International Business Machines Corporation Armonk, New York 10504

IBM Program License Agreement for the IBM Virus Scanning Program

BEFORE USING THE IBM VIRUS SCANNING PROGRAM (SCANNING PROGRAM) YOU SHOULD
CAREFULLY READ THIS AGREEMENT AND ALL DOCUMENTATION ACCOMPANYING THE
SCANNING PROGRAM, INCLUDING THE FILE NAMED "READ.ME." YOU WILL INDICATE
YOUR ACCEPTANCE OF THIS AGREEMENT AND ITS DOCUMENTATION BY YOUR INITIAL USE
OF THE SCANNING PROGRAM. IF YOU DO NOT AGREE WITH THESE TERMS AND
CONDITIONS, YOU SHOULD PROMPTLY RETURN THE UNUSED SCANNING PROGRAM,
TOGETHER WITH ITS DOCUMENTATION, AND ANY MONEY YOU HAVE PAID WILL BE
REFUNDED.

1. INTRODUCTION
Some individuals and groups, regrettably, are introducing "virus"
programs into computer systems in an attempt to damage the systems. A
number of firms in the computer industry are addressing this challenge.
IBM has developed the Scanning Program for its own internal use to help
detect the presence of some of these virus programs. Since you may face
some of the same problems that IBM does in this regard, IBM is making the
Scanning Program available to you to assist you in addressing this industry
problem.
You should note that the problem is an evolving one. As virus detection
programs are developed and made available, new virus programs may emerge
which seek to avoid detection. Your continued attention to appropriate
back-up procedures and physical security measures is essential.
Since the Scanning Program is itself a program, it is not immune to
tampering. To help prevent tampering, you should exercise great caution in
controlling the access, use and reproduction of the Scanning Program.
Because of the above considerations, IBM can only distribute the Scanning
Program on an "AS IS" basis. The terms of the "AS IS" license follow.
2. LICENSE
This is a license agreement and not an agreement for sale. You obtain no
rights other than the license granted you by this Agreement. Title to the
enclosed copy of the Scanning Program, and any copy made from it, is
retained by IBM. IBM licenses your use of the Scanning Program in the
United States and Puerto Rico.
You assume all responsibility for the selection of the Scanning Program
to achieve your intended results, the installation of and use of the
Scanning Program, and the taking of corrective action regarding computer
programs in which suspected virus "infection" is detected.
You may:
a)use a copy of the Scanning Program on one or more machines at a time;
b)make additional license copies of the Scanning Program for
distribution for use within your enterprise. You may not distribute
copies of the Scanning Program to any third party. You may not
distribute the Scanning Program over networks by means of electronic
"bulletin boards"; and
c)make copies of the Scanning Program for backup purposes only in support
of your use.
You shall reproduce and include the copyright notices and any other
legend on all such copies of the Scanning Program.
You may not:
a)use, copy or distribute the Scanning Program except as provided in this
Agreement or as otherwise specified by IBM in writing;
b)modify, merge or transfer copies of the Scanning Program;
c)reverse assemble or reverse compile the Scanning Program; and/or
d)sublicense, rent, lease, or assign the Scanning Program or any copy of
it.
3. DISCLAIMER OF WARRANTY
IBM LICENSES THE SCANNING PROGRAM ON AN "AS IS" BASIS, EXCLUSIVE OF ANY
WARRANTY, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Some states do not allow the exclusion of implied warranties, so the
above exclusion may not apply to you.
IBM does not warrant that the Scanning Program or its documentation is
free from claims by a third party of copyright, patent or trademark
infringement or the like.
4. LIMITATION OF REMEDIES
IBM's entire liability and your exclusive remedy shall be as set forth
in this Section.
For any claim related to the subject matter of this Agreement, IBM's
liability for actual damages, regardless of the form of action, will be
limited to the money you paid to IBM, an IBM Authorized Dealer or an IBM
approved supplier for the license for the copy of the Scanning Program that
caused the damages or that is the subject matter of, or is directly related
to, the cause of action. This limitation will not apply to claims for
bodily injury or damages to real or tangible personal property for which
IBM is legally liable. In no event will IBM be liable for any lost
profits, lost savings, or any incidental damages or other economic
consequential damages, even if IBM, an IBM Authorized Dealer or an IBM
approved supplier has been advised of the possibility of such damages, or
for any damages claimed by you based on any third party claim.
Some states do not allow the limitation or exclusion of incidental or
consequential damages so the above limitation or exclusion may not apply
to you.
5. GENERAL
You understand that the Scanning Program detects only a limited number
of computer viruses. The Scanning Program is itself subject to computer
viruses and other forms of tampering.
IBM does not guarantee that the Scanning Program's operation will be
uninterrupted or error free. IBM does not provide service or defect
correction for the Scanning Program.
If you have not already paid IBM by credit card, you agree to send a
check for thirty-five dollars for your original license to:

