CheckMate Known\Unknown Virus Detection Utility
Copyright (c) 1994,1995 by Martin Overton. All rights reserved.

Written by: Martin Overton
Internet:
8 Owl Beech Place, Horsham, West Sussex, RH13 6PQ, UNITED KINGDOM
+44 (1403)-241376

THE INFORMATION AND CODE PROVIDED IS PROVIDED AS IS WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO
EVENT SHALL MARTIN OVERTON BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING
DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR
SPECIAL DAMAGES.

+--------------------------------------------------------------------+
| This program executable, bait files and related files may be       |
| distributed freely as long as no money is charged for the program  |
| itself or any of its components. This program MUST be distributed  |
| as a whole with its associated files and this document.            |
| This version of ChekMate may not be distributed as a part of any   |
| commercial package without prior written agreement of the author.  |
+--------------------------------------------------------------------+

This program was developed entirely using personal time and personal
resources. It is fully functional and there are no 'nag' screens or
crippled functions. It has been tested on many different PCs and DOS
versions with no problems encountered.

This program has no connection with, nor is it endorsed by, my employers.

-----------------------------------------------------------------------

License:
-------

ChekMate is hereby released under the Shareware concept.

For personal/home use ChekMate is FREE. (Same as F-Prot by FRISK)

Companies or other institutions using ChekMate or interested in a site
license MUST contact the author to arrange a SITE license.

The author retains the copyright of ChekMate or any of its components.
ChekMate or any of its components may not be used as part of any other
package unless written agreement is obtained from the author.

ChekMate must not be modified in any way.

Thanks:
------

Thanks to Philip Tong for early Beta testing and a copy of the then
unknown 'Dalian_China' or 'Gene_1991' (name still not agreed by CARO)
virus, which ChekMate captured.

Requirements:
------------

ChekMate requires you to have an IBM PC Compatible running DOS 3.3 or
later, at least 128Kb of memory and a Hard Disk.

This version will only run on 80286 or later processors. Please contact
the author if you require an 8088/8086/V20/V30 version.

What is ChekMate:
----------------

ChekMate is a DOS based virus detection utility written originally for my
own purposes. Other people have seen and/or used ChekMate and suggested
that I release it as a virus detection tool. So here it is!

ChekMate was written to detect new and known file, boot and partition
table viruses. It should be used alongside a good quality virus scanner.
It is NOT a substitute for a virus scanner.

It will detect most file infector, boot sector or partition table viruses.

Why was ChekMate Written:
------------------------

I frequently receive suspect files from people throughout the world who
believe, either rightly or wrongly, that they are infected with a
new/unknown or known virus. I needed a way to confirm that the file/disk
was indeed infected.

My first step was to scan it for known viruses. If that did not detect a
known virus then the infected file/disk was run on a 'sheep-dip' PC and
ChekMate was then used to tempt the virus into infecting one or more of
the bait files or the Boot Sector or Partition Table.

In all cases the virus was caught by ChekMate, either by infecting one or
more of the BAIT files or the Boot Sector or Partition Table.

Many people do not perform a daily scan of their PC, because it takes too
long (3-20 Minutes). ChekMate takes under 20 seconds to run, even on
80286 based systems.
How ChekMate Works:
------------------

ChekMate, when run for the first time, will create a series of
Finger-Print (.CHK) files of the following:

    COMMAND.COM
    CHEKMATE.EXE
    THE BOOT SECTOR
    THE PARTITION TABLE
    101.COM
    1001.COM
    1001.EXE
    4001.COM
    4001.EXE

Any other time that ChekMate is run it will match the Finger-Print files
with the actual files or image files taken at runtime.

These Finger-Print (.CHK) files are not CRCs (checksums, as these are
easily fooled by some viruses) but are actual code fragments of the start
of the file or area.

If these Finger-Print files do NOT match the runtime images, then you will
be warned that one or more of the files/areas have been changed. The
actual area/file name will be displayed. If a change is detected then
ChekMate will return to DOS without checking any other files/areas for
modifications.

Most if not ALL viruses must change executable code at the beginning of a
file or area. ChekMate checks for this sort of modification.

Tests:
-----

Some of the viruses ChekMate has been tested against are listed below:

Boot Sector/Partition Table Viruses:    Comments:
----------------------------------------------------------------
Parity Boot.B                           Fully Stealthed
V_Sign (Cansu)                          Slightly Polymorphic
Form.A
Antitel (Kampana Boot)                  Polymorphic/Stealth
Michelangelo
Stoned

File Infector Viruses:                  Comments:
----------------------------------------------------------------
Frodo.Fish.A                            Stealth/Polymorphic
Cascade.1701
Jerusalem.Vtech.2880
Gene_1991 (Dalian_China)
Ambulance (RedX)

Installation:
------------

Before installation, ensure that the Validation information is correct.
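The Finger-Print mechanism described above, as an added example that is not ChekMate's own code: it keeps the leading bytes of each file or area image and compares them on later runs. It assumes a 32-byte fingerprint slice (the README does not give the real .CHK length) and a constructed 101-byte bait image, and it also shows the gap the README warns about: a change made past the fingerprinted prefix is not seen, which is why a scanner is still needed.

```python
# Added example, not ChekMate's own code: a minimal re-creation of the
# Finger-Print idea. Leading code bytes of each file or disk-area image
# are stored at /CREATE time and compared on later runs.
from typing import Dict, List

FINGERPRINT_LEN = 32  # assumption: the README does not state the real .CHK slice size


def create_fingerprints(images: Dict[str, bytes],
                        n: int = FINGERPRINT_LEN) -> Dict[str, bytes]:
    """/CREATE: keep the first n bytes of every file or area image."""
    return {name: data[:n] for name, data in images.items()}


def check_fingerprints(fps: Dict[str, bytes], images: Dict[str, bytes],
                       n: int = FINGERPRINT_LEN) -> List[str]:
    """Return the names whose leading bytes no longer match their
    fingerprint. ChekMate itself stops at the first mismatch and returns
    to DOS; this version reports every changed name."""
    return [name for name, fp in fps.items()
            if images.get(name, b"")[:n] != fp]


# Constructed 101-byte .COM bait image: prints a message and returns to
# DOS (mov ah,09h / mov dx,0108h / int 21h / ret), zero padded to size.
BAIT_101 = (b"\xB4\x09\xBA\x08\x01\xCD\x21\xC3"
            + b"ChekMate bait file$").ljust(101, b"\x00")


def demo() -> Dict[str, List[str]]:
    """Three checks against the fingerprint of the clean bait file:
    an unchanged image, an image whose first 3 bytes were overwritten
    (the entry-point change the README says almost every virus must
    make), and an image altered only past the fingerprinted prefix,
    which this method cannot see."""
    fps = create_fingerprints({"101.COM": BAIT_101})
    unchanged = {"101.COM": BAIT_101}
    entry_changed = {"101.COM": b"\xE9\x5E\x00" + BAIT_101[3:]}
    tail_changed = {"101.COM": BAIT_101[:FINGERPRINT_LEN] + b"\x90" * 69}
    return {
        "unchanged": check_fingerprints(fps, unchanged),          # []
        "entry_changed": check_fingerprints(fps, entry_changed),  # ['101.COM']
        "tail_changed": check_fingerprints(fps, tail_changed),    # []
    }
```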
The Validation information was generated by Validate 0.4 from McAfee.

+--------------+--------+------------+---------+---------+
| File:        | Size:  | Date:      | Check 1:| Check 2:|
+--------------+--------+------------+---------+---------+
| CHEKMATE.EXE | 34,310 | 11-26-1994 | 0B7B    | 0983    |
| CHEKMATE.CHK |    128 | 11-26-1994 | A5E0    | 0692    |
| FILECHEK.CHK |    160 | 11-26-1994 | 9A1E    | 124D    |
| GETPART.EXE  | 11,485 |  9-17-1994 | 46DE    | 1264    |
| 101.COM      |    101 |  8-18-1994 | 4457    | 15B4    |
| 1001.COM     |   1001 |  8-18-1994 | 46E8    | 08C0    |
| 1001.EXE     |   1001 |  8-18-1994 | F509    | 069C    |
| 4001.COM     |   4001 |  8-18-1994 | F753    | 1DD5    |
| 4001.EXE     |   4001 |  8-18-1994 | 8BC2    | 098C    |
+--------------+--------+------------+---------+---------+

If these values do NOT match the files included with this document then
please inform me and do not run them.

1. Create a directory (MUST be 'C:\BAIT') for this program and copy the
   files listed below to that directory:

   CHEKMATE.EXE   | The Main Program File
   CHEKMATE.CHK   | ChekMate Finger-Print file
   GETPART.EXE    | Takes a Snap-Shot of the PARTITION TABLE
   FILELIST.INI   | Program INI File (See Later)
   FILECHK.CHK    | Bait files Finger-Print file
   101.COM      \
   1001.COM      \
   1001.EXE       > Bait files
   4001.COM      /
   4001.EXE     /

   (Bait files are simple files that display a message and return to DOS;
   they act as a decoy to attempt to get infected by a virus. They have no
   other purpose and DO NOT execute any other code or files.)

   The BAIT files can be replaced with your own versions of BAIT or any
   other executable file if you so wish. BUT, don't forget to edit the
   FILELIST.INI file if you do that.

2. a. If you want to run ChekMate from Windows then:

      Create an ICON in any Program Manager group. Use the File New menu
      option in Program Manager to create the entry for this program.
   b. If you are running it from DOS then:

      Add it to your AUTOEXEC.BAT by adding the line below:

      C:\BAIT\CHEKMATE.EXE

   c. Edit the FILELIST.INI file (shown below) if required:

   +---------------------+-----------------------------------------------+
   | Example File        | What each line is/means                       |
   +---------------------+-----------------------------------------------+
   | C:\BAIT             | The Directory That ChekMate is Installed in   |
   | C:                  | Location of COMMAND.COM, Usually C: or C:\DOS |
   | 1                   | Number of drives (Physical or Logical)        |
   |                     |                                               |
   | 101.COM             | 101 byte .COM Bait file                       |
   | 1001.COM            | 1001 Byte .COM Bait file                      |
   | 4001.COM            | 4001 Byte .COM Bait file                      |
   | 1001.EXE            | 1001 Byte .EXE Bait file                      |
   | 4001.EXE            | 4001 Byte .EXE Bait file                      |
   +---------------------+-----------------------------------------------+

   This file MUST exist and the contents MUST be correct or ChekMate will
   NOT work correctly.

Help/Command Line Switches:
--------------------------

To get help, run:

    CHEKMATE.EXE /H
or
    CHEKMATE.EXE /?

Other command line switches:

    /CREATE     Creates a 'new' set of Finger-Print files. Usually only
                used after a DOS upgrade or after cleaning up after a
                virus attack.

    /NOEXPOSE   Used to only check Finger-Print files against the
                original files/areas. Does NOT execute BAIT files. Mainly
                used if you substitute the BAIT files for other
                executable program files.

Known problems/limitations:
--------------------------

1) May not detect Companion viruses very quickly. But as soon as one of
   the bait files is infected it will alert you. A companion virus is
   very easy to spot as it makes a 'Companion' .COM file for ANY .EXE
   file on the infected system.

2) May not detect direct action non-TSR viruses very quickly. Most new
   viruses are TSR (memory resident) variants.

3) Will not run on 8088/8086/V20 or V30 based systems.

Latest Version:
--------------

The latest version of this application should always be available from
the site that you originally obtained it from.
Source code is only available to companies interested in developing a
commercial version of ChekMate or a program based on ChekMate. Source
code will also be made available to companies who wish to have a
customised version written. Contact the author to discuss.

Bug reports, suggestions, etc...
--------------------------------

If you catch a virus with ChekMate in one of the Bait files, then please
send me a copy for analysis. I will send a reply to anyone who sends me
such a file. If possible I will send a search string to correctly
identify the new virus to aid removal.

Mail files to the E-Mail or Postal address at the top of this document.
(If you e-mail the file(s) then please use UUENCODE or MIME.)

Send all bug reports, suggestions, etc. to the E-Mail or Postal address
at the top of this document.

If you like this program, let other people know about it! Post your
comments in comp.virus or anywhere else that is relevant. Let people
know about it!

If you use and/or like ChekMate, then please drop me a line to let me
know that you are using it. This will allow me to know the future
development requirements.

!!! STOP PRESS !!!
------------------

If enough interest is shown, then a Windows version will be written.
So, if you want a Windows version, then let me know, NOW!

History, Revisions:
------------------

1.04e (26/11/94)  This Version.

   1. Fixed the 'Parity Boot.B' detection. It will now detect it fine.

   2. Changed the file access routines to make them more efficient.

   3. Added checking of 'Boot Sectors' on up to 3 more physical/logical
      drives. Now supports up to drive 'F:'. This will be of most use to
      those using disk compression products where the drive letters are
      swapped. Many 'Boot Sector' viruses will infect the 'ORIGINAL' C:
      drive. The disk compression program usually changes this to the
      highest drive letter after your existing drive(s).
      Eg. Original drive C: (you have 2 drives, C: & D:, before
      compression); after compression is installed C: becomes E:
      (compressed drive E: becomes C:). A boot sector virus infects the
      system on drive E: (originally C:). ChekMate can now detect the
      infected 'Boot Sector' on drive E:.

----------------------------------------------------------------------------
1.04d (23/11/94)  Internal test version (Not Released)

   1. Tested & modified the improved file access routines.

----------------------------------------------------------------------------
1.04c (11/11/94)  First public release.

----------------------------------------------------------------------------
1.00 - 1.04b & Others  Beta versions, used personally and by Beta-testers.

----------------------------------------------------------------------------
*** END OF DOCUMENT ***