[comp.sys.ibm.pc] Review of IBM Virus Protection Programs

BEC.SHAPIN@ECLA.USC.EDU (Ted Shapin) (06/16/88)

This file is IBMPROT.DOC.
Reviews of Virus Protection Programs
Please feel free to add to this list.
Version 1, 6/15/88, T. Shapin
===============================================================
Class 1 are programs that warn of changes to system files after the fact.
These methods either compute some sort of CRC or hash sum, or compare a
file against a copy of the file.  While it is theoretically possible
for a particular CRC to be forged, each program seems to use a different
algorithm for the computation so that different values are obtained.
Furthermore, each version of DOS will give different values, so I
doubt that the signature can be forged practically.
===============================================================
CHKSUM.ARC, contains: CHKSUM.C, CHKSUM.DOC, CHKSUM.EXE, CRC16.C, STOI.C. 
From: Bob Taylor, compiled using Turbo C 1.5. 
What it does: Computes a redundancy check (CRC) for any file, (including 
system and hidden), and compares a computed CRC for a file with a specified 
one given as a parameter to the program. Wildcard file names and more than one 
filename can be supplied as parameters. Either gives a warning message or 
optionally sets a return code. On a vanilla 4.77 MHz PC, it takes about 7 
seconds to check all three system files. 
Evaluation:  Fast and very useful. [T.S.]
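As an added illustration of the Class 1 approach (this is not code from CHKSUM or any other program listed here): a baseline of file size plus CRC-16 is recorded once, re-checked later, and the result is reported as a return code a batch file could test. The CRC polynomial, the in-memory "files" and the system file names are constructed for the example.

```python
# Added example, not part of Shapin's list or any program reviewed here.
# A Class 1 "after the fact" checker in the style of CHKSUM/CHECK-OS:
# record size and CRC-16 of each protected file, then re-check and set a
# return code. The files are constructed in memory so this runs offline.

def crc16(data: bytes) -> int:
    """CRC-16 with the reflected 0x8005 polynomial (CRC-16/ARC), init 0.
    Chosen for the example; the reviewed programs each use their own."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def make_baseline(files: dict) -> dict:
    """files maps a name to its contents; returns {name: (size, crc)}."""
    return {name: (len(data), crc16(data)) for name, data in files.items()}

def check(files: dict, baseline: dict) -> tuple:
    """Return (errorlevel, names). errorlevel 0 = all files match the
    baseline, 1 = size or CRC changed, 2 = a baselined file is missing."""
    changed, missing = [], []
    for name, (size, crc) in baseline.items():
        if name not in files:
            missing.append(name)
        elif (len(files[name]), crc16(files[name])) != (size, crc):
            changed.append(name)
    if missing:
        return 2, missing
    return (1 if changed else 0), changed

# Constructed stand-ins for the three DOS system files (contents are fake).
SYSTEM_FILES = {
    "IBMBIO.COM": b"\xE9\x10\x00" + b"BIOS" * 100,
    "IBMDOS.COM": b"\xE9\x20\x00" + b"DOS" * 200,
    "COMMAND.COM": b"\xE9\x30\x00" + b"CMD" * 300,
}

if __name__ == "__main__":
    base = make_baseline(SYSTEM_FILES)
    print("clean:", check(SYSTEM_FILES, base))
    tampered = dict(SYSTEM_FILES)
    # Same-size change: a size/date check alone would miss it, the CRC does not.
    tampered["COMMAND.COM"] = SYSTEM_FILES["COMMAND.COM"][:-1] + b"X"
    print("tampered:", check(tampered, base))
```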
- - - -
CHECK-OS.ARC, contains: CHECK-OS.DOC, CHECK-OS.EXE, CHECK-OS.PAS.
From: R.J. Bartlett & Erik Ch. Ohrnberger
Compiled with Turbo Pascal version 4.0.
What it does: It checks the Filesize, File Date/Time (last updated), and 
Checksum of COMMAND.COM, AUTOEXEC.BAT, and CONFIG.SYS. Will also check
system files.
Evaluation: On my system it would not handle the "FCBS=" parameter in
my CONFIG.SYS file. It needs some work. [T.S.]
- - - -
CHKUP14.ARC, contains: CHECKUP.DOC, CHECKUP.EXE, REGISTER.DOC.
From: Richard B. Levin. BBS's:  (215) 969-8379 or (215) 635-5226
Compiled Microsoft BASIC v.6.0
What it does: Compares a target file's size, its incremental checksum, and its 
total checksum. 
Evaluation: While the method of computing hash sums would be difficult to
forge, it prints lots of messages when it runs, and there is no provision for 
returning error codes that can be tested in a batch file. I find the 
lack of source code a minus and the appeals for money obnoxious. [T.S] 
- - - -
CONDOM.ARC, contains: CONDOM.BAT, CONDOM.DOC, CPY.C, CPY.EXE,
DIF.C, DIF.EXE, READ-ME.NOW.
From:
 Charlie Ros5e [sic], Boulder, Colorado, BBS Fido Node 104/23, Account Name: 
Charlie Rose; and Gerry Williams, Albuquerque, New Mexico, BBS Fido Node 
15/1001. 
DIF.C and CPY.C, were compiled with Aztec C86, Version 3.40b, Manx Software 
Systems.
What it does: 
CPY makes a reference copy of any file, including system, or hidden. DIF 
compares a current file to the reference copy and sets an error return code 
that can be tested in a batch file that indicates what happened. 
Evaluation: Very useful for checking system files for any changes. [T.S.] 
- - - -
FILECRC.ARC, contains: COMPARE.CHN, COMPARE.COM, COMPARE.PAS,
FILECRC.COM, FILECRC.DOC and FILECRC.PAS.
From: Ted H. Emigh, Department of Genetics, North Carolina State University
Box 7614, Raleigh, NC   27695-7614, emigh@ncsugn.uucp, NEMIGH@TUCC.BITNET.
Compiled with Turbo Pascal 3.0.
What it does: 
FILECRC creates a list of all the files on the default drive along with 
creation date, file size, and a CRC (cyclic redundancy check) for each file.  
When FILECRC is run again the new list is compared with the old list.  
Evaluation: I tried it on two systems and it didn't work.  They 
both hung and I had to reboot. [T.S]
- - -
SYSCHK1.ARC contains SYSCHK.EXE and SYSCHK.DOC.
From: Terratech, 19817 61st Ave. S.E., Snohomish, WA 98290 
What it does:
Performs checksums of the first and second files in the root directory
and the COMSPEC file.  These are the three system files.  The first time
the checksums are displayed.  If they are given as parameters, they are
compared against the current values. Error levels are set so a batch file
can test the results.
Evaluation: Works well.  This is shareware, with donation information only
given if you request it with "SYSCHK /?". [T.S.]
- - - -
VACCINE.ARC, contains VACCINE.EXE, VACCINE.DOC.
From: BBS (616)361-7500
What it does:
A compiled BASIC program that will give the size, time and date of a
supplied file name. If these are given as parameters, it will compare the
current values with the parameters and print a message that they
agree or disagree.  It will not read files with the system attribute.
Evaluation: Probably not very useful. [T.S.]
- - - -
VIRUSCK.ARC contains: LICENSE, README, VIRUSCK.DOC, VIRUSCK.EXE.
From: Matt Cohen, PO Box 10589, State College, PA 16805-0589
Written in Turbo or Microsoft C
Source code: 83 lines
What it does:
It runs a program and reports any changes in its size or date
after it is executed. 
Evaluation: Not recommended. [T.S.]

===============================================================
Class 2 programs terminate and stay resident and attempt to stop
undesirable activity.
===============================================================
C-4.COM, INSTALL.EXE
From: Interpath, 4423 Cheeney St., Santa Clara, CA 95054, 
(408) 988 3832.
What it does:
This is a commercial product that costs $40.  It makes itself
resident, hooking vectors 9, 13, 21, 22, 26 and 2F.
A message pops up if any forbidden disk activity tries to take
place and gives you the option of allowing or aborting the
action. It protects against any program that attempts an interrupt
level write to a disk, or any program that attempts to modify or
rename an EXE or COM program or CONFIG.SYS.
Evaluation:  It does not warn of batch file modifications. The vendor 
has been cooperative in modifying the program when undesirable interactions
with other TSR programs were found. Useful in a situation where
existing applications are being run.  Probably not suitable for use where 
programmers are busy developing new programs. (These people seem to operate
the National BBS Society, too.) [T.S.]
- - - -
DPROTECT.ARC contains: DPROTECT.COM, DPROTECT.DOC, READ.ME.
From: Gee M. Wong for Public Domain use ONLY.
What it does:
It installs itself as a resident program, and monitors the use of the BIOS 
level interrupt 13H to protect one or more disks. If it detects a write 
request to a protected disk, it will warn you and then reboot your PC.
Evaluation: Not very practical. I need to be able to write to my
hard disk. [T.S.]
- - - -
STOP1.ARC contains: NEWSTOP.ASM, NEWSTOP.COM, STOP.DOC.
From: Carey Nash, The Programmer's Forum, (818) 701-1021
What it does:
TSR that hooks interrupt 13H used for ALL low level disk I/O. 
If write or format is requested, it will not allow interrupt 13 to 
perform the command, but instead, it returns a value to tell the calling 
program that the write, or format was successful. It also uses interrupts 9 
and 1C. It can be turned on and off from the keyboard. 
Evaluation: When I tested it with a program that modifies sector 0,
it gave an error message saying A: was write protected. It might be 
useful in particular circumstances with unknown programs, but I would
not recommend it for general use. [T.S.]
- - - -
HDSENTRY.ARC contains: HDSENTRY.ASC, HDSENTRY.ASM, HDSENTRY.COM, and
README.1ST.
From: Andrew M. Fried, 895 Cynthia Drive, Titusville, Fla. 32780
(305) 268-4500
What it does: 
It will enable you to run any program on a floppy drive undisturbed, but
prevent most programs from accessing the hard disk for any type
of destructive call.  Nondestructive calls such as reading or resetting the
drive are permitted; formatting and writing to the disk are trapped and
prevented from occurring.  Interrupt 26h, the absolute disk write interrupt,
is also effectively removed from the system by this program.
Hooks interrupt vectors 13h and 26h.
Evaluation: Useful. It prevented a program from changing sector 0 on my hard 
disk, although the program ran to completion and thought that it did. [T.S] 
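As an added model of the Class 2 mechanism (not code from STOP, HDSENTRY or any other program here): a filter sits in front of the BIOS interrupt 13h handler, passes reads and resets through, and blocks writes and formats to protected drives without ever reaching the BIOS. The caller can be told the operation succeeded (which is why a blocked program "ran to completion and thought that it did") or given the BIOS write-protected status instead. Disks, sector contents and the test program are constructed for the example.

```python
# Added example, not STOP's or HDSENTRY's code: a model of a resident int 13h
# hook. A request is (AH, DL): AH 02h read, 03h write, 05h format track;
# DL below 80h is a floppy, 80h and above a hard disk.
AH_RESET, AH_READ, AH_WRITE, AH_FORMAT = 0x00, 0x02, 0x03, 0x05
DESTRUCTIVE = {AH_WRITE, AH_FORMAT}
STATUS_OK, STATUS_WRITE_PROTECTED = 0x00, 0x03   # BIOS int 13h status codes
FLOPPY_A, HARD_DISK_0 = 0x00, 0x80

def bios_int13(ah, dl, sector, data, disks):
    """Stand-in for the original BIOS handler; returns (status, data_read)."""
    disk = disks[dl]
    if ah == AH_READ:
        return STATUS_OK, disk.get(sector, b"\x00" * 512)
    if ah == AH_WRITE:
        disk[sector] = data
    elif ah == AH_FORMAT:
        disk.clear()
    return STATUS_OK, None

def make_hook(protected_drives, report_success):
    """Build the resident filter. protected_drives is a set of DL values;
    report_success chooses between lying (STATUS_OK) and a visible error."""
    def hook(ah, dl, sector, data, disks):
        if dl in protected_drives and ah in DESTRUCTIVE:
            # Never chained to the BIOS, so the sector is untouched either way.
            status = STATUS_OK if report_success else STATUS_WRITE_PROTECTED
            return status, None
        return bios_int13(ah, dl, sector, data, disks)   # chain to original
    return hook

def run_untrusted(int13, disks):
    """Constructed test program: overwrite sector 0 of the hard disk and
    read a floppy sector. Returns the two status codes it observed."""
    payload = b"\xEB\x3C" + b"\x00" * 510          # constructed sector image
    write_status, _ = int13(AH_WRITE, HARD_DISK_0, 0, payload, disks)
    read_status, _ = int13(AH_READ, FLOPPY_A, 0, None, disks)
    return write_status, read_status

def fresh_disks():
    """Constructed floppy and hard disk; returns (disks, original boot sector)."""
    boot = b"\xFA" + b"\x00" * 511
    return {FLOPPY_A: {0: b"\x55" * 512}, HARD_DISK_0: {0: boot}}, boot

if __name__ == "__main__":
    disks, boot = fresh_disks()
    hook = make_hook({HARD_DISK_0}, report_success=True)
    print("statuses:", run_untrusted(hook, disks))
    print("boot sector intact:", disks[HARD_DISK_0][0] == boot)
```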
- - - -
BOMBSQAD.ARC contains: BOMBSQAD.COM, BOMBSQAD.DOC. (Version 1.3)
From: Andy Hopkins, 526 Walnut Lane, Swarthmore, PA 19081.
BBS: 302-764-7522
What it does: 
It hooks interrupt vectors 13 and 70, intercepts calls,
displays what is going to happen, and asks if you want to continue. 
Evaluation:
It did stop calls to write to a sector on my hard drive, but it also
interfered with being able to read from A: when it should have allowed
that operation. [T.S.]
=================================================================
Class 3 Combination programs.  These combine a check of system files
with a TSR part that watches for dangerous disk activity.
=================================================================
FSP-12.ARC contains: $READ_ME.1ST, $TOC, FLUSHOT.DAT, FLU_POKE.COM,
FLU_REG.FRM, FSP.COM, FSP.TXT, F_FEED, HARDWARE.TXT, MY_OWN.CPY,
PRINT.BAT, RAMNET.TXT, REWARD.FRM, REWARD.LST, THE_COOP.TXT, 
UPDATES.TXT. [Flu_shot+]
From: Ross M. Greenberg, 594 Third Avenue, New York, N.Y. 10016
BBS:(212)-889-6438.
What it does:
After performing a check sum of the three system files, it installs
itself as a TSR COMMAND.COM copy, hooking interrupt vectors
8, 9, 13, 20, 21, 26, 27 and 28.  It reads a data file that tells
how you wish files to be protected, e.g. no read, read only, no
EXE or COM or BAT files, etc.  When any program attempts to do something 
forbidden, a pop-up window tells you and lets you abort or allow the 
operation. 
Evaluation: Although PC Magazine, June 88 recommended it, a number
of people have reported serious bugs that have not yet been fixed
by the author.  At this time, this version is *not* recommended.
=================================================================
Miscellaneous
=================================================================
CHK4BOMB.EXE ("Check for Bomb").
From: Andrew M. Fried, 895 Cynthia Drive, Titusville, Fla. 32780
(305) 268-4500
What it does:
It reads a .EXE or .COM program file from disk and attempts to spot
dangerous code and suspicious messages.
Evaluation: Useful for displaying text strings in program files, but of
almost no usefulness for virus protection. [T.S.]
- - - -
VIRU-SIM.TXT, VIRU-SIM.EXE.
From: National BBS Society/ICUG, 4423 Cheeney Street, Santa Clara, CA 95054.
Voice - 408 727 4559,   BBS - 408 988 4004     
What it does:
VIRU-SIM is a program that simulates characteristic
activities that .COM and .EXE infector viruses use for
replication.  It also simulates some of the destructive
activities used by viruses to destroy disk information.  It does
not simulate the infection techniques of boot infector viruses
(such as the Pakistani Brain Virus).  
VIRU-SIM may be used as a tool to test the effectiveness of
anti-viral measures and as a demonstration tool for viral
replication activities. 
VIRU-SIM is available free of charge from the BBS Society's
Homebase bulletin board, or is available on diskette for a $3.00
mailing and handling fee. 
Evaluation: Useful for testing protection programs. [T.S.]
======== end =======