IBM
Grand Central Station
P.O. Box 2646
New York, N.Y. 10163

IBM waives charges for any additional license copies.
You may terminate your license at any time by destroying all your copies
of the Scanning Program.
IBM may terminate your license if you fail to comply with the terms and
conditions of this Agreement. Upon such termination, you agree to destroy
all your copies of the Scanning Program.
You agree that you are responsible for payment of any taxes resulting
from this Agreement.
Neither party may bring an action, regardless of form, arising out of
this Agreement more than two years after the cause of action arose.
This Agreement will be construed under the Uniform Commercial Code of
the State of New York.

=======================================================================
=======================================================================

Virus scanning program capabilities and limitations:
====================================================

This program has been developed by IBM to aid in the detection of some
computer viruses and is used internally by IBM to detect computer
viruses. It is designed to scan boot records and executable files
looking for signatures of viruses known to IBM when the program was
written. A signature is a bit pattern that is indicative of a particular
virus. The virus signatures have been derived by performing "reverse
engineering" on virus samples. The files that are scanned by this
program must be in their native executable form (e.g., not encrypted and
not packed) in order for signature matching to occur.
This virus scanning program does NOT remove viruses, inhibit virus
propagation, or recover any damage done to files or data caused by
viruses. It simply scans files looking for bit patterns matching the
virus signatures.
There may be other viruses that currently exist, or will exist in the
future, that this program will not detect. We know of no available,
guaranteed solution to computer viruses, so we recommend regular backups
of your data and caution in acquiring and using software. See the
rest of this file for more information about computer viruses and
this program.

Contents of this diskette:
==========================

In addition to this file, (READ.ME) there are only 3 other files
contained on this diskette. They are VIRSCAN.EXE, SIGFILE.LST and
SIGBOOT.LST. VIRSCAN.EXE is 44983 bytes long, SIGFILE.LST is 2873
bytes long and SIGBOOT.LST is 980 bytes long. If there are additional
files on this diskette or the files have lengths different than those
listed here, do not use this diskette.

Description of the virus scanning program:
==========================================

This program tests executable files on disks for signature strings that are
found in some common PC-DOS computer viruses. If a drive is specified,
it will also test the drive for boot sector viruses.

To use it, simply type at the command prompt (for example)

VIRSCAN C:

to scan the executable files and boot records on the C: drive
or

VIRSCAN A:

to scan the executable files and the boot record on the A: drive.

Type VIRSCAN without any arguments for some help.


Technical details:
==================

VIRSCAN.EXE is the executable program. It runs under OS/2 1.2
when the DOS compatible file system is installed (but not the new High
Performance File System) and OS/2 1.1, 1.0, and DOS 2.0, 2.1, 3.1,
3.2, 3.3, 4.0. The current version may not have been tested in all these
environments. It will also run in an OS/2 PM window.

This virus scanning program can be run off a bootable write protected
floppy diskette. It is suggested that the program be installed on such a
diskette, and that the system be cold booted (power-cycled) using this
diskette before running the program. This procedure *should* be followed
if the program is being used when there are any computer virus infections
endemic (or epidemic) in the vicinity.

SIGFILE.LST is a list of signature entries for COM and EXE viruses. The
first line of an entry is a simple hex string. The second line is a
message displayed if the hex string is found. The third line informs
the program of what file types the signature might be found in. The
scanning program does not trust the name of a file. Files with the .EXE
header, i.e. files whose first two bytes are hex 4D and 5A, are assumed
to be .EXE files. Files without the .EXE header are assumed to be of
indeterminate type.

To view the signatures for the EXE and COM viruses, type the following
at the command line prompt when the program is on the A: drive

TYPE A:SIGFILE.LST

SIGBOOT.LST is a list of signature for boot sector viruses. It has the
same format as SIGFILE.LST. The scanning program will test system boot
sectors of any drives that are specified, and the master boot record of
the C: drive if it is specified. There are also command line parameters
to scan any particular drive for boot sector viruses only.
Warning: This program cannot scan master boot records if it is run in
an OS/2 protect mode session!!

To view the signatures for the boot sector viruses, type the following
at the command line prompt when the program is on the A: drive

TYPE A:SIGBOOT.LST

This program sets the DOS or OS/2 error level as follows upon exit:
Errorlevel 0 means no virus signatures were found, and no other
fatal errors occurred.
Errorlevel 1 means no virus signatures were found, but the program
terminated with some other error, before the scan
was complete.
Errorlevel 2 means that virus signatures were found.


