CHKMEM & CHKBOOT
The CHK programs, CHKBOOT and CHKMEM are part of a suite of programs
which I have developed as personal tools for the investigation of
viruses. For some reason (possibly laziness) I have become something
of a specialist in Master Boot Record and Dos Boot Record infections.
Each carries its own documentation internally. To read, for CHKMEM
simply TYPE the progran (e.g. TYPE CHKBOOT.COM), for CHKBOOT, invocation
without a drive letter (e.g. CHKBOOT) will provide help.
With the current rise in number and prevalence of such infections - in
particular the destructive MICHELANGELO, I am releasing these programs,
as FREEWARE to the general public so long as they are not changed in any
way, and in particular so long as the ASCII notices remain intact and are
Like any personal tool, I can make no guarentee as to the fitness for
any use but they have proven effective for me. They are not 100% effective
against any and all viruses but CHKMEM will find all of the MBR infectors
and quite a few of the file infectors that go resident in the "upper 640".
MICHELANGELO in particular will return a total memory value that is 2k
lower than expected (most 640k machines should return A000 seg 640k 655,360
bytes when clean) when resident as will STONED and most of its varients.
If DOS 4.x is in use, this return may be 1k lower - 9FC0 seg - and certain
COMPAQ and other machines with dedicated mouse buffers may do so also as
will most BIOS-beginning security program such as my DiskSecure program.
Be aware that such a memory loss may be normal but any should be
investigated to determine what the cause is. If you have a low value and
are in doubt, one test would be to boot from a known, clean, write-protected
floppy and see if the values are the same. Note that the lower two values
will change depending on what TSRs are loaded but their sum should remain
The best use of CHKMEM is before a virus strikes to record "clean" values.
This way and differences will be redily noticable.
CHKBOOT simply checks the boot record of floppy and fixed disks for
adherance to certain rules. Note that STONED and MICHELANGELO will not
be detectable on fixed disks this way since they are MBR not DOS Boot
Record infectors. CHKBOOT will detect these infections (and others) very
effectively on floppies. Also please note that it will not detect certain
viruses that "play by the rules" on floppy disks but I have seen very few
of these. Again be aware that some security products maintenance disks
(e.g. my DiskSecure again) may also violate these rules so if a disk is
flagged as infected, be aware that there is a small chance that it may
be a valid disk. It is also possible that some disk formatting routines
may legitemately violate my somewhat arbritrary rules. If so, I would
like to know about it.
Since some "stealth" viruses may return correct values to CHKBOOT, it
is recommended that CHKMEM be run first unless the system is known to
be clean. Those "stealth" MBR infections that I have observed are detectable
with CHKMEM when resident.
Just to make things a bit more difficult for would-be virus-writers, the
rules these publicly-released versions use are slightly different than
those in my personal toolkit but are designed to be just as effective
at finding viruses.
Note: while these programs are designed to provide indication that a virus
such as STONED or MICHELANGELO is present, they do nothing to remove such
viruses, the proper treatment will depend on the virus encountered. For
protection, please see my FREEWARE programs SafeMBR and NoFBoot.
RETURNS: While these programs were originally designed for manual use,
errorlevel returns have been added for use in batch files (CHKBOOT
should only be used this way on fixed disks) or from Network
servers. Returns will be 0 for valid termination and 1 or 2 for
Orlando, Florida, USA
18 January, 1992
Internet: padgett%[email protected]
VALIDATE (C) Mcafee Associates values
File Name: chkmem.com
Check Method 1 - 0E1E
Check Method 2 - 1974
File Name: chkboot.exe v1.3d - fix ZDS (Zenith) conflict
Check Method 1 - 756D
Check Method 2 - 0B86