecked every time (s)he conducts an anti-virus watch through VC.
Victor Charlie cannot provide virus cure at a keystroke, but our
average user will be informed automatically if any change has been
made to these eight files.
This user has selected a device driver for checking. The idea is to
watch this file, because it is vital -- if ever infected by a virus,
it could affect a system quickly because it is loaded by the computer
before the user has any control.
The other example of good strategy is in Line 9. This user has
selected an apparently typical spreadsheet, and laid it out as bait
for a virus. If a viral Bomb or a special kind of virtual machine
virus attacks this spreadsheet, the user will know about it as soon as
(s)he runs VC.
(For more details and ideas about laying bait for viruses on your
computer, please see the Victor Charlie manual section on VBAIT.BAT.
Strategy, technique and further samples are provided here.)
In all cases, but particularly in the example of the Bait.WK1 file, it
is important to choose files for VC1.CFG which should not change. VC
only can note change. If you select files for VC1.CFG carefully, you
can be almost certain that a virus is at work.
If you list files in VC1.CFG which you expect to change, you will
receive so many False Alarms it will reduce to almost zero the value
of the special monitoring, BITCHECKing, and Mirror Files.
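
The line rules above (15 lines, Mirror plus check for lines 1-5, check only for lines 6-15, wildcard or blank markers for unused lines), written out as a small validator. This is an added example, not part of Victor Charlie: parse_vc1_cfg, Vc1Config and the BAD input are hypothetical, and treating a wildcard inside a real path as an error is an interpretation of "wildcards are not legal".

```python
import re
from dataclasses import dataclass, field

MAX_LINES = 15     # VC1.CFG holds up to 15 lines
MIRROR_LINES = 5   # lines 1-5: checked and backed up; lines 6-15: checked only

# d:\path\filename.ext with no embedded spaces (the form given in the manual).
ENTRY_RE = re.compile(r"^[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\\s]+\.[^\\\s.]+$")

# The sample VC1.CFG printed in the manual.
SAMPLE = r"""C:\WORD\WP.EXE
C:\DBASE\DATABASE.EXE
C:\SHEET\SPREAD.COM
C:\UTILS\ARCHIVE.EXE
**
C:\COMMS\COMM.EXE
C:\DOS\COUNTRY.SYS
C:\SHEET\DATA\BAIT.WK1
C:\UTIL\COMPARE.COM
C:\DOS\MORE.COM
D:\ASM\COMPILER.EXE
C:\EDITOR\ED.EXE
C:\BIN\ETC\UTILS\SHOW.COM
"""

# Constructed input: line 1 is valid, lines 2-5 each break one rule.
BAD = "C:\\WORD\\WP.EXE\nC:\\DOS\\*.COM\nC:\\MY DIR\\A.EXE\nc:\\word\\wp.exe\nWP.EXE\n"


@dataclass
class Vc1Config:
    mirrored: list = field(default_factory=list)      # (line, path): Mirror + check
    checked_only: list = field(default_factory=list)  # (line, path): check only
    free_slots: list = field(default_factory=list)    # line numbers still unused
    errors: list = field(default_factory=list)        # (line, reason)


def parse_vc1_cfg(text):
    """Classify every line of a VC1.CFG by the action its position implies."""
    cfg = Vc1Config()
    seen = set()
    lines = text.splitlines()
    for no, raw in enumerate(lines, start=1):
        entry = raw.strip()               # blanks before/after are ignored
        if no > MAX_LINES:
            if entry:
                cfg.errors.append((no, "beyond the 15-line limit"))
            continue
        if not entry or set(entry) <= {"*", "?"}:
            cfg.free_slots.append(no)     # blank or wildcard marker: unused line
            continue
        if "*" in entry or "?" in entry:
            reason = "wildcards are not legal in a file entry"
        elif any(ch.isspace() for ch in entry):
            reason = "spaces inside the designation"
        elif not ENTRY_RE.match(entry):
            reason = "not in d:\\path\\filename.ext form"
        elif entry.upper() in seen:       # DOS names are case-insensitive
            reason = "duplicate entry"
        else:
            seen.add(entry.upper())
            tier = cfg.mirrored if no <= MIRROR_LINES else cfg.checked_only
            tier.append((no, entry))
            continue
        cfg.errors.append((no, reason))
    # Lines missing from a short file are free as well.
    cfg.free_slots.extend(range(len(lines) + 1, MAX_LINES + 1))
    return cfg


if __name__ == "__main__":
    cfg = parse_vc1_cfg(SAMPLE)
    print("Mirror + check:", [p for _, p in cfg.mirrored])
    print("Check only    :", [p for _, p in cfg.checked_only])
    print("Free lines    :", cfg.free_slots)
    for no, reason in parse_vc1_cfg(BAD).errors:
        print(f"line {no}: {reason}")
```

Counting lines this way shows how many Mirror slots remain before a new entry lands in the check-only tier.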
Mirror Files - VC's Repair Kit
In order to enable fast repair of damage caused by a virus or any
other reason, Victor Charlie creates Mirror images of up to 11 disk
areas, vital programs and user-selected files. Up to six of these are
made automatically, and as many as five others are user-selectable.
Briefly put, these Mirror-image files help Victor Charlie to monitor
for viruses, and permit the program to wipe out an entire class of PC
viruses at one keystroke if you are ever unlucky enough to suffer an
attack.
The files are placed on your disk automatically by VC whenever you
initialize the program. Should you re-initialize Victor Charlie, any
existing Mirror image files are erased, and replaced by new ones. (The
provided batch program VINIT.BAT automates Initialization.) The
Mirror-image files are given random alphanumeric names which are
different each time you initialize VC1, to help make them invisible to
possible attack.
When VC creates these files, it also gives them the DOS attribute of
read-only. This way, you can see the files with a simple DIR command,
but you cannot accidentally erase them with a simple DEL. Typically,
these files will have names beginning with the digits "0" or "1," but
this depends entirely upon your own version of DOS.
Victor Charlie uses these files, if they exist, as part of the process
of checking a virus attack, curing or Wiping Out some viruses, and
instantly restoring infected or damaged programs.
You should never change these files under any circumstances.
Like the VC programs, Mirror files are highly resistant to virus
attack. If changed, they become useless to you and to Victor Charlie.
They simply will take up disk space, but provide no help in the
virus-curing process. Should you absolutely need the disk space,
delete them by all means, but do not attempt to change them.
Victor Charlie does not need these files to detect a virus attack. If
you come under attack, VC and this manual can guide you through a cure
of the virus. But if you delete or change these files, Victor Charlie
cannot effect its simple, at-a-keystroke cure.
Thus, we urge that you keep these files on your disk except in cases
of the most dire space emergency.
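
The Mirror-file behaviour described in this chapter (random name, read-only attribute, restore only with the user's go-ahead, and refusal to restore from a Mirror that has itself changed), sketched as an added example that is not Victor Charlie's own code. SHA-256 stands in for the program's undisclosed check; make_mirror, check_and_restore and the .VCM extension are hypothetical.

```python
import hashlib
import os
import secrets
import shutil
import stat
import tempfile


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def make_mirror(original, home_dir):
    """Copy `original` to a randomly named, read-only Mirror in home_dir."""
    mirror = os.path.join(home_dir, secrets.token_hex(4).upper() + ".VCM")
    shutil.copyfile(original, mirror)
    os.chmod(mirror, stat.S_IREAD)            # read-only: survives a plain DEL
    return {"original": original, "mirror": mirror,
            "sha256": sha256_of(original)}    # recorded at initialization


def check_and_restore(record, confirm):
    """Return 'ok', 'declined', 'restored' or 'mirror-damaged'."""
    original, mirror = record["original"], record["mirror"]
    if os.path.exists(original) and sha256_of(original) == record["sha256"]:
        return "ok"
    # The Mirror is verified only now, at the moment it is about to be used.
    if not os.path.exists(mirror) or sha256_of(mirror) != record["sha256"]:
        return "mirror-damaged"               # never repair from a changed copy
    if not confirm(original):                 # no change without a go-ahead
        return "declined"
    shutil.copyfile(mirror, original)
    return "restored"


def demo():
    results = []
    with tempfile.TemporaryDirectory() as home:
        prog = os.path.join(home, "WP.EXE")
        with open(prog, "wb") as fh:
            fh.write(b"MZ" + b"\x90" * 64)    # constructed stand-in program
        rec = make_mirror(prog, home)
        results.append(check_and_restore(rec, lambda p: True))

        with open(prog, "ab") as fh:          # the program grows unexpectedly
            fh.write(b"APPENDED")
        results.append(check_and_restore(rec, lambda p: False))
        results.append(check_and_restore(rec, lambda p: True))
        results.append(check_and_restore(rec, lambda p: True))

        # Now the Mirror itself is altered, then the program changes again.
        os.chmod(rec["mirror"], stat.S_IREAD | stat.S_IWRITE)
        with open(rec["mirror"], "ab") as fh:
            fh.write(b"X")
        with open(prog, "ab") as fh:
            fh.write(b"APPENDED")
        results.append(check_and_restore(rec, lambda p: True))
    return results


if __name__ == "__main__":
    print(demo())
```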
Details of the Mirror files depend upon your computer and its setup.
On an average IBM-compatible, AT, 386, or 486 computer of the kind
widely sold in the past few years, there will be six such files. Some
users will find only five such files. In some cases, you may find
fewer. If so, you probably are not booting the computer from the
actual C: drive, and you should refer to the Questions section near
the end of this manual.
What's in the Mirror Files?
The Mirror image files are copies of two vital disk areas and up to
four important programs essential to your computer.
o Boot sector disk area.
o Partition sector, also called the Master Boot Record or Partition
table.
o Two DOS System files, or DOS kernel.
o COMMAND.COM if located in the root directory and/or the \DOS
directory of the boot drive.
Up to five other Mirror files may be created according to your own
wishes. These are made if a small text file called VC1.CFG is present
in the VC Home Directory. Please see the manual section on VC1.CFG for
details on configuring VC for more Mirror files.
VC Menu -- Virus Checks at a Keystroke
VC's Menu Interface is your Command Post for the War on Viruses. This
is a battle you should be constantly waging as you operate your
computer. The headquarters facilities which the menu provides are the
means of planning strategy and tactics for ensuring the security and
safety of your computer and what is on it.
The VC Menu Interface makes Victor Charlie probably the easiest to use
and most flexible method of detecting and killing PC viruses. With no
configuration or extra work, any computer user can check and search
for -- and destroy -- active or latent viruses on a home or business
computer.
VC's Menu Interface, or simply menu, provides complete access to all
functions of Victor Charlie.
As you use the menus, full explanations are automatically provided,
and context-sensitive help is given at any stage. The menu program has
been specially designed and written to talk and listen directly to the
various VC programs. This means that even in the case of a severe
infection, VC can continue to stay active to help you kill the virus.
The VC menu allows users to escalate their anti-virus alert status. If
Victor Charlie senses real or suspected virus activity, the alert
status will be raised automatically by the program and menu.
Conditions Green (day-to-day), Yellow (real or suspected virus
sighted) and Red provide an escalation of security to track down rogue
software plagues, including viruses.
In addition to viral checking, detection and tracking, the Menu
Interface provides a range of Preventive Maintenance routines to help
you defeat even a potential virus attack before it begins. Sharp Edged
Tools allow you to sterilize floppy diskettes, Backup vital disk
areas, and even simulate every type of virus attack possible on a PC.
A Quick Tour
This section of the Reference Guide gives only an overview of the VC
User Interface. For more details on what each command or routine does,
please refer to the chapters on VC Programs, which deal with the
specific program(s) used by each menu function. These are noted below,
and on your screen when you run the menu program.
After you have VINSTALLed VC on your computer, starting up and using
the menu is a simple command away.
VC [Enter]
Of course, this assumes you have added the VC Home Directory to your
computer's path statement during VINSTALL. If not, you must be in that
Home Directory for the above command to take effect.
The VC Menu Interface and VC's specialized front-line programs --
VC1.COM and VC2.EXE -- begin their communications immediately after
you issue the above command. Initial discussions among four separate
VC components take place quickly. The point of discussion is crucial
to you -- is there any sign of a current virus infection?
You probably will note a brief pause while this occurs. Then the menu
loads and runs like any computer program.
Assuming no active virus has been detected, you will be presented with
a menu of selections. You are placed by default into Condition Green,
although you may if you wish upgrade this to Condition Yellow or even
Condition Red.
If the VC command results in detection of a virus, the Menu Interface
takes a much different form. You will first be informed that a virus
(or possible virus) has been detected. Immediately and automatically,
you will receive context-sensitive help and explanations. In entering
the menu from this state, you will be placed immediately in Condition
Yellow.
The Menu Interface has an identifying bar across the top of the screen
which indicates that this is your command post for the war. Along the
bottom is a line indicating when you started checking for viruses with
Victor Charlie. This display will change if you encounter an actual
virus.
Condition Green
This state of security assumes you have no particular reason to
suspect you are under immediate virus attack or threat. You have two
options.
Quick Check
If you press the Q hotkey, or cover the Quick Check option with the
menu bar and hit Enter, VC will conduct a fast, system-wide anti-virus
check. (Note that as you move the light bar over another item with the
computer's arrow keys, the help window changes automatically to give
you information on each possible item).
The Victor Charlie front-line programs VC1 and VC2 each will run
twice. As they proceed, they will check your system, protected files,
computer memory and other vital elements. In case a virus is detected,
the VC programs will provide full information and help to allow you to
track down and kill it.
Search & Destroy
Choose this Condition Green selection by touching the S key or by
covering the menu item with the light bar and hitting Enter. The Menu
will call VC's powerful VCHECK program to provide an anti-viral search
of your hard drive, selected directories or programs, or a diskette.
An arrow will appear at the edge of the menu window, and a sub-menu of
Search & Destroy options now will appear. You may, again, choose one
merely by tapping the highlighted letter or digit. Choices include:
Current Directory: searches for signs of known viruses in the
sub-directory where you were located when you started the VC Menu.
Specify Directory: Allows you to specify a different sub-directory to
search for viruses.
Manual Parameters: This is the equivalent of using VCHECK from the DOS
prompt. See the manual section on VCHECK and the Menu help screens for
full details.
CUrrent Drive: Searches all virus-vulnerable program files on an entire
drive for signs of virus infection.
1. A: Drive: (and other available drives). Choose a floppy or hard
drive for Searching.
After you have made your selection of where you want to Search and (if
necessary) Destroy, you then have one further choice: to Display All
Files or only Infected Files. This selection affects only the screen
display. If you choose to see All Files, a scrolling screen will let
you see the results of each Bitcheck as it is made. If not, VCHECK
will show only those files it finds to be virus-infected.
Condition Yellow
You may move to Condition Yellow at any time. Routines in this state
of alert require more time and attention than those above. These
routines all involve the VC program VCHECK.COM. This is an extremely
secure and sophisticated program. In brief, VCHECK compiles
double-encrypted BITCHECKS of programs, files and even data on your
computer. By comparing various such lists of BITCHECKS, made at
different times, VCHECK can detect changes likely attributable to a
virus or other hostile software, or even ill-intentioned human
intervention.
Audit Programs
No security scheme can be successful without an audit trail, and this
is your key. This menu choice is the equivalent of the provided batch
program VSEARCH.BAT. Please see the manual section on this program for
more complete details.
Perform Audit
This menu choice first determines if an auditing file called VSUM.REF
exists in your Victor Charlie Home Directory. If not, it creates one.
VSUM.REF is a base program for any auditing procedure. It consists of
a list of all virus-vulnerable files on your computer's hard disk,
with sizes and unique BITCHECKS.
If you have previously created the summary reference file VSUM.REF,
the Perform Audit Menu selection proceeds to make a comparison file,
called VSUM.NEW. In this case, as with VSEARCH.BAT, it will compare
the old and new auditing files and provide information and help if the
lists differ.
New Audit Reference
From time to time during your computing life, you probably will want
to file your base VSUM.REF away. The addition of new programs and
versions to your computer will mean a large number of differences in
your base and new auditing files, and analysis will become difficult.
The New Audit Reference Menu choice will make a new base file,
VSUM.REF.
Compare BITCHECKS
This Menu selection calls the VC program VCOMP to compare any two
auditing lists you may have made, and displays any differences between
them. Analysis of the VCOMP output can be a crucial aid in determining
source and date of viral infection or other problems on your computer.
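
The audit cycle described above (a base list, a later list, and a comparison of the two), as an added example rather than the VCHECK or VCOMP programs themselves. SHA-256 replaces the undisclosed BITCHECK, and the extension set, the tab-separated file layout and all function names are assumptions.

```python
import hashlib
import os
import tempfile

# Assumed set of "virus-vulnerable" file types; the manual does not list them.
VULNERABLE_EXTS = {".COM", ".EXE", ".SYS", ".OVL"}


def build_audit(root):
    """Return {relative path: (size, sha256)} for vulnerable files under root."""
    audit = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].upper() not in VULNERABLE_EXTS:
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            audit[os.path.relpath(full, root)] = (
                len(data), hashlib.sha256(data).hexdigest())
    return audit


def write_audit(audit, path):
    with open(path, "w", encoding="utf-8") as fh:
        for rel in sorted(audit):
            size, digest = audit[rel]
            fh.write(f"{rel}\t{size}\t{digest}\n")


def read_audit(path):
    audit = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            rel, size, digest = line.rstrip("\n").rsplit("\t", 2)
            audit[rel] = (int(size), digest)
    return audit


def compare_audits(ref, new):
    """List (status, path, size change) for every difference between lists."""
    report = []
    for rel in sorted(set(ref) | set(new)):
        if rel not in ref:
            report.append(("added", rel, new[rel][0]))
        elif rel not in new:
            report.append(("removed", rel, -ref[rel][0]))
        elif ref[rel] != new[rel]:            # size or digest differs
            report.append(("changed", rel, new[rel][0] - ref[rel][0]))
    return report


def demo():
    # Constructed files stand in for a hard disk and the VC Home Directory.
    with tempfile.TemporaryDirectory() as disk, \
            tempfile.TemporaryDirectory() as home:
        def put(name, data, mode="wb"):
            with open(os.path.join(disk, name), mode) as fh:
                fh.write(data)

        put("A.COM", b"\x90" * 600)
        put("B.EXE", b"MZ" + b"\x00" * 98)
        put("OLD.SYS", b"driver")
        put("NOTES.TXT", b"not scanned")
        ref_path = os.path.join(home, "VSUM.REF")
        write_audit(build_audit(disk), ref_path)

        put("A.COM", b"\xCC" * 8, mode="ab")  # program grows by 8 bytes
        put("B.EXE", b"MZ" + b"\x01" * 98)    # same size, different content
        put("C.COM", b"\x90" * 32)            # new program
        os.remove(os.path.join(disk, "OLD.SYS"))
        put("NOTES.TXT", b"edited, still ignored")
        new_path = os.path.join(home, "VSUM.NEW")
        write_audit(build_audit(disk), new_path)
        return compare_audits(read_audit(ref_path), read_audit(new_path))


if __name__ == "__main__":
    for status, rel, delta in demo():
        print(f"{status:8} {rel:10} {delta:+d} bytes")
```

The B.EXE case is the one a size-only comparison would miss: the length is unchanged, so only the content check reports it.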
Condition Red
Only you can order a Red Alert for the Victor Charlie Menu Interface.
Condition Red requires that you have already made a VC Rescue Diskette
(see below). It is indicated by continual and seemingly untraceable
growth of programs on your hard disk. Such a situation almost
certainly means an exceedingly smart virus or an exceedingly dumb
virus is at work on your computer.
Tracking such viruses can be tedious and even frustrating. But the
vital first step is to cold boot your machine before proceeding.
Choosing Condition Red at the VC Menu checks to see if you have a safe
diskette complete with the needed tools, and then reboots the computer
to rid it of all traces of active virus activity. After this, you
should proceed to try to track the virus with the provided VC tools
and help.
General Security
Under this Menu choice lies a number of routines and programs, each of
which is designed as Preventive Maintenance to help ward off a
potential virus threat before it grows to attack state.
Disinfect Floppies:
Pressing the D hotkey or covering this choice with the menu light bar
will call the VC program BOOTFIX, described separately in this manual.
Briefly, BOOTFIX.COM makes data and Backup diskettes virus-free at a
keystroke, and without danger to anything on the diskette.
Make Rescue Disk:
You must run this option prior to declaring a Condition Red alert on
your computer. Victor Charlie strongly advises you perform this as one
of your first tasks after installing your anti-virus program.
This routine will make the most secure and reliable Rescue Diskette
possible. The diskette will be bootable with your own DOS system, and
thus will be able to start your computer even in the worst possible
case of a virus which makes your hard drive temporarily inoperable.
Partition Sector:
This choice will allow you to view (but not to change) the Master Boot
Record, or Partition sector, on the hard drive of your computer. While
viewing this normally inaccessible disk area, you can back it up to a
file or print a copy on any printer attached to your computer.
Boot sector:
Each disk and diskette on a computer has a Boot sector, a small
program which (in the case of a bootable disk or diskette) is capable
of loading the machine's operating system. By selecting this choice at
the VC General Security Menu, you may view the Boot sector of any
available drive or diskette. You may make a Backup file, or print the
Boot sector for later viewing.
View Log:
There are two possible sub-selections with this General Security Menu
choice: a record of virus attacks suffered since Installation of VC,
or the latest available list of files flagged as virus-infected by
VCHECK. Both these logs (which can be viewed, saved to a file or
printed) could prove invaluable when back-tracking a virus attack to
its source, and in replacement of files deleted because of virus
infections.
False Alarms:
On a tiny minority of computers, the intelligence built into
VCHECK.COM may provide False Alarms, and detect a virus attack where
none took place.
Please read the Users Manual section on False Alarms before using this
Menu choice.
If you decide you wish to turn off VCHECK's programmed intelligence,
this Menu choice will perform the action at a keystroke.
Attack Simulations:
All three VC main programs have Demo modes where they simulate virus
attacks with startling realism. You can select and run these
Demonstrations for each of the programs VC1, VC2 and VCHECK with this
Menu choice.
Exiting the Menu Interface
The ESCape key is programmed completely logically in the VC Menu. At
any point, hitting ESC takes you back one level from the operation you
are conducting. At the Main Menu, ESC returns you to the DOS prompt
or, if you insist, your running application. You also can quit from
the VC Menu by touching the E-for-Exit key as indicated.
In most relevant cases, the Menu program returns the screen to the
exact condition it appeared when you started running it. As a final
reminder, it displays a safe computing tip across the top of the
screen.
VC1 and VC2 - Victor Charlie's Front-Line Programs
VC1.COM and VC2.EXE are the shock troops in the battle against
viruses. They willingly volunteer to draw the fire of the enemy -- any
virus -- and thus pinpoint its location for you.
When ordered out on patrol by you, these two files invite ambush by
any virus. They go about this quite methodically, like any trained
soldier. An active virus generally cannot escape their quest.
We provide three separate methods of ordering the two front-line
anti-virus programs into action:
o From the Command Line, or DOS prompt, type the command
VC5 [Enter]
This command runs each of the two main VC programs in succession,
twice apiece. The programs should run twice for technical reasons. In
brief, repeating the same commands in sequence assures no virus can
hide in a DOS-provided buffer.
VC5.BAT (the program run with the above command) provides a fast check
for active viruses. Usually, it terminates with the happy news that no
virus activity was detected.
o A second way to check for viruses is to use VC's Interface Menu. The
command to begin this program is simply
VC [Enter]
Once you have entered the User Interface program, you should select
the Quick Check menu choice. This performs the same action as VC5.BAT,
but also gives more information both before the fact, and -- on some
unlucky day -- in case virus activity is detected.
o The third method of Quick Checking is even faster, but requires some
preparation. The first step is to run the provided program ALTV.BAT.
Type, at the DOS prompt, the command
ALTV [Enter]
NOTE: In order to work correctly in setting up your keyboard for
ultra-fast virus checking, ALTV.BAT requires the presence of a driver
or TSR in your computer's memory which can interpret ANSI. The program
ANSI.SYS on your DOS diskette is one such program. If you have a
question about ANSI, please refer to the DOS technical manual.
ALTV.BAT performs keyboard remapping on your computer, so that when
you press the Alt and V keys simultaneously, this serves the same
purpose as typing VC and pressing the Enter key. If ALTV.BAT succeeds
in correctly remapping your keyboard (success or failure will be
noticeable immediately), you can order up almost-instant anti-virus
checks simply by pressing
Alt-V
Remember, these keys must be pressed at the same time.
VC1 and VC2 on Patrol
The job of these programs is twofold. When you order either of these
two programs into action (or, more typically, both in immediate
succession, with the alternatives shown above) they first check your
headquarters, the absolutely vital parts of your computer that make it
run and work properly.
Specifically, VC1.COM searches the sections of your disk and memory
you normally never see -- but which a virus often attacks. You don't
have to know a thing about your System files, Partition sector or Boot
sector under normal circumstances. But if these are changed or
deleted, your computer won't work. VC1 then makes a quick check of the
vital file called COMMAND.COM if it is found.
NOTE: By default, VC1 checks out COMMAND.COM in the root directory of
the boot drive and/or in C:\DOS. Some advanced users place this
program elsewhere; rename their COMMAND.COM for security
reasons, or use a different or even second Command interpreter.
If this describes you, please see the section on VC1.CFG. If
you don't know, you needn't worry about this at all.
If the slightest change is made to these essential disk areas or
files, VC1 will immediately halt and report to you. It will specify
exactly where the probable virus is located, and provide advice on
what you should do next.
Unless you have made a change to these disk areas or files, it is
almost certain a virus or its Bomb has struck. No normal computer
action or program changes these areas and files. You should halt your
computing session immediately, and note VC's advice and recommendations.
VC1 is the boss for a few minutes in such a case. Almost certainly, it
will be able to cure this type of virus at a single keystroke. If you
want, a full explanation will also be provided. (Victor Charlie never
performs a change on your programs without asking for a go-ahead
first.)
If everything seems all right in those places (and usually it will)
VC1.COM will truck on. A virus may be lurking elsewhere in your
computer, settling down in ambush somewhere and preparing an attack
against your machine, programs, precious data, and you.
VC1.COM and VC2.EXE will find such a lurking enemy. Their two-man patrol
is generally irresistible to Type 1 (File infector) viruses. An active
virus by its nature is unable to resist the urge to try to attack VC1
and/or VC2.
Under normal circumstances, VC1 and VC2 will stand in harm's way and
invite attack from any lurking viruses. If you have no viruses on your
disks or in your computer system, they will flash you a message saying
OK so far and stand down, allowing you to continue your work.
But if you do have a virus present, that virus will attack one (or
sometimes both) of these programs -- and kill them! Just before they
die, they will send you a message in detail. The message will say
something along the lines of VC CAUGHT A VIRUS FROM YOUR MACHINE!
(SUICIDING NOW). A full-screen, context-sensitive help message will
scroll to your screen if you ask for aid.
This is a help screen you hope you never see. But if you do, you can
be certain your computer has a virus. VC, this manual, and your
computer provide the tools you need to sanitize your system in short
order and get back to work.
Such an attack would come from the type of virus which typically lurks
unseen in your computer's memory, or RAM, (although there are other
ways it can work). When it strikes, it is confident it can attach
itself unseen to any program. Usually, this is a correct assumption.
But when it opens its sights on either Victor Charlie program, the
tables turn.
The virus will have initial success. VC1 and/or VC2 will be hit in the
ambush. One or both will die. But the death of the program will not be
in vain. For when the virus kills VC1 or VC2, it must reveal itself.
In their death throes, the Victor Charlie programs will expose the
virus' camouflage.
When VC1 and/or VC2 sense a virus attack upon themselves, they perform
several actions in addition to deleting themselves from your computer
disk for your safety:
o They identify the presence of a virus.
o They capture a unique virus signature.
o They write this identifying virus code to your disk as a new or
additional entry to the Virus Signature Library, a file called VC.SIG.
o They warn you they are under virus attack, and present you with the
help and prompt screens that could make destroying the virus a bit
of a diversion rather than a frightening, uncertain, and potentially
disastrous experience.
VC.SIG - The Virus Signature Library
Victor Charlie's power and usefulness both spring from the fact that the
program is a generic virus detector. But when you have the bad luck to
encounter a Type 1 Virus, the kind that infects program files, Victor
Charlie suddenly switches from generic virus checking to specifics. It
works with you until you have Wiped Out every occurrence of the virus,
and you can return to your work.
This sudden switch occurs the moment that hapless Type 1 Virus tries
to ambush Victor Charlie's VC1 or VC2 front-line programs. Instead of
the willing host it expects to find in such apparently helpless
programs, the virus becomes the victim.
VC1 or VC2 (and, in rare instances, both of these programs) commit
suicide during the attack. Their dying act is to capture a signature
from the virus. This unique computer code is all Victor Charlie needs
to identify every infection on every disk and diskette you own -- and
Wipe Out each infected file cleanly enough that not even an expert
hacker could revive it.
The virus signature captured by VC is identified on your computer's
disk or diskette by the filename VC.SIG. This is your Virus Signature
Library, and it is created and maintained completely automatically.
The Library contains one or more unique strings of computer code able,
like a person's hand-writing, to identify the virus for Victor
Charlie. Before we go on, there is one important point about the
VC.SIG Virus Signature Library:
These virus signatures are NOT viruses. They are only vital parts of
viruses. They cannot replicate. They cannot infect. They cannot
perform evil deeds on your computer, its disks, drives, programs or
data. Not even that mythical hacker, if he got access to your
computer, could use the Signature Library or any part of it to make a
virus.
NOTE: The filename VC.SIG is the default identity for the Virus
Signature Library. Advanced users who wish to rename the VC
programs to provide invisibility to viruses must change the name
of the Library to match the new name for VC. Please see the
manual section on renaming VC for details.
VC.SIG is crucial to the Victor Charlie program VCHECK. This powerful
program reads the VC.SIG files, and then searches all vital programs
for the signature. Each time it finds it, VCHECK marks the infected
program. Each time it finishes checking an entire drive or diskette,
VCHECK halts with an offer to erase any infected files it finds.
We strongly urge you to accept this offer. We allow a choice only
because a few technically-minded users or supervisors may want to
examine a virus specimen. This would be impossible after VCHECK
finished Wiping Out each infected file. But 99.9 per cent of computer
owners and users will be better off to Wipe Out infected files, and
rebuild their disks and programs from uninfected Backup diskettes, or
even original program floppies. Keeping an infected file on your disk
is courting disaster of the worst kind.
The VC.SIG file allows VCHECK to find every infected program you own.
We provide a typical Virus Signature Library on every Victor Charlie
Distribution Diskette. Each entry in the Library was captured by the
relevant Victor Charlie program under real computing conditions, just
like yours. Again, these are harmless signatures -- except to the
viruses concerned. Each unique signature is as fatal to the virus as a
forger's handwriting is in the hands of an FBI expert.
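The bait-and-capture sequence described above, modelled as an added Python example that is not Victor Charlie's own code. VC's capture method and the VC.SIG format are proprietary, so the prefix/suffix comparison, the 16-byte signature length, the hex-string library and every byte string below are assumptions constructed for illustration.

```python
import hashlib

SIG_LEN = 16  # assumed signature length in bytes

# Constructed sample data: a bait image and 32 harmless filler bytes that
# stand in for code added to the bait by an infector.
PRISTINE = b"VC-BAIT-" * 8
FOREIGN = bytes(range(0xA0, 0xC0))
SAMPLE_FILES = {
    "GAME.EXE": b"MZ" + b"\x00" * 20 + FOREIGN,
    "CALC.EXE": FOREIGN + b"MZ" + b"\x00" * 20,
    "EDIT.COM": b"\x90" * 40,
}


def foreign_bytes(pristine, current):
    """Return the bytes in current that are not part of the pristine bait.

    Strips the longest common prefix and suffix, which covers code that was
    prepended, appended or inserted as one contiguous run.
    """
    limit = min(len(pristine), len(current))
    head = 0
    while head < limit and pristine[head] == current[head]:
        head += 1
    tail = 0
    while tail < limit - head and pristine[-1 - tail] == current[-1 - tail]:
        tail += 1
    return current[head:len(current) - tail]


def self_check(pristine_digest, current):
    """Bait integrity test: True when the bait still matches its digest."""
    return hashlib.sha256(current).hexdigest() == pristine_digest


def capture_signature(pristine, current, library):
    """If the bait changed, add a hex signature to the library and return it."""
    if self_check(hashlib.sha256(pristine).hexdigest(), current):
        return None                      # bait untouched, nothing to capture
    sig = foreign_bytes(pristine, current)[:SIG_LEN].hex()
    if sig and sig not in library:
        library.append(sig)              # stands in for appending to VC.SIG
    return sig or None


def scan(files, library):
    """Map each signature to the sorted names of files that contain it."""
    hits = {}
    for sig in library:
        needle = bytes.fromhex(sig)
        hits[sig] = sorted(n for n, data in files.items() if needle in data)
    return hits


if __name__ == "__main__":
    lib = []
    print(capture_signature(PRISTINE, PRISTINE + FOREIGN, lib))
    print(scan(SAMPLE_FILES, lib))
```

A 16-byte fragment like this identifies the foreign code without being runnable itself, which is the point the manual makes about the Signature Library.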
What's In VC.SIG?
As provided on the VC Distribution Diskette, the Virus Signature
Library contains identifying code which will detect many so-called
common viruses. This is merely a sample library.
We provide these signatures purely for testing purposes. Victor
Charlie doesn't need them. You may wish to operate VC with no such
Library on your computer. If Victor Charlie detects an active Type 1
Virus on your machine, it will create a new VC.SIG Library, or append
any new signature to the existing Library as the situation demands.
But the provided Library allows a live Demonstration of VCHECK. We
suggest you run such a Demonstration when you have a few minutes free.
It allows you to see just how this program searches for specific
viruses. Full details on VCHECK's many capabilities are in the manual
section dealing with this Victor Charlie program. But to see VCHECK
work out against known virus signatures, you need only do two things:
1. Ensure that the provided VC.SIG Library file is in your Victor
Charlie Home Directory, and,
2. Type the following command at your DOS prompt:
VCHECK - [Enter]
That is the minus sign, - after VCHECK.
With this command, VCHECK will search all your vulnerable program
files across your entire hard disk (all drives) to see if any of these
unique viruses is present. When it finishes, it will halt and offer to
search diskettes. If it should find any of these common viruses, it
will offer to wipe them out for you.
There is no special reason to keep the provided Signature Library on
your computer after this demonstration. Feel free to remove it if you
wish. On the other hand, it won't hurt to keep it around either.
VCHECK - VC's Do-Everything Program
VCHECK.COM is the third major part of the Victor Charlie anti-virus
software program. Like VC1 and VC2, it can range far and wide across
your disks and through your directories, unerringly searching out
every infected file.
And like VC1 and VC2, VCHECK is a preventative as well as a cure. You
should always use VCHECK in coordination with the shock troops to be
certain you have no viruses on your disks. Here are the two ways in
which you may do this.
If you simply type
VCHECK [Enter]
at your computer's DOS prompt, or choose the Search and Destroy
default option in the VC shell interface, the program will traverse
through your entire disk, running three consecutive inspections of all
programs and program parts susceptible to virus attack. These checks
scrutinize:
o The DOS-reported size (the file size you get when you type DIR) of
all such virus-vulnerable files, and,
o The actual size of these programs and program parts, and,
o The BITCHECK of each checked file. BITCHECKS are VC's cryptographic
checksumming procedures which produce unique reports on the state of
a file. So specialized is this routine that VCHECK's BITCHECKS
actually will vary from computer to computer throughout the world.
Usually, the two file sizes reported by VCHECK will be identical. If
they are not, VCHECK will tell you. Please bear in mind that in such a
case, it is more likely that reported and actual file sizes differ for
reasons other than a virus attack. Still, such a difference is always
a danger signal.
Some clever viruses, you see, are able to lie to DOS, making your
computer think everything is all right even while it is being attacked
by a virus. VCHECK works carefully to try to make this impossible.
BITCHECKing employs proprietary algorithms to create a special,
double-encrypted number for each file. (The numbers are created, in
ComputerSpeak, in hexadecimal form, and include letters as well as
actual digits). This number depends on every computer bit in the file,
and the order in which they occur. If so much as one bit of that file
is changed or moved, for any reason, VCHECK will warn you (see below).
Since viruses must change a file to hide and operate, BITCHECKing
provides a method of finding them.
You can watch VCHECK in action by typing
VCHECK [Enter]
any time you wish.
By itself, however, this is merely a piece of information that soon
will scroll by and out of sight. There is no way you can -- or should
-- try to remember what VCHECK is showing you.
This type of checking is somewhat interesting to techies, perhaps, but
has little relevance to the real role of VCHECK in your attempts to
defeat the spread of a virus on your computer. You have to harness
VCHECK, rein in the program's enthusiasm to speed through dozens of
sub-directories, gleefully checking programs and program parts at the
rate of up to several per second.
You say Whoa to VCHECK by invoking it from the VC menu interface, by
using it in combination with other Victor Charlie programs, or by
ordering permitted command-line parameters yourself. For a brief
on-screen explanation or reminder of what VCHECK can do, enter one of
the following at the DOS prompt:
VCHECK ? [Enter]
VCHECK HELP [Enter]
This provides a summary of what we are about to describe here, and can
be called at any time.
You may also see this help screen while using VCHECK from the menu
interface. Select Search and Destroy from the Green Alert menu. Then
select Manual Parameters. Simply type Help or ? and hit the Enter key.
Advanced or adventurous users will find the copious options of this
powerful program useful in varied ways. Among the many, we use some of
VCHECK's power to perform quick file-identity checks, to provide
indelible holographic serial numbers for groups of files, and to
monitor changes in programs or data in general.
A provided sample batch program, WI.BAT, harnesses VCHECK as a whereis
utility. You can search across an entire hard disk in seconds for any
lost file by providing its name or part of its name to WI.BAT. (Simply
type WI.BAT for a brief explanation of how it is employed.)
VCHECK, when reined in, serves three major, important purposes in the
anti-virus battle.
o As an on-line part of Victor Charlie's day-to-day anti-virus
ability, it is the part of the program which will find infected
files for you immediately after the suicide of VC1 or VC2, by
searching every virus-vulnerable program for the captured virus
signature.
o As a rear-area virus defense, it compiles a list of vital statistics
of your computer programs and program parts, storing them away for
future Auditing and reference. This Audit List could turn out to be
a vitally important step in curing a potential attack from a
super-clever virus, several of which already exist. We have
automated the compiling both of reference and comparison lists, and
the actual comparison, with the Victor Charlie batch program
VSEARCH.BAT.
The equivalent to VSEARCH in the Menu Interface is Audit Programs.
o As a friendly aid to you, VCHECK will monitor Data Files. Few
anti-virus programs even attempt to do this, because it is
incredibly difficult to monitor material that by definition changes.
For our suggestions on how to do this, please see the manual section
on VBAIT.BAT, a fully-automated method you can use to keep an eye on
data which may be vulnerable to viruses.
Usually, when you use VCHECK, you will want to redirect its output.
That is, instead of having the program print all the information it
assembles on your screen, you will want to put it in a file on your
disk, so you or another Victor Charlie program can peruse it at a
somewhat slower speed.
You may do this yourself by typing:
VCHECK parameter /filename.ext [Enter]
at the DOS prompt. You don't use the actual words parameter or
filename.ext. For filename, you may use any name that DOS accepts.
(For examples of this, see the files and manual sections on
VSEARCH.BAT and VBAIT.BAT).
For parameter, you substitute one or more of the following.
VCHECK - [Enter]
The "-" parameter is the minus sign. This command orders VCHECK to
look at all virus-vulnerable files and check them against VC's
Signature Library of common viruses, plus ones you may have suffered
the misfortune to have contracted yourself. The library is updated if
necessary, on the fly, each time VC1 or VC2 encounters a Type 1 virus.
The signature library is called VC.SIG by default. It must be present
in the Victor Charlie Home Directory for the - option to work. (We
provided a basic Signature Library with signatures from so-called
common viruses on your Victor Charlie distribution diskette. This
allows you to test this facet of the VCHECK program at any time.)
VCHECK d [Enter]
This command will check your computer drive d where "d" may be any
letter signifying an actual drive on your computer. If this parameter
is not provided, VCHECK works on the current drive -- the drive
indicated by your DOS prompt.
Please note you need not enter the colon after the drive letter as you
usually do with DOS-type programs.
VCHECK . [Enter]
VCHECK followed by a dot (period) and the Enter key further restricts
VCHECK's actions to the current directory or sub-directory only. This
specialty feature will not be of interest to you often. But in the
event you have to go on a long, drawn-out search for a persistent
virus -- a distinct possibility as virus programs become more
sophisticated -- it is a potential time-saver of great magnitude.
The "." option also could be useful for checking new programs before
you run them. Any newly installed or updated program should be checked
with this option immediately.
Advanced users who wish to monitor Data Files on their own could use
this option, plus a specialized VCHECK.CFG in the relevant
sub-directory.
VCHECK filespec [filespec] . . . [Enter]
You can override all VCHECK's orders about which files to check with
this command. Filespec can mean any part or whole name of a file
acceptable to DOS. That is, the filespec can be no longer than eight
letters, numbers or certain symbols, followed by a period and not more
than three more such characters. The usual DOS wildcards ? and * are
fully supported by VCHECK. You may enter as many filespecs as will fit
on your command line (typically, 128 characters).
Thus, if you wanted to VCHECK only .EXE programs, your COMMAND.COM and
non-executable program files from a mythical software program called,
say, Victor Charlie, you could type:
VCHECK *.EXE COMMAND.COM VC*. [Enter]
VCHECK only [Enter]
The "only" parameter restricts VCHECKing to the current drive, that is
the drive to which you are logged on. In effect, this is a negative
parameter. It suppresses the default choice of VCHECKing other drives.
After VCHECKing the single drive as ordered, the program stops and
returns you to DOS or the VC Menu Interface. This is most useful in
automating Victor Charlie to your own needs.
All of the above parameters may be chained. Let's say you are
currently doing computer business in the sub-directory C:\DOS\BIN. You
have a D: drive, and you know that the current directory on that drive
is called D:\BACKUP\123. You want to see if any of the .EXE files in
that directory have become infected with a virus whose signature has
been left behind from a virus attack detected by VC. You would type:
VCHECK - d *.EXE [Enter]
This is an extreme case. Far more likely you would simply switch to
the D: drive and run VCHECK with the - parameter. Nevertheless, it
shows a potential ability of this Victor Charlie program.
VCHECK HUSH [Enter]
The hush parameter, which can be used with all VC programs except the
Menu Interface, suppresses the normal screen output.
This parameter should be used sparingly with VCHECK. The Hush order
suppresses virus searches. Even if you have a virus Signature Library,
use of the hush command will force VCHECK to ignore this library as it
Scans the disk. This makes it useful for specialized operations such
as in WI.BAT, where a user wishes to utilize VCHECK's speed in finding
one or more files on the computer's disk.
VCHECK's Default
What checks does VCHECK check when VCHECK does check checks?
The program has a built-in default to perform VCHECKing on typical
programs and more-or-less typical program parts. This built-in list
ensures that VCHECK looks at all files with the following DOS
extensions in their names (the three letters after the period).
COM EXE SYS BIN OV? PGM PRG APP LOD LD? CHN PIF DRV DLL
These are only the most common of today's computer software programs.
Many particular programs have program parts (Overlays) which carry
other extensions.
Before much more time goes by, you should have a look at your actual
programs to see if this default list leaves any particular program
parts vulnerable. VCHECK will check any program parts you alert it to.
Such an alert is given in the adaptable text file called VCHECK.CFG.
VCHECK will always look for this text file before it swings into
frenzied action. If it finds the file, it substitutes the contents of
VCHECK.CFG for its own built-in defaults.
This is yet another Victor Charlie program fully adaptable by any
user, yet functional as it stands. The VCHECK.CFG provided on your
Victor Charlie Distribution Diskette is identical to the built-in
default list given above.
If you need further -- or, possibly, less -- VCHECKing than is
provided by VCHECK's defaults, please see the section of this manual
which deals specifically with VCHECK.CFG, and explains how it can be
quickly changed, and used, on your specific computer.
VCHECK uses the following precedence in determining which files it
should check on any given command:
1. The DOS command line or Manual Parameters given from the VC User
Interface, if any are given;
2. The file VCHECK.CFG, if found, in the current directory as
indicated by your DOS prompt;
3. The file VCHECK.CFG if found in the VC Home Directory, and,
finally,
4. The built-in defaults -- 14 program and Overlay extensions, shown
above.
Thus, for example, the specific command
VCHECK *.COM *.EXE [Enter]
whether given from the DOS command line, a batch program or the VC
shell interface, would override all other orders or configuration
files applicable to VCHECK.
If VCHECK finds a VCHECK.CFG file in the current directory, it will
take its search options from that file, and pay no attention to any
other VCHECK.CFG or the internal defaults. If no command line
parameters are given, and if no VCHECK.CFG is present in the current
directory, VCHECK will follow the instructions from VCHECK.CFG in the
VC Home Directory -- if it exists. If none of the above options are
used, VCHECK will check only files with the 14 default filename
extensions listed above.
False Alarms - If VC Finds A Virus Which Isn't
VCHECK, Victor Charlie's search-and-destroy program, uses proprietary,
built-in routines to detect viruses. These include artificial
intelligence, and examination of program code for known writing
techniques of identified writers of viruses.
These routines may cause False Alarms. If so, you may turn off
VCHECK's built-in virus-searching intelligence by making and
Initializing a new set of VC programs as outlined below.
In its default state, VCHECK looks at each file it BITCHECKS and
searches for certain tell-tale viral signs. These are in addition to
the presence of viral signatures captured and stored in the Signature
Library by VC1 or VC2.
Occasionally (but seldom), perfectly legitimate programs will use such
code themselves. This will cause VCHECK to assume the presence of a
virus in a program which, in fact, is clean.
If VCHECK alarms on programs which you are certain are virus-free, you
probably will have to run Victor Charlie without its special routines.
Please do not be hasty about making such a decision. Before you decide
that VCHECK is causing False Alarms on your computer, run through the
following checklist:
1. Run VCHECK, and note which programs it reports to be probably
virus-infected.
2. Run one of those programs itself.
3. Run VC1, VC2 and VCHECK in succession. (From the VC Menu, simply
run the two available routines at the Condition Green sub-menu,
Quick Check and Search-and-Destroy).
4. Look again at the programs VCHECK has detected as probable viral
carriers. See if any new files have been added to this list.
5. Replace one of the infected programs with a known, clean Backup
copy. Do not run this program.
6. Run Steps 2 through 4 one more time.
If VCHECK is no longer adding files to its list, and,
If you yourself believe your program is uninfected, and,
If only VCHECK continues to claim your clean program is infected,
while VC1 and VC2 disagree and report no infection, then,
You might now begin to assume VCHECK is, indeed, causing False Alarms.
Please be very careful while you do the above. Viruses already exist
which spread extremely secretively. If VCHECK continues to add
infected programs to its Log file, it is very possible -- even likely
-- that you have one of these viruses, and the alarm is true!
If you conclude that you are receiving False Alarms, simply proceed
immediately to your Victor Charlie Home Directory. There, you will
find a small program called NOFALSE.BAT. If you do not have this file,
copy it from your Victor Charlie Distribution Diskette. Issue the
command:
NOFALSE [Enter]
This batch program will initialize a complete new set of Victor
Charlie programs. In the process, it will turn off the VCHECK logic
which has detected viral infections where none seem to exist.
It is the nature of viruses to spread as secretively as possible. It
is the nature of VCHECK to smoke out the viral spread. While false
alarms are maddening and time-consuming, tracking down and killing a
cunning virus programmed to spread covertly can be far more difficult
and far more frustrating -- and such viruses have enormous potential
for destruction of your valuable data, information and time.
NOTE: As we try to stress as often as possible, detecting and tracking
viruses cannot reliably be performed with a single computer
command on every occasion. Virus writers often are exceedingly
and excruciatingly clever programmers able to circumvent and
capitalize upon the belief that virus detection is simple.
Sometimes, tracking a virus can take the patience of a saint,
the observations of a first-class detective, and the planning of
a battle strategy.
Hint: In the event that VCHECK causes a false alarm on one, two, or
even three programs, you should consider living with these.
Often, you can remember a couple of False Alarms during any
Search-and-Destroy or Audit operation. You may be glad in the
future you refused the temptation to remove VCHECK's
intelligence when it begins to detect new infections which are
not False Alarms.
Excluding Files From VCHECKing
An alternative to switching off VCHECK's built-in intelligence is to
exclude certain, specific files from the program's scrutiny.
This is performed by adding program names to the VCHECK.CFG text file.
The primary purpose of VCHECK.CFG is to add, by use of wildcards, to
the list of virus-vulnerable files you have on your computer. However,
it also is possible to exclude explicit files from VCHECKing. You
should consider this if you have several known-clean files which
VCHECK insists contain dangerous computer code.
Although it is unlikely you ever would consider excluding so many
files from VCHECKing, it is possible to segregate several hundred
files from VCHECK's scrutiny through this list.
To exclude a file from virus searching and checking by VCHECK:
1. Load or create the file called VCHECK.CFG with your text editor or
word processor. (This file must be created in pure ASCII text.
Most word processors have an ASCII, or non-document, mode for
creating and saving such files.)
2. Each file to be excluded from VCHECKing must be listed on a
separate line in VCHECK.CFG, and must be completely identified in
the form:
-d:\path\filename.ext
3. Please note in the above example that each line must begin with a
minus sign (dash). This is the signal to VCHECK to ignore the file
during virus searching.
4. The d: is the drive letter where the false-alarming file resides.
The \path is the full DOS path to the file. Filename.ext is, of
course, the full name and DOS extension of the pesky false alarm.
5. Save the new or edited VCHECK.CFG to your disk in the VC Home
Directory, and exit your word processor or editor.
6. From that moment, VCHECK will ignore the file(s) you added to
VCHECK.CFG with the leading minus sign. No further action is
required. It is not necessary to make a new copy of VC programs,
or to reinitialize.
Again, please do not be hasty in applying Nofalse to your Victor
Charlie program. Extensive testing and research prior to release of
this software revealed that in more than 90 per cent of cases,
VCHECK's programmed logic detects viruses rather than causes False
Alarms.
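How the selection precedence and the exclusion lines interact, as an added Python example that is not part of the Victor Charlie distribution. The exclusion form is the one given above; that VCHECK.CFG holds one wildcard filespec per line, that a file with no filespecs falls back to the built-in list, and all paths and file contents are assumptions constructed for illustration.

```python
import fnmatch
import ntpath

# Built-in default list from the manual, written as DOS filespecs.
BUILTIN = ["*." + ext for ext in
           "COM EXE SYS BIN OV? PGM PRG APP LOD LD? CHN PIF DRV DLL".split()]

# Constructed sample data.
SAMPLE_PATHS = [r"C:\DOS\COMMAND.COM", r"C:\APPS\DRAW.OVL",
                r"C:\APPS\EDIT.EXE", r"C:\APPS\README.TXT"]
HOME_CFG = "\n".join(["*.COM", "*.EXE", "*.OV?", r"-c:\apps\edit.exe"])
CWD_CFG = "*.EXE\n"


def dos_match(name, pattern):
    """Match an 8.3 name against a filespec, base and extension separately.

    Simplified DOS wildcard rules: "VC*." matches only names without an
    extension, "*.OV?" needs a three-character extension.
    """
    nbase, _, next_ = name.partition(".")
    pbase, _, pext = pattern.partition(".")
    return fnmatch.fnmatchcase(nbase, pbase) and fnmatch.fnmatchcase(next_, pext)


def parse_cfg(text):
    """Split VCHECK.CFG text into (include filespecs, excluded full paths)."""
    includes, excludes = [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("-"):
            # Exclusion line: minus sign, then drive, path and file name.
            excludes.add(ntpath.normcase(line[1:]))
        else:
            includes.append(line.upper())   # assumed: one filespec per line
    return includes, excludes


def resolve(cmdline, cwd_cfg, home_cfg):
    """Apply the manual's precedence; return (source, includes, excludes)."""
    if cmdline:
        return "command line", [s.upper() for s in cmdline], set()
    for source, text in (("VCHECK.CFG in current directory", cwd_cfg),
                         ("VCHECK.CFG in VC Home Directory", home_cfg)):
        if text is not None:
            includes, excludes = parse_cfg(text)
            return source, includes or BUILTIN, excludes
    return "built-in defaults", BUILTIN, set()


def plan(paths, cmdline=(), cwd_cfg=None, home_cfg=None):
    """Sort full DOS paths into checked, excluded and unmatched lists."""
    source, includes, excludes = resolve(list(cmdline), cwd_cfg, home_cfg)
    result = {"source": source, "checked": [], "excluded": [], "unmatched": []}
    for path in paths:
        name = ntpath.basename(path).upper()
        if ntpath.normcase(path) in excludes:
            result["excluded"].append(path)
        elif any(dos_match(name, spec) for spec in includes):
            result["checked"].append(path)
        else:
            result["unmatched"].append(path)
    return result


if __name__ == "__main__":
    print(plan(SAMPLE_PATHS, home_cfg=HOME_CFG))
    print(plan(SAMPLE_PATHS, cwd_cfg=CWD_CFG, home_cfg=HOME_CFG))
```

In the second call the exclusion saved in the Home Directory has no effect because the current-directory file wins, so it is worth recording the source and the excluded list on every run.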
VSEARCH - Audit Programs
VSEARCH.BAT and its Menu Interface equivalent, Audit Programs, may be
the most important routine in your anti-virus computer arsenal. If you
use them as directed here, you may detect any virus attack possible on
a personal computer running under DOS.
NOTE: Comparisons of lists of BITCHECKS can detect all viruses on a
PC. This is subject to several conditions. These include the
necessity to perform BITCHECKing immediately after a cold boot
to a known-clean DOS diskette. In addition, the results of list
comparisons must be correctly analyzed by the computer user.
There are two default methods of employing BITCHECKing on your
computer. Imaginative users can come up with many others. We provide a
sample of such thinking with the provided batch program VBAIT. Please
see this manual's chapter on VBAIT.BAT for an example.
You may use BITCHECKing to your advantage with the provided program
VSEARCH.BAT, and with the selections Audit Programs at the Condition
Yellow choice in the VC Menu Interface.
We would like to take a moment for a brief explanation of these
foolproof harnessings of Victor Charlie's VCHECK program. The computer
you save may be your own.
The Meaning of BITCHECKS
A checksum is a mathematical computation of every bit and byte in any
single file on your computer. Checksums may be computed of data or
programs, text or computer language. In the real world, they require a
program to make. In turn, the program consists of one or more
algorithms which are used as the basis for the calculation.
There is no standard or regular way of computing checksums. Any group
of 100 good computer programmers may literally have 100 different
methods of computing checksums. And while those same 100 programmers
might very well agree on what makes for bad checksumming algorithms,
it is unlikely they ever would agree on a unique, good algorithm.
Victor Charlie's proprietary method of checksum computation is
top-of-the-line. Because of this, we have replaced the generic
term "checksum" with our own term: BITCHECK. Without going into
detail, VCHECK uses more than one method to compute a BITCHECK. The
methods used on any given occasion are entirely random. Not even we
can predict in advance which of many possible algorithms will be
utilized by VCHECK in its computations. Each VC program set uses
different algorithms from others (a good reason to register your
shareware version of the program).
Each Bitcheck produced is bit-dependent upon what went before. Results
are double-encrypted.
This provides bulletproof security against even a mythical (so far)
intelligent virus which might try to figure out BITCHECKing as part of
its operation. The thousands of possibilities of Bitcheck computations
at any time effectively rule this out.
The VSEARCH batch program and the Audit Programs menu selection at the
VC menu use these facts about VCHECK and BITCHECKing to your
advantage.
Foolproof Virus Disabling
No virus on a PC under DOS can survive actively if you cold boot your
computer with an uninfected, write-protected DOS diskette.
This is unequivocal. A fresh start for your computer with that DOS
diskette will absolutely disable any virus. Naturally, it will not
eliminate any viral code, but no virus can remain active or regain
control of your computer if you turn off the machine, stick a clean,
write-protected DOS diskette in the A: drive and turn the computer
back on.
This operation renders inactive even the hypothetical virus with
artificial intelligence. This is the point where virus detection
begins to become absolutely certain.
Using VSEARCH
VSEARCH.BAT (and the equivalent Menu selection Audit Programs) are
illustrations that in the task of total virus detection and cure there
is "no free lunch." We have made these routines as easy as possible to
run, use and interpret. But still, they make two demands on you, the
thoughtful computer user:
1. Time. VSEARCH will take several minutes to run on the average PC
with a hard drive.
2. Attention. When the program finishes, it may require some
interpretation on your part. Here is how we suggest you set up
program auditing for yourself. What follows is only a model and
you can -- indeed you should -- adapt this to your own needs.
First, we recommend you always run program auditing after cold-booting
to a write-protected DOS floppy diskette. While this can be a bother,
it makes the virus hunt certain, as we pointed out above. You can make
a bootable floppy for this purpose. Or simply shut off your computer,
insert your standby DOS diskette in the A: drive to restart the
machine, and then begin your auditing.
If you decide to play it very safe and conduct the auditing itself
from a floppy diskette, this disk may have to include a copy of your
Config.SYS file from your hard drive, and copies of any "driver"
programs required by Config.SYS. To be extremely safe, also include:
o The program VCHECK.COM, copied from your Victor Charlie Home
Directory
o The program VCOMP.COM, also copied from the Home Directory, and,
o The batch program VSEARCH.BAT itself.
This is all you need to conduct a full-scale, completely dependable
anti-virus search. These three programs will interact to provide you
with reference and comparison lists of files anywhere on your
computer. They then will compare these lists, and finally strain out
and show you any differences. This is where your logic must play a
part.
VSEARCH is capable only of identifying to you the following:
o Changes in the makeup of any program on your disk;
o New programs added to the disk between runs of VSEARCH, and,
o The absence of files between such runs.
It is up to you at this point to apply your logic. If a program has
changed its makeup, you must figure out whether you have changed it in
some way. Perhaps you have upgraded to a new version. Or maybe you
have reconfigured a self-modifying program. Either of these events
will show up in VSEARCH as a flagged problem.
And so will any program which has been changed by a virus attack.
With VSEARCH, the up side is that you will detect all changes to your
computer programs. Since a virus must change a program to infect it,
you will catch all viruses.
The down side is that you must, to a certain extent, know what you
have on your computer and whether you have changed what is there.
VSEARCH itself is self-explanatory once it begins to run. And running
it is as simple as issuing the following command:
VSEARCH [Enter]
In its provided, default mode, VSEARCH.BAT
o will work from any drive on your computer (although, again, we
highly recommend you use it only from a floppy drive after a cold
boot).
o search the entire C drive of your computer for program files and
parts (Overlays).
o record the results of this search in a special file in the VC Home
Directory.
The first time you run VSEARCH (you have an opportunity to do this
right at VINSTALL stage) the program will create a file called
VSUM.REF. On subsequent runs, it will create a file called VSUM.NEW.
It will automatically compare these two files, and flag differences to
your attention for possible action.
(These two lists are plain text, although they never should be edited
or modified in any way by you. As text files, however, they cannot be
virus carriers.)
Like all Victor Charlie Batch Programs, VSEARCH can be edited, changed
and adapted to your own use.
Whether you use VSEARCH or the Audit Programs menu selection, the
routine will take some time to run. We can't predict how long, because
it depends on how big your disk is, how many programs you have on it,
and how fast your computer can run. Figure at least two or three
minutes on an average machine with more than 1,000 total files,
several major applications and various utilities.
It is neither necessary nor worthwhile running VSEARCH often. Once a
week on the "average" computer would be sufficient. If you add
programs to your computer often, you will want to run VSEARCH more
frequently. If you never add a new program, there is little to be
gained from running VSEARCH more than every couple of weeks.
We suggest you pick a specific time to run it, however, when the
computer is not being used for a while. One of Victor Charlie's early
users said he ordered BITCHECKing routines once a week as he went to
lunch. When he returned, results of the program were awaiting him.
This seems eminently sensible to us.
However you wind up using this powerful BITCHECKing feature, we
strongly advise you to run the program as soon after you obtain Victor
Charlie as possible, to build a reference list of programs, their file
sizes and BITCHECKS on your disk. Even if you do not use VSEARCH again
for a while, having such a list easily at hand could be extremely
valuable as you go about your computing.
VCOMP
This small program is part of your rear-area defenses. Its sole task
is to compare two file lists made by VCHECK or by batch programs which
use VCHECK automatically.
VCOMP is programmed to detect differences between what in practice are
a reference list and a new list of files and their Bitchecks. If there
are no differences, VCOMP politely and quietly informs you.
If differences exist, VCOMP will show you exactly what they are.
Bear in mind differences in the lists are most commonly caused by your
own actions, and not by viral activity. For example, let's suppose
that two weeks ago, you performed an Audit Programs search of your
virus-vulnerable files with VC. This list would be stored in the
Victor Charlie Home Directory.
Let's suppose further that last week, you added new software to your
computer. You liked it and you intend to keep it around on your disk.
Now, today, in the last stage of this scenario, you Audit Programs
once again (or use VSEARCH.BAT for this purpose). In this hypothesis,
VCOMP will show differences for sure. It will show the program and
program-part (Overlay) files of your new program weren't there two
weeks ago, with a note that the lists differ, although no files show
known signs of a virus. This is absolutely true, of course.
VCOMP cannot know when or if you have added or deleted
virus-vulnerable programs. In the above case, for example, the proper
procedure (detailed in the section on VSEARCH) is to delete the
original reference list, and make a new one that includes the added
files.
The VC User Interface Menu has a specific function, under Condition
Yellow, to perform this function automatically. At the DOS prompt,
this can be handled smoothly with the following command:
VSEARCH NEW [Enter]
VCOMP is useful in your final defense lines -- the point at which, in
fact, you are attacking the virus instead of vice-versa. With VCOMP
and advance planning, you will be able to spot files changed in size,
or whose Bitchecks do not match. Now this is a sign of a virus attack
upon that file, possibly a certain sign unless you have changed the
file yourself.
VCOMP is not a program to be used daily. It is specialized, usually
used in direct connection with VCHECK, and most effectively used in an
automated process such as VSEARCH, VBAIT, or Audit Programs.
To use VCOMP, at the DOS prompt on the command line or in a batch file
of your own, you should type:
VCOMP [Enter]
The program will prompt for the names of two text files to compare.
These files must be made by VCHECK, by the way. Otherwise, VCOMP will
simply exit.
More efficiently, however, you should use VCOMP with two parameters by
typing:
VCOMP file1 file2 [Enter]
where "file1" and "file2" are two unique reference files made by
VCHECK.
Never attempt to edit, change or even save a disk file made by VCHECK.
Certainly you can look at it in a word processor, a text editor, or
even with the DOS TYPE command. But if you make any change, there is a
good chance you will receive a string of false-alarm differences a
mile long when VCOMP tries to read it. This is because different
editors and word processors do different things to files, most
commonly adding or deleting blanks at the ends of lines. This tiny,
actually invisible change can radically change the file to the point
where VCOMP is incapable of figuring out what is going on.
Protecting Your Data
Baiting Viruses with VBAIT.BAT
In the war on viruses, there is nothing so feared as the virus Bomb
which deletes or changes data. While programs can be replaced
relatively easily and cheaply, data can involve weeks, months, even
years of work.
As Victor Charlie and this manual were being written, new viruses were
being discovered daily. Some of these contained Trojans or Bombs
injurious to data.
This is nothing new. In fact, the world of mainframe computers has
suffered major problems of this type for years. Thieves and practical
jokers have introduced viruses, Trojans, Bombs, and worms (a type of
destructive program that, thank goodness, cannot exist in the PC-DOS
world) into large computers. These programs on occasion were capable
of changing data in almost indiscernible ways. Often, these are aimed
at illegally transferring money or goods to the virus writer.
In the PC world, a virus was discovered in 1989 that greatly troubled
computer security experts. Its Bomb section worked like the worst
nightmares of most computer users. The program was capable of
searching out pairs of numbers, say 29 or 63, and reversing them.
Reader-users who work with numbers can immediately see the possibly
catastrophic results of such an action on a lengthy spreadsheet,
database, or report in a word-processing program.
Thus, before we even discuss how Victor Charlie can help you protect
your data from a virus Bomb or Trojan, we must stress two basic
computing rules:
1. Detect, and wipe out, viruses as quickly as possible. You can do
this with VC if you use the program often. It takes only seconds.
If you have no active virus, your data is safe from attack by a
virus Bomb.
2. Back up your data. We recommend daily Backups. This can be done by
99.9% of users in minutes, as the second-last task of the
computing day. (The last one is, of course, to run VC one more
time before you shut down).
Data that is backed up and stored cannot be touched by a virus Bomb.
If it is on a write-protected floppy disk, it cannot be changed by any
software under any circumstances.
Users who back up their data regularly have little to fear from a
virus attack. While it might be frightening, annoying, and even
time-consuming to recover from a severe virus attack, such a process
is nothing compared with the months of work that go into building Data
Files on your computer or, even worse, a computer network.
Setting up Test Files
That said, we now will proceed with some suggestions on how you
provide security against a spurious software program trying to play
tricks with your data.
The first step in this process is to decide what kinds of files to
give over to this process. This should be fairly simple. Bait files
should contain typical data produced by the software programs with
which you or your computer operators work.
We suggest you pick two or three typical files from each of your major
programs, or which come from programs you consider particularly
important. These will serve as your virus bait on a fairly permanent
basis, at least until you change the version or program you now are
using.
Copy each of these chosen bait files to a new name. Since they will
serve only as bait, pick names which -- to you -- mark them as files
you never will touch. We hope each VC user picks a different way to
identify these bait files, but we recommend something along the
following lines.
Change to the directory where you keep (for example) your Lotus 1-2-3
Data Files and type commands something like the following. Naturally,
you should use real filenames and bait names in place of the examples
we give.
COPY MAR90RPT.WK1 BAIT1.WK1 [Enter]
COPY TAX1990.WK1 BAIT2.WK1 [Enter]
Now go to the sub-directory where you keep your database files
produced by, say, the dBase IV program. Perform a step something like
this:
COPY EMPRCDS.DBF BAIT3.DBF [Enter]
COPY CARDLIST.DBF BAIT4.DBF [Enter]
You might next proceed to the sub-directory where you keep documents
produced by your word processor. There, type commands along the lines
of the following.
COPY REPORT03.DOC BAIT5.DOC [Enter]
COPY MOMLETT.PER BAIT6.DOC [Enter]
You may see our theory. We are providing bait for a Bomb attack. We
can provide fast, easy checking of the new files we just created,
because we have given them similar names. But the names are also
similar to existing files, so no virus Bomb, Trojan or data-changer
can possibly be intelligent enough to avoid these files.
Again, you need not use our suggested bait names. We hope you do NOT
use these names. If every user selects different names for his
Bomb-bait, no virus Bomb will be able to avoid attacking the data
files. Our aim is to invite a Bomb attack, so we then can pinpoint the
origin of the attack and effect damage control.
Nor should you try to group these bait files in any special area.
Leave them in the sub-directories with your day-to-day files. That
way, to any virus Bomb, they look like harmless data that invite
attack. Thanks to the VCHECK-VCOMP combination, they are lethal
weapons.
You then can adapt the program batch file VBAIT.BAT to your own files.
With this program, VCHECK-VCOMP will detect so much as a one-bit
change to any of these files. Normally, this batch file will produce
the following message on your screen:
Statistics compared OK!
This means you can breathe easily. The original checklist you
established has been compared with a new checklist, and the file sizes
and checksums are exactly the same. No changes have been made to the
files.
If, however, you should come under a data-Bomb attack, you will get a
message something like this:
STATISTICS NOT SAME !!!
This is your signal a Bomb may have been launched. Now you must go
looking for a harmful program. If it is a virus, Victor Charlie can
find it for you, possibly with the VSEARCH / Audit Programs routines.
Once you create bait files, you never should touch them again. If you
make any changes to them, you must run the VBAIT program again. Your
first step then would be to delete the check files VBAIT.OLD and
VBAIT.NEW created in the VC Home Directory by the VBAIT.BAT program.
You are free to adapt or change VBAIT.BAT to your own needs or work
habits. We provide such programs and explanations specifically so you
can use VC in a manner that best helps you in the hunt for viruses and
other hurtful software programs.
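The reference-list, new-list and compare cycle described for VSEARCH, VCOMP and VBAIT.BAT, as an added Python example (not part of the manual and not VCHECK or VCOMP code). SHA-256 stands in for the Bitcheck; the list format, the extension set and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# Assumption: extensions treated as "program files and parts (Overlays)".
PROGRAM_EXTS = {".com", ".exe", ".ovl", ".sys", ".bat"}


def snapshot(root, only=None):
    """Map relative path -> (size, SHA-256) for program files under root,
    or for exactly the relative paths in `only` (bait-file mode)."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            wanted = (rel in only) if only is not None else (
                os.path.splitext(name)[1].lower() in PROGRAM_EXTS)
            if not wanted:
                continue
            with open(full, "rb") as fh:
                data = fh.read()
            found[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return found


def save_list(path, snap):
    """Write one 'digest size path' line per file, sorted by path."""
    with open(path, "w", encoding="utf-8", newline="\n") as fh:
        for rel in sorted(snap):
            fh.write(f"{snap[rel][1]} {snap[rel][0]} {rel}\n")


def load_list(path):
    """Parse a saved list strictly: a line altered by an editor (trailing
    blank, changed line ending) is rejected instead of being compared."""
    snap = {}
    with open(path, "r", encoding="utf-8", newline="") as fh:
        for lineno, line in enumerate(fh, 1):
            parts = line[:-1].split(" ", 2) if line.endswith("\n") else []
            if (len(parts) != 3 or len(parts[0]) != 64 or not parts[1].isdigit()
                    or not parts[2] or parts[2] != parts[2].strip()):
                raise ValueError(f"{path}:{lineno}: not written by save_list")
            snap[parts[2]] = (int(parts[1]), parts[0])
    return snap


def compare(ref, new):
    """Report changed, added and missing paths between two snapshots."""
    return {
        "changed": sorted(p for p in ref if p in new and ref[p] != new[p]),
        "added": sorted(p for p in new if p not in ref),
        "missing": sorted(p for p in ref if p not in new),
    }


def demo():
    """Run an audit and a bait check over a constructed sample tree."""
    with tempfile.TemporaryDirectory() as base:
        tree = os.path.join(base, "tree")

        def put(rel, data):
            full = os.path.join(tree, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        put("APP/EDITOR.EXE", b"MZ" + b"\x00" * 200)
        put("APP/OLDTOOL.EXE", b"MZ" + b"\x01" * 50)
        put("DOS/FORMAT.COM", b"\x90" * 100)
        put("DATA/BAIT1.WK1", b"\x00" * 64)      # bait copy, never edited
        put("DATA/NOTES.TXT", b"not a program")  # ignored in audit mode
        bait = {"DATA/BAIT1.WK1"}
        ref_file = os.path.join(base, "audit.ref")
        save_list(ref_file, snapshot(tree))
        bait_ref = snapshot(tree, only=bait)

        # Between runs: one program modified, one installed, one deleted,
        # and a single bit flipped in the bait file (size unchanged).
        put("APP/EDITOR.EXE", b"MZ" + b"\x00" * 200 + b"\xcc" * 16)
        put("APP/NEWGAME.EXE", b"MZ" + b"\x02" * 30)
        os.remove(os.path.join(tree, "APP", "OLDTOOL.EXE"))
        put("DATA/BAIT1.WK1", b"\x01" + b"\x00" * 63)
        audit = compare(load_list(ref_file), snapshot(tree))
        bait_report = compare(bait_ref, snapshot(tree, only=bait))

        # Simulate an editor re-saving the list with trailing blanks.
        with open(ref_file, encoding="utf-8") as fh:
            text = fh.read()
        with open(ref_file, "w", encoding="utf-8", newline="\n") as fh:
            fh.write(text.replace("\n", " \n"))
        try:
            load_list(ref_file)
            edited_rejected = False
        except ValueError:
            edited_rejected = True
        return audit, bait_report, edited_rejected


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The comparison only reports what differs; deciding whether a changed program is an upgrade or an infection remains the operator's judgement, as the manual stresses.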
Renaming VC
It is possible to hide Victor Charlie and thus to make it "invisible"
to generic attack by malicious software. Except for the shareware
version of the program, VC is manufactured in small or unique program
sets in which the dates, times, sizes and checksums of all VC programs
are different. Site users always receive a unique program set, which
can include renamed programs and other files.
Users of any VC program can rename their own VC on any computer.
Please,
NOTE: VC programs cannot simply be given new names by using the DOS
REName function. Victor Charlie programs must be able to
"communicate" with each other, and can only be renamed as
described here.
Malicious programs already exist which search out certain software and
"attack" it by name or location. A program which insists on
installation in a certain directory, or which must have specific files
using specific names is wide open to such attack.
To give your VC programs new names and help to hide them from any such
generic attack, you must first initialize Victor Charlie. You probably
have done this if you have reached this point in the manual. If not,
initialize VC with the command:
VINIT [Enter]
Following this, simply type:
VC RENAME [Enter]
The rename process is documented, with help, on the screen. You will
be asked for new names for the VC programs and some other files.
Others, such as the Signature Library and main help file, will be
renamed to reflect your own chosen names. A list of old and new names
is retained for your use.
After renaming VC, be sure to change any batch files you may be using
to reflect such changes. Don't forget Autoexec.BAT, which may include
VC commands for starting up your computer.
There are two "restrictions" on renaming VC. One is that names must
adhere to DOS rules, i.e. they must be no more than 8 characters
(extensions such as .COM and .EXE are, of course, not changeable). In
addition, VC has a couple of reserved characters for its own internal
use. In the unlikely event you choose one of these, you will be
informed and asked to change the "offending" name.
VC programs can only be renamed one time. If you wish to rename Victor
Charlie a second time, you must restore VC to its original names,
initialize the program again, and then begin your second round of
renaming.
VC Utilities
BOOTFIX: Victor Charlie's Diskette Sterilizer
Type 2 Viruses often spread via the Boot sector of a disk or diskette.
Typically, such a virus begins acting in the few seconds after a
computer is turned on, or rebooted, either via the reset switch or the
Alt-Ctrl-Del key combination. The boot sector virus is notably
nefarious because it activates automatically. The user, apart from
starting or rebooting his computer, takes no action at all.
Type 2 Boot sector Viruses live and work in a reserved portion of a
hard disk or diskette which is read automatically by the PC. It is
from this dedicated disk area that the machine gets information to
proceed. Through this area, the machine becomes ultimately capable of
running DOS and, through it, your main applications.
BOOTFIX is a Victor Charlie utility to help you to remove
diskette-based boot viruses. Along the way it provides a few extra
services. It will, simply, sanitize data and Backup diskettes, killing
any virus it may find along the way, and help to remind all users in
the future of the dangers of trying to boot from the wrong type of
diskettes.
What does BOOTFIX do?
o Allows you to view the Boot sector of any diskette. By looking at
this diskette area, you may even see a virus.
o At your command, overwrites most of the Boot sector with a special
message which will show on the computer screen if ever you
accidentally do boot from the diskette.
What is the value of this?
o If you allow BOOTFIX to write a new Boot sector for your data and
Backup diskettes, you can ensure immediately that any virus which
might have been there will be wiped out.
o Such a diskette will, in the future, remind you to be careful about
booting from such diskettes, and lower the chance you ever will
spread a possible virus.
The Reason for BOOTFIX
A virus can hide on, and replicate from, a non-bootable diskette. Data
and Backup diskettes can hide and launch viruses.
Consider your recent computing habits. Have you ever accidentally left
a data diskette in the A: drive of your computer and then started or
restarted the machine? If so, you probably saw a message that read
something like:
Non-System disk or disk error.
Replace and strike any key when ready.
Probably, if you're like us and most other users, this is exactly what
you did, perhaps muttering briefly about the delay. But your machine
started all right, and you went about your computing affairs.
What Could Have Happened
Tens of thousands of such users have discovered later, to their
horror, that they had a virus infection. Where did it come from?
Because true Type 2 Viruses affect only the computer's System files,
they are difficult to track to their source.
What happened was this.
The virus was activated at the time the machine started and, almost
immediately, looked for and ran the computer code you will be able to
see when you use BOOTFIX. On a data diskette, such code usually only
displays the message to replace the disk and no harm is done. But on
an infected diskette, this code is manipulated by the virus
immediately, typically spreading to all available disks and diskettes,
certainly including the normal boot drive on the hard disk. Some
infected the hard disk's Partition sector. This makes the virus
difficult to eradicate since normal DOS tools are denied entry to this
disk area. Thousands of hard disks had to be low-level formatted to
cure such viruses.
Starting BOOTFIX
BOOTFIX.COM should be run from a diskette. We recommend you
o use the original Victor Charlie Distribution Diskette or, even
better, a working copy;
o write-protect this diskette with the usual method -- write-protect
tabs for 5-1/4" diskettes and the sliding tab on the 3-1/2"
diskettes.
BOOTFIX, if used as a standalone program, is virus-resistant. But it
is not directly integrated with the main, Victor Charlie programs.
Although it will detect most PC viruses and inform you, there is a
remote chance that BOOTFIX itself may become infected if you fail to
use a write-protected diskette. For safety's sake, BOOTFIX.COM has
been programmed to run only one time from a hard drive, and then to
delete itself. Because of this, BOOTFIX can never become a virus
carrier itself. (You can always make another copy from the
non-executable Backup file BOOTFIX.)
Running BOOTFIX is simplicity itself. Type the command
BOOTFIX [Enter]
The program will load itself in memory. You may remove the diskette
containing the program, as BOOTFIX no longer needs it.
BOOTFIX now will present you with a screen of information about itself.
This is a summary of the information above.
You will immediately be presented with two options.
Please select a drive by letter: [A] [B]
or [Q] to quit now
(The drive letters in this message should match what is available on
your computer.)
Place a data, Backup or scratch diskette in one of the drives BOOTFIX
indicates, and press the keyboard letter to match. BOOTFIX now shows
you another screen. It provides three choices:
[Q]uit, [V]iew, or [W]rite the new Boot sector.
You will probably want to see what is in the Boot sector of your
diskette. When you press V on your keyboard, BOOTFIX will read the
Boot sector of your diskette, and display it on your screen. You'll
see something like the following, but please bear in mind that this is
only a typical representation, and what you actually see may be
somewhat different:
[ Screen capture available in printed manual ]
At the bottom of this display, you once again will be presented with
the BOOTFIX choices to [Q]uit, [V]iew or [W]rite.
[W]rite a New Boot sector
As you see, Victor Charlie recommends, for safety's sake, that you
write a new Boot sector on your diskette. If you do, any virus hiding
in the sector you just [V]iewed will be killed.
The above message (seen in the printed manual) is inserted by BOOTFIX,
automatically, between the only two tiny pieces of computer code
actually required on the diskette's Boot sector. If, in the future,
you should accidentally boot from this diskette, this special message
is what you will see on your computer screen:
Some viruses can spread by accidentally TRYING to boot from
a data diskette! VICTOR CHARLIE once "sterilized" this diskette.
But virus infection may occur at any time. Virus spread can not
be prevented in such a case. Please run VC when you regain
control of the computer. To reboot now:
Remove this disk and hit any key ==>
If you do see it, you'll know the diskette does not have a Type 2 Virus. A
virus could not leave this message intact when it infected your
diskette. Instead, this message will serve to remind you of the
dangers of booting from a diskette.
Victor Charlie recommends you treat all data and Backup diskettes with
BOOTFIX.
To do this, simply [W]rite the new Boot sector with BOOTFIX, feed a
new diskette into the indicated diskette drive, and hit the
W-for-Write key again.
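A way to repeat the [V]iew inspection on a saved copy of a diskette's Boot sector and confirm the sterilization message is still intact, as an added Python example (not part of the manual and not BOOTFIX code). It assumes a 512-byte sector ending in the 55 AA boot signature and a message stored as plain ASCII; the sample sectors, the placeholder OEM name and the message offset are constructed.

```python
SECTOR_SIZE = 512              # assumption: standard PC diskette sector size
BOOT_SIGNATURE = b"\x55\xaa"   # assumption: signature in the last two bytes
# Marker text: one line of the message quoted in the manual.
MARKER = b'VICTOR CHARLIE once "sterilized" this diskette.'


def printable_runs(sector, min_len=6):
    """Return (offset, text) for each printable-ASCII run of >= min_len bytes."""
    data = bytes(sector)
    runs, start = [], None
    for i, byte in enumerate(data + b"\x00"):  # sentinel closes a final run
        if 0x20 <= byte <= 0x7E:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                runs.append((start, data[start:i].decode("ascii")))
            start = None
    return runs


def hexdump(sector, width=16):
    """Offset, hex bytes and ASCII column, one line per `width` bytes."""
    data, pad, lines = bytes(sector), width * 3 - 1, []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{pad}}  {text}")
    return lines


def inspect_boot_sector(sector):
    """Summarise one sector: signature present, marker intact, readable text."""
    data = bytes(sector)
    if len(data) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    return {
        "signature_ok": data[-2:] == BOOT_SIGNATURE,
        "marker_intact": MARKER in data,
        "text": printable_runs(data),
    }


def build_sample(text=MARKER):
    """Constructed sector: jump bytes, placeholder OEM name, text, signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"
    sector[3:11] = b"CONSTRCT"
    sector[0x40:0x40 + len(text)] = text
    sector[-2:] = BOOT_SIGNATURE
    return bytes(sector)


def build_overwritten_sample():
    """Constructed sector whose message area was replaced by other bytes."""
    sector = bytearray(build_sample())
    sector[0x40:0x40 + len(MARKER)] = b"\xf6" * len(MARKER)
    return bytes(sector)


if __name__ == "__main__":
    for name, sector in (("sterilized", build_sample()),
                         ("overwritten", build_overwritten_sample())):
        report = inspect_boot_sector(sector)
        print(name, report["signature_ok"], report["marker_intact"])
        print("\n".join(hexdump(sector)[:8]))
```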
DOS Boot Diskettes
Every user, as we have said numerous times, should have two or more
DOS system diskettes capable of starting the computer in case of
trouble of any kind, including virus trouble.
Such diskettes should not be treated with BOOTFIX. On top of this,
such emergency DOS diskettes should be write-protected. If they are,
BOOTFIX will not be able to change them anyway (nor could a virus). In
such a case, BOOTFIX will note the diskette is write protected and
prompt you with an appropriate message.
You may safely [V]iew the Boot sector of such a diskette, since
BOOTFIX performs no action in such a case. But if you present a DOS
diskette to BOOTFIX, whether by accident or design, the program will
warn you.
Victor Charlie Advises
If you have a DOS diskette which you no longer wish to use as such,
you should FORMAT it, rather than simply treating it with BOOTFIX. A
full format will also remove the hidden-System files, and give you
more space on the diskette if you wish to use it for storage purposes.
After formatting, treat the diskette with BOOTFIX.
Use in Batch Files
Bootfix is a virus-resistant program you can use in batch files. A
part of any batch file must be to copy a backup of Bootfix to
executable form, since Bootfix will delete itself after each use from
a hard drive.
Bootfix will return the following errorlevels in case of incident:
0 = OK
1 = WRONG DOS VERSION (if 2.0, no return if 1.x)
2 = COULD NOT FIND MYSELF
3 = OTHER FAILURES
4 = TRIED TO RUN FROM HARD DISK, DELETED
9 = VIRUS DETECTED, FILE INFECTOR
PTRESQ: VC's Generic Partition Sector Utility
PTRESQ.COM is a Victor Charlie specialty utility capable of fixing
most damaged hard-disk Partition sectors including damage by a virus
or other causes. Normally, you will use it only when the VC program
itself recommends you do so. This will occur in a tiny percentage of
cases, and almost always during installation or initialization of
Victor Charlie itself.
The Partition Sector
Every hard disk on a PC contains a small, dedicated section called the
Master Boot Record (MBR). It also is called the Partition Sector and
often, slightly incorrectly, the Partition Table (PT).
By whatever name, this fixed-position area contains a small amount of
computer code. This holds essential details of the hard disk. It tells
the machine -- among other things -- what sort of disk is present, how
many sectors it has, and what kind of Partitioning has been performed.
This is a vital part of your PC equipment if you have a hard disk. It
may be written in a number of automated ways, ranging from a low-level
format and the DOS-provided FDISK program, through a large number of
commercial programs.
The PC user worried about viruses has a special concern about the
Partition sector. In short, this is the only virus-vulnerable area in
your entire computer to which you do not have easy access. You can not
easily view this area and without special tools and knowledge, neither
can you access it. Most especially, the average PC user cannot change
this area -- i.e. wipe out a virus residing there -- with the normal
tools provided by DOS.
For most users, PTRESQ is the answer to this quandary.
Partition Sector Warning
PTRESQ, if you use it at all, will likely be used only once in your
computer's life. This will be during an attempt to VINSTALL Victor
Charlie itself. (For the exception, see When Your Hard Disk Won't Boot
near the end of this section.)
During initialization, VC will examine the Partition sector. Should
it see something unusual, it will immediately stop the Installation
process and present this advice:
Victor Charlie has found something that appears dangerous
in your hard disk Partition sector.
[ Screen capture available in printed manual ]
Victor Charlie takes a generic approach to all virus and possible
virus-related problems. If you ever see this message from Victor
Charlie's help file, please note the following:
1. Neither VC nor PTRESQ nor any other PC utility can know for sure
if you have a virus in your Partition sector, or even whether you
actually have a problem at all.
2. If you have what Victor Charlie calls an unusual Partition sector,
you probably already know about it. Some hard disks and
Partitioning (disk-managing) programs do make non-standard
Partition sectors. This may include 5% or more of machines which
are otherwise standard PCs.
3. Use of PTRESQ will not cause irreversible changes to your Partition
sector. It will not touch any other part of your computer's disk.
We recommend that you run PTRESQ if advised to do so by Victor
Charlie, unless:
o You know you have a non-standard Partition sector, or,
o You have a specific tool to check and, if necessary, fix your own
Partition table, or,
o You are otherwise certain you wish Victor Charlie itself to back up
and permanently protect your Partition sector as is.
In the above cases, you may force Victor Charlie to continue its
initialization, and to record and protect your non-standard Partition
sector. If you do so, Victor Charlie will no longer complain about
this problem.
DO THIS ONLY IF YOU KNOW YOU HAVE A NON-STANDARD SETUP. Otherwise, you
may be forcing VC to back up and protect a virus it has already warned
you about.
Starting PTRESQ
PTRESQ should be run from a floppy diskette. Although it is
virus-resistant, it is not completely virus-proof. For this reason, the
program will delete itself after each use if started up on any hard
drive. If you must run it from a hard disk, make a backup:
COPY PTRESQ.COM PTRESQ [Enter]
Start up PTRESQ in the normal computing manner. For example, if the
diskette with PTRESQ is in the A: drive, place your computer prompt at
this drive. Then start the program:
A: [Enter]
PTRESQ [Enter]
The program is virtually self-documenting. When it starts, a screen of
help will appear first. Then, you will have a choice to [V]iew,
[S]ave, or [R]estore the MBR, or to quit the program.
[ Screen capture available in printed manual ]
Probably, you will want to look at the Partition sector. [V]iew will
perform no action except to display the Partition sector to your
screen. Most "normal" Partition sectors will include a small amount of
computer code and three or four error Messages in ordinary English.
These Messages are part of the DOS contingency planning to alert you
if something goes wrong.
It is possible, if you have a virus, that you may see it here. A
notorious Partition sector virus called the Stoned Virus, has readable
English in this sector, which says "Your PC is now Stoned! LEGALISE
MARIJUANA!" In such a case, you definitely will want to continue with
PTRESQ.
Putting PTRESQ to Work
If you are using PTRESQ for a real problem, rather than out of
curiosity, you will now want to put it to work for you. Here is the
way the program works.
If you press [S]ave, PTRESQ will make a copy of the existing Partition
sector, which you viewed with the [V]iew choice. This copy will be
called PT1.CPY. It will be placed automatically in the root directory
of your C: drive, because every C: drive has a root directory. If
PTRESQ finds more than one partition sector, it will save them under
sequential numbers, such as PT1.CPY, PT2.CPY, etc.
PTRESQ allows you to save either the first (256-byte) sector of the
MBR, or the entire track (varies in size according to many variables).
The default choice is to save only the first sector.
NOTE: PT1.CPY should never be changed. Do not erase it until you are
certain you have a functioning Partition sector which is
virus-free and able to boot your computer properly.
At the same time, [S]ave will place a new and probably different
Partition sector in place of the one you saw. This replacement of your
Partition sector with a generic selection by PTRESQ probably will
function perfectly for your computer. If it does, you may be certain
of the following:
You no longer have any active virus in the Partition sector.
Please remember that the operative word in the preceding paragraph is
probably. PTRESQ, to paraphrase Abraham Lincoln, will satisfy most of
the people all of the time. Because of the huge variety of PCs, disks
and software, no single utility, no matter how generic, can please all
of the people all of the time. If [S]ave doesn't work for you, read
on.
Testing PTRESQ's Attempt
As soon as PTRESQ has finished your order under Selection [1], it will
signal you. This should take no more than a second or two.
You must now test the result.
o Remove the diskette or open the drive door on your A: drive.
o Reboot your computer. Ctrl-Alt-Del is fine for the test.
One of two things will occur:
1. Your computer will boot normally and leave you at the hard disk
prompt, normally C>, or,
2. it will not boot normally, meaning the boot process most likely
will hang your computer.
If the boot is normal, you are a virus-free, satisfied user of PTRESQ.
File the program away; you will probably never need it again. Simply
return to the installation of Victor Charlie.
If the computer hangs during its initial boot, place your clean,
write-protected DOS diskette in the A: drive and boot again. PTRESQ
has not worked in your case on your computer. You should return to
Square 1 by reversing PTRESQ's unsuccessful rescue attempt. To do
this, read on.
Un-doing PTRESQ
If you press [R]estore, the reverse of [S]ave will occur. PTRESQ will
replace the Partition sector with the original Partition table from
its Backup copy, PT1.CPY.
[R]estore, in short, leaves you exactly where you started. A generic
solution has not worked in your case on your computer. Most likely you
now will need expert help and you should contact your computer
salesman to find out the best way to get it.
This is why it is vital that you neither change nor delete PT1.CPY
until you are satisfied that PTRESQ has fixed your problem.
Once your computer is working properly, but not before, you may delete
PT1.CPY. It is of no use on a computer which is performing normally.
When Your Computer Just Won't Start.
Computers can be ornery machines, usually at the most awkward times.
Often, computers seem to delight in presenting us with problems.
One of the more common ones is failure to boot. You start or restart
your machine, and it just hangs. Sometimes, an on-screen error message
gives a clue to the problem, but more often the blank screen simply
stares. Sometimes, even if it appears, the error message is as
mystifying as the problem.
If your computer just will not boot, it may be time to try PTRESQ.
Running PTRESQ is easy, quick and painless. The worst that can happen
is nothing. The best is that it will fix your computer for you.
Victor Charlie Recommends: Do not run PTRESQ as a frequent event. VC
itself allows users to view their Partition sector at a keystroke.
There is no reason to access this absolutely vital part of your
operating system, except in an emergency.
Use in Batch Files
PTResq will return the following errorlevels in case of incident:
0 = OK
1 = WRONG DOS VERSION (if 2.0, no return if 1.x)
2 = COULD NOT FIND MYSELF
3 = OTHER FAILURES
4 = TRIED TO RUN FROM HARD DISK, DELETED
9 = VIRUS DETECTED, FILE INFECTOR
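The errorlevel table above can drive a batch file as follows. This is an added example, not a file shipped with VC; it assumes PTRESQ is started from a diskette in A:, and the label names are made up for illustration. DOS treats IF ERRORLEVEL n as true for n or any higher value, so the tests run from the highest code down.

```batch
@ECHO OFF
REM Added example, not part of the VC distribution.
REM Assumption: PTRESQ is started from a write-protected diskette in A:.
REM IF ERRORLEVEL n is true for any exit code of n OR HIGHER, so the
REM tests must run from the highest code down to the lowest.
A:\PTRESQ
IF ERRORLEVEL 10 GOTO UNKNOWN
IF ERRORLEVEL 9 GOTO INFECTED
IF ERRORLEVEL 5 GOTO UNKNOWN
IF ERRORLEVEL 4 GOTO HARDDISK
IF ERRORLEVEL 3 GOTO FAILED
IF ERRORLEVEL 2 GOTO NOTFOUND
IF ERRORLEVEL 1 GOTO BADDOS
ECHO PTRESQ finished normally (errorlevel 0).
GOTO END
:INFECTED
ECHO PTRESQ reports a file infector virus (errorlevel 9).
ECHO Stop here and boot from a clean, write-protected DOS diskette.
GOTO END
:HARDDISK
ECHO PTRESQ was started from the hard disk and has deleted itself (4).
ECHO Run it again from the diskette.
GOTO END
:FAILED
ECHO PTRESQ reported an unspecified failure (errorlevel 3).
GOTO END
:NOTFOUND
ECHO PTRESQ could not find its own program file (errorlevel 2).
GOTO END
:BADDOS
ECHO PTRESQ will not run under this DOS version (errorlevel 1).
GOTO END
:UNKNOWN
ECHO PTRESQ returned an errorlevel the manual does not list.
:END
```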
GET.COM: Virus-resistant, Interactive Batch Files
GET.COM is a standalone batch-file utility with great general
usefulness. Most GET operations return both errorlevels AND
environment information. If you are unclear about how to use
errorlevels or environment variables, please refer to the batch file
section of your DOS manual.
GET can:
o Obtain and use a wide variety of information about the computer,
hard disk, drive, directory, floppies, environment, and DOS version,
and return useable errorlevel and environment strings;
o Wait for and act upon user instruction based either on a single key
(such as in a custom menu) or on a full string;
o Boot the computer by two different methods (cold boot or warm boot);
o Pause the computer at any point for a variable number of seconds,
and then branch to as many as dozens of possible operations
including a default option, and,
o Actually detect and warn of probable virus infection through self-
checking every time it is run.
Unlike the other virus-resistant VC utilities, GET.COM does not
automatically delete itself after each use from a hard disk. This is
for user convenience, despite a small danger that GET.COM could become
infected by a "smart" or "stealth" virus. GET.COM is NOT a direct part
of the overall VC program, and is not directly protected by VC.
BSA encourages creative programming and batch-file techniques. GET.COM
makes possible a wide variety of methods and combinations of
inventive batch programming. Several batch files
provided with VC use GET, and can provide ideas. VINSTALL, VSearch and
VBait are a few of the batch files which employ the VC interactive
batch utility.
GET.COM produces dozens of different errorlevel returns and environment
variables. A two-screen help can be viewed by simply typing:
GET [Enter]
Errorlevel 209 is one key return: this one means that GET has detected
change to itself -- a likely virus attack. In such a case, GET.COM will
delete itself to avoid becoming a virus carrier. To generate a new
GET.COM, copy the non-executable backup GET to program form:
COPY GET GET.COM [Enter]
Do your batch files interactively -- and help detect and stamp out
viruses at the same time!
Questions and Trouble-Shooting
1. Is VC compatible with DR-DOS Ver 6.0?
Yes. VC is compatible with a wide variety of DOS versions. DR-DOS
6.0 and VC are compatible.
2. Will VC work with Windows?
The shareware version of Victor Charlie will not work when Windows
is running. You must exit Windows to use VC. For a Windows-
compatible version of the program, please register your VC, and
note that Windows is a specific concern. Note that VC will check
your computer automatically during a boot. To check the machine at
the end of a day or a computing session, you will have to Exit
Windows to make that check.
3. Can VC work on a "stacked" disk?
Yes, VC SHOULD be installed on a virtual disk such as those made by
Stacker, AddStore, etc. Make certain that drivers and programs
needed for such software are running before installing VC.
NOTE: These programs work by "tricking DOS" into believing that a
large file is actually a C: drive. This means that, via this trick,
programs such as Victor Charlie are unaware that vital files and
programs reside on a disk now called the D: (or other) drive.
You should compensate for this by having VC check for these files
on the "unstacked drive." Be certain that the first lines of your
VCHECK.CFG file look something like this (depending on your DOS
version and software setup):
D:\COMMAND.COM
D:\IO.SYS or D:\IBMBIO.COM
D:\MSDOS.SYS or D:\IBMDOS.COM
4. VC is hanging my computer. What is wrong with it?
Victor Charlie is an integrity program. This means one of VC's major
tasks is the detection and analysis of CHANGE, to itself or to the
computer and programs on which it is running.
If you change important parts of the computer system, VC attempts to
warn of this. In any case, if you make such changes (usually through
the startup configuration file CONFIG.SYS), Victor Charlie may hang the
computer. If this happens to you, you must re-initialize VC. Do this
with the single command:
VINIT [Enter]
Victor Charlie depends upon the one look at your computer system it
takes during initialization. Important changes to this cause
unpredictable results from VC.
If you use two or more basic and different setups during your normal
computing, please run VC only when you are in the "standard setup"
which VC looks at during initialization. If you often change these,
we recommend you set up two or more VC Home Directories, and
initialize the programs in each with those different setups. By
adjusting the path statements in your respective AUTOEXEC.BAT
routines, you can be sure you will only use the Victor Charlie
initialized with that setup.
5. Does VC work with Desqview and memory managers such as QEMM?
Victor Charlie works smoothly under Desqview, but often will note
that DV has "stolen" memory from DOS without reporting this. The
condition will be reported by VC as a "memory parasite." The
[H]elp screens note that this condition is normal with Desqview.
If this is the only problem, it is safe to assume this is a
Desqview quirk and not a danger to your computing.
VC has been tested with a wide range of memory managers and no
problems have been noted. In some cases, these proprietary systems
may cause a VC alarm during initialization. If so, you should
"assert," or force, this process as noted on the mandatory help
screen which appears any time this problem is encountered.
INDEX
=====
ALTV: 29, 30
AUTOEXEC.BAT: 15, 18, 57, 73
Audit : 6, 26, 38, 44, 46-49, 51, 52, 55
Audit Programs: 26, 38, 46-49, 51, 52, 55
BITCHECK: 2, 5-6, 17-20, 25-26, 36, 37, 46-51
BOOTFIX: 27, 59-63
Bait: 1-6, 16, 18, 20, 38, 46, 52-56, 70
Batch Programs: 49, 51
Bomb: 5, 20, 30, 53, 55
Boot sector: 3, 11, 13, 22, 27-28, 59, 61-62
COMMAND.COM: 3, 5, 11, 14, 22, 30, 40, 72
Checksum: 2, 5-6, 36, 46, 55, 57
Command interpreter: 11, 13-14, 30
Condition Green: 24, 25, 43
Condition Red: 24, 26, 27
Condition Yellow: 24, 25
Data Files: 38-39, 54
Demo: 28, 34-35
Drivers: 14, 16, 72
False Alarms: 20, 28, 42-44
File infector: 31, 63, 69
Home Directory: 15, 22-24, 26, 34, 39, 41-43, 48, 51, 56
Initialization: 13-16, 21, 64-65, 73
Installation: 9, 13-14, 28, 64, 67
(See also INSTALL.DOC)
Interrupts: 5
Logs: 3, 9, 28, 37, 40, 43, 45, 48
Menu Interface: 23-29, 37-38, 40, 46-47, 49, 51
Messages: 5, 66
Mirror Files: 15, 17-18, 20-22
Monitoring Data: 5
NOFALSE.BAT: 43
Overlay: 11, 17, 41, 49, 51
PTRESQ: 64-68
Partition Sector: 11, 22, 27, 30, 60, 64-68
Quick Check: 24, 29, 30, 43
Rescue Disk: 26-27
Search for viruses: 2, 3, 25, 40, 44-45
(See also VC.SIG, VCheck)
Search and Destroy: 36-37
System Requirements: 7
System : 3-7, 11, 13-15, 19, 22, 30-31, 60, 62-63
System files: 13, 22, 30, 60, 63, 73
TSRs: 14-16, 30
Trojan: 53, 55
Type 1 Virus: 11, 33, 39
Type 2 Virus: 11, 59, 60, 62
User Interface: 23, 29, 51
VBAIT: 20, 38, 46, 52-56, 70
VC.SIG: 32-34, 39
VC1.CFG: 13, 16-22, 30
VC1: 24, 25-29
VC2: 5, 25-30, 42, 43
VC5.BAT: 29
VCHECK: 33-45, 46, 51-52, 55, 72
(See also VSearch)
VCHECK.CFG: 41-45, 72
VCOMP: 26, 48, 51-52, 55
VINSTALL: 13-14, 16, 24, 49, 64, 70
(See also INSTALL.DOC)
VSEARCH: 26, 38, 46-52, 55, 70