Preventive Computer Medicine to help keep your system virus free.
Fixed Disk "File Integrity Checker"
**************************
***                    ***
***  FICHECK ver 5.0   ***
***  MFICHECK ver 5.0  ***
***  PROVECRC ver 1.0  ***
***                    ***
**************************
(C)Copyright 1988, 1989, Gilmore Systems
Gilmore Systems
P.O. Box 3831
Beverly Hills, CA 90212-0831
U.S.A.
Voice: (213) 275-8006 Data: (213) 276-5263
All Programs designed and written by Chuck Gilmore
First Printing: June, 1988
Second Printing: July, 1988
Third Printing: August, 1988
Fourth Printing: January, 1989
*************************
*** IMPORTANT NOTICES ***
*************************
Disclaimer
FICHECK.EXE / MFICHECK.EXE / PROVECRC.EXE are offered AS IS without
warranty of any kind. Gilmore Systems assumes no liability or
responsibility for loss of profit, data, or any consequential or
inconsequential damages resulting from the use or misuse of these
programs. This applies to all versions of the above mentioned programs.
FICHECK and MFICHECK are Evaluation versions
DO NOT ATTEMPT to run FICHECK.EXE or MFICHECK.EXE without first reading
this document in its entirety!
FICHECK.EXE and MFICHECK.EXE are to serve as evaluation versions only.
If you use these evaluation versions for a trial period of time (30
days), we urge you to order one of the commercial versions (see order
form at end of this document).
The commercial versions (XFICHECK or PFICHECK) offer advanced,
sophisticated state-of-the-art capabilities. But don't just take our
word for it, use the supplied evaluation versions to know what kind of
quality you can expect. For more information on the commercial
versions, see the pages of this document describing XFICHECK / PFICHECK.
ATTENTION
FICHECK/MFICHECK are protected by federal copyright laws. We do grant
you the right, however, to distribute and use these evaluation versions
as long as the following criteria are met:
1) The supplied programs and documentation are to be distributed as
a group consisting of the following: FICHECK.EXE, MFICHECK.EXE,
PROVECRC.EXE, PROVE.BAT, FICHECK5.DOC, and READ.ME files. They
are NOT to be unbundled.
2) No modifications, disassemblies, alterations, removal of
copyrights or other alterations are to be made, and no additional
files are to be added to the above six files.
3) No fee or monetary consideration is to be charged. Diskette
copying/distribution services may not charge more than $5.
4) The six files that comprise this evaluation package (as described
in number 1 above), are NOT to be bundled, included, or used with
any other product(s) or service(s).
5) You can NOT charge fees to evaluate disk drives with this product.
6) A 30 day trial period is granted. Afterward, you may either order
one of the commercial versions or destroy the evaluation copies.
FICHECK 5.0 / MFICHECK 5.0 - January, 1989
TABLE OF CONTENTS
FICHECK 5.0 / MFICHECK 5.0 - January, 1989
     Introduction
     Introducing FICHECK / MFICHECK
     CRC Checking vs MCRC Checking
     Using FICHECK / MFICHECK
     Using FICHECK / MFICHECK - Interactive Usage
     Using FICHECK / MFICHECK - Command Line Usage
     Using FICHECK / MFICHECK - Optional Settings
     More Information and Final Remarks
XFICHECK and PFICHECK - The Commercial Versions
     Explanation
     Ordering Info
     Bonus!
XFICHECK / PFICHECK Order Form
FICHECK/MFICHECK User Guide - (C)Copyright 1988,89, Gilmore Systems
Introduction
Computer viruses have now become an international concern. They've
infected places such as NASA, EDS (subsidiary of GM), universities such
as Lehigh University, Miami University, the ARPANET network, and
countless other firms as well as individuals. Major software houses are
not immune either. If they admit being struck by a virus, nobody would
buy their software. You know things are getting bad when you buy a name
brand software package at a computer store and find that it's infected
by a virus!
Just what IS a computer Virus?
A computer virus is a small piece of code contained within a seemingly
innocent program. What's unique about the code is that when the program
is run, it attaches itself to other programs. When those other programs
are run, the virus inside them seeks out and attaches itself to yet more
programs on your disks. These other programs (the targets) can be ANY
program including your operating system (ie: command.com). Depending on
what instructions are present within the viral code, the results can be
quite severe - anything from wiping out your entire fixed disk to
ruining your data to altering video I/O functions so that your CRT
explodes! These catastrophic results are usually not carried out right
away - the people writing these viruses usually set "time bombs" in the
viral code. These "time bombs" can be anything - when a certain date is
reached, or a certain memory location is written to with a certain
value, or the number of files on your disk reaches a certain number, or
you run a program a certain number of times - these are just a few
examples of "triggers" that viruses set and look for. When the
"trigger" happens, then the viral code does its catastrophic dirty work.
Bulletin Board Systems
In addition to spreading computer viruses by infected software houses,
Bulletin Board Systems are a major target for the people who derive
pleasure out of writing viral code. ANY program on a BBS can be
downloaded by ANYONE. The person downloading a program from a BBS may
be a "virus implanter" and implant the downloaded program with a virus,
then upload it to other BBS's where perhaps thousands of people will
download the infected version of the program. The problem is reaching
epidemic proportions and as a result, some companies have banned the
downloading of programs from BBS's. This is indeed a shame, since BBS's
are there for the sharing of knowledge, information, and the opportunity
to get talented programmers' works known.
How Can I Tell If MY Computer Has Infected Programs?
Simply put, YOU CANNOT! That's the scariest part of it all. Viruses
may lie dormant for months or years on an infected system before they
show their symptoms. Programs will continue to run normally until one
day when the "trigger" is reached.
What Can I Do to Stop a Potential Virus?
There are some viral-fighting programs available such as FLU-SHOT, and
versions of VACCINE. These programs attempt to block viruses from doing
things that viruses typically do. They attempt to block any altering of
COMMAND.COM or your other operating system's system files. They try to
alert you of low-level disk writing. These programs look for other
things as well but may slow your system down as a result. Some require
you to make lists of approved programs and TSR's. The problem with
these programs is that they are running on your system which may
contain a virus that looks for these particular programs and renders
them inactive or makes them think that everything's ok (sounds like
AIDS, doesn't it?) while they do their dirty work. The original version
of FLU-SHOT was found to contain a virus itself (NOT from the original
author), although newer versions have been corrected. Because of this,
we urge you to download virus detection programs from the BBS's of their
original authors (ie: Gilmore Systems' BBS for FICHECK, Ross
Greenberg's BBS for FluShot, etc).
Introducing FICHECK / MFICHECK
FICHECK and MFICHECK are programs which differ from vaccine-type
programs and other programs that attempt to find, block, or alert you to
viruses. FICHECK does none of these things. As a matter of fact,
FICHECK can't even be run from your fixed disk! FICHECK is a preventive
medicine program which sort of takes a snapshot (x-ray) of your entire
fixed disk(s) and logs it to a file. The things FICHECK logs are the
date, time, size, attribute, and CRC (Cyclic Redundancy Check) of every
file on your fixed disk(s). It looks for differences in all of these
things whenever you decide to run it again and alerts you to any
changes. Any changes potentially mean a virus is at work - Viruses have
to alter files in some way in order to spread themselves. MFICHECK does
the same thing as FICHECK except it uses our unique MCRC (Modified
Cyclic Redundancy Check) instead of standard CRC checking.
FICHECK also checks the CRC of your master boot record/partition table
(MFICHECK checks the MCRC of your master boot record/partition table)
and logs this information as well as available disk space and FAT (File
Allocation Table) ID byte. When these programs compare your actual disk
information against the log (boot record info, FAT ID byte, disk space,
all file parameters: date, time, size, attribute, CRC or MCRC), any
discrepancies are reported to you, suggesting a possible virus at work -
especially if the master boot record/partition table info has been
changed.
FICHECK and MFICHECK can also optionally check your system's interrupt
vectors for changes.
Because of the nature of how FICHECK and MFICHECK work, you'll quickly
find that they double as a complete file tracking system. In essence,
these programs serve a dual purpose.
CRC checking vs MCRC checking
CRC (cyclic redundancy check) is a sophisticated check of sequential
bytes in a file resulting in a unique number for that file. This unique
number should change in the event any one or more bytes of the file
change. If the CRC number for the file changes, it indicates the file
has changed.
CRC has been around for many years in communications protocols for
transferring files from one computer to another over telephone lines
with modems. When sending files across telephone lines, CRC checking
does its job very well to ensure that the data the receiving computer
gets matches the data the sending computer sends.
CRC was designed specifically for communications between computers.
However, CRC IS NOT A RELIABLE METHOD FOR DETECTING CHANGES TO FILES
THAT ALREADY EXIST ON YOUR DISK SYSTEM! Later in this document, we'll
prove that to you with a program that will alter a file and keep its CRC
intact.
Basically, a resident virus on your system has all day to modify your
files and keep the original CRC of those files the same. So-called
anti-viral or file checking programs claiming to alert you of changes to
your files based solely on CRC checking will offer no protection against
virus or trojan programs capable of file alteration while maintaining
CRC integrity.
MCRC is a unique, modified CRC check developed exclusively by us at
Gilmore Systems for the sole purpose of checking files on your disk
system for modification. Our MCRC check is a highly reliable, state of
the art check used in determining changes to files on your disk system.
While CRC can be fooled by clever viruses and trojans, MCRC does NOT
fall victim to these file altering programs. MCRC will detect changes
to files where CRC shows no change.
You may be asking yourself at this point - what if some hacker tears
apart our code and discovers our MCRC algorithm, then incorporates a
means of modifying files in his virus programs which leave MCRC intact?
This is an excellent question but rest assured that if this happens,
standard CRC checking will show the change. In other words, one or the
other of CRC or MCRC (but not both) will change with an altered file.
As promised earlier, here's how to work the PROVECRC.EXE program which
will prove to you that file alteration is possible without affecting the
original CRC.
***
*** IMPORTANT: Before you try this example, read the rest of this user's
*** manual completely, then come back to this example!
***
First, choose a file between 25 and 32,000 bytes in length to be altered
(if you can't think of any, use our PROVECRC.EXE program as the file
itself). Next, enter the following on the DOS command line:
PROVECRC INFILE OUTFILE
where INFILE is the name of the file to alter, and OUTFILE is the name
of the file to store the altered copy in. INFILE will remain intact,
but OUTFILE will have an altered copy of INFILE which retains the same
CRC as INFILE and the same date, time, size, and attributes. Next, run
a CRC checking program (or use FICHECK.EXE as described later in this
document with the "/s=" option) to show the CRC of INFILE and OUTFILE,
noting that the CRC values of each file are identical. Repeat this
process with MFICHECK.EXE, noting the different MCRC values for each
file. You can also run the DOS COMP program to prove that the two files
are indeed different!
The above process can be automated with the PROVE.BAT file provided.
Simply enter the following on the DOS command line:
PROVE INFILE OUTFILE
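
The effect PROVECRC demonstrates, as an added example that is not part of the original package or this document's own code: a same-size change that leaves a CRC untouched, next to a cryptographic digest that exposes it. The document does not say which CRC FICHECK computes, so this assumes the CRC-32 in Python's zlib; the sample bytes and all function names are constructed for illustration.

```python
import hashlib
import zlib

# zlib's CRC-32 uses the reflected polynomial 0xEDB88320 with the x^32 term
# implied. Restoring that term gives the full 33-bit generator laid out in the
# order zlib consumes bits (least significant bit of each byte first).
# A CRC cannot see any difference that is a multiple of its generator.
GENERATOR_PATTERN = ((0xEDB88320 << 1) | 1).to_bytes(5, "little")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def crc_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """Check the property behind the weakness: for equal-length inputs,
    crc(a ^ b ^ c) == crc(a) ^ crc(b) ^ crc(c)."""
    if not (len(a) == len(b) == len(c)):
        raise ValueError("inputs must have equal length")
    combined = zlib.crc32(xor_bytes(xor_bytes(a, b), c))
    return combined == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)


def alter_keeping_crc32(data: bytes, offset: int) -> bytes:
    """Return a same-length copy of data that differs at offset yet has the
    same CRC-32, by XORing in the generator pattern."""
    if offset < 0 or offset + len(GENERATOR_PATTERN) > len(data):
        raise ValueError("pattern does not fit inside the data")
    out = bytearray(data)
    for i, b in enumerate(GENERATOR_PATTERN):
        out[offset + i] ^= b
    return bytes(out)


def fingerprint(data: bytes) -> dict:
    """What an integrity log could record about a file's contents."""
    return {
        "size": len(data),
        "crc32": zlib.crc32(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def changed_fields(before: dict, after: dict) -> list:
    """Names of the logged fields that differ between two fingerprints."""
    return sorted(k for k in before if before[k] != after[k])


# Constructed sample standing in for INFILE; OUTFILE is the altered copy.
INFILE = b"MZ" + bytes(range(256)) * 4
OUTFILE = alter_keeping_crc32(INFILE, offset=64)

if __name__ == "__main__":
    print("files differ:  ", INFILE != OUTFILE)
    print("INFILE  crc32: ", hex(zlib.crc32(INFILE)))
    print("OUTFILE crc32: ", hex(zlib.crc32(OUTFILE)))
    print("fields changed:", changed_fields(fingerprint(INFILE), fingerprint(OUTFILE)))
```

A log that records only size and CRC reports no change for OUTFILE; the SHA-256 field is the only one that differs.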
------------------------------------------------------------------------
IMPORTANT NOTE:
Throughout the remainder of this document:
We will use FICHECK to mean either of FICHECK.EXE or MFICHECK.EXE
Both are identical except
FICHECK does CRC checking
MFICHECK does MCRC checking
We use the terms "hard disk" and "fixed disk" interchangeably
------------------------------------------------------------------------
Using FICHECK / MFICHECK
You should have the following programs/files on your disk:
FICHECK5.DOC - this document
FICHECK.EXE - the FICHECK version 5.0 program
MFICHECK.EXE - the MFICHECK version 5.0 program
PROVECRC.EXE - the CRC disprover program
PROVE.BAT - batch file for PROVECRC.EXE
READ.ME - text of announcements, changes, etc.
If you've used previous versions of FICHECK/MFICHECK, please destroy and
replace them with these newer versions. These newer versions (version
5.0) are upward compatible with the logs created by version 4.x (but not
versions lower than 4.0).
FICHECK should NOT be placed on your fixed disk - it will ONLY RUN FROM
A FLOPPY, and furthermore, DOS MUST BE BOOTED FROM THAT FLOPPY DISK!
Why all the hassle of booting from and running from a floppy? Simple.
If you boot from a fixed disk, you may be booting from an infected copy
of your operating system, starting an infected TSR, have an infected
device driver, or may have run an infected program. If you boot from
floppy, you don't give the viruses on your fixed disk a chance to become
active. Therefore, the first thing you should do in order to prepare
for using the FICHECK program is:
1) Boot DOS from your ORIGINAL distribution disk.
2) Format a bootable floppy. (use the command "FORMAT A:/S")
3) Copy FICHECK.EXE to the newly formatted disk.
4) Diskcopy this new disk for as many fixed disk drives or logical
drives you have on your system and label each one for a specific
drive (ie: FICHECK for drive C:, FICHECK for drive D:, etc).
Anytime you want to run FICHECK, you should first turn your computer
OFF, then back on with the bootable FICHECK diskette in drive A:
(Hitting Ctrl-Alt-Del may not get rid of actively running viruses).
FICHECK can be run in one of two ways: interactively or with command line
arguments.
Running FICHECK Interactively
Simply type and enter "FICHECK" on the command line (without quotes).
You'll be presented with a screen containing 3 sets of fields to fill
in:
1) The Drive Letter of the fixed disk you wish to check.
2) The Processing Option you wish FICHECK to perform.
3) The filename extensions of the files you wish to check.
The first field simply asks for the drive letter of the fixed disk drive
you wish to check.
The second field has one of three answers: N, C, or P which stand for
New, Check, and Print, respectively. The first time you run FICHECK you
should choose N which will scan your fixed disk and log a "snapshot" of
your files, master boot record/partition table, FAT (file allocation
table) ID byte, disk free space, and interrupt vectors. FICHECK will
create 2 log files on floppy drive A named DRIVEx.CCK (holding file
information), and DRIVEx.CDI (holding boot record and space information)
where the "x" is the drive letter of the drive that's being logged (Note
that MFICHECK uses extensions of ".MCK" and ".MDI" instead). You should
run FICHECK with the N option after every BACKUP or immediately before
running a new program, or whenever appropriate. Using the N option logs
all files which may have been added since the last time you used the N
option.
Choosing C or P requires that your printer be turned on (writes to LPT1
or PRN). After running N, you should re-run the program choosing P for
a readable hardcopy of the log (P runs at lightning speed).
Run FICHECK with the C option any time after you've run a new program
such as one that may have been downloaded from a BBS (or even purchased
from a store). Besides after running a new program, it would be very
beneficial to give your disk a weekly checkup by running FICHECK with
the C option. FICHECK will print any discrepancies in checks of the
actual files on your fixed disk against the log entries, as well as
report on any deleted or added files, and any removed or added
directories, changed volume names, changed master boot record/partition
table info, FAT ID byte, disk free space, and optionally - changed
interrupt vectors. This report should alert you to possible infection
by viruses present on your system and which files or programs may have
become infected. Some discrepancies are normal:
- If you're a programmer, the only EXE, COM, OBJ, LIB, SYS or BAT
files that should have changed are the ones YOU create or modify.
- If you've edited an existing text file this will be reported
by FICHECK if you've used "*" or supplied its extension.
- Many programs modify data files (ie: database programs modify
database files, games may modify their own data files, etc). This
is normal but will be reported by FICHECK nonetheless.
- If you've asked for the Interrupt Vector report, some changes to
interrupts are normal - consult with an experienced technical
programmer about any reported changes.
The third field lets you enter anywhere from 0 to 10 different
extensions (filename extensions) which can be anywhere from one to three
characters including the wildcards (? and *). If you're not familiar
with wildcards, please consult your DOS manual. Whenever you specify
extensions, FICHECK only looks for and checks filenames on your fixed
disk that match the extensions you supply. For instance, if you supply
EXE, COM, SYS, and BAT (which we recommend as a minimum), FICHECK will
only check or look for files matching those extensions (ie: *.EXE,
*.COM, *.SYS, and *.BAT). Some programs use overlays, usually matching
the OV? extension. For maximum protection, use "*" by itself (without
quotes) to check and look for EVERY file on your fixed disk (including
those without any extensions). If you use "*" (without quotes) by
itself, ALL files on your fixed disk will be specified, whereas if you
use "*" as in "XX*", all files matching "XX*" will be specified along
with any other extensions you specify (if any). If you don't enter any
extensions, "*" will default (ALL files). NOTE: WE VERY STRONGLY
SUGGEST USING "*" (without quotes) EVERY TIME YOU USE "FICHECK" - NO
MATTER WHICH OPTION (N,C,P) YOU CHOOSE.
Once all three fields have been filled in by you, press the F2 key on
your keyboard to start processing. Anytime before pressing F2, you can
press F1 for brief help with the field you're on, or F10 to quit the
program.
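
The N (new) and C (check) passes described above, sketched as an added example that is not Gilmore Systems' code: a log of per-file metadata plus a content digest, then a comparison that reports changed, added and deleted files under the same extension wildcards. It assumes SHA-256 in place of the product's CRC/MCRC and the host's stat fields in place of DOS attributes; the directory tree, file names and function names are constructed.

```python
import fnmatch
import hashlib
import os
import tempfile


def wanted(name, extensions):
    """True if the file's extension matches one of the wildcard patterns.
    "*" alone matches every file, including those with no extension."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    return any(fnmatch.fnmatchcase(ext, pat.lower()) for pat in extensions)


def snapshot(root, extensions=("*",)):
    """The N pass: log size, time, attribute bits and digest of each file."""
    log = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not wanted(name, extensions):
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            log[os.path.relpath(path, root)] = {
                "size": st.st_size,
                "mtime": st.st_mtime_ns,
                "mode": st.st_mode,
                "sha256": digest,
            }
    return log


def check(log, root, extensions=("*",)):
    """The C pass: compare the files on disk against the log."""
    logged = {p: r for p, r in log.items()
              if wanted(os.path.basename(p), extensions)}
    current = snapshot(root, extensions)
    report = {
        "added": sorted(set(current) - set(logged)),
        "deleted": sorted(set(logged) - set(current)),
        "changed": {},
    }
    for path in sorted(set(logged) & set(current)):
        diffs = [f for f in logged[path] if logged[path][f] != current[path][f]]
        if diffs:
            report["changed"][path] = diffs
    return report


def demo(extensions=("*",)):
    """Log a constructed tree, tamper with it, and return the check report."""
    with tempfile.TemporaryDirectory() as root:
        samples = [("COMMAND.COM", b"shell"), ("GAME.EXE", b"original code"),
                   ("NOTES.TXT", b"text"), ("README", b"no extension")]
        for name, body in samples:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        log = snapshot(root, extensions)

        # Same-size overwrite with the original timestamps put back, so
        # size, date and time all still match the log.
        target = os.path.join(root, "GAME.EXE")
        st = os.stat(target)
        with open(target, "wb") as fh:
            fh.write(b"modified code")
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))

        with open(os.path.join(root, "NEW.COM"), "wb") as fh:
            fh.write(b"dropped")
        os.remove(os.path.join(root, "NOTES.TXT"))
        return check(log, root, extensions)


if __name__ == "__main__":
    print(demo())
    print(demo(("exe", "com", "sys", "bat")))
```

As with the boot floppy in this guide, the log is only trustworthy if it is kept on media the monitored system cannot write to.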
Running FICHECK With Command Line Arguments
You can run FICHECK with command line arguments in one of three methods:
method 1: FICHECK d: /n=EXT | /c=EXT | /p=EXT [/o=OUTFILE]
method 2: FICHECK /s=FILESPEC
method 3: FICHECK /v
Method 1
The arguments are not case sensitive so feel free to use lower and/or
uppercase characters. Spacing is not important either, use spaces
wherever you want or none at all. The argument definitions are:
d:            - The drive letter of the fixed disk drive to check.
/n=           - Identical to N of field 2 of interactive usage.
/c=           - Identical to C of field 2 of interactive usage.
/p=           - Identical to P of field 2 of interactive usage.
EXT           - Identical to field 3 of interactive usage. Extensions
                must be separated by commas.
[/o=OUTFILE]  - The brackets surrounding this argument mean it's
                optional - don't use the brackets. /o=OUTFILE if
                present, will print output to the filespec specified
                by OUTFILE instead of your printer. OUTFILE should
                contain a COMPLETE PATH INCLUDING DRIVE. Note that
                printed output (which would be routed to OUTFILE)
                takes place when the C or P options are used.
Note that ONLY ONE of /n=, /c=, or /p= is to be used (just as in the
interactive mode).
Examples:
FICHECK c: /n=*                   creates new log of ALL files on drive C
FICHECK c: /n=exe,com,sys,bat     creates new log of files on drive C:
                                  matching *.exe, *.com, *.sys, *.bat
FICHECK e:/p=*                    makes a readable hardcopy of everything
                                  in the DRIVEE.CCK log. Also useful for
                                  a great "enhanced" disk drive listing.
FICHECK e:/p=* /o=c:\log_e        same as above but creates file C:\LOG_E
                                  and prints to this file instead of your
                                  printer.
FICHECK f:/c=*                    checks drive F against the log
                                  DRIVEF.CCK and prints any discrepancies
                                  on your printer.
FICHECK f: /c=* /o=c:\report      same as above but creates file
                                  C:\REPORT and prints to this file
                                  instead of your printer.
FICHECK d: /c=exe,com,sys,bat     checks drive D against log DRIVED.CCK
                                  and prints any discrepancies on your
                                  printer. Note that only *.exe, *.com,
                                  *.sys, and *.bat will be checked
                                  against the matching log entries.
Method 2
FICHECK / MFICHECK has the ability to scan single files (or groups of
files via wildcards) for CRC calculation (or MCRC calculation with
MFICHECK). This feature is invoked by using the "/s=" option. Note
that when "/s=" is used, no other command line arguments are allowed.
Also note that when "/s=" is used, you are not limited to hard disks -
you may specify floppy drives. When "/s=" is used, the file(s) will be
listed along with their size, date, time, attribute, and CRC or MCRC.
Examples:
FICHECK /s=*.exe           calculates and displays info on *.exe files
                           in current directory.
FICHECK /s=c:\ibmbio.com   calculates and displays info about
                           c:\ibmbio.com
FICHECK /s=a:\*.bat        calculates and displays info about all *.bat
                           files found in current directory for drive A:
FICHECK /s=*.* >prn        calculates and prints info (on printer) about
                           all files in current directory and drive.
NOTE: Logs are not used, created, read, or modified when the "/s="
option is used. Also note that the "/s=" option is only available
during command line processing and that no other options are
allowed when "/s=" is used.
Method 3
FICHECK incorporates code that can test itself to see if any changes to
itself were made. To test the validity of FICHECK, simply enter:
FICHECK /v
FICHECK will then perform a validity test of itself. You should use
this method periodically to ensure that FICHECK has not become infected
or altered in any way.
*******************************************************
*** Changing the FICHECK/MFICHECK screen appearance ***
*******************************************************
The FICHECK screen was designed with color monitors in mind. Although
FICHECK incorporates code to automatically detect your monitor type
(color or monochrome), you can force changes to the screen appearance by
use of an environment variable. To do this, enter one of the following
on the DOS command line prior to starting FICHECK (you only need to do
this once unless you restart your machine):
SET SCRMODE=MONO
SET SCRMODE=OTHER
If you have a color monitor and don't like the blue background, you
would use the SET SCRMODE=MONO command above. If you have a nonstandard
monitor and the FICHECK screen doesn't display properly, use the SET
SCRMODE=OTHER command above. To turn off these commands (defaulting
back to the built in auto-detection), enter "SET SCRMODE=" (without
quotes).
********************************************
*** Reporting/Checking Interrupt Vectors ***
********************************************
In addition to changing the screen appearance above, there is 1
additional environment setting which you can use with FICHECK:
SET INTREPORT=YES
SET INTREPORT=NO
Although FICHECK logs interrupt vectors during the N (new) option, it
will not print or check them during P (print) or C (check) options
unless you set the above environment variable to YES.
************************
*** MORE INFORMATION ***
************************
Even if you only plan on using FICHECK/MFICHECK in the interactive mode
of operation, you should still view the help screens by entering one of
the following on the DOS command line:
FICHECK /help
MFICHECK /help
There are 4 screens of help which will present themselves. The last
screen also provides information on our commercial XFICHECK (eXtended
FICHECK) and our PFICHECK (Professional FICHECK).
***********************************
*** IMPORTANT FINAL REMARKS ***
***********************************
Whenever booting your system from a floppy, it is extremely important to
boot from the same version of DOS on floppy as that on your fixed disk!
Running FICHECK with the N option will only log the current state of
your files on your fixed disk(s), which may already contain infected
files. Subsequent runs using the C option alert you to any changes
which may have occurred. Any of the changes reported is an alert of a
potential virus. If a file has changed that shouldn't have, remove it
from your system immediately and replace it with the same file from your
original distribution diskette. If COMMAND.COM, IBMBIO.COM, or
IBMDOS.COM have changed on your drive C, turn off your computer
immediately. Insert your original DOS diskette in Drive A and restart
your computer. Once restarted, do a "SYS C:" to overwrite these files
to the way they should be. If COMMAND.COM was the only file that
changed, turn off your computer immediately. Insert your original DOS
Diskette in Drive A and restart your computer. Once restarted, do a
"COPY COMMAND.COM C:" or to the appropriate disk drive.
FICHECK searches all file attributes - system, hidden, etc. Once
processing has started, FICHECK starts a timer and when processing
finishes, FICHECK prints how long it ran. On computers running at 4.77
MHz such as the original IBM XT's, FICHECK may take a while to complete
its job. On computers such as the IBM PS/2 Model 80 running at 20 MHz,
FICHECK flies right through. We've incorporated fast algorithms so that
FICHECK will run through your system as fast as possible.
It's pretty difficult to evade a CRC (cyclic redundancy check) of your
files, not to mention changing file size by adding a couple of bytes or
so.
Clever viruses install themselves over unused portions of program files,
and manage to keep the same size, date, time, and attribute of the file.
But even with these protective checks, CRC does not rule out that some
clever deviant may code a virus to attempt to match the original CRC of
a file it altered. There are no reports of this yet, but as more CRC
checking programs such as this are in use, virus-writing programmers
will have to incorporate code (mutations) to match the CRC of the
original file when they alter it. It's not a small task for them,
however CRC checking is a well known method. If you can test a file for
CRC, you can alter a file such that its CRC stays the same. Because of
this, we offer another version of FICHECK (MFICHECK or Modified FICHECK)
which uses a unique, modified CRC check which is not known to the
virus-writing programmers (and we won't make the method public in order
to protect you). Since the modification we made to the CRC algorithm is
unknown to anyone but us, a virus-writing programmer will not know how
to defeat the check. The MFICHECK program is distributed with FICHECK,
and its operation is identical to that of FICHECK with 2 exceptions: 1)
it uses an extension of ".MCK" and ".MDI" instead of ".CCK" and ".CDI",
and 2) it uses our unique Modified CRC (MCRC) check instead of standard
CRC checking.
We also anticipate these deviant virus-writing programmers to hack away
at our MFICHECK program in an attempt to discover the MCRC checking
algorithm so that the viruses they write can also modify your programs
and files to match our MCRC values. Have no fear - we have a solution
to that too. Although it's possible for a virus to alter the contents of
a file and cleverly maintain the same CRC value, the MCRC value will
change. Likewise, if the virus incorporates code that alters a file and
cleverly maintains the same MCRC, the CRC value will change. No matter
what the virus does to your files, if it is altered in any way, either
the CRC or the MCRC has to change. It is virtually impossible to alter
a file and maintain both the original CRC and MCRC values - one or the
other will change and will be detected by our File Integrity Checking
programs. You could employ this dual checking method by running
FICHECK, then immediately running MFICHECK but that would be too time
consuming to be worth the bother - we have another solution - read on!
XFICHECK and PFICHECK - The Commercial Versions
Explanation
Our commercial XFICHECK (eXtended FICHECK) for $15, incorporates both
CRC and MCRC checking in a single pass, and doesn't take much longer to
run than MFICHECK. The added security and peace of mind of dual-checking
for CRC and MCRC alone is worth the price, but that's not all XFICHECK
does. XFICHECK does everything FICHECK and MFICHECK do together, AND
has more features:
- Dual CRC and MCRC checking in a single pass! Saves enormous time!
Can optionally be forced to do CRC or MCRC only.
- Allows Exclusion of extensions from searches as well as inclusion
(saves more time!)
- Can optionally ignore the archive bit of the attribute byte
(eliminates long reports when C option is used after a backup is
performed).
- Records information on ALL bootable partitions (FICHECK only does
the master boot record/partition table).
- Stores actual master boot record/partition table and ALL separate
boot partitions on disk - saves this in a hidden/read-only file on
floppy disk.
- Can optionally restore master boot record/partition table and any
of the separate boot partitions.
- Can optionally be run from hard disk (without boot from floppy and
without starting the program from floppy - NOT RECOMMENDED).
- Reports on disk space also include: available clusters, total
clusters, bytes per sector, and sectors per cluster as well as any
changes to them. This is in addition to disk free space and FAT ID.
- Can be run from the command line to do a quick CRC and MCRC of any
file or group of files on any disk (including floppies). Does not
require or use the log.
- Reports all files within new directories (those not logged).
- Shows before and after values of any changed interrupt vectors.
- Stores information in the log as to its creation criteria:
- search extensions specified in creation
- search extensions excluded in creation
- date/time of log creation (independent of date/time of file)
- Log creation criteria (above) are printed in all reports along with:
- search extensions specified for current report
- search extensions excluded for current report
- date/time of current report
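The single-pass dual check described in this section, sketched as an added example (not Gilmore Systems' code): each file is read once, every block feeds both checks, and the report names which check moved. The MCRC algorithm is not published, so a keyed HMAC-SHA256 stands in for it as an assumption; the key, file names and contents are constructed sample data.

```python
import hashlib
import hmac
import os
import tempfile
import zlib

def dual_check(path, key, chunk=65536):
    """Read the file once and feed every block to both checks."""
    crc, mac = 0, hmac.new(key, digestmod=hashlib.sha256)  # HMAC stands in for MCRC
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            crc = zlib.crc32(block, crc)
            mac.update(block)
    return crc, mac.hexdigest()

def build_log(root, key, exclude=()):
    """Map each relative path to its (CRC-32, keyed digest) pair."""
    log = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].upper() not in exclude:
                log[os.path.relpath(full, root)] = dual_check(full, key)
    return log

def compare(old, new):
    """List new, missing and changed files, naming the check that moved."""
    report = []
    for name in sorted(old.keys() | new.keys()):
        if name not in old or name not in new:
            report.append((name, "new" if name in new else "missing"))
        elif old[name] != new[name]:
            moved = [label for label, a, b in
                     zip(("CRC", "keyed"), old[name], new[name]) if a != b]
            report.append((name, "changed: " + "+".join(moved)))
    return report

def demo():
    key = b"constructed-demo-key"  # assumption: kept off the checked disk
    with tempfile.TemporaryDirectory() as root:
        def put(name, data):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        put("A.COM", b"plumless")  # constructed sample contents
        put("B.EXE", b"original program")
        baseline = build_log(root, key)
        put("A.COM", b"buckeroo")  # same CRC-32 as "plumless"
        put("B.EXE", b"patched program")
        put("D.SYS", b"new driver")
        return compare(baseline, build_log(root, key))
```

In the sample, A.COM changes content while its CRC-32 stays the same, so only the second check reports it; a CRC-only log would have shown that file as unchanged.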
PFICHECK (Professional FICHECK) for $20, has all of the above features
of XFICHECK but is geared more for the corporate or other user who needs
more computing power and flexibility:
- Update feature can create new logs during the C (checking) process.
- Can override floppy logs, and read/write/process logs on hard disk.
- Sophisticated ERRORLEVEL return for batch processing.
- Can run on Local Area Networks (LANs) - won't abort if it can't
open a file that's in use.
Ordering Info
************************
*** Order Today! ***
************************
If you've obtained this copy of FICHECK from a friend or BBS (shared
programs), there is NO guarantee that your copy of FICHECK hasn't become
infected by a virus. We cannot guarantee that somebody didn't download
this program, infect it (purposely or accidentally), and pass it on by
uploading it to other BBS's or giving it to friends. If there's any
question about integrity, download FICHECK5.ARC from our BBS.
Once you've tried FICHECK/MFICHECK for 30 days and are satisfied, order
one of our commercial versions (see last page of document for order
info).
Unless you specifically request a 3-1/2" micro-floppy disk, we will send
you a 5-1/4" floppy disk. FICHECK, MFICHECK, XFICHECK and PFICHECK will
run on all true IBM compatible computers running the IBM PC-DOS or
MS-DOS operating systems versions 2.0 and above. Some fixed disks
require drivers which should be placed on your boot diskettes from the
original driver distribution diskette. FICHECK, MFICHECK, XFICHECK and
PFICHECK will run on the entire family of IBM (and compatible) computers
ranging from the XT to all of the PS/2 models. Fixed disks containing
the OS/2 operating system and associated files can also be checked since
they maintain the same file structure as DOS - you must still format DOS
bootable diskettes to use the programs.
To order, send $15 for XFICHECK (Calif. residents add .98 sales tax), or
$20 for PFICHECK (Calif. residents add 1.30 sales tax) to:
Gilmore Systems
P.O. Box 3831
Beverly Hills, CA 90212-0831
- or call us with your VISA/MC number at (213) 275-8006 -
- or use your Visa/MC online (our "Virus Info" BBS) at (213) 276-5263 -
Bonus!
***************
*** ***
*** Bonus! ***
*** ***
***************
As a bonus for ordering, we will grant you 6-months of usage on the
"Virus Info" section of our BBS which deals with the topic of Computer
Viruses. The "Virus Info" file section has text files, programs, source
code and news articles ready for downloading. The "Virus Info" file
section is only visible and available to those who've purchased our
commercial XFICHECK or PFICHECK programs. All other sections are
available to all callers - so give our BBS a call and browse around -
download the file that lists all files on the board (includes list of
files in the "Virus Info" file section). Public message section is also
available.
Many companies such as ours use BBS systems to exchange and share
information, ideas, new technologies, programs, tools, and multitudes of
other things. How can we continue to use these invaluable offerings in
fear of destruction of your most valuable programs, data, or even
hardware? We hope that our "File Integrity Check" programs will offer
you security against these fears and at the same time inspire other
programmers to create other anti-viral or preventive computer medicine
type programs.
- Chuck Gilmore, President
XFICHECK / PFICHECK Order Form Page 18
Please Print Clearly
Your Name: ____________________________________________________
Shipping Address: _____________________________________________
_____________________________________________
_____________________________________________
Phone Number: (______) ______-________
How did you hear of us? _______________________________________
_______________________________________
Check Diskette Type: ____ 5.25" diskette ____ 3.5" diskette
Computer Type: __________________________
___ Professional File Integrity Checker @ $20 ea (PFICHECK) - _____.____
If in California, add $1.30 ea sales tax - _____.____
___ eXtended File Integrity Checker @ $15 ea (XFICHECK) - _____.____
If in California, add $0.98 ea sales tax - _____.____
Each Order includes 6 mos BBS access. Add $5 ea for 12 mos - _____.____
Total: _____.____
We pay shipping/handling. Enclose payment in U.S. funds, or charge to:
VISA or MC # ________-________-________-________ Expiration: ____/____
Name (EXACTLY as on Credit Card): ______________________________________
Today's Date __/__/__ Signature: ______________________________________
Send to:
Gilmore Systems
P.O. BOX 3831
Beverly Hills, Calif. 90212-0831
U.S.A.
Contact us (voice) at (213) 275-8006 for: - Site Licensing Info
- Dealer Inquiries
- Quantity Discounts
- Faster Credit Card Orders
Credit card purchasers can also order online on our BBS at (213)276-5263