July, 1995

Product upgrade, 6.02A
----------------------

IVX major upgrade.
New features were added to IVX, enabling automatic signature extraction and signature scanning. IVX now creates its own signatures database from sampled files. The extraction of the signatures is automatic and does not require any special skills. The signatures can then be used to scan for their presence in other files. IVX also accepts user-defined signatures, by editing the database with an ASCII editor. An average user can now easily generate a signature for a new virus and announce it on the net or elsewhere, and IV users can scan for the presence of new viruses announced on the net. The new features of IVX reduce the response time to new virus alerts. The algorithm of IVX in statistical mode was refined and its detection capability improved, especially against some of the more difficult polymorphs, such as MtE viruses.

IVB daily test under Win 95, bug fix.
In former versions, the IVB DAILY test repeated itself on every boot when booting into Win 95 DOS. The bug was traced to IVINIT and was fixed. IV 6.02A is compatible with Win 95 DOS.

IVB history file.
The IVB.RPT file is overwritten when a new report is created. In a networked environment, the current daily report will now be appended to the IVB.HIS (history) file. The implementation is through the AUTOEXEC file, by adding a couple of lines after the IVB DAILY command. The appropriate lines are added automatically by the INSTALL program when installation from a server is detected (or selected, in INSTALL's main menu). To add this feature to an existing installation, add the following lines to the autoexec, after IVB DAILY:

    IF EXIST \IVB.RPT COPY \IVB.HIS+\IVB.RPT \IVB.HIS
    IF EXIST \IVB.RPT DEL \IVB.RPT

Licensing for OS/2 and Win 95.
In version 6.02, InVircible's license reverted to Sentry when in Windows' or OS/2's DOS shell. Version 6.02A fixed that problem.
Yet, you will need to run IV once in real DOS in order to upgrade your license from a former version to 6.02A. This procedure does not apply to new licensed users, since the license can be installed to disk only in REAL DOS mode.

Detection of PKLITE'd droppers and Trojans.
During the last year, several droppers and Trojans were found that used PKLITE in order to conceal the gen-1 file. Gen-1 is the designation of the first generation of a virus, usually the one used to launch the virus. While scanners usually find the offspring, the gen-1 file will not be suspected, as many times it isn't recognized as a compressed file, because the PKlite marks were removed or disguised. The most recent case that used the PKlite method is related to the Big Caibua virus. The detection of potential droppers was added to IVscan, as the default. This feature should help SysOps and network administrators keep their boards and systems clean.

Improved IVB signatures.
Functional changes were made in order to improve IVB's discrimination between viral and non-viral (legal) modification of programs, as well as to improve the signatures' immunity to dedicated virus attacks (for details read the attached SECURITY.TXT file). The new signatures are no longer compatible with lower versions of IVB. To avoid confusion, or the loss of the former database, the default filename of the signature files was changed to IVB˙.NTZ. Note that there is a trailing character 255 (it looks like a space, but it is not!) between the IVB filename and the .NTZ extension.

Micro House boot driver awareness.
IV version 6.01D was aware of the WD large capacity IDE, using the Disk Manager 6.03 dynamic boot driver. Other brands like Seagate are using the Micro House boot driver for their Decathlon models (540+ MB). In lower versions, IVinit indicated that the partition was "faked". This was objectively true, but it didn't indicate the presence of a virus.
It actually detected the stealth used by the boot driver, since this is exactly how these drivers work. These special boot programs load a special driver during the boot process and use stealth to protect the special MBR from being accidentally overwritten, by FDISK/MBR for example. From version 6.02A, InVircible is aware of the possibility that a Micro House boot driver or DM 6.03 is used.

No escape in Sentry mode.
System administrators asked to prevent Sentry users from escaping IVB's daily full check. The Esc key is therefore disabled during the daily scan; adding the /ESC switch to the command line re-enables it. This change applies only to the Sentry mode.

IVB exceptions list.
There are instances when you may want to exclude a file from IVB's list of files to process. IVB now has provisions to exclude up to 5 filenames. Edit IVB.INI in the IVB.EXE directory with an ASCII editor, or create a new file with that name if it doesn't exist yet. Add a line for each file to exclude, as follows:

    SKIP = EXCLUDE.BIN

The CMOS "Restore" option was removed from IVINIT in Sentry mode.

IVINIT bug fix.
The errorlevel returned by IVINIT in case of a suspicious finding should be 1, and 0 when there is no finding. Due to a bug in former versions this wasn't always the case. The bug was fixed.

INSTALL/R bug fix.
The rescue diskette procedure couldn't find the SYS.COM (or SYS.EXE) file in the search path if the DOS directory was after character 64 in the environment string 'PATH', and the process aborted. The problem is now fixed.

Product upgrade, 6.02
---------------------

The major change in version 6.02 is the handling of large capacity IDE drives. These drives appeared on the market in mid 1994 and they are now quite common. Several enhancements to handle the large capacity IDE were already introduced in version 6.01D.
The new drives present technical challenges in the area of disaster recovery and vulnerability to boot and MBR viruses that were unforeseen by both the drives' producers and the AV industry. Version 6.02 consolidates the former enhancements and lays the grounds for further improvements, especially in the disaster recovery area of these drives. Read also in UPGRADE.TXT how to upgrade your licensed copy of InVircible.

Licensing of large capacity IDE.
The installation of the license record to a large capacity IDE drive was impossible with earlier versions if the Ontrack extended boot driver (DM 6.03+) was used. It could be done only with a plain FDISK partition, using the LBA (logical block access) option in the setup. Version 6.02 allows the licensing of these drives too.

Version 6.02 consolidates changes made to the hardware access routines used in InVircible, to suit the newer fast-access hard disks and boards (100 MHz and higher). Hardware access is sensitive to timing, and new industry standards were introduced in the last year. Therefore, we recommend that InVircible copies earlier than 6.01D be upgraded. Versions 6.01B and 6.01C still have some slow routines that won't work properly with the newer fast disks. Also, versions earlier than 6.01D still have a routine that conflicts with a design defect in some older models of Maxtor hard drives. The problem was identified by NetZ Computing and acknowledged by Maxtor. From version 6.01D on, there should be no problem anymore, all Maxtor models included. Still, if you have a large capacity IDE hard drive, we strongly recommend that you upgrade to 6.02.

Bug fix in INSTALL.
Some DOS variants use SYS.EXE instead of SYS.COM. In former versions, the procedure for preparing the rescue diskette looked only for SYS.COM and refused the use of SYS.EXE. The bug was fixed.

ResQdisk improvement: fixing the boot sector via DOS, the ResQdisk ^B function.
There are instances when the boot sector of hard drive #1 is infected and cannot be accessed via the regular int 13 functions. Such is the case with the newer large capacity IDE drives. The active partition's boot sector can then be refreshed through the ^B key combination. The ^B function operates on the boot sector the same way FDISK/MBR does on the MBR: it refreshes the bootstrap code without affecting the BPB data. The ^B function should only be used when booted from the hard drive.

Temporary files handling, bug fix.
Former versions of InVircible used a couple of fixed names, SOFIA and \WRITEST, to perform certain tasks. If a file named SOFIA was present in the current directory while executing any of the IV self-protected modules, that file was erased. The same would happen to a file named WRITEST, if present in the root directory, while IVinit or IVtest were run. These routines slipped by, since no incident was reported in regard to them during the five years they were in use. Recently, an incident was reported in which a file named SOFIA was erased while executing an IV module. Therefore, the routine responsible for this has been changed and fixed. InVircible now uses only unique names (not in use by the user) for its temporary and bait files. Note that no files other than those named SOFIA or \WRITEST were of any concern in former versions.

Long pathname handling in networks, bug fix.
Pathnames under DOS are limited to 64 characters. Yet it is possible to create pathnames of up to 255 characters (the maximum length allowed for strings). Such a condition is encountered on file servers. In such instances InVircible hung when scanning a network file server containing directories with pathnames longer than the DOS limit. The problem existed only in the sweeping programs: IVB, IVscan, IVX and IVmenu.
It is now possible to scan with IV's sweepers (except for IVmenu) across file structures that have directories with pathnames longer than the DOS limitation. The limitation in IVMENU remains as before. The reason for this is that IVMENU allocates memory for keeping track of up to 500 directories, with pathnames no longer than the 64-byte DOS limit. We need some memory left over for some useful job to be done, other than just showing the user a nice directory tree. :-) We could thus provide the same in IVMENU, but only for 125 directories, if the pathname length were to be 255 characters. This would be inadequate for most users, who have more than 125 directories in a partition, and fewer than 500. If you want to use IVMENU on file servers containing directories with long pathnames, use the network "map" function to define volumes for sub-trees of the root, and then use IVMENU on the new logical drive, as usual.

Product upgrade, 6.01D
----------------------

Improved installation procedure.
The installation of IV will now run without needing to change the current directory. Just type the full pathname of where IV's INSTALL program is.

Daily inspection for companion viruses.
The companion virus verification was added to IVB, since IVB runs daily. The same routine is retained in IVscan, for operational redundancy.

Keeping track of the last inspected drive.
In former revisions of IV there was a need to manipulate the COMSPEC variable in order to keep track of the last drive checked by IVB DAILY. Now, just issue the IVB DAILY command and the tracking record will be updated according to the current environment settings. Only make sure to always run the DAILY check from within the same environment shell. This improvement is especially useful to LAN administrators.

The user interface in ResQdisk was improved further.
The newer features were grouped in three menus: Edit (accessible by pressing ^E), Track Zero maintenance (^Z) and Analyze sector (^A). Also, the new ^B function was added. The latter will refresh the boot sector of drive C: while accessing it via DOS instead of the BIOS, and is the equivalent of the SYS C: command. The ^B function is helpful in removing boot sector viruses such as Da'Boys, Boot-437, Form etc. IVinit was enhanced to automatically invoke ResQdisk when needed. From now on, most boot / MBR infectors can be handled right at startup.

Improved editing features in ResQdisk.
Additional editing features were added to ResQdisk. The sequence ^E ^F will read a file into the sector clipboard, while ^E ^D drops the content of the displayed sector into a file. The combination ^E ^Y will decrypt an encrypted sector into the clipboard and display it on screen. The latter is especially useful for the recovery of damaged hard drives, e.g. from the Monkey virus. It is indispensable for rescuing hard drives lost to inappropriate disinfection procedures, like FDISK/MBR, or inadequate antiviral products. The above further improve ResQdisk as the best disaster recovery and boot-antiviral utility.

Improved "track 0" maintenance features.
ResQdisk is used in the rescue diskette for backing up track zero of the hard disk to floppy and for restoring track zero from file to the hard drive. The "track 0" functions are now available on-line, with the visual inspection of ResQdisk, in both SeeThru modes (backup only; recovery is always done with SeeThru off). The track 0 functions are started by the ^Z key combination, followed by ^B for backup to file or ^R for restore from file. Either the Ctrl (^) or the Alt key can now be used for the editing and "track 0" functions. For on-line help press Alt+H while running the ResQdisk program.

Making a rescue diskette for other than standard configurations.
The rescue diskette procedure in the INSTALL program was improved to simplify the preparation of a rescue diskette in configurations containing drivers other than Stacker, DoubleSpace or Disk Manager. For details read the on-line documentation.

Improved resistance to IV-dedicated viruses.
The first virus aimed at "killing" IV's signatures has been reported, and a sample was analyzed by NetZ. It is recommended that users change the default filename of the signatures to one of their own definition. The signature files are no longer traceable as IV's, and cannot be identified as such -- provided you don't leave them with the default name. The new signatures are fully downward compatible with the former ones, and there is no action that a user needs to take in this regard.

Random signatures filename.
When installing InVircible through IVlogin, a random signatures filename will be selected. IVLOGIN can be used for standard installation with the default parameters. The random signature filename will be implemented on first-time installation only, and with the default installation parameters only (to C:\IV).

Compatibility with large capacity IDE.
IVTEST was corrected to ignore the dynamic boot loader of large capacity IDE disks. Revision 6.01C was compatible only with Ontrack's Disk Manager extended BIOS drivers (XBIOS.OVL). The new revision is also compatible with other brands recently introduced into the market, e.g. Micro House.

Troubleshooting with IV.
New text was added to the on-line help in regard to troubleshooting problems with IV. There is guidance on how to detect an IDE controller that is incompatible with your hard drive, as well as disclaimers about a couple of hardware items: Promise hard drive controllers with disk cache, and certain models of Maxtor's hard drives.

Further improvement for use in networked environments.
IVMENU, the integrated menu shell, was upgraded to avoid conflicts in certain Netware environments.
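The 6.01D notes above add a daily companion-virus check to IVB without describing how it works. The page does not give IVB's method; the added Python example below is not InVircible code but the classic structural check for the DOS companion technique: a companion drops NAME.COM beside an existing NAME.EXE and relies on COMMAND.COM running the .COM first, so every .EXE with a same-named .COM sibling is worth a look. The sample directory tree, its file names and their contents are constructed for the example.

```python
"""Companion-virus check over a directory tree (added example, not IVB's own code).

A DOS companion virus never modifies the host executable, so checksums on the
.EXE stay valid. The tell-tale is purely structural: a NAME.COM next to a
NAME.EXE, since COMMAND.COM resolves NAME to the .COM before the .EXE.
"""
import os
import tempfile


def find_companion_pairs(root):
    """Return sorted (relative directory, basename) pairs where both
    NAME.COM and NAME.EXE exist in the same directory.

    Names are compared case-insensitively, as DOS does.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        by_stem = {}
        for name in filenames:
            stem, ext = os.path.splitext(name)
            by_stem.setdefault(stem.upper(), set()).add(ext.upper())
        for stem, exts in by_stem.items():
            if ".COM" in exts and ".EXE" in exts:
                hits.append((os.path.relpath(dirpath, root), stem))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed sample tree in a temp dir and return its root.

    The layout and file names are invented for this example; FORMAT and
    PKZIP get a .COM twin, the GAMES directory is clean.
    """
    root = tempfile.mkdtemp(prefix="iv_companion_")
    layout = {
        "DOS": ["FORMAT.COM", "FORMAT.EXE", "EDIT.COM", "XCOPY.EXE"],  # FORMAT is suspect
        "UTIL": ["PKZIP.EXE", "pkzip.com"],                           # case differs, still a pair
        "GAMES": ["DOOM.EXE", "SETUP.EXE"],                            # clean
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            # Minimal stand-in contents: an MZ header for .EXE, a jmp $ for .COM
            body = b"MZ" if name.upper().endswith(".EXE") else b"\xEB\xFE"
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for where, stem in find_companion_pairs(root):
        print(f"suspect companion pair: {where}\\{stem}.COM / {stem}.EXE")
```

A real daily run would report the pair rather than delete anything, since legitimate pairs exist (a vendor shipping both a .COM loader and an .EXE); the value of running it daily, as the notes say of IVB, is that a new pair stands out against yesterday's list.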
January, 1995

Product upgrade, InVircible 6.01C
---------------------------------

Improved performance in networked environment:
Revision 6.01C has further improvements for the operation of InVircible in the networked environment. All the scanning modules, IVB, IVscan and IVX, were revised to avoid Novell's Netware files. The verification of Netware files under DOS created errors because of the special attributes of Netware's system files. IV's current revision avoids these files.

Updated manual:
The use of IV in a network environment, as well as the strategy for how to disinfect the server and network, are covered in a new appendix in the manual text.

Automatic IV version upgrades in network:
IVLOGIN can now be used both for the automatic installation of InVircible to workstations in a networked environment and for the upgrading of an older IV version to a newer one. IVLOGIN checks whether its own version is newer than the one currently installed on the hard drive. An older version will be automatically replaced by the new one, by just invoking IVLOGIN. It is recommended that the IVLOGIN command always be included in the users' login script, in networks.

Improved piggybacking detection:
Revision 6.01C has higher sensitivity of piggybacking detection. The detection threshold has been lowered to detect piggybacking within few affected files. The improved sensitivity has no effect on speed, since the loss in speed was compensated for with a better search algorithm.

New "copy and paste" functions in ResQdisk:
It is an advantage to have editing capability for the master and boot sectors of the hard disk. ResQdisk can now copy the content of a displayed sector to the clipboard, by the ^E ^R sequence, then paste it elsewhere by pressing ^E ^W. The copy and paste functions are useful to recover from MBR and boot sector viruses that relocate the original sector elsewhere, usually on track 0.
The copying and pasting of the original sector can be done under the visual control of ResQdisk. The new functions can be used to store copies of the critical sectors (MBR and boot sectors) in the unused section of track 0, usually from sector 2 to the last sector on the track. Avoid using sector 3 (used by Monkey), 7 (Stoned, Michelangelo), 8 (used by Disk Manager - not a virus), 17 (B1-NYB), 13 (NewBug) and the last sector (Quox and a few others).

December 1994

Product upgrade, InVircible 6.01B
---------------------------------

Installation of InVircible on networked PCs:
Revision 6.01B has an additional file, IVLOGIN.EXE. As its name implies, it is used from the user login script in networks. When a workstation connects to the network, IVLOGIN verifies whether it has a hard drive, and whether InVircible is installed on that disk. If not, INSTALL/FAST is invoked to install IV to the hard disk. The LAN administrator is only required to install IV to the server and add the IVLOGIN command to the user login script. The rest is done automatically.

IVB upgrade:
Some lame viruses affect *.SYS and *.OVL files, if they have an executable structure (usually an EXE one). Thus, *.SYS and *.OVL files were added to IVB's coverage. These files are now secured by IVB, and can be recovered in case they get infected.

ResQdisk upgrades:
There were disk configurations that ResQdisk didn't recognize properly. These were found mostly on Compaq models having a special partition dedicated to proprietary diagnostics, coming first, before the DOS active partition. ResQdisk was upgraded to accommodate these configurations too. In addition, ResQdisk had a few fixes to assure its proper functioning with the new mode 3 and 4 IDE standards and EIDE, as well as with large capacity SCSI drives. This now covers all hard disk types used in personal computers.

Install upgrades:
The French version of InVircible now configures the rescue diskette to start with a French keyboard.
Install also takes care to REM out the Thunderbyte TSR in the autoexec at the installation of IV. The TB TSR intercepts IV's initialization checks and may crash the system. Also, Install will now install the IV registration key to hard drives having the Compaq configuration (see ResQdisk, above).

User interface updates:
Both the IVB and IVSCAN command line syntax have been improved. The [d:] argument, where d represents a drive letter, will now start the program from the drive's root instead of the current directory. For the default directory just don't give any drive argument.
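The ResQdisk ^B function described in the 6.02 and 6.01D notes above refreshes the bootstrap code of a boot sector while leaving the BPB data untouched, the way FDISK/MBR refreshes the MBR code while leaving the partition table untouched; the 6.01C notes rely on the same layout knowledge when copying critical sectors to spare track 0 sectors. The added Python example below is not InVircible code and does not touch a disk: it works on constructed 512-byte sectors and uses placeholder bytes for the "clean" code, so that the byte ranges preserved by each refresh are explicit. It goes slightly beyond the text by handling both sector types in one place. The layout assumption is the DOS-era one: MBR code in bytes 0..445, partition table at 446..509, signature 0x55AA at 510; FAT boot sector jump at 0..2, OEM name at 3..10, DOS 4+ extended BPB ending at offset 0x3E, bootstrap code from 0x3E to 509.

```python
"""Refresh bootstrap code while preserving the structures that describe the
disk. Added illustration of what ResQdisk's ^B (boot sector) and FDISK/MBR
(master boot record) do; not InVircible code. Sectors here are constructed
and the "clean" code passed in is placeholder bytes, not real boot code.
"""

SECTOR = 512
SIG_OFF = 510                 # 0x55AA boot signature
PT_OFF = 446                  # MBR partition table: 4 entries x 16 bytes
BPB_END = 0x3E                # end of DOS 4+ extended BPB (assumption, see lead-in)
JUMP_LEN = 3                  # boot sector starts with a 3-byte jump


def _check(sector):
    if len(sector) != SECTOR:
        raise ValueError("sector must be exactly 512 bytes")
    if sector[SIG_OFF:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")


def refresh_mbr(infected, clean_code):
    """Replace the MBR code area only; partition table and signature survive.

    This is the FDISK/MBR behaviour the notes compare ^B to.
    """
    _check(infected)
    if len(clean_code) > PT_OFF:
        raise ValueError("clean MBR code must fit in 446 bytes")
    code = clean_code.ljust(PT_OFF, b"\x00")
    return code + infected[PT_OFF:SIG_OFF] + b"\x55\xAA"


def refresh_boot_sector(infected, clean_jump, clean_code):
    """Replace jump and bootstrap code only; OEM name, BPB and signature survive.

    This is the ^B behaviour: the BPB (geometry, cluster size, FAT layout)
    is what makes the partition readable, so it must come from the disk.
    """
    _check(infected)
    if len(clean_jump) != JUMP_LEN:
        raise ValueError("jump must be 3 bytes")
    if len(clean_code) > SIG_OFF - BPB_END:
        raise ValueError("clean bootstrap code must fit in 448 bytes")
    code = clean_code.ljust(SIG_OFF - BPB_END, b"\x00")
    return clean_jump + infected[JUMP_LEN:BPB_END] + code + b"\x55\xAA"


def data_preserved(before, after, data_ranges):
    """True if every (start, end) byte range is identical in both sectors."""
    return all(before[s:e] == after[s:e] for s, e in data_ranges)


def make_samples():
    """Constructed sample sectors: an 'infected' MBR and boot sector whose
    code areas are filled with 'V' so replacement is visible."""
    # One active FAT16 partition entry (constructed values), then 3 empty entries.
    pt = bytes([0x80, 1, 1, 0, 0x06, 0xFE, 0x3F, 0x7F,
                0x3F, 0, 0, 0, 0x41, 0x10, 0x20, 0]) + b"\x00" * 48
    mbr = b"\xEB\xFE" + b"V" * (PT_OFF - 2) + pt + b"\x55\xAA"
    # BPB fields (bytes/sector 512, 8 sectors/cluster, ...) then padding to 0x3E.
    bpb = (b"\x00\x02\x08\x01\x00\x02\x00\x02\x00\x00\xF8\x20\x00\x3F\x00\x10\x00"
           + b"\x00" * (BPB_END - 11 - 17))
    boot = b"\xEB\x3C\x90" + b"MSDOS5.0" + bpb + b"V" * (SIG_OFF - BPB_END) + b"\x55\xAA"
    return mbr, boot


if __name__ == "__main__":
    mbr, boot = make_samples()
    clean_jump, clean_code = b"\xEB\x3C\x90", b"\xFA\x33\xC0"   # placeholders
    new_mbr = refresh_mbr(mbr, clean_code)
    new_boot = refresh_boot_sector(boot, clean_jump, clean_code)
    print("partition table kept:", data_preserved(mbr, new_mbr, [(PT_OFF, SECTOR)]))
    print("BPB kept:", data_preserved(boot, new_boot, [(JUMP_LEN, BPB_END), (SIG_OFF, SECTOR)]))
```

The same ranges explain the 6.01C advice about spare track 0 sectors: a copy of the MBR pasted there is only useful if it still carries its partition table, so a paste should be verified with the same range comparison before the original is overwritten.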