Limitations:
============

Some testing of this program's ability to detect known boot sector
viruses has been conducted. It was able to detect all the
boot sector viruses of which we have samples. It is very easy to go
wrong, so read the following carefully.

- This program running under OS/2 will not (and cannot) find one of the
known boot sector viruses on an infected hard disk. Under OS/2, it
*does* find this virus on infected diskettes. Under DOS, it will
find this boot sector virus on an infected "C:" drive, and on
infected diskettes.

- Many boot sector viruses survive a soft boot, i.e.
control-alt-delete. For complete coverage, it is strongly recommended
that this program be installed on a bootable write-protected floppy
diskette (along with any other anti-virus programs used), and that it only
be run after *power-cycling* the computer.

- Another known boot sector virus is not detected unless it is not in
control. If this virus is in control, it intercepts reads of the boot
sectors and returns the original, uninfected boot sector.
(In other words, cold boot from an uninfected write-protected diskette!)

- The support for detection of boot sector viruses is strongest for the
"A:" and "C:" drives. For the boot viruses that this program currently
detects, suspect diskettes may be scanned in any drive.

- For technical folks: if a scan of the A: or C: disk is specified,
the program uses BIOS INT 13 to scan the master boot record at head 0,
track 0, sector 1 of physical drives 00H or 80H respectively. Note the
implicit assumption that the active partition is always C:.
For drive letters other than A: and C:, no such scan is done unless
explicitly requested on the command line.
For example, if the second physical hard drive were "D:", it might be
scanned as follows:

VIRSCAN D: -B81

Please recognize that this program scans only for signatures defined
in the SIGFILE.LST and SIGBOOT.LST files. Viruses which do not contain
any of the signatures listed in these two files will not be detected.

=======================================================================
=======================================================================

To Make A Copy of your IBM Virus Scanning Program Diskette
==========================================================

The following procedure will help you make a copy of the original
IBM Virus Scanning Program diskette. You can also use this procedure
to make a backup of your diskette. This copy will not be a bootable
diskette.


(1) Turn your PC or PS/2 off.

(2) Insert your original manufacturer's write-locked PC-DOS diskette
into the A: drive. If you are using DOS 4.0, use the "install"
diskette.

(3) Turn your PC or PS/2 on and let it boot from the A: drive. If you
are using DOS 4.0 from the "install" diskette, press the "Esc"
key and then the "F3" to end the install process.

(4) At the DOS prompt, type:

DISKCOPY A: B:

and follow the prompts on the screen to copy the contents of the
original IBM Virus Scanning Program diskette (the source diskette)
to a new diskette (the target diskette).

(5) Remove the new diskette and write-protect it with a write-protect
tab (on a 5.25" diskette) or by moving the write protect switch
(on a 3.5" diskette) so that you can see through the hole located
in the bottom right while looking at the back of the diskette.
We suggest leaving this diskette write-protected at all times.

(6) Scan the new diskette by reinserting it into the A: drive and
typing at the DOS prompt:

VIRSCAN A:




To Make A Bootable Diskette From The IBM Virus Scanning Program Diskette
========================================================================

The following procedure will help you make a copy of the files
on your IBM Virus Scanning Program diskette, onto a DOS bootable
diskette. We suggest running this program after booting your PC or PS/2
from a copy of DOS that is known to be virus-free.


(1) Turn your PC or PS/2 off.

(2) Insert your original manufacturer's write-locked PC-DOS diskette
into the A: drive. If you are using DOS 4.0, use the "install
diskette.

(3) Turn your PC or PS/2 on and let it boot from the A: drive. If you
are using DOS 4.0 from the "install" diskette, press the "Esc"
key and then the "F3" to end the install process.

(4) At the DOS prompt, type:

FORMAT A: /S

and follow the prompts to format a new diskette.

If you are using DOS 4.0, you may wish to create an
AUTOEXEC.BAT and CONFIG.SYS file that automatically
installs the SHARE program when a PC or PS/2 is booted from
this diskette. Refer to your DOS manual for further
instructions.

(5) At the DOS prompt, type:

COPY A:\*.* B:\

and follow the prompts on the screen to copy the contents of the
original IBM Virus Scanning Program diskette (the "A:" diskette) to a new
diskette (the "B:" diskette).

(6) Remove the new diskette and write-protect it with a write-protect
tab (on a 5.25" diskette) or by moving the write protect switch
(on a 3.5" diskette) so that you can see through the hole located
in the bottom right while looking at the back of the diskette.
We suggest leaving this diskette write-protected at all times.

(7) To test your new, bootable diskette, turn your PC or PS/2 off, insert
new, bootable diskette in the A: drive, turn your PC or PS/2 on and
let it boot from the A: drive. At the DOS prompt, type:

VIRSCAN A: