CHECK version 1.5 - integrity checker - Copyright (c) 1995, Venzislav Iliev

Please read carefully before installing.

Contents:
  1. INTRODUCTION
  2. EASY INSTALLATION
  3. CUSTOM INSTALLATION
  4. USAGE
  5. OPTIONS
  6. EXAMPLES
  7. REPAIR MANUAL

1. INTRODUCTION:

CHECK is a utility which can help detect viruses. It is not a virus scanner - it will not scan for viruses in memory or on the disks. Instead it tries to detect suspicious things like modified memory, files, boot records, interrupts, etc. CHECK is not a replacement for a virus scanner - you should use a good scanner too.

CHECK tests the integrity of the:
  Master Boot Record
  Partition Tables
  Boot Sectors
  Interrupts
  Memory
  Upper Memory
  BIOS
  CMOS
  Files (CRC and code checks)

2. EASY INSTALLATION:

For easy installation use the script INSTALL.BAT. You must specify the path for the data files and all your hard drives on the command line, then reboot your computer and run INSTALL.BAT again with the same command line.

Example:
  INSTALL c:\tmp\chkdata c: d:

This will place CHECK at the end of your AUTOEXEC.BAT.

It's a good idea to make a CHECK boot disk as well and use it to check your computer from time to time. This is needed to improve security against stealth viruses, which can be detected only after a clean boot. To create such a disk make a new system disk (use "format a:", "sys a:") and then use MAKEBOOT.BAT. You must specify all your hard drives on the command line.

Example:
  MAKEBOOT c: d:

Using such a boot disk together with CHECK in your AUTOEXEC.BAT will almost surely detect the presence of viruses (known or unknown), and you will be able to recover your system using REPAIR without any trouble. If you have backups of all your files as well, you don't have to bother about most viruses anymore.

3. CUSTOM INSTALLATION:

The /Sx options are the install options, which store values to the data files. You can specify filenames for the data files or use the default names.
The default installation does not include validating all your executables - you may wish to place such a check in your AUTOEXEC.BAT, or perform it manually from the command line from time to time (I do not recommend doing that every time you boot your computer because it can be time consuming).

4. USAGE:

  check [options] [drives] ...

Typing just 'check' or 'check /?' will display short usage info.

5. OPTIONS:

Here is a full list of all CHECK options. You can omit the filenames - default filenames will be used instead.

INTERRUPTS
  /SI [file] - save all interrupt vectors.
  /I  [file] - compare the interrupt vectors to the saved ones.
  Depending on the current configuration these values may be different - but if you always run CHECK at the same place in your AUTOEXEC.BAT they must always be the same.

BIOS
  /SO [file] - save the BIOS data area.
  /O  [file] - compare the BIOS data area to the saved one.
  The BIOS data area contains system information - it again depends on the installed drivers, other resident programs, etc. Not the whole BIOS data area is checked - there is data used by the timer, display, etc. - these values are always different.

CMOS
  /SC [file] - save the CMOS.
  /C  [file] - compare the CMOS to the saved one.
  The CMOS is the battery-powered storage. If the check fails it's probably due to a battery power-down, but a few viruses can destroy the CMOS contents or use it to store data.

BOOTSECTOR
  /SB [file] - save the boot sector.
  /B  [file] - compare the boot sector to the saved one.
  If CHECK detects that a boot sector was modified, it's almost sure that a virus infection has occurred. Use REPAIR to remove the virus.

VALIDATE
  /SV [file] - save checksums for the files on the specified drives.
  /V  [file] - compare the checksums for each validated file on the specified drives.
  It will detect modified files. CHECK uses CRC algorithms for checksums. It uses the same polynomials as the McAfee VALIDATE and SCANV programs. Many thanks to Gary P. Mussar for the algorithms. The data is stored in a text file, so you can view it easily - each line in the file consists of the filename, both checksums and the file size.

CODE CHECK
  /SJ [file] - save some code information for the files on the specified drives.
  /J  [file] - check the code of the filenames in the specified file.
  It will detect modifications in files. A virus cannot exist without certain instructions - this option checks the code of the executables for certain modified / new instructions. This method is not as reliable as the validation, but it's much faster and gives you additional security. Note that this method will discover viruses, but possibly not destroyed or modified data. Also, note that unlike the /V option the /J option doesn't require drives to follow. It will just check the files on the drives you specified with the /SJ option.

MBR
  /SR  [file] - save the MBR of the default disk (0).
  /R   [file] - compare the MBR to the saved one.
  /SR0 [file] - same as /SR.
  /SR1 [file] - same as /SR0 but for disk 1.
  /R1  [file] - same as /R0 but for disk 1.
  The MBR is the Master Boot Record of your hard disk. Each physical hard disk has only one MBR. The MBR contains the code to load the boot sector of the active (bootable) partition, and the partition table. There can be more than one partition table on your hard disk if you have extended partitions. CHECK will save all partition tables, but you should have only one extended partition per partition table - the DOS command FDISK will NOT allow you to create a second extended partition in the same table, but theoretically it's possible (with other partitioning programs, a table created directly with a disk editor, ...).

MEMORY
  /SM [file] - save the memory map.
  /M  [file] - compare...
  You should always run CHECK with this option at the same place.
  When you use /SM, or if the memory map is modified, the map will be displayed. It has the following format:

    Block  Type  Owner  Owner's-PSP   Env  Size       Name
    xxxx   X     XXXX   (PSP xxxx:0)  Env  xxx bytes  nnnnnn

  Block is the segment address of a block; type should be M or Z (Z means last block); owner shows who owns this block; env shows if the block is used for a program environment; name is the name of the program taken from the environment - note that programs are free to modify the environment, so don't rely on this name. Also, if you start a protected mode application (like QEMM386) it could destroy the environment of some resident programs (I don't know the reason for that), and COMMAND.COM doesn't have a name.

  If you use an EMS manager (such as EMM386.EXE) you will see a total amount of memory 16 bytes less than 640K - that's because the first UMB starts at 9FFF:0 (16 bytes before the 640K limit). If you don't use EMS the total amount of memory should be exactly 640K (655360 bytes).

UPPER MEMORY
  /SU [file] - save the upper memory map.
  /U  [file] - compare...
  Just like /SM and /M but for the upper memory (640K to 1 MB). Note that you need a driver (such as EMM386.EXE) to use UMBs (upper memory blocks). Without such a driver CHECK /SU and CHECK /U won't work.

  /SD - same as using the options /SR /SB /SI /SM /SO /SC
  /D  - same as using the options /R /B /I /M /O /C
  Some important files like COMMAND.COM and the system drivers will be validated/checked as well.

  /N - warn about new files which are not checked.
  /A - validate/check all files (not only the executables). You shouldn't need that.
  /L [file] - log to file (write report).
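As an added example (not part of CHECK or this README), here is a small Python checker that mirrors the /SV and /V data file described under VALIDATE above: one text line per file with the name, two CRCs and the size, plus the /N style warning for new files. The CRC-16 polynomial and the set of executable extensions are assumptions, not CHECK's documented values.

```python
import tempfile
import zlib
from pathlib import Path
EXECUTABLE_SUFFIXES = {".exe", ".com", ".sys"}  # assumed file types for /SV; the README lists none

def crc16(data: bytes) -> int:
    """Reflected CRC-16, polynomial 0x8005 (assumed; the README names no polynomial)."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def checksum_file(path: Path) -> tuple:
    data = path.read_bytes()
    return crc16(data), zlib.crc32(data) & 0xFFFFFFFF, len(data)

def executables(root: Path) -> list:
    return sorted(p for p in root.rglob("*") if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES)

def save_checksums(root: Path, datafile: Path) -> None:
    """Like /SV: one text line per file holding the name, both checksums and the size."""
    lines = []
    for p in executables(root):
        c16, c32, size = checksum_file(p)
        lines.append(f"{p.relative_to(root).as_posix()} {c16:04X} {c32:08X} {size}")
    datafile.write_text("\n".join(lines) + "\n")

def compare_checksums(root: Path, datafile: Path) -> dict:
    """Like /V plus /N: modified files, files gone since the save, and new unchecked files."""
    saved = {}
    for line in filter(None, datafile.read_text().splitlines()):
        name, c16, c32, size = line.rsplit(None, 3)  # rsplit keeps spaces inside the name intact
        saved[name] = (int(c16, 16), int(c32, 16), int(size))
    current = {p.relative_to(root).as_posix(): p for p in executables(root)}
    new = sorted(n for n in current if n not in saved)
    modified = sorted(n for n in current if n in saved and checksum_file(current[n]) != saved[n])
    return {"modified": modified, "new": new, "missing": sorted(set(saved) - set(current))}

def demo() -> dict:
    """Constructed scenario: save, then append bytes to one file and drop a new file in."""
    root = Path(tempfile.mkdtemp())
    edit = root / "EDIT.COM"
    edit.write_bytes(b"\xb4\x4c\xcd\x21")  # constructed sample bytes
    (root / "MOUSE.COM").write_bytes(b"\x90" * 64)
    save_checksums(root, root / "VALIDATE.DAT")
    edit.write_bytes(edit.read_bytes() + b"\xeb\xfe")  # simulated appended code
    (root / "NEW.EXE").write_bytes(b"MZ")
    return compare_checksums(root, root / "VALIDATE.DAT")
```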
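Another added example, not from the CHECK sources: parsing a 512-byte MBR into boot code and partition table entries and comparing it against a saved copy, as /SR and /R do, including the "more than one extended partition in one table" case the MBR section warns about. The sample sector and its stub boot code are constructed; the extended partition type codes are the standard DOS values.

```python
import struct

EXTENDED_TYPES = {0x05, 0x0F}  # DOS extended and Win95 LBA extended partition types
ENTRY = "<B3xB3xII"            # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, raw table bytes and the used partition entries."""
    if len(sector) != 512 or sector[510:] != b"\x55\xAA":
        raise ValueError("not an MBR: wrong length or missing 55AA signature")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY, sector, 446 + 16 * i)
        if ptype:
            entries.append({"active": status == 0x80, "type": ptype, "lba": lba,
                            "sectors": count, "extended": ptype in EXTENDED_TYPES})
    return {"code": sector[:446], "table": sector[446:510], "entries": entries}

def compare_mbr(saved: bytes, current: bytes) -> list:
    """Report what differs between an MBR saved with /SR and the one read now with /R."""
    old, new = parse_mbr(saved), parse_mbr(current)
    findings = []
    if old["code"] != new["code"]:
        findings.append("boot code modified")       # per the README, almost surely an infection
    if old["table"] != new["table"]:
        findings.append("partition table modified")
    if sum(e["extended"] for e in new["entries"]) > 1:
        findings.append("more than one extended partition in one table")
    return findings

def build_mbr(code: bytes, entries: list) -> bytes:
    """Constructed test MBR: boot code padded to 446 bytes plus (status, type, lba, count) entries."""
    sector = bytearray(512)
    sector[:len(code)] = code
    for i, entry in enumerate(entries):
        struct.pack_into(ENTRY, sector, 446 + 16 * i, *entry)
    sector[510:] = b"\x55\xAA"
    return bytes(sector)

def demo() -> list:
    """Constructed scenario: a saved MBR versus one whose first two code bytes were altered."""
    table = [(0x80, 0x06, 63, 204737), (0x00, 0x05, 204800, 409600)]
    clean = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", table)  # stub bytes, not real boot code
    patched = bytearray(clean)
    patched[:2] = b"\xeb\x3e"                                    # simulated code change
    return compare_mbr(clean, bytes(patched))
```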
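A third added example (not from CHECK): a parser for the memory map layout shown above, a comparison that reports new or changed blocks like /M, and a helper that lists the blocks one PSP owns, which is what REPAIR's /F option in section 7 is given. The BEFORE/AFTER maps are constructed, modelled on the MOUSE.COM lines in the REPAIR example; the "Free" owner of the last block is an assumption.

```python
import re

# Map lines as the README prints them: Block Type Owner (PSP xxxx:0) [Env] size bytes Name
LINE = re.compile(r"^([0-9A-F]{4})\s+([MZ])\s+(\S+)\s+\(PSP ([0-9A-F]{4}):0\)\s+(Env\s+)?(\d+) bytes\s*(.*)$")

def parse_map(text: str) -> dict:
    """Return {block segment: fields} for every line that matches the map layout."""
    blocks = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            seg, typ, owner, psp, env, size, name = m.groups()
            blocks[seg] = {"type": typ, "owner": owner, "psp": psp,
                           "env": env is not None, "size": int(size), "name": name}
    return blocks

def compare_maps(saved: str, current: str) -> dict:
    """Like /M: blocks that appeared, vanished or changed owner/PSP/size since /SM."""
    old, new = parse_map(saved), parse_map(current)
    key = lambda b: (b["owner"], b["psp"], b["size"])
    changed = [s for s in old if s in new and key(old[s]) != key(new[s])]
    return {"new": sorted(set(new) - set(old)), "gone": sorted(set(old) - set(new)), "changed": sorted(changed)}

def blocks_of_psp(text: str, psp: str) -> list:
    """Segments owned by one PSP, i.e. the values REPAIR's /F option would be given."""
    return sorted(seg for seg, b in parse_map(text).items() if b["psp"] == psp.upper())

# Constructed maps: before and after loading a mouse driver
BEFORE = """\
0800 M COMMAND (PSP 0800:0) Env 256 bytes
0811 M COMMAND (PSP 0800:0) 1568 bytes
08D3 Z Free (PSP 0000:0) 620000 bytes
"""
AFTER = """\
0800 M COMMAND (PSP 0800:0) Env 256 bytes
0811 M COMMAND (PSP 0800:0) 1568 bytes
0900 M App. (PSP 090B:0) Env 160 bytes C:\\DOS\\MOUSE.COM
090A M App. (PSP 090B:0) 8880 bytes C:\\DOS\\MOUSE.COM
0B35 Z Free (PSP 0000:0) 610000 bytes
"""
```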
6. EXAMPLES:

The following will use the directory c:\tmp\check for the default data files, will create a logfile in the same directory named DDMMhhmm.LOG (day, month, hour, min), and will store the MBR of the physical disk 0 and the boot sectors of the logical drives C: and D: in the default files:

  CHECK /W c:\tmp\check /L /SR /SB c: d:

This one will check all the files on the drives D: and E: against the default file VALIDATE.DAT in C:\CHKDATA:

  CHECK /W c:\chkdata /V d: e:

The following will store the interrupts and the memory map in the files c:\ints.dat and c:\mm.bin:

  CHECK /SI c:\ints.dat /SM c:\mm.bin

7. REPAIR MANUAL:

REPAIR version 1.2

REPAIR will restore values from files saved with CHECK.

CAUTION! Before using REPAIR to restore the MBR or BOOT SECTOR you should boot from a clean, write-protected diskette (REPAIR should be on a clean, write-protected diskette too)! You can use the disk created with MAKEBOOT.BAT for that purpose.

USAGE:

  repair [options]

Typing just 'repair' or 'repair /?' will display short usage info.

OPTIONS:

  /C - restore the CMOS
  /D - restore the BIOS data area
  /I - restore the interrupt vectors
  /F <block> - free the memory block at <block>:0

The options /I and /F can be used to remove TSRs (Terminate and Stay Resident programs) from memory - some TSRs don't have an uninstall option - but it's very unlikely that you can remove a resident virus this way (Don't try it!).

Example for removing a TSR:

  C:\USR>check /si intr.dat
  C:\USR>mouse
  C:\USR>check /sm mem.dat
  ...
  0900 M App. (PSP 090B:0) Env 160 bytes C:\DOS\MOUSE.COM
  090A M App. (PSP 090B:0) 8880 bytes C:\DOS\MOUSE.COM
  ...
  C:\USR>repair /i intr.dat /f 0900 /f 090A

Other options:

  /B [file] <drive> - restore the boot sector of <drive>.
  Example:
    A:\>repair /B bs1.dat c:

  /M [file] <disk> - restore the MBR and all partition tables of <disk>. <disk> is again your physical hard disk - it must be 0 or 1.
  Example:
    A:\>repair /M mbr.dat 0

REPAIR doesn't have an option to 'clean' infected files.
If CHECK detects that an executable file was modified, and you're sure you have not modified this file yourself (installing a new version, recompiling the sources, etc.), I recommend deleting the file. A good virus scanner could recognize and remove the virus (if it's a known virus) but possibly could not restore the file to its original state. It can happen that a scanner thinks it has recognized one virus but the file is infected with a different virus, or even a new version of the same virus, and this can lead to serious problems (like the virus remaining in the file). That's why it's reasonable to keep backups of all your files. Keep in mind that some programs are able to modify themselves or other executables - for example to write configuration data, some antivirus programs add data to the files, etc.