How to use
VCHECKER.EXE
To scan your disk drives for viruses

1. Introduction

The program VCHECKER.EXE is designed to check all executable files
on a designated disk drive for the presence of computer viruses. VCHECKER
will search all .COM , .SYS, . EXE, .OVR, and .OVL files on the disk
drive for evidence of the viruses described in the data file SYNDROME.H.
This file contains information on the DATACRIME 1 & 2 Viruses, also
known as the COLUMBUS DAY VIRUS, and may be updated with information
on future viruses. If you run the VCHECKER.EXE program with its initial
version of SYNDROME.H it will automatically search the drive you designate,
typically your hard drive, for the presence of the DATACRIME 1 & 2
Viruses.

2. Getting Started

The Instructions for the size of the virus to be searched for, the
drive to be searched, and the attributes of the virus to be searched
for are given in the file SYNDROME.H. This file may be updated with
information on any virus for which you wish search. The SYNDROME.H
file is initially set to search the designated drive for attributes
of the DATACRIME 1 & 2 (COLUMBUS DAY) Viruses . If you wish to test
for the presence of the DATACRIME 1 & 2 viruses use the following
command:

VCHECKER c:
Where C: is the letter of the drive you wish to search for the virus.
You may list multiple drive choices after VCHECKER in order to
scan multiple drives for the viruses. The format for scanning multiple
drives is the drive letter followed by an optional : and then a
space before the next drive letter to be scanned all on one line after
VCHECKER.
If the VCHECKER detects any viruses it will display the file name
and also print out a list of these file names on a printer if one
is connected to your machine.

3. Adding Virus information to SYNDROME.H

The SYNDROME.H file is provided to allow the user to update the list
of viruses that VCHECKER uses to search the disk drives with. Several
commands are available to control the size of the virus syndrome used
and the form of the output information. In the box below is a sample
SYNDROME.H entry for the DATACRIME 1 & 2 Viruses.

log "virus.log"

Size 2000;
end

Syndrome "Datacrime 1 & 2" =
11, 14, 01, 14, 16, 07, 16, 18
10, 75, 03, 1C, 07, 0, 06, 5F 58, 07, 10, 19, 19, 10, 14, 06, 10
11, 6F, 75, 64, 75, 18, 14, 07
16, 10, 75, 64, 6C, 6D, 6C, 5F, 58;



Verify ODBE;

ALL
SEARCH

The commands available for running the search program VCHECKER.EXE
are as follows. These commands should be entered in SYNDROME.H using
a text editor after the syndromes already listed in this file.

SIZE xxxx:

The size command is used to determine the maximum probable size of
the virus attached to the executable file. xxxx is a measure of the
length in bytes of the virus syndrome of the virus to be searched
for in bytes, of the virus syndrome being sought by VCHECKER. The
default and maximum value of size is 2048 bytes.

SYNDROME "name" = ........;

The SYNDROME command is used to describe the characteristic string
of bytes that identifies a particular virus. The syndrome may be given
a name to help identify it in the SYNDROME.H file and to identify
it when a virus is found in a file. After the = sign is a space, followed
by the syndrome bytes in hex separated by spaces and terminating in
a semicolon. The shortest string of bytes that the program will search
for is 8 bytes. Six of these bytes must be different in order for
the program to consider the string as a valid virus string.

SEARCH c:

The SEARCH command instructs VCHECKER to begin checking the drive
with the label c. This command should be placed after the syndrome
information in the SYNDROME.H file. If another drive is specified
when invoking VCHECKER it will take priority over this command.

PAUSE

The PAUSE command causes VCHECKER to pause whenever it encounters
this command in the SYNDROME.H file and waits until you hit Enter to
continue.

START

The START command instructs VCHECKER to begin at the beginning of
the files it is searching and scan all bytes from the beginning of
the file forward until it reaches the end of the virus' estimated SIZE.

END

The END command instructs VCHECKER to begin at the end of the files
it is searching and scan all bytes from the end of the file backwards
until it reaches the total file length - virus estimated SIZE point.
If this command is not given, the search program will start at the
beginning of each file and search until it reaches the end of the
viruses' estimated SIZE.

ALL


The ALL command instructs VCHECKER to search the entire length of
all the files on the specified drive for the representative virus
syndrome. This command is useful for finding viruses that are imbedded
in files. Please note that most viruses are attached to the end or
the beginning of files and this command will greatly increase the time
it takes VCHECKER to complete its search.

SHOW

The SHOW command instructs VCHECKER to show the syndrome information
highlighted on the screen. This will confirm whether or not the virus
that VCHECKER is searching for is actually the virus you want to locate.

