___________________________________________________________________________

              ChekMate Known\Unknown Virus Detection Utility

       Copyright (c) 1994,1995 by Martin Overton. All rights reserved.

Written by:  Martin Overton,
             8 Owl Beech Place,
             Horsham,
             West Sussex,
             RH13 6PQ,
             UNITED KINGDOM
             +44 (1403)-241376
Internet:

THE INFORMATION AND CODE PROVIDED IS PROVIDED AS IS WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO
EVENT SHALL MARTIN OVERTON BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING
DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR
SPECIAL DAMAGES.

_____________________________________________________________________

This program executable, bait files and related files may be distributed
freely as long as no money is charged for the program itself or any of its
components. This program MUST be distributed as a whole with its associated
files and this document.

This version of ChekMate may not be distributed as a part of any commercial
package without prior written agreement of the author.

_____________________________________________________________________

This program was developed entirely using personal time and personal
resources. It is fully functional and there are no 'nag' screens or crippled
functions. It has been tested on many different PCs and DOS versions with no
problems encountered.

This program has no connection with, and is not endorsed by, my employers.

___________________________________________________________________________

License:
_______

ChekMate is hereby released under the Shareware concept.

For personal/home use ChekMate is FREE. (Same as F-Prot by FRISK)

Companies or other institutions using ChekMate or interested in a site
license MUST contact the author to arrange a SITE license.

The author retains the copyright of ChekMate and all of its components.
ChekMate or any of its components may not be used as part of any other
package unless written agreement is obtained from the author.

ChekMate must not be modified in any way.

Thanks:
______

Thanks to Philip Tong for early Beta testing and a copy of the then unknown
'Dalian_China' or 'Gene_1991' (name still not agreed by CARO) virus, which
ChekMate captured.

Thanks also go to Stephan Loescher for his suggestions for improvements and
constructive feedback.

Requirements:
____________

ChekMate requires you to have an IBM PC Compatible running DOS 3.3 or later,
at least 128Kb of memory and a Hard Disk.

DEBUG must also be on your PC, in your Path.

What is ChekMate:
________________

ChekMate is a DOS based virus detection utility written originally for my
own purposes. Other people have seen and/or used ChekMate and suggested that
I release it as a virus detection tool. So here it is!

ChekMate was written to detect new and known file, boot and partition table
viruses. It should be used alongside a good quality virus scanner. It is NOT
a substitute for a virus scanner.

It will detect most file infector, boot sector or partition table viruses.
It will also detect many memory resident viruses.

___________________________________________________________________________

Why was ChekMate Written:
________________________

I frequently receive suspect files from people throughout the world who
believe, either rightly or wrongly, that they are infected with a new/unknown
or known virus. I needed a way to confirm that the file/disk was indeed
infected.

My first step was to scan it for known viruses. If that did not detect a
known virus then the infected file/disk was run on a 'sheep-dip' PC and
ChekMate was then used to tempt the virus into infecting one or more of the
bait files or the Boot Sector or Partition Table.

In all cases the virus was caught by ChekMate, either by infecting one or
more of the BAIT files or the Boot Sector or Partition Table.
Many people do not perform a daily scan of their PC, because it takes too
long (3-20 Minutes). ChekMate takes under 20 seconds to run, even on 80286
based systems.

How ChekMate Works:
__________________

Every time ChekMate is run, it will first test the DOS memory for
modifications (unless you disable this test, see below).

ChekMate, when run for the first time, will create a series of Finger-Print
(.CHK) files of the following:

   COMMAND.COM or alternate command processor.
   CHEKMATE.EXE
   THE BOOT SECTOR(s)
   THE PARTITION TABLE
   101.COM
   1001.COM
   1001.EXE
   4001.COM
   4001.EXE

Any other time that ChekMate is run it will match the Finger-Print files
with the actual files or image files taken at runtime.

These Finger-Print (.CHK) files are not CRCs (checksums, as these are easily
fooled by some viruses) but are actual code fragments of the start and, in
some cases, the end of the file or area.

If these Finger-Print files do NOT match the runtime images, then you will be
warned that one or more of the files/areas have been changed. The actual
area/file name will be displayed. If a change is detected then ChekMate will
return to DOS without checking any other files/areas for modifications.

Most viruses change executable code at the beginning and/or end of a file or
area. ChekMate checks for this sort of modification.

___________________________________________________________________________

Installation:
____________

Copy all the files to a floppy disk and write protect it. This disk can then
be used in the event of a virus outbreak to replace infected ChekMate files.
Also copy the .CHK files after ChekMate is run for the first time.

Before installation, ensure that the Validation information is correct.
The Validation information was generated by Validate 2.00 from McAfee:

   CHEKMATE EXE   45514  02-06-95  1:05a  E88B  EC25
   CHEKMATE CHK     128  02-06-95  1:05a  A78B  012B
   CHEKMATE PIF     545  02-06-95  1:05a  1A34  D81B
   GETPART  EXE   11485  02-06-95  1:05a  B222  8409
   101      COM     101  02-06-95  1:05a  1582  7D78
   1001     COM    1001  02-06-95  1:05a  19A5  437A
   4001     COM    4001  02-06-95  1:05a  20D4  BE3C
   1001     EXE    1001  02-06-95  1:05a  813D  CB55
   4001     EXE    4001  02-06-95  1:05a  1950  43F1
   FILECHK1 CHK     160  02-06-95  1:05a  6D3D  CB79
   FILECHK2 CHK     160  02-06-95  1:05a  18DF  75F2

If these values do NOT match the files included with this document then
please inform me and do not run them.

1. Create a directory for this program and copy the files listed below to
   that directory:

   CHEKMATE.EXE -> The Main Program File
   CHEKMATE.ICO -> Windows Icon File for ChekMate
   CHEKMATE.PIF -> Windows PIF File for ChekMate
   CHEKMATE.CHK -> ChekMate Finger-Print file
   GETPART.EXE  -> Takes a Snap-Shot of the PARTITION TABLE
   FILELIST.INI -> Program INI File (See Later)
   FILECHK1.CHK -> Bait files Finger-Print file (Start of Files)
   FILECHK2.CHK -> Bait files Finger-Print file (End of Files)
   101.COM   \
   1001.COM   \
   1001.EXE    - - -> Bait files
   4001.COM   /
   4001.EXE  /

   (Bait files are simple files that display a message and return to DOS.
   They act as a decoy to tempt a virus into infecting them. They have no
   other purpose and DO NOT execute any other code or files.)

   The BAIT files can be replaced with your own versions of BAIT or any other
   executable file if you so wish. BUT, don't forget to edit the FILELIST.INI
   file if you do that.

___________________________________________________________________________

2. a. If you want to run ChekMate from Windows then:

      Use the 'File' 'New' menu option in Program Manager to create an entry
      for this program. (PIF file supplied.) Edit the .PIF file to reflect
      the correct run-time directory.
   b. If you are running it from DOS then:

      Add it to your AUTOEXEC.BAT. Either add the line below:

         C:\CHEKMATE.EXE

      and also ensure that the FILELIST.INI is in the ROOT directory '\'.

      OR

      Create a batch file that contains the following lines:

         CD\
         CHEKMATE.EXE

      CD\ should be the directory where you placed ChekMate,
      e.g. C:\WINDOWS\CHEKMATE

   c. Edit the FILELIST.INI file (shown below) if required:

       +---------------------+---------------------------------------------+
       | Example File        | What each line is/means                     |
       +---------------------+---------------------------------------------+
       | C:\BAIT             | The Directory That ChekMate is Installed in |
      *| C:\COMMAND.COM      | Path & Name of Command Processor in use.    |
      !| 1                   | Number of drives (Physical or Logical)      |
      #| 640                 | The BASE DOS Memory as reported by MEM /C   |
       | 101.COM,101         | 101 Byte .COM Bait file, Size in bytes      |
       | 1001.COM,1001       | 1001 Byte .COM Bait file, Size in bytes     |
       | 4001.COM,4001       | 4001 Byte .COM Bait file, Size in bytes     |
       | 1001.EXE,1001       | 1001 Byte .EXE Bait file, Size in bytes     |
       | 4001.EXE,4001       | 4001 Byte .EXE Bait file, Size in bytes     |
       +---------------------+---------------------------------------------+

      This file MUST exist and the contents MUST be correct or ChekMate will
      NOT work correctly.

      * The command processor may not be COMMAND.COM; 4DOS & NDOS are also
        supported as common replacements for COMMAND.COM. See your COMSPEC
        setting for the 'active' command processor and the correct path.
        Type 'SET' at the DOS prompt to view COMSPEC.

      ! ChekMate will handle up to drive F: (The FILELIST.INI entry would
        then need to be 4)

      # This is usually 640Kb (655,360 Bytes). Some systems may report 639Kb
        due to HD controllers 'borrowing' 1Kb for their own purposes. If this
        causes problems or you run ChekMate under OS/2, you can disable this
        test by setting this value to 0 (Zero).
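As an added illustration, and not code from ChekMate or this manual: a small Python re-implementation of the idea described under "How ChekMate Works" and of the FILELIST.INI layout above. It keeps a fragment of raw bytes from the start and the end of each bait file plus its size, compares them on every run, stops at the first changed file, and maps the outcome onto the errorlevel values the manual documents under "Dos ERRORLEVEL Returns" below. The 16-byte fragment length, the FILELIST.INI text, the bait file contents and the modifications made to them are all constructed for the demonstration; the manual does not describe ChekMate's actual .CHK format beyond what is quoted above. The last case shows the limitation the manual implies: a change confined to the middle of a file, with size, start and end untouched, is not seen by a start/end fingerprint.

```python
import os
import tempfile

FRAGMENT = 16  # bytes kept from the start and the end of each file (assumed length)

# Errorlevel values as documented in this manual under "Dos ERRORLEVEL Returns"
OK, CMD_CHANGED, SELF_CHANGED, BOOT_CHANGED, PART_CHANGED, BAIT_CHANGED, MEM_CHANGED = range(7)

# Constructed FILELIST.INI in the layout the manual shows (only .COM baits here)
SAMPLE_INI = """C:\\BAIT
C:\\COMMAND.COM
1
640
101.COM,101
1001.COM,1001
4001.COM,4001
"""


def parse_filelist(text):
    """Parse FILELIST.INI: install directory, command processor, drive count,
    base memory in Kb, then one 'NAME,SIZE' line per bait file."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    cfg = {"dir": lines[0], "comspec": lines[1], "drives": int(lines[2]),
           "base_mem_kb": int(lines[3]), "bait": []}
    for entry in lines[4:]:
        name, size = entry.split(",")
        cfg["bait"].append((name.strip(), int(size)))
    return cfg


def fingerprint(path):
    """Record the file size plus the raw bytes at the start and at the end of
    the file: the places a file infector normally has to patch or extend."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(FRAGMENT)
        fh.seek(max(0, size - FRAGMENT))
        tail = fh.read(FRAGMENT)
    return {"size": size, "head": head, "tail": tail}


def create_fingerprints(cfg, root):
    """Equivalent of the first run (or /CREATE): snapshot every bait file."""
    return {name: fingerprint(os.path.join(root, name)) for name, _ in cfg["bait"]}


def check_bait(cfg, root, stored):
    """Compare each bait file with its stored fingerprint and the size given in
    FILELIST.INI. Stops at the first change, as the manual says ChekMate does,
    and returns (errorlevel, name of the changed file or None)."""
    for name, expected_size in cfg["bait"]:
        now = fingerprint(os.path.join(root, name))
        if now["size"] != expected_size or now != stored[name]:
            return BAIT_CHANGED, name
    return OK, None


def should_run_scanner(errorlevel):
    """Mirrors the CHECK.BAT logic: 'IF NOT ERRORLEVEL 1 GOTO :End'."""
    return errorlevel >= 1


def make_bait_files(root, cfg):
    """Write constructed bait files of the sizes listed in FILELIST.INI."""
    for name, size in cfg["bait"]:
        body = (b"BAIT " + name.encode()).ljust(size, b"\x90")
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)


def demo():
    cfg = parse_filelist(SAMPLE_INI)
    results = {}
    with tempfile.TemporaryDirectory() as root:
        make_bait_files(root, cfg)
        stored = create_fingerprints(cfg, root)
        results["clean"] = check_bait(cfg, root, stored)

        # Constructed change of the kind the manual describes: bytes appended
        # at the end and the first bytes patched. Size and both fragments differ.
        with open(os.path.join(root, "1001.COM"), "r+b") as fh:
            fh.write(b"XXX")
            fh.seek(0, os.SEEK_END)
            fh.write(b"\x90" * 64)
        results["start_and_end_changed"] = check_bait(cfg, root, stored)

        # Restore, then alter only the middle of 4001.COM. Size, start and end
        # are untouched, so a start/end fingerprint cannot see this change.
        make_bait_files(root, cfg)
        with open(os.path.join(root, "4001.COM"), "r+b") as fh:
            fh.seek(2000)
            fh.write(b"XXX")
        results["middle_only_changed"] = check_bait(cfg, root, stored)
    return results


if __name__ == "__main__":
    for case, (level, name) in demo().items():
        print(f"{case}: errorlevel {level}, file {name}, "
              f"run scanner: {should_run_scanner(level)}")
```

Running the block prints the three cases: the clean run returns errorlevel 0, the appended-and-patched 1001.COM returns errorlevel 5 with the file name, and the middle-only change on 4001.COM returns 0, which is why the manual pairs ChekMate with a proper virus scanner rather than offering it as a substitute.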
___________________________________________________________________________

Dos ERRORLEVEL Returns:
______________________

The following errorlevel values are returned when ChekMate exits back to
DOS.

   0 = No modifications detected
   1 = COMMAND.COM (or other COMMAND processor) appears to have been changed
   2 = ChekMate.EXE appears to have been changed
   3 = The BOOT SECTOR appears to have been changed
   4 = The PARTITION TABLE appears to have been changed
   5 = One or more of the BAIT files appear to have been changed
   6 = The DOS BASE Memory amount appears to have been changed

Q. What can you do with this information?

A. You can use the errorlevels returned in a batch file to automatically run
   your favourite virus scanner when ChekMate detects a modification to your
   system.

   e.g. CHECK.BAT

      @ECHO OFF
      CLS
      CHEKMATE.EXE
      IF NOT ERRORLEVEL 1 GOTO :End
      :Ooops!
      C:\SCANNER\F-PROT.EXE C:
      :End

   The batch file above will only run your virus scanner if the errorlevel
   returned from ChekMate is greater than or equal to one. If zero (All OK)
   then the virus scanner is not run.

Help/Command Line Switches:
__________________________

To get help, run:

   CHEKMATE.EXE /H  or  CHEKMATE.EXE /?

Other command line switches:

   /CREATE    Creates a 'new' set of Finger-Print files. Usually only used
              after a DOS upgrade or after cleaning up after a virus attack.

   /NOEXPOSE  Used to only check Finger-Print files against original
              files/areas. Does NOT execute BAIT files. Mainly used if you
              substitute the BAIT files for other executable program files.

   /MONO      Force ChekMate to run in Monochrome mode. (ChekMate will detect
              many MONO video cards automatically.)

___________________________________________________________________________

Known problems/limitations:
__________________________

1) May not detect Companion viruses very quickly. But as soon as one of the
   bait files is infected it will alert you.
   A companion virus is very easy to spot as it makes a 'Companion' .COM file
   for ANY .EXE file on the infected system.

2) May not detect direct action non-TSR viruses very quickly. Most new
   viruses are TSR (memory resident) variants.

   The best way to test 'suspect' files is to place them in the same
   directory as ChekMate, Virus Scan them and, if they are not reported as
   infected, then run them from there. Then run ChekMate.

   **** REMEMBER TO BACKUP YOUR SYSTEM FIRST ****

3) Link viruses, such as DIR II, may not be detected as no executable code
   is changed.

Latest Version:
______________

The latest version of this application should always be available from the
site that you originally obtained it from. The main site is the SimTel
archives or one of the mirror sites.

Source code is only available to companies interested in developing a
commercial version of ChekMate or a program based on ChekMate. Source code
will also be made available to companies who wish to have a customised
version written. Contact the author to discuss.

___________________________________________________________________________

Bug reports, suggestions, etc...
________________________________

If you catch a virus with ChekMate in one of the Bait files, then please
send me a copy for analysis. I will send a reply to anyone who sends me such
a file. If possible I will send a search string to correctly identify the
new virus to aid removal. Mail files to the E-Mail or Postal address at the
top of this document. (If you e-mail the file(s) then please use UUENCODE or
MIME.)

Send all bug reports, suggestions, etc. to the E-Mail or Postal address at
the top of this document.

If you like this program, let other people know about it! Post your comments
in comp.virus or anywhere else that is relevant.

If you contact me to let me know you are using ChekMate I will send you a
Windows Write formatted version of this manual. It will contain more
information about ChekMate and removing viruses.
You will also be informed when new versions are released.

Let people know about it!

If you use and/or like ChekMate, then please drop me a line to let me know
that you are using it. This will allow me to know the future development
requirements.

If you have tested ChekMate against any viruses then please let me know the
outcome of these tests, whether the results are good or bad.

For details of viruses that ChekMate has been tested against, please see the
file enclosed in this ZIP file, TESTS.TXT.

!!! STOP PRESS !!!
__________________

If enough interest is shown, then a Windows version will be written. So, if
you want a Windows version, then let me know, NOW!

___________________________________________________________________________

                           *** END OF DOCUMENT ***