[comp.sys.ibm.pc] Program to help in fight against viruses

emigh@ncsugn.ncsu.edu (Ted H. Emigh) (03/02/88)

A couple of years ago, I wrote a program that can be used to help
detect Trojan horse programs.  I announced it to the net and sent
a couple of copies to people.  In light of the renewed interest
in detecting viruses, etc., I am announcing it again.  I do not
know if it is on SIMTEL20.  If there is interest, I will send
copies, or post if there is enough interest.  The program was
written using Turbo Pascal 3.0, and the source is available.

The following is the first couple of paragraphs from the description
of the program.


     FILECRC is a program to help detect when files have been
corrupted.  FILECRC creates a list of all the files on the
default drive along with creation date, file size, and a CRC
(cyclic redundancy check) for each file.  When FILECRC is run
a second time, the new list is compared with the old list.  For
any file, it is possible that:

1)   The file is completely unchanged from the previous time.
     The file name (and directory entry) are the same at the two
     times, and it has not been modified.

2)   The file has been modified in the normal manner, so that the
     directory entry has a new time of creation.  Files of this
     sort are counted, but no special treatment is given to them.

3)   The file has been deleted in the time since the first time
     FILECRC was run.  Files of this sort are counted, but no
     special treatment is given to them.

4)   A new file has appeared that was not on the disk at the time
     of the previous run of FILECRC.  Files of this sort are
     counted, and a list is placed in the file FILES$$$.NEW.
     While it is usual to find new files on the disk, this gives
     an easy way to keep track of what files are new, and where
     they are located.  This is important when using public
     domain programs to make sure they are not creating new files
     without you knowing about it.

5)   The directory entry for a file is the same for both of the
     times the program was run, but the file was modified in some
     way.  This should not occur in normal practice, so the
     program writes a message to the terminal, and a list of
     these files is placed in the file FILES$$$.MOD.  This can
     occur when you use NORTON UTILITIES, or other such programs
     to modify the disk directly, bypassing the normal DOS
     handling of the files.  It also can happen when programs
     'run wild' (this is what prompted me to write this program
     in the first place).

     Running the program prior to each backup will assure you
that you are not backing up files that have been corrupted.
Also, in program development, running the program before and
after a test run of your program can assure you that your program
has not messed up the disk.
-- 
Ted H. Emigh, Dept. Genetics and Statistics, NCSU, Raleigh, NC
uucp:	mcnc!ncsuvx!ncsugn!emigh	internet:  emigh%ncsugn.ncsu.edu
BITNET: NEMIGH@TUCC                  @ncsuvx.ncsu.edu:emigh@ncsugn.ncsu.edu
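
The five-way comparison described in the post above, sketched in Python as an added example (not the FILECRC Turbo Pascal source, which does not appear on this page). The function names, the use of modification time plus size as the "directory entry", and the sample tree built in `demo()` are assumptions.

```python
import os
import pathlib
import tempfile
import zlib

def entry(path):
    """(mtime_ns, size, crc32): mtime and size stand in for the DOS directory entry (assumption)."""
    crc = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(block, crc)
    st = os.stat(path)
    return (st.st_mtime_ns, st.st_size, crc)

def snapshot(root):
    """Map relative path -> entry for every file under root (the 'list' FILECRC keeps)."""
    files = (p for p in pathlib.Path(root).rglob("*") if p.is_file())
    return {str(p.relative_to(root)): entry(p) for p in files}

def compare(old, new):
    """Classify every path into one of the five cases from the description."""
    report = {}
    for path in old.keys() | new.keys():
        if path not in new:
            report[path] = "deleted"              # case 3
        elif path not in old:
            report[path] = "new"                  # case 4, listed in FILES$$$.NEW
        elif old[path][:2] != new[path][:2]:
            report[path] = "modified"             # case 2, directory entry changed
        elif old[path][2] != new[path][2]:
            report[path] = "silently modified"    # case 5, listed in FILES$$$.MOD
        else:
            report[path] = "unchanged"            # case 1
    return report

def demo():
    """Constructed sample tree with one file per case; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        for name in ("same.txt", "edited.txt", "gone.txt", "patched.bin"):
            (root / name).write_text("original")
        before = snapshot(root)
        (root / "gone.txt").unlink()
        (root / "added.txt").write_text("new")
        (root / "edited.txt").write_text("edited normally")  # size changes
        st = (root / "patched.bin").stat()
        (root / "patched.bin").write_text("0riginal")        # same size, new bytes
        os.utime(root / "patched.bin", ns=(st.st_atime_ns, st.st_mtime_ns))  # old timestamp back
        return compare(before, snapshot(root))
```

CRC-32 catches the accidental corruption the post describes but is not collision-resistant, so a comparison meant to withstand deliberate tampering would use a cryptographic hash such as SHA-256 and keep the baseline list off the monitored disk.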

mvolo@ecsvax.UUCP (Michael R. Volow) (03/02/88)

[stuff about program that records filespecs and crc's on entire HD
and compares these across time and reports changes]

Sounds like a good idea.  Please post.

Michael Volow, M.D.
Dept of Psychiatry, Durham VA Medical Center, Durham, N.C. 27705
919 286 0411                           mvolo@ecsvax.UUCP