LOG "filename"

The LOG command instructs VCHECKER to output the results of the virus
search to a file specified in filename. If this command is given without
specifying a filename, the output will be directed to the printer on
printer port 1.

VERIFY number;

The VERIFY command is provided to ensure that the virus syndrome
information provided initially with the VCHECKER program and in future
updates is correct for the virus that you wish to locate. VERIFY uses
the hex number which is given with the VERIFY command to analyze the
virus syndrome information. This will then and ensure that it is the
correct syndrome for the virus it is included in the SYNDROME.H file.
With each virus syndrome update there will be a unique VERIFY number
provided to ensure that the provided syndrome inforamation is correct.
For the DATACRIME 1 & 2 Virus this verify number is 0DBE.

4. Results and further Comments

VCHECKER will report the definite and probable presence of any virus
found after the search is completed. If the program completes its
search without detecting any virus, it prints NO INSTANCES OF VIRUS FOUND.
If you receive this message, it would be a good idea to back up your disk
drive immediately, before any new virus can be introduced.
It is also a good idea to save a copy of VCHECKER.EXE and SYNDROME.H on a
bootable floppy disk with a write-protect tab on it and before testing
make sure you do a hard reset to clear the memory. You may rerun VCHECKER
as often as you like to detect virus attacks early.

If the VCHECKER.EXE program detects a string of bytes that are at
least 75% identical to the virus syndrome listed in the SYNDROME.H
file it will report that there is a PROBABLE virus present and give
all the file names on which the virus appears. If the program detects
a 100% identical string of bytes in the file it is searching it will
report a virus FOUND and the file names where it was detected.

If only one file is indicated on the disk drive as having a virus
either probable or found then there is a chance that the string of
bytes it is searching for randomly occurs in a non infected file
therfore, indicating no virus present. To check this file compare
the size of the file on the disk drive with the size of a Backup
copy of this file. If the files are identical in length it is
probable that there is no virus present in the specified file.
If the file is longer than the backup copy it is a good idea to erase
the copy on your disk drive and use the backup file to restore it.


If the VCHECKER program detects two or more files with viruses contained
in them, then it is quite likely that you have a virus problem. The
following procedure are recommended for dealing with this situation.

1. Get an original Dos Disk with write-protect tab.
2. Hard reset the computer with Dos disk in the 'A' drive.
3. Use the Backup disk of the infected files with write-protect tabs
on them to compare the size of the infected files with the backup
file lengths. If the backup files are shorter, the infected file should
be deleted and replaced with the backup copy.

5. Background of the DATACRIME 1 & 2 Viruses

The DATACRIME 1 & 2 Viruses or COLUMBUS DAY VIRUS, as they are collectively
known, are two of the many viruses to target MS-DOS computers. It
was reportedly unleashed a few months ago in Europe and has recently
begun to attack some PC sites in the United States. The virus is
self-propagating and encrypted and attaches itself to .COM, .EXE
and .SYS files. When the system clock reaches October 12 the virus
erases track 0 on the hard drive and destroys the hard disk directory.
At this point the hard drive must be reformatted with a low-level
formatting program which results in the destruction of all the data
on the hard drive. The DATACRIME 1 & 2 virus does not attach itself
to the COMMAND.COM file or to any .COM file that has D as its seventh
character. The virus is spread by networks through floppy disks and
modems whenever an infected .COM program is run on an unprotected
machine.

6. Viruses in General

Computer viruses are self-propagating programs that are designed
to elude detection. They attach to system utilities and can either
have a benign or catastrophic intent to them.

Viruses elude detection by merging themselves into various programs
on your hard disk after being introduced through infected files on
floppy disks or through modem lines. Once these infected files are
executed the viruses spread to files on the hard drive and can destroy
the data saved on the hard drive.

There are several measures available to prevent computer viruses from
infecting your hard disk. VCHECKER is used to check all software disks
before you copy them to your hard drive. The COMPSEC II Security Product
offers the ability to set discretionary access controls on all files
which will prevent all unauthorized access. COMPSEC II also has low level
write-protect features that help to prevent viruses from bypassing DOS and
writing directly to the hard disk. Finally COMPSEC II provides total user
access control which restricts computer usage to times when it may be
supervised by the proper personnel. For further information on the
COMPSEC II system please contact American Computer Security Industries Inc.
or your authorized dealer.

American Computer Security Industries Inc.
112 Blue Hills Court
Nashville, TN 37214
Tel: (615) 883-6741 Fax:(615) 883-6761