Known\Unknown Virus Detection Utility

Copyright (c) 1994,1995 by Martin Overton. All rights reserved.

Written by:
  Internet:
  Martin Overton,
  8 Owl Beech Place,
  Horsham,
  West Sussex,
  RH13 6PQ,
  UNITED KINGDOM
  +44 (1403)-241376

THE INFORMATION AND CODE PROVIDED IS PROVIDED AS IS WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. IN NO EVENT SHALL MARTIN OVERTON BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES.

_____________________________________________________________________

This program's executables, bait files and related files may be
distributed freely as long as no money is charged for the program itself
or any of its components. This program MUST be distributed as a whole
with its associated files and this document.

This version of ChekMate may not be distributed as a part of any
commercial package without prior written agreement of the author.

_____________________________________________________________________

Page i
__________________________________________________________________________

This program was developed entirely using personal time and personal
resources. It is fully functional and there are no 'nag' screens or
crippled functions. It has been tested on many different PCs and DOS
versions with no problems encountered.

This program has no connection with, and is not in any way endorsed by,
my employers.


Table Of Contents
_________________

License ---------------------------------------------------- 1
Thanks ----------------------------------------------------- 1
Requirements ----------------------------------------------- 1
What is ChekMate? ------------------------------------------ 1
Why was ChekMate Written? ---------------------------------- 2
How ChekMate Works ----------------------------------------- 2
A Guided Tour of ChekMate ---------------------------------- 3
Before Installation ---------------------------------------- 3
Installation (ALL Operating Systems) ----------------------- 6
Installation (DOS) ----------------------------------------- 7
Installation (Windows) ------------------------------------- 7
Installation (OS/2) ---------------------------------------- 8
FILELIST.INI ----------------------------------------------- 9
Using SETUP ------------------------------------------------ 10
Upgrading from Version 1.05c ------------------------------- 12
DOS ERRORLEVEL return codes -------------------------------- 12
Command line switches/help --------------------------------- 13
Known limitations ------------------------------------------ 13
Common Questions and Answers ------------------------------- 14
Latest versions (Where to get them)------------------------- 16
Bug reports/suggestions (Where to send them)---------------- 17
And finally .... ------------------------------------------- 18
Information about MD5 -------------------------------------- 19


License:
_______

This version of ChekMate is hereby released under the Shareware concept.

For personal/home use ChekMate is FREE. (Same as F-Prot by FRISK)

Companies or other institutions using or interested in using ChekMate
MUST contact the author to arrange a SITE license. (Very Reasonable
Rates)

The author retains the copyright of ChekMate and all of its components
(except MD5, which is copyright RSA Data Security, Inc.)

ChekMate or any of its components may not be used as part of any other
package unless written agreement is obtained from the author.

ChekMate must not be modified in any way.

MD5 is the RSA Data Security, Inc. MD5 Message-Digest Algorithm,
Copyright 1991 RSA Data Security, Inc.


Thanks:
______

Thanks to Philip Tong for early Beta testing and a copy of the then
unknown 'Dalian' virus, which ChekMate captured.

Thanks also go to Jon Dron, Ed Fenton & many others for their
suggestions for improvements and constructive feedback.


Requirements:
____________

ChekMate requires an IBM PC compatible running DOS 3.3 or later, at
least 128Kb of memory and a hard disk. DEBUG must also be on your PC,
in your PATH.


What is ChekMate:
________________

ChekMate was written to detect new and known file, boot and partition
table viruses. It should be used alongside a good quality, up-to-date
virus scanner.

!!! ChekMate is NOT a substitute for a virus scanner. !!!

ChekMate can be integrated with your current DOS based virus scanner.
It will detect most file infector, boot sector or partition table
viruses.

ChekMate makes no wild claims about 'Providing 100% protection against
all current and future viruses!' (I'll leave that to other products.)

ChekMate is simply an extra layer for a virus to try to defeat. When
combined with 'frequent' backups and a good up-to-date virus scanner,
ChekMate WILL help to protect your data from many unknown & known
viruses.

One of ChekMate's users said: "ChekMate has been a real security
blanket"

ChekMate will NOT bombard you with lots of false alarms (unless your
system is always in a state of flux!). It just monitors the areas/files
that a virus will frequently target.

Think of ChekMate as a viral smoke alarm.


Why was ChekMate Written:
________________________

I frequently receive suspect files from people throughout the world
that believe, either rightly or wrongly, they are infected with a
new/unknown or known virus. I needed a way to confirm that the
file/disk was indeed infected.

My first step was to scan it for known viruses. If that did not detect
a known virus, the infected file/disk was run on a 'sheep-dip' PC and
ChekMate was then used to tempt the virus into infecting one or more of
the bait files, the Boot sector or the Partition Table. In all cases the
virus was caught by ChekMate, either by infecting one or more of the
BAIT files or the Boot Sector or Partition Table.

Many people do not perform a daily scan of their PC, because it takes
too long (3-20 Minutes). ChekMate takes under 20 seconds to run, even on
80286 based systems.


How ChekMate Works:
__________________

Every time ChekMate is run, it will first test the DOS memory for
modifications (unless you disable this test, see below).

ChekMate, when run for the first time, will create a series of
Finger-Print (.CHK) files of the following: COMMAND.COM or an alternate
command processor, THE BOOT SECTOR(s) and THE PARTITION TABLE. Any
other time that ChekMate is run it will match the Finger-Print files
with the actual files or image files taken at runtime.

These Finger-Print (.CHK) files are not CRCs (checksums, which are
easily fooled by some viruses) but actual code fragments of the start
and, in some cases, the end of the file or area.

All the BAIT files, ChekMate.EXE, MD5.EXE and the Command Processor are
also protected with MD5 hash values. ChekMate.EXE, SETUP.EXE & MD5.EXE
are also protected in polymorphic security envelopes.

MD5 hash values are 128-bit cryptographic signatures of the files, which
are VERY secure. Far more secure than other similar techniques.

If these Finger-Print files &/or hash values do NOT match the runtime
images, then you will be warned that one or more of the files/areas
have been changed. The actual area/file name will be displayed. The
information will also be written to the error log (ERROR.LOG) in the
ChekMate directory.
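The Finger-Print-and-compare step just described, and the BEFORE/AFTER bait-file comparison shown in the guided tour that follows, as an added Python illustration (not ChekMate's own code or .CHK file layout; the fragment lengths, the constructed bait contents and the simulated change to 1001.COM are assumptions):

```python
import hashlib

# Added illustration, not ChekMate's own code or .CHK layout: a Finger-Print
# record made of start/end code fragments plus a whole-file MD5 and the size,
# the compare step, and the BEFORE/AFTER bait-file exposure cycle.
HEAD_LEN = 32   # assumed fragment lengths; ChekMate's are not documented
TAIL_LEN = 32

# DOS ERRORLEVELs as listed later in this manual, keyed by the area checked.
ERRORLEVEL = {"COMMAND PROCESSOR": 1, "CHEKMATE.EXE": 2, "BOOT SECTOR": 3,
              "PARTITION TABLE": 4, "BAIT": 5, "DOS BASE MEMORY": 6, "MD5.EXE": 7}


def fingerprint(data: bytes) -> dict:
    """Baseline record for one file or 512-byte area."""
    return {"size": len(data), "head": data[:HEAD_LEN],
            "tail": data[-TAIL_LEN:], "md5": hashlib.md5(data).hexdigest()}


def changed_fields(data: bytes, baseline: dict) -> list:
    """Names of the checks that no longer match; an empty list means OK."""
    now = fingerprint(data)
    return [k for k in ("size", "head", "tail", "md5") if now[k] != baseline[k]]


def first_failure(areas: list, baselines: dict) -> tuple:
    """Check areas in order and stop at the first change, as ChekMate does.

    areas is a list of (kind, name, current_bytes).  Returns
    (errorlevel, name, changed fields), or (0, None, []) if all match."""
    for kind, name, data in areas:
        fields = changed_fields(data, baselines[name])
        if fields:
            return ERRORLEVEL[kind], name, fields
    return 0, None, []


def exposure_cycle(baits: dict, baselines: dict, run_bait) -> tuple:
    """BEFORE EXPOSURE: verify every bait file against its stored baseline.
    Then 'run' each one through run_bait (a caller-supplied hook that returns
    the file's bytes afterwards) and verify AFTER EXPOSURE.  Returns
    (before, after) dicts of changed fields; after is None when the BEFORE
    check already failed, because ChekMate does not run a changed bait."""
    before = {n: changed_fields(d, baselines[n]) for n, d in baits.items()}
    if any(before.values()):
        return before, None
    after = {n: changed_fields(run_bait(n, d), baselines[n]) for n, d in baits.items()}
    return before, after


def middle_patch_example() -> list:
    """A same-size change in the middle of a file: the start/end fragments do
    not notice it, only the whole-file MD5 does (the point made above)."""
    original = bytes(range(256)) * 4                      # constructed 1024-byte file
    patched = original[:512] + b"\x00" * 16 + original[528:]
    return changed_fields(patched, fingerprint(original))  # -> ['md5']


def demo() -> dict:
    """Constructed stand-ins for 101.COM and 1001.COM, baselined while clean,
    then put through one exposure cycle in which 1001.COM comes back altered."""
    baits = {"101.COM": b"BAIT$".ljust(101, b"\x90"),     # padded to the documented sizes
             "1001.COM": b"BAIT$".ljust(1001, b"\x90")}
    baselines = {n: fingerprint(d) for n, d in baits.items()}   # taken while clean

    def run_bait(name, data):
        # Simulated result of execution: 1001.COM has its first bytes replaced
        # and extra bytes appended (the kind of change this section describes);
        # 101.COM is returned untouched.
        if name == "1001.COM":
            return b"CHANGED" + data[7:] + b"Z" * 64
        return data

    before, after = exposure_cycle(baits, baselines, run_bait)
    return {"before": before, "after": after}
```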
If a change is detected then ChekMate will return to DOS without
checking any other files/areas for modifications.

Most viruses change executable code at the beginning and/or end of a
file or area. ChekMate checks for this sort of modification. MD5 hash
values are computed from the contents of the *whole* file & therefore
will detect ANY change to the file(s).


A Guided Tour of ChekMate:
_________________________

Below is an example of the output that ChekMate produces when run.
Explanations are given at each stage of the process.

__________________________________________________________________________

640 KB (DOS BASE) Memory Detected

╒═════════════ ChekMate √ Version 1.05d ════════════════╕
│ Checking ChekMate Files & The Command Processor ...   │
╘═══════════════════════════════════════════════════════╛

  CHEKMATE.EXE           OK
  MD5.EXE                OK
  COMMAND PROCESSOR      OK

__________________________________________________________________________
Fig 1.

The first screen (fig 1.) shows ChekMate reporting the DOS base memory
detected at execution. This is compared with a stored value in the
FILELIST.INI. If these values are different, then a warning message is
shown, ChekMate returns a DOS errorlevel and returns control to the
operating system. Many boot sector or partition table viruses lower the
base memory value by 1Kb or more. ChekMate detects many of those viruses
by this method alone.

The next step, assuming no change is detected in the DOS base memory,
is for ChekMate to check itself (it also checks itself BEFORE it gets
this far!). It checks its fingerprint file against its own code and
then checks its MD5 cryptographic fingerprint against a stored value.
If either of these does not match, a warning message appears, ChekMate
returns a DOS errorlevel and returns control to the operating system.
More detailed information is written out to the error log file
(ERROR.LOG).

This is repeated for MD5.EXE and the Command Processor.

(The error/change reporting is the same at each stage of ChekMate's
examination of your system files/areas.)

__________________________________________________________________________

╒═════════════ ChekMate √ Version 1.05d ════════════════╕
│ Checking BOOT Sector and PARTITION Table ...          │
╘═══════════════════════════════════════════════════════╛

  BOOT SECTOR E:         OK
  BOOT SECTOR D:         OK
  BOOT SECTOR C:         OK
  PARTITION TABLE        OK

__________________________________________________________________________
Fig 2.

A similar routine is used for the boot sector(s) and the partition
table. The main difference is that the whole 512 bytes are compared
with the values/images stored the first time that ChekMate was run. If
either of these does not match, a warning message appears, ChekMate
returns a DOS errorlevel and returns control to the operating system.

__________________________________________________________________________

╒═════════════ ChekMate √ Version 1.05d ════════════════╕
│                    BEFORE EXPOSURE                    │
╘═══════════════════════════════════════════════════════╛

  101.COM                OK  √
  1001.COM               OK  √
  4001.COM               OK  √
  1001.EXE               OK  √
  4001.EXE               OK  √

╒═══════════════════════════════════════════════════════╕
│                ALL APPEARS TO BE OK √                 │
╘═══════════════════════════════════════════════════════╛

__________________________________________________________________________
Fig 3.

The next phase of ChekMate is to check the decoy/bait files used to
trap file infecting viruses, before they are executed. These files are
first checked in the same way as CHEKMATE.EXE etc., except that the
cryptographic fingerprints are stored inside CHEKMATE.EXE, and that the
file size is also checked. This is done to minimise the chance of
modifications to these files by an unknown party. That is to say, this
is an anti-hacker ploy.

If these files are found to be unchanged, they are then executed. This
is to purposely expose them to any viruses that are capable of
infecting files. This is like a lamb walking up to a wolf and saying
"my, you have big teeth!" This has proved to be very effective in
trapping unknown file infecting viruses.

Yet again, if ANY changes are detected, you will see an error message.

__________________________________________________________________________

╒═════════════ ChekMate √ Version 1.05d ════════════════╕
│ Exposing BAIT Files to Any Viruses in Memory ...      │
╘═══════════════════════════════════════════════════════╛

╒═══════════════╕
│   DONE ...    │
╘═══════════════╛

__________________________________________________________________________
Fig 4.

This is merely a message to let you know that the files have been
executed.

__________________________________________________________________________

╒═════════════ ChekMate √ Version 1.05d ════════════════╕
│                    AFTER EXPOSURE                     │
╘═══════════════════════════════════════════════════════╛

  101.COM                OK  √
  1001.COM               OK  √
  4001.COM               OK  √
  1001.EXE               OK  √
  4001.EXE               OK  √

╒═══════════════════════════════════════════════════════╕
│                ALL APPEARS TO BE OK √                 │
╘═══════════════════════════════════════════════════════╛

__________________________________________________________________________
Fig 5.

The decoy/bait files are then checked AGAIN after they have been
executed, to determine whether a file infecting virus has modified
them.

If you got this far without any warning messages, then your system is
deemed to be clean (assuming it was clean BEFORE ChekMate was
installed, and that an up-to-date, good quality virus scanner is used
at reasonable intervals, say weekly!)


Before Installation:
___________________

Before installation, scan the target PC with a good quality up-to-date
virus scanner.

***  Only once the PC is found to be free of viruses        ***
***  should you proceed with the installation of ChekMate.  ***

Copy all the files to a floppy disk and write protect it. This disk can
then be used in the event of a virus outbreak to replace infected
ChekMate files. Also copy the .CHK files after ChekMate is run for the
first time.

Before installation, ensure that the Validation information is correct.
The Validation information was generated by MD5 from RSA Inc. (Supplied
with this file as MD5.EXE)

Filename       Size   MM-DD-YY  Time   MD5 Hash
____________________________________________________________________
CHEKMATE EXE   49825  05-02-95  1:05a  d712fe4aa36ab5dc6f797248c4fbea18
CHEKMATE CHK     160  05-02-95  1:05a  5055e0ccc98a8d83df7311ab66fbf6a1
SETUP    EXE   41038  05-02-95  1:05a  d77eb0adc8a92ac84c956529d0a74cc8
MD5      EXE   11426  05-02-95  1:05a  c0b1079b86abd8a8ba0e435c49b56900
101      COM     101  05-02-95  1:05a  c53acb3a15bed4f2f2f64ebe4d17d77d
1001     COM    1001  05-02-95  1:05a  68d09047733bf417e32cf82c8f804e49
4001     COM    4001  05-02-95  1:05a  80f6d221271fc7da8d1dc9815cb2b607
1001     EXE    1001  05-02-95  1:05a  f900448491ea25d946b93fe80b04a468
4001     EXE    4001  05-02-95  1:05a  19ce58981a26f0817abbcbfe34ce51f0
FILECHK1 CHK     160  05-02-95  1:05a  916b67666f15fbf94276c381b493fe2c
FILECHK2 CHK     160  05-02-95  1:05a  2928c3077ac254fe07c07ddc45f56f12

If these values do NOT match the files included with this document,
then please inform me and do not run them.

Run MD5 to check hash values, e.g.

  MD5 Chekmate.exe


Install (ALL Operating Systems):
_______________________________

Create a directory for this program and copy the files listed below to
that directory:

  CHEKMATE.EXE -> The Main Program File
  CHEKMATE.ICO -> Windows Icon File for ChekMate
  CHEKMATE.PIF -> Windows PIF File for ChekMate
  CHEKMATE.CHK -> ChekMate Finger-Print file
  SETUP.EXE    -> Setup program for modifying FILELIST.INI
  FILELIST.INI -> Program INI File (See Later)
  MD5.EXE      -> RSA's MD5 hash generator (PUBLIC DOMAIN)
  FILECHK1.CHK -> Bait files Finger-Print file (Start of Files)
  FILECHK2.CHK -> Bait files Finger-Print file (End of Files)
  101.COM   \
  1001.COM   \
  1001.EXE    - - -> Bait files
  4001.COM   /
  4001.EXE  /

(Bait files are simple files that display a message and return to DOS;
they act as a decoy to tempt a virus into infecting them. They have no
other purpose and DO NOT execute any other code or files.)

The BAIT files MUST not be replaced with your own versions of BAIT or
any other executable files, as MD5 hash values for the files are stored
within the main CHEKMATE.EXE file. They must also be left in the same
order in the FILELIST.INI provided; you can, though, rename them if you
so wish.


Install (DOS):
_____________

If you are running it from DOS then:

Add ChekMate to your AUTOEXEC.BAT, i.e. add the line below (where <dir>
is the directory that you installed ChekMate in):

  C:\<dir>\CHEKMATE.EXE

Also ensure that the FILELIST.INI is in the ROOT directory '\'.

OR

Create a batch file that contains the following lines:

  CD\<dir>
  CHEKMATE.EXE

CD\<dir> should be the directory where you placed ChekMate, e.g.
C:\CHEKMATE


Install (Windows):
_________________

If you want to run ChekMate from Windows then:

Use the 'File' 'New' menu option in Program Manager to create an entry
for this program. (PIF file supplied.) Edit the .PIF file to reflect
the correct run-time directory.

The ICON can be set to CHEKMATE.ICO in the directory where ChekMate was
installed.


Install (OS/2 2.x & Warp):
_________________________

ChekMate can run just fine under OS/2, as long as you follow the
instructions below for the relevant file system:

FAT:

From the OS/2 desktop, drag a new PROGRAM icon from the Templates
folder & enter the following details:

Path and file name: C:\<dir>\CHEKMATE.BAT

The batch file should contain the following commands:
(.... = any other batch file command)

  @ECHO OFF
  CHEKMATE.EXE
  .....
  .....
  .....
  PAUSE

This will make sure that ChekMate doesn't just exit back to the OS/2
Desktop when it's finished.

Working directory: C:\<dir>

Where <dir> is the directory that you installed ChekMate in, e.g.
CHEKMATE

Now click on the General tab of the program notebook and change the
title to: ChekMate

Now drag this icon to the Startup folder. That's it!

HPFS:

Follow the instructions for FAT.


Filelist.ini:
____________

Edit the FILELIST.INI file (Shown Below) if required:

You can use the SETUP.EXE file supplied to change the FILELIST.INI.
SETUP will in many cases tell you what the settings should be for a
particular line. (See SETUP later in this document)

  +---------------------+---------------------------------------------+
  | Example File        | What each line is/means                     |
  +---------------------+---------------------------------------------+
  | C:\CHEKMATE         | The Directory That ChekMate is Installed in |
* | C:\COMMAND.COM      | Path & Name of Command Processor in use.    |
! | 1                   | Number of drives (Physical or Logical)      |
# | 640                 | The BASE DOS Memory as reported by MEM /C   |
  | 101.COM,101         | 101 Byte .COM Bait file, Size in bytes      |
  | 1001.COM,1001       | 1001 Byte .COM Bait file, Size in bytes     |
  | 4001.COM,4001       | 4001 Byte .COM Bait file, Size in bytes     |
  | 1001.EXE,1001       | 1001 Byte .EXE Bait file, Size in bytes     |
  | 4001.EXE,4001       | 4001 Byte .EXE Bait file, Size in bytes     |
  +---------------------+---------------------------------------------+

This file MUST exist and the contents MUST be correct or ChekMate will
NOT work correctly.

* The command processor can be COMMAND.COM. 4DOS & NDOS are also
  supported as common replacements for COMMAND.COM. Use SETUP.EXE if
  you are unsure about this.

! ChekMate will handle up to drive F: (The FILELIST.INI entry would
  then need to be 4)

# This is usually 640Kb (655,360 Bytes). Some systems may report 639Kb
  due to HD controllers and some extended BIOSes 'borrowing' 1Kb for
  their own purposes. If this causes problems you can disable this test
  by setting this value to 0 (Zero) ** This is NOT recommended **.
  ChekMate now displays the DOS base memory detected at run time.


Using SETUP:
___________

SETUP.EXE allows you to change/set the contents of FILELIST.INI without
the use of an editor or requiring any specialist knowledge of your
system setup (apart from the number of LOCAL drive letters!).
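The FILELIST.INI layout and the *, ! and # notes under its table, as an added Python parser and sanity check (not ChekMate's or SETUP's own code; the 1..4 drive range follows the note that F: is the highest drive handled, and the sample file is constructed from the table's "Example File" column):

```python
# Added illustration, not ChekMate's own code: a parser and sanity checker for
# the FILELIST.INI layout shown above (four fixed lines followed by the bait
# file entries), plus the DOS base-memory comparison ChekMate makes at start-up.
EXPECTED_BAIT_SIZES = [101, 1001, 4001, 1001, 4001]   # the five bait files, in order

# Constructed sample matching the "Example File" column of the table above.
SAMPLE_INI = r"""C:\CHEKMATE
C:\COMMAND.COM
1
640
101.COM,101
1001.COM,1001
4001.COM,4001
1001.EXE,1001
4001.EXE,4001
"""


def parse_filelist(text: str) -> dict:
    """Positional parse: line 1 directory, 2 command processor, 3 number of
    drive letters, 4 DOS base memory in Kb, then one 'NAME,SIZE' line per bait."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    want = 4 + len(EXPECTED_BAIT_SIZES)
    if len(lines) != want:
        raise ValueError(f"FILELIST.INI must have {want} lines, found {len(lines)}")
    baits = []
    for entry in lines[4:]:
        name, sep, size = entry.partition(",")
        if not sep or not size.strip().isdigit():
            raise ValueError(f"bad bait entry {entry!r}, expected NAME,SIZE")
        baits.append((name.strip().upper(), int(size)))
    return {"dir": lines[0], "command_processor": lines[1],
            "drives": int(lines[2]), "base_memory_kb": int(lines[3]), "baits": baits}


def check_filelist(cfg: dict) -> list:
    """Apply the notes under the table; returns a list of problems (empty = OK)."""
    problems = []
    if not 1 <= cfg["drives"] <= 4:
        problems.append("drive count must be 1..4 (ChekMate handles up to F:)")
    mem = cfg["base_memory_kb"]
    if mem == 0:
        problems.append("base memory test disabled (value 0): NOT recommended")
    elif mem not in (640, 639):
        problems.append(f"DOS base memory {mem}Kb is neither 640 nor 639: question it")
    # Bait files must keep the documented order and sizes (names may be changed).
    for i, ((name, size), expected) in enumerate(zip(cfg["baits"], EXPECTED_BAIT_SIZES), 1):
        if size != expected:
            problems.append(f"BAIT file {i} ({name}) size {size}, expected {expected}")
    return problems


def memory_check(cfg: dict, detected_kb: int) -> int:
    """ChekMate's first test: 0 when the detected base memory matches the
    stored value (or the test is disabled with 0), else ERRORLEVEL 6."""
    stored = cfg["base_memory_kb"]
    return 0 if stored in (0, detected_kb) else 6
```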
To run SETUP, simply ensure that you are in the directory that
FILELIST.INI (default is the ChekMate directory) was placed into, then
type the line below at your DOS or OS/2 prompt:

  SETUP

Or, to run SETUP on a mono screen, type:

  SETUP /MONO

You will see the screen below:

__________________________________________________________________________

╒═══════════ ChekMate √ Version 1.05d ═════════════╕
│          Configuration / Setup Program           │
╘══════════════════════════════════════════════════╛

       The FILELIST.INI Currently Looks Like This

   ChekMate Directory    := C:\CM8OS2
   Command Processor     := C:\COMMAND.COM
   No. of Drive Letters  := 3 (C:,D:,E:)
   DOS (BASE) Memory     := 640
   BAIT File 1           := 101.COM, 101
   BAIT File 2           := 1001.COM, 1001
   BAIT File 3           := 4001.COM, 4001
   BAIT File 4           := 1001.EXE, 1001
   BAIT File 5           := 4001.EXE, 4001

   Are These Values Correct (Y/N)

__________________________________________________________________________

As you can see above, the CURRENT settings are shown. You are asked if
the values are correct. If you answer 'Y' then SETUP simply exits back
to the operating system without making any modifications. If you
answer 'N' then you will be asked questions. An example is shown below:

__________________________________________________________________________

╒═══════════ ChekMate √ Version 1.05d ═════════════╕
│          Configuration / Setup Program           │
╘══════════════════════════════════════════════════╛

   Enter Directory Where ChekMate is Installed
   Currently (C:\CHEKMATE)
   Path=: c:\cm8os2
   Set To: C:\CM8OS2

   Enter The Path & Name of Your Command Processor,
   Currently (C:\COMMAND.COM)
   DOS Reports The Following (D:\OS2\MDOS\COMMAND.COM)
   Shall I Set It To That (Y/N) ?
   Set To: D:\OS2\MDOS\COMMAND.COM

   Enter The Number of Drive Letters (Up to F: Only), Currently ( 3)
   Number =: 2
   Set To: 2

   Enter The Amount of DOS BASE Memory (Up to 640Kb Only), Currently ( 640 )
   I Detect( 640 ) Set It to That Value (Y/N) ?
   Set To: 640

   Is This Correct (Y/N) ?

__________________________________________________________________________

As you can see, SETUP will tell you what some of the settings SHOULD be
set to. It will automatically work out what command processor is
running from the environment variable COMSPEC. The DOS base memory is
also detected automatically. Common values are 640 or 639; the latter
is mainly found in systems with extended BIOSes. ANY other value should
be questioned!

Once all the questions are answered, you are then asked to confirm
whether the settings are correct. Answering 'N' will restart the
questions. Answering 'Y' will write out the changes to FILELIST.INI.


Upgrading From Version 1.05c
____________________________

To upgrade ChekMate from version 1.05c, proceed as follows:

1. Read all of this manual BEFORE proceeding.

2. Copy CHEKMATE.EXE, CHEKMATE.CHK, SETUP.EXE & MD5.EXE to your
   ChekMate directory.

3. Delete GETPART.EXE

4. Now run CHEKMATE.EXE. If ChekMate informs you that a FingerPrint
   file is missing, press any key to continue. You will then be told
   that the missing .CHK file is being created.

5. ChekMate should now work fine with the updated files.

6. If the above does not work correctly, then run CHEKMATE.EXE /CREATE,
   as this will re-generate all the CHK files.


Dos ERRORLEVEL Returns:
______________________

The following errorlevel values are returned when ChekMate exits back
to DOS.

  0 = No modifications detected
  1 = COMMAND.COM (or other COMMAND processor) appears to have been
      changed
  2 = ChekMate.EXE appears to have been changed
  3 = The BOOT SECTOR(s) appear to have been changed
  4 = The PARTITION TABLE appears to have been changed
  5 = One or more of the BAIT files appear to have been changed
  6 = The DOS BASE Memory amount appears to have been changed
  7 = MD5.EXE appears to have been changed

Q. What can you do with this information?

A. You can use the errorlevels returned in a batch file to
   automatically run your favourite virus scanner when ChekMate detects
   a modification to your system.

e.g. CHECK.BAT

  @ECHO OFF
  CLS
  CD C:\CHEKMATE
  CHEKMATE.EXE
  IF NOT ERRORLEVEL 1 GOTO :End
  :Ooops!
  C:\SCANNER\F-PROT.EXE C:
  CD C:\
  :End

The batch file above will only run your virus scanner if the errorlevel
returned from ChekMate is greater than or equal to one. If ChekMate
returns 0 (zero) (All OK) then the virus scanner is not run.


Help/Command Line Switches:
__________________________

To get help, run:

  CHEKMATE.EXE /H
or
  CHEKMATE.EXE /?

Other command line switches:

  /CREATE    Creates a 'new' set of Finger-Print files. Usually only
             used after a DOS upgrade or after cleaning up after a
             virus attack.

  /NOEXPOSE  Used to only check Finger-Print files against original
             files/areas. Does NOT execute BAIT files. Mainly used if
             you substitute the BAIT files for other executable
             program files.

  /MONO      Force ChekMate to run in Monochrome mode. (ChekMate will
             detect many MONO video cards automatically.)


Known problems/limitations:
__________________________

1) May not detect Companion viruses very quickly. But as soon as one of
   the bait files is infected it will alert you. A companion virus is
   very easy to spot as it makes a 'Companion' .COM file for ANY .EXE
   file on the infected system.

2) May not detect direct action non-TSR viruses very quickly. Most new
   viruses are TSR (memory resident) variants. The best way to test
   'suspect' files is to place them in the same directory as ChekMate,
   virus scan them and, if they are not reported as infected, then run
   them from there. Then run ChekMate.

   **** REMEMBER TO BACKUP YOUR SYSTEM FIRST ****

3) Link viruses, such as DIR II, may not be detected as no executable
   code is changed.


Common Questions & Answers:
__________________________

If ChekMate detects a change in your system then proceed as follows:

To confirm this, run your favourite virus scanner after booting from
the original write-protected bootable system disk.

If the scanner finds nothing then send the following files to me (you
will find them in the directory where ChekMate was installed). For the
correct files to send, see the relevant question.

Q1. ChekMate informed me that the 'DOS Base Memory' value has changed;
    what should I do?

A1. If ChekMate has been working fine before, then you have probably
    been infected by a Boot Sector or Partition Table virus. Most of
    these types of viruses 'steal' 1Kb or more from DOS. Please send me
    the following files for inspection:

      ?BOOT.SEC files (Where ? is C, D, E or F)
      ?BOOT.CHK files (Where ? is C, D, E or F)
      PART.CHK
      PART.SEC
      ERROR.LOG

Q2. ChekMate informed me that ChekMate.EXE has changed; what should I
    do?

A2. ChekMate.EXE should NEVER change, apart from being upgraded to the
    latest version. Please send me the CHEKMATE.EXE & CHEKMATE.CHK
    files to inspect.

Q3. ChekMate informed me that MD5.EXE has changed; what should I do?

A3. MD5.EXE should NEVER change, apart from being upgraded to the
    latest version. Please send me the MD5.EXE file to inspect.

Q4. ChekMate informed me that 'The Command Processor' has changed;
    what should I do?

A4. Your Command Processor should NEVER change, apart from DOS being
    upgraded to another version. Please send me a copy of your Command
    Processor file to inspect. (Usually COMMAND.COM; could be NDOS.COM
    or 4DOS.COM)

Q5. ChekMate informed me that 'The Boot Sector' has changed; what
    should I do?

A5. If ChekMate has been working fine before, & you have NOT upgraded
    your version of DOS or changed the 'Volume Label', then you have
    probably been infected by a Boot Sector virus. Please send me the
    following files:

      ?BOOT.SEC files (Where ? is C, D, E &/or F)
      ?BOOT.CHK files (Where ? is C, D, E &/or F)
      ERROR.LOG

Q6. ChekMate informed me that 'The Partition Table' has changed; what
    should I do?

A6. If ChekMate has been working fine before, & you have NOT upgraded
    your version of DOS or changed the Partition Table by running
    FDISK, then you have probably been infected by a Partition Table
    virus. Please send me the following files:

      PART.SEC
      PART.CHK
      ERROR.LOG

Q7. ChekMate informed me that '1 or More of The BAIT File(s)' have
    changed; what should I do?

A7. The BAIT files should NEVER change. Please send me the following
    files to inspect:

      101.COM
      1001.COM
      1001.EXE
      4001.COM
      4001.EXE

In all cases ensure that you have scanned your system with a good and
up-to-date virus scanner (such as F-Prot, ThunderBYTE etc...). Please
remember to inform me which scanner & version was used. Also please
ensure that you send the ERROR.LOG file.


Latest Version:
______________

The latest version of this application should always be available from
the internet site that you originally obtained it from.

The main site is the SimTel archives (oak.oakland.edu) or one of the
mirror sites.

Secondary site is: ftp.demon.co.uk in /pub/antivirus/ibmpc/av-progs

You will also find it on many BBS's throughout the world.

Please E-Mail me if you want to know when a new version is released; I
will add you to the mailing list for new version announcements.

Source code is only available to companies interested in developing a
commercial version of ChekMate or a program based on ChekMate. Source
code will also be made available to companies who wish to have a
customised version written. Contact the author to discuss.


Bug reports, suggestions, etc...
________________________________

If you catch a virus with ChekMate in one of the Bait files, then
please send me a copy for analysis. I will send a reply to anyone who
sends me such a file. If possible I will send a search string to
correctly identify the new virus to aid removal.

To date ChekMate has trapped three unknown viruses ("in the wild"). The
latest was even undetected by heuristic based scanners.

Mail files to the E-Mail or Postal address at the top of this document.
(If you e-mail the file(s) then please use UUENCODE or MIME.)

Send all bug reports, suggestions, etc. to the E-Mail or Postal address
at the top of this document.

If you like this program, let other people know about it!

If you contact me to let me know you are using ChekMate I will send you
a Windows Write formatted version of this manual. It will contain more
information about ChekMate and removing viruses. (Remember to ask for
it when e-mailing me.) You will also be informed when new versions are
released.

If you use and/or like ChekMate, then please drop me a line to let me
know that you are using it. This will allow me to know the future
development requirements.

If you have tested ChekMate against any viruses then please let me know
the outcome of these tests, whether the results are good or bad.

For details of viruses that ChekMate has been tested against, please
see the file enclosed in this ZIP file, TESTS.TXT.


And finally .........
_____________________

   ________________________________
  |                                |
  | Thank you for trying ChekMate. |
  |________________________________|


Information about MD5 (Quoted from RFC1321)
_____________________

"
1. Executive Summary

This document describes the MD5 message-digest algorithm. The algorithm
takes as input a message of arbitrary length and produces as output a
128-bit "fingerprint" or "message digest" of the input. It is
conjectured that it is computationally infeasible to produce two
messages having the same message digest, or to produce any message
having a given prespecified target message digest. The MD5 algorithm is
intended for digital signature applications, where a large file must be
"compressed" in a secure manner before being encrypted with a private
(secret) key under a public-key cryptosystem such as RSA.

The MD5 algorithm is designed to be quite fast on 32-bit machines. In
addition, the MD5 algorithm does not require any large substitution
tables; the algorithm can be coded quite compactly.

The MD5 algorithm is an extension of the MD4 message-digest algorithm
[1,2]. MD5 is slightly slower than MD4, but is more "conservative" in
design. MD5 was designed because it was felt that MD4 was perhaps being
adopted for use more quickly than justified by the existing critical
review; because MD4 was designed to be exceptionally fast, it is "at
the edge" in terms of risking successful cryptanalytic attack. MD5
backs off a bit, giving up a little in speed for a much greater
likelihood of ultimate security. It incorporates some suggestions made
by various reviewers, and contains additional optimizations. The MD5
algorithm is being placed in the public domain for review and possible
adoption as a standard.
"

*** END OF DOCUMENT ***