HS v3.5, Boot Virus detection and repair

Contents

1. What is HS?
2. Benefits of this program
3. Compatibility
4. Installation
5. Features
6. How good is HS?
7. Error messages, and other messages from HS
8. Disclaimer, Licensing, Prices, Address


1. What is HS?

HS v3.5 is a small program written to protect against boot viruses. It checks for changes in the boot sectors of your harddisk (the Master Boot Record and the DOS Boot Record). It will find almost any boot virus, notify you of the virus, and cold boot your machine after removing the virus. A copy of the infected boot sector is stored for later examination.

I wrote the program because I couldn't find the virus protection setup I wanted. My program executes in less than a second, and generates no output to the screen as long as no virus is detected. You will no longer waste your time on boot virus infections!


2. Benefits of this program

A) Very fast
B) Easy to install
C) Catches almost any boot virus
D) Small (less than 5 KB)
E) Automatic removal of detected viruses
F) Works with stealth viruses (even hardware stealth)
G) Does not need regular upgrades
H) Inexpensive


3. Compatibility

HS supports:

  PCs and PS/2s
  DOS 3.2 --> 7.0
  DR-DOS 6.0 & Novell DOS 7.0
  OS/2 2.0's Boot Manager
  Windows NT's FlexBoot

HS will not RUN under OS/2 or Windows NT, but OS/2 and NT have "multiboot" capabilities and it is possible to use HS when booting DOS on these "multiboot" systems.


4. Installation

1) Make sure your machine is virus free.

2) Copy HS.COM and HS.SYS to your harddisk.

3) Run

     HS.COM /M [drive:][path][Savefile]

   where Savefile is an optional filename for the file containing a copy of the original Master Boot Record and the DOS Boot Record of the active drive. The default name for the Savefile is C:\BOOT.HS.

   Quite a few boot infectors will cause the machine to hang if you use an alternative primary shell (like 4DOS.COM or NDOS.COM instead of COMMAND.COM). It is therefore advisable to invoke HS from your CONFIG.SYS rather than from AUTOEXEC.BAT, as the lines in CONFIG.SYS are processed before control is given to the primary shell. This gives HS a chance to get rid of the virus and restore the machine to a working state before you experience such a crash.

4) Insert a line like

     DEVICE=[drive:][path]HS.SYS [drive:][path][Savefile]

   near the top of your CONFIG.SYS. If this generates a conflict, another possibility is

     INSTALL=[drive:][path]HS.COM [drive:][path][Savefile]

   near the bottom of your CONFIG.SYS. A third possibility is to place a line like

     [drive:][path]HS.COM [drive:][path][Savefile]

   near the top of your AUTOEXEC.BAT.

   If you are running DR-DOS 6.0, you must use the DEVICE= form:

     DEVICE=[drive:][path]HS.SYS [drive:][path][Savefile]

   DR-DOS does not support the INSTALL= statement, and using INSTALL with DR-DOS may cause the machine to hang.

5) Run

     [drive:][path]HS.COM [drive:][path][Savefile]

   from the command line to check that everything works.

6) Reboot your machine to check that it boots without problems.

7) If everything works smoothly without any error messages, HS is properly installed.

8) If you want extra security it is a great idea to make a special recovery diskette. Such a diskette may be used when a boot virus causes the machine to crash before CONFIG.SYS or AUTOEXEC.BAT is processed. For example, a boot virus infection of Form or No_INT will cause the machine to crash or halt if you use the Boot Manager that comes with OS/2 2.1. In such situations a bootable, virus free, write-protected DOS diskette containing HS.COM and its Savefile is all you need to get the machine back to its working state within seconds.

9) If there is a problem you can try to solve it by checking the explanation of the error messages later in this document, or you can contact me by E-Mail. See the end of this document.


5. Features

*) /M [drive:][path][Savefile]

   The /M option has to be used the first time you run HS, and again each time you have repartitioned your harddisk or installed a new version of any operating system you are running on your computer, for example when you upgrade to a newer version of DOS. When you upgrade the BIOS, or change the harddisk controller or harddisk, disable HS and reinstall it: the Savefile is tied to the ROM BIOS INT 13h entry point (see the "BIOS mismatch" message below).

*) When a change in one of your boot sectors is found, HS assumes it is a boot virus. It notifies the user and asks for a key press as confirmation that the user wants to remove the virus. It will cold boot the machine after having removed the virus and dumped the infected boot sector to the file C:\INF.HS.

*) At any time you can TYPE C:\INF.HS to get information about past infections. If no infections have occurred since HS was installed on the machine, no C:\INF.HS file will exist. If your machine has been infected, the file contains a header with time & date of detection and type of infector (MBR or DBR). Below the header the infected boot sectors are stored (max. 13).

*) If you reach 13 infections you will be asked to insert a write-enabled and pre-formatted diskette in drive A:. The file C:\INF.HS will be copied to the diskette and then removed from your harddisk. A request for you to send the diskette to me will appear on the screen, and your machine will cold boot after you have pressed a key. By sending me the diskette with the INF.HS file you may help me to improve my program. However, most people will never reach 13 boot virus infections.

*) HS has only four components:

     HS.SYS    ; The main program, invoked from CONFIG.SYS
     Savefile  ; Datafile with a copy of the MBR & DBR
     INF.HS    ; Infection log
     HS.COM    ; Command line version of HS. Used to install.

*) A virus can trap interrupts and trick programs requesting information about the contents of the sectors where the virus resides. HS does not go through the INT 13h interrupt vector to read the boot sectors of your harddisk; it traces the vector chain to the ROM BIOS disk routines and calls them directly. A virus that hooks INT 13h in the interrupt vector table cannot intercept such a direct call, so HS should not be fooled by a stealth virus. If the entry point cannot be traced back to ROM, HS refuses to run rather than trust a possibly hooked handler (see the "Error tracing BIOS entry point" message below).

*) The Savefile is always checked for validity. If it is destroyed or tampered with, the user is notified and HS will not use it.

*) If you failed to disable HS in your CONFIG.SYS or AUTOEXEC.BAT before you ran FDISK and made changes to the partition table, HS will ask you if you just repartitioned your disk. If you reply positively it will give you a chance to boot from a certified virus free system diskette and update the Savefile of HS by running HS /M [drive:][path][Savefile].

*) A boot virus could remove itself from the harddisk during the boot process and, by hooking one or more interrupts, write itself back after both CONFIG.SYS and AUTOEXEC.BAT have been handled by DOS. To avoid being bypassed by such viruses, HS.SYS performs interrupt vector checking that should catch most viruses using this kind of stealth. HS.COM does not perform such vector checking and does not detect such viruses. As of November 1993 only one virus is known to use this stealth technique. It is recommended to use HS.SYS instead of HS.COM, and to load it as the first device in CONFIG.SYS (place it near the top). The earlier HS.SYS is loaded from CONFIG.SYS, the better the chances are that the vector checking will detect new boot viruses.


6. How good is HS?

HS v3.5 has successfully detected and removed all boot viruses I have tested it against. Since I don't have all known boot viruses (far from it!), I can't claim 100% detection. To do so it would be necessary to run HS against all known viruses, on all possible machines, running all possible configurations. Since new viruses are created every day, it is NOT possible to prove 100% detection of all viruses or, in this case, 100% detection of all boot viruses.
But I don't know of any boot virus that will not be successfully detected and removed by HS, and it should be quite difficult to write a virus that bypasses it.


7. Error messages, and other messages from HS v3.5

--- Unknown partition table format, aborting! ---

None of the four entries in the partition table is set active, making it a non-standard format which HS will not try to handle.

--- BIOS mismatch, HS v3.58 was installed with a different BIOS, reinstall HS! ---

If the ROM BIOS handler for INT 13h has changed since the Savefile was created with the /M option, HS will display this message. Either you are trying to use a Savefile that was created on another machine, or you have changed or upgraded the BIOS, harddisk controller or harddisk. The QEMM ST ("STEALTH") option may also cause this error message.

--- Savefile tampered with, system unprotected! ---

If the Savefile has been damaged or changed in any way, you will get the message shown above. The message may also appear if you specify a file not created by HS.

--- Error in volume label change detection routine, please contact the author. ---

This error message indicates that you are experiencing a situation I never thought would happen in real life. I would then have to make some changes to the code handling the automatic volume-label updating of the Savefile used by HS.

--- Attempt to find entry point with method 3 failed! Contact the author. ---

An error message that may occur on future hardware configurations. If you get this error message I will have to make some changes to the code handling a very rare situation. It concerns VESA Local-Bus harddisk controllers with several different ROM BIOS disk routines. They are chosen during boot, or by setting DIP-switches on the controller card.

--- HS.COM v3.58 Checks integrity of MBR & DBR using previously saved information.
    Syntax: HS [/M] [Savefile]
      Savefile   File containing copy of original MBR & DBR
      /M         Makes copy of MBR & DBR ---

This message appears on the screen if you type HS /? or similar.

--- Error tracing BIOS entry point, probably VIRUS in memory, HS will not run! ---

This message should only appear if you are infected by a virus, or if you have some very special hardware or software installed. Access control packages (e.g., DiskSecure and SafeMBR) may cause this problem. Try booting from a virus free system diskette, then use a scanner and check for viruses. If no viruses are found you could try to run HS /M [drive:][path][Savefile] again.

Some rare configurations may also cause this to happen, for example the ST option ("STEALTH") of Quarterdeck's QEMM386.SYS memory manager, version 6 and above. If you want to use QEMM's STEALTH on a computer running HS, you should use the EXCLUDE STEALTH option as well (XST). To determine which segment to exclude from being "Stealthed" you should disable STEALTH, reboot, and run QEMM-XST.COM. It will display the correct exclude option and segment.

--- Incompatible DOS, HS will not run! ---

Running HS under any OS that returns a DOS version other than 3.2-7.0 will cause this message to be displayed. As an example, OS/2 returns a version number of 10 or greater in its DOS box, so HS will not run there.

--- "Savefile" not found! ---

"Savefile" will be replaced by the name you specified in CONFIG.SYS, AUTOEXEC.BAT, or on the command line. If you did not specify a file name, HS.COM, when executed, defaults to C:\BOOT.HS. If the specified or default Savefile cannot be found, the above error message is displayed. Either the filename or path is wrong, or the file has been deleted or was never created.

--- Unable to read/write Savefile or C:\INF.HS, system unprotected! ---

Either HS is unable to create a valid Savefile or INF.HS file, or it is unable to read one of these files. Lack of disk space may lead to such an error. Check that the files are on your harddisk and that they are available to HS. If you by mistake type C;\ instead of C:\ you will also get this error message. The same will probably be the case with other illegal characters in the filename.

--- Read/Write error on harddisk, system unprotected! ---

A call to the BIOS disk routines (INT 13h) failed. THIS SHOULD NEVER HAPPEN. It may indicate a harddisk error. Retry the command. If it still does not work you should get expert help.

--- HS v3.58 Only Partition table in MBR has changed!
    Did you just repartition your harddisk ? (Y/N) ---

If the partition table (the four 16-byte entries at offsets 1BEh-1FDh in the MBR, just before the 55AAh signature at 1FEh) was the only area in the Master Boot Record to change, and INT 13h is not trapped, HS will assume that the user has made changes to the partition table. HS assumes you failed to update the Savefile and will give you a chance to do so. If you have no knowledge of any such changes you should either reply NO or get help from a person with knowledge of system software and computer boot viruses. This exception only covers the partition table itself; a change to any byte of the boot code is still reported as an infector.

--- Insert a certified virus free system diskette, cold boot from it, and rescan the harddisk for any viruses. If no viruses are found you can run HS /M [Savefile] and boot from the harddisk again. Press any key to cold boot... ---

This message appears if you reply Y for YES to the question "Did you just repartition your harddisk?"

---
╒════════════════ HS.SYS v3.58 ═══════════════╕
│                                             │
│  ?BR Infector                               │
│  Press a key to clean up virus, or          │
│  turn off your PC and get expert help!      │
│                                             │
╘═════════════════════════════════════════════╛
---

This is the message displayed if HS.SYS finds that a change has occurred in the Master Boot Record or the DOS Boot Record of your harddisk. This normally means that a boot virus has infected your machine and has been detected by HS. It will be removed when the user confirms this action with a single key press. HS.COM displays a very similar message.
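The comparison behind the "?BR Infector" message and the "Only Partition table in MBR has changed" question, as an added example in Python. This is not HS's own code (HS is a DOS .SYS/.COM program); it models the check the messages describe: a saved copy of the MBR and DBR is compared with the sectors now on disk, a difference confined to the partition table is reported as a possible repartition, a difference confined to the DBR volume-label field is tolerated (the "Volume label has changed" case described further down), and anything else is reported as an infector. The sector contents, the boot-code bytes, the partition entry and the infecting far jump are constructed for the example; the 11-byte volume label at offset 2Bh assumes a DOS 4.0+ extended BPB.

```python
"""Savefile-style integrity check of the MBR and DBR (added example, not HS code).

Standard PC layout: an MBR is 446 bytes of boot code, a 64-byte partition
table at 1BEh and the 55AAh signature at 1FEh; a DOS 4.0+ DBR carries an
11-byte volume label at offset 2Bh.  All sector contents are constructed.
"""
import struct

SECTOR = 512
PT_OFFSET = 0x1BE          # four 16-byte partition entries, 1BEh-1FDh
SIG_OFFSET = 0x1FE         # 55AAh boot signature, 1FEh-1FFh
SIGNATURE = b"\x55\xAA"
LABEL_OFFSET = 0x2B        # DOS 4.0+ extended BPB volume label (assumption)
LABEL_LEN = 11
LABEL_END = LABEL_OFFSET + LABEL_LEN


def has_signature(sector: bytes) -> bool:
    """True if the sector is 512 bytes and ends in the 55AAh signature."""
    return len(sector) == SECTOR and sector[SIG_OFFSET:] == SIGNATURE


def partition_entries(mbr: bytes) -> list:
    """Decode the four partition table entries of an MBR."""
    entries = []
    for i in range(4):
        start = PT_OFFSET + 16 * i
        boot, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", mbr[start:start + 16])
        entries.append({"active": boot == 0x80, "type": ptype,
                        "lba": lba, "sectors": count})
    return entries


def active_partition(mbr: bytes):
    """Index of the active entry, or None (HS aborts with
    'Unknown partition table format' in that case)."""
    for i, entry in enumerate(partition_entries(mbr)):
        if entry["active"]:
            return i
    return None


def classify_mbr(saved: bytes, current: bytes) -> str:
    """A change confined to the partition table is what FDISK produces and
    is reported separately; any change to boot code or signature is an
    infection."""
    if saved == current:
        return "unchanged"
    code_same = saved[:PT_OFFSET] == current[:PT_OFFSET]
    sig_same = saved[SIG_OFFSET:] == current[SIG_OFFSET:]
    if code_same and sig_same:
        return "partition table only"
    return "MBR infector"


def classify_dbr(saved: bytes, current: bytes) -> str:
    """A change confined to the volume label is data, not code, and is
    tolerated (the Savefile would be updated); anything else is an infection."""
    if saved == current:
        return "unchanged"
    before_same = saved[:LABEL_OFFSET] == current[:LABEL_OFFSET]
    after_same = saved[LABEL_END:] == current[LABEL_END:]
    if before_same and after_same:
        return "volume label only"
    return "DBR infector"


def check_boot_sectors(saved_mbr, saved_dbr, mbr, dbr) -> dict:
    """One run of the check: verdict for each sector."""
    if not (has_signature(mbr) and has_signature(dbr)):
        raise ValueError("boot signature missing, refusing to compare")
    if active_partition(mbr) is None:
        raise ValueError("Unknown partition table format, aborting!")
    return {"mbr": classify_mbr(saved_mbr, mbr),
            "dbr": classify_dbr(saved_dbr, dbr)}


# --- constructed sample sectors -------------------------------------------

def make_mbr(code: bytes, active_lba: int, active: bool = True) -> bytes:
    """MBR with one FAT16 partition entry in slot 0 (constructed)."""
    code = code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET]
    entry = struct.pack("<B3sB3sII", 0x80 if active else 0x00,
                        b"\x01\x01\x00", 0x06, b"\xFE\x3F\x0F",
                        active_lba, 204_737)
    return code + entry + bytes(48) + SIGNATURE


def make_dbr(label: bytes) -> bytes:
    """DOS 4.0+ style DBR: jump, OEM name, zeroed BPB, label, FS type."""
    head = b"\xEB\x3C\x90" + b"MSDOS5.0" + bytes(LABEL_OFFSET - 11)
    body = head + label.ljust(LABEL_LEN)[:LABEL_LEN] + b"FAT16   "
    return body.ljust(SIG_OFFSET, b"\x00") + SIGNATURE


BOOT_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"   # cli; xor ax,ax; mov ss,ax; mov sp,7C00h
CLEAN_MBR = make_mbr(BOOT_CODE, active_lba=63)
CLEAN_DBR = make_dbr(b"MYDISK")
INFECTED_MBR = b"\xEA\x00\x00\xC0\x9F" + CLEAN_MBR[5:]    # jmp far 9FC0:0000, top of memory
REPARTITIONED_MBR = make_mbr(BOOT_CODE, active_lba=2048)  # only the table differs
RELABELED_DBR = make_dbr(b"NEWLABEL")                     # only the label differs
NO_ACTIVE_MBR = make_mbr(BOOT_CODE, active_lba=63, active=False)

if __name__ == "__main__":
    for name, mbr, dbr in [("clean", CLEAN_MBR, CLEAN_DBR),
                           ("infected", INFECTED_MBR, CLEAN_DBR),
                           ("fdisk", REPARTITIONED_MBR, CLEAN_DBR),
                           ("label", CLEAN_MBR, RELABELED_DBR)]:
        print(name, check_boot_sectors(CLEAN_MBR, CLEAN_DBR, mbr, dbr))
```

The byte-for-byte comparison is what makes the scheme signature-free: a new virus is caught because the boot code changed, not because its pattern is known. The two exceptions are deliberately narrow, and a real implementation must read the sectors through a path the virus cannot hook, as HS does with its direct ROM BIOS calls; comparing sectors returned by a hooked INT 13h would show the clean copy a stealth virus presents.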
You may also get the "?BR Infector" message if you have upgraded your version of DOS without updating the Savefile for HS. Usually any new version of DOS will make enough changes in either the MBR or DBR to trigger HS, so you should disable HS in CONFIG.SYS or AUTOEXEC.BAT during such updates of the operating system.

The question mark displayed in the message above is replaced by an M or a D:

     MBR = Master Boot Record (the first physical sector on a PC-style harddisk)
     DBR = DOS Boot Record (the first sector of the active partition)

--- New copy of MBR and DBR made ---

After HS has successfully created its Savefile you should receive this message.

--- Volume label has changed. "Savefile" updated. ---

If you change the volume label of your boot drive, newer versions of DOS may update the volume label field in the DBR. HS detects when such an update has occurred. Instead of flagging the change as a virus, it automatically updates the Savefile to match the new DBR and displays the above message to notify the user of the change. The volume label field inside the DBR is a data field, not code, so this exception cannot be exploited in any useful way by future boot infectors; a change anywhere else in the DBR is still treated as an infection.

--- Please insert a pre-formatted, write enabled, diskette in Drive A:
    And press any key... ---

When you have had 13 boot sector infections on your machine since HS was installed, it will ask you to insert a diskette so it can copy the C:\INF.HS file to the diskette (as A:\INF.13). The C:\INF.HS file is then deleted. It has reached its maximum size, and HS will create a new C:\INF.HS upon the next boot sector infection. If you wish to preserve the infection log contained in the C:\INF.HS file, which was moved to the file A:\INF.13, you can do a TYPE A:\INF.13 > Filename.Ext, or a TYPE A:\INF.13 > PRN to get the report printed.

--- Help us in the fight against viruses.
    Send the diskette to:
      Henrik Stroem
      Stroem System Soft
      Husebyveien 58c, 7078 Saupstad
      Trondheim, Norway
    Or email the file, in UUEncoded format, to hstroem@ed.unit.no
    Press any key... ---

To aid me in improving my program it helps to study more viruses. It also helps to know which viruses are common, and where they have been detected. So by sending me the viruses you get infected by, you are helping me. Thanks!

--- HS.SYS has found an interrupt vector that points to the Top of Memory!
    This indicates that a virus probably is present in memory.
    The system will now be cold booted to remove the virus.
    To ignore this warning, press SHIFT-C... (Any other key will cold boot) ---

After HS.SYS has checked the MBR and DBR for changes and found none, it checks whether some of the more important interrupt vectors point to the Top of Memory (the area just below the 640 KB limit, where a resident boot virus typically hides after lowering the BIOS memory-size count). The SHIFT-C ignore option is only offered if there was no memory-size mismatch and the second user interrupt was unused. If you get this message every time you boot, you should probably cold boot from a virus-free system diskette and use a scanner to check for viruses. Also try to run HS from the floppy. If you still get this message, something is conflicting with HS, and you should contact me (by E-Mail) or get other expert help to find out what is happening. If there really is a virus in memory, a reboot should usually kill it.


8. Disclaimer, Licensing, Prices, Address

Disclaimer

The author takes NO responsibility for unwanted effects from the use of HS v3.5, or any of its components!

Licensing

This program is NOT freeware, but non-commercial users are free to use it on their home machines. Any company interested in using HS v3.5 on their computers can buy a site-license! This site-license is reasonably priced and is valid for all computers owned by that particular company, department, institute or similar. Upgrades can be obtained on the Internet by anonymous FTP, by E-Mail, or other similar services. If you want me to send you a diskette with the latest version by mail, it will cost an additional $20. HS does not use signatures, and therefore does NOT require regular upgrades. New versions will contain new features, and bug fixes if any bugs are discovered. A site-license will usually be valid for ONE year. If you have any questions you may contact me either by mail or by E-Mail.

Prices

  Non-commercial user                    = Free
  Single commercial user                 = $15
  Company with up to 20 machines         = $50
  Company with up to 200 machines        = $200
  Company with more than 200 machines    = Contact the author

Prices are in US dollars. Numbers above 10 are approximate. You receive an invoice confirming your order. The invoice is valid as a site-license when it has been paid.

Address

  Henrik Stroem
  Stroem System Soft
  Husebyveien 58c, 7078 Saupstad
  Trondheim, Norway

  E-Mail: hstroem@ed.unit.no or hstroem@pvv.unit.no