PART II
THE "ULTIMATE VIRUS KILLER" MANUAL
5 - SEEK'N'DESTROY VIRUSES
Following the selection of this option, another dialog box is
put on the screen (see figure 5), allowing you to select the
drive on which to start seeking'n'destroying viruses. The program
automatically detects any drives that are attached to your system
and displays their identifiers in selection buttons. Up to 26
drives/partitions may be selected, with the unavailable
drives/partitions being represented in 'greyed-out' text.
Please note that bootsector viruses can only be searched
(and destroyed) on floppy disk drives - A and B. Selecting
drive B is not possible when it is not actually attached. Link
viruses can be searched on either floppy or hard disk (up to and
including partition Z).
You may select a drive or partition by clicking on its
appropriate button with the mouse button or by entering the
appropriate keyboard shortcut [ALTERNATE]-key.
Once the drive to use is selected, you can decide whether you
want to examine your media for bootsector or link viruses. If you
selected bootsector viruses, you will get a prompt to insert the
disk you want to check.
In case you selected the option to check for the presence of
link viruses you will enter some further dialog boxes where you
can specify which files you want to check and in what way you
want them to be checked.
In the first dialog box you will be able to specify whether you
want to scan an entire drive or partition (all files on a floppy
disk or hard disk partition, including those present in all the
folders, will be scanned recursively), single files or folders,
or whether you want to exit. If you opted for the option to scan
single files or folders you can either specify a full filename in
the item selector box (in which case only that file will be
scanned) or you can enter a folder you want to tree-scan without
actually specifying a file (in which case all the files in that
specific folder - including all files and further folders present
in it - will be scanned). It is important not to select a file
name in the latter case; just enter the appropriate folder and
then click on the item selector box's "OK" button.
If you decide to check an entire floppy disk for link viruses,
the "Ultimate Virus Killer" will also automatically check that
disk's bootsector (note: this is for floppy disks only!).
Checking for link viruses on a whole partition or entire folder
may be aborted by pressing [ESCAPE] or [UNDO]. When there are
many infected files or when you have set "warnings on" and there
are many packed files, you may have to press the [ESCAPE] or
[UNDO] key a few times.
There is one rather important note that applies to bootsector
viruses: IT IS POSSIBLE THAT A PERFECTLY HARMLESS DISK IS
SUSPECTED OF BEING A VIRUS! This means that either the
bootsector of a harmless program is not yet recognised and not
yet implemented in the "Ultimate Virus Killer", or that it is
indeed a new virus! Whenever the "Ultimate Virus Killer"
encounters such a disk, you will be given the possibility to
either REPAIR the disk, PRINT its contents, WRITE A BOOTFILE or
LOOK AT IT.
In the second and third cases, we would very much like to
receive the boot file that the "Ultimate Virus Killer" can write
on a disk with enough free space on it (at least 512 bytes
free). When you do not have a disk nearby with sufficient space
free, you may want to use the FORMAT option that will format a
disk (single sided). If you send that disk (or the print-out)
to us (together with some written info about the disk it came
from and your name and address), we will check it out and send
it back as soon as possible provided you have supplied sufficient
International Reply Coupons (!).
Please make sure the bootfiles are accompanied by sufficient
explanation as to what software they belong to, for it's usually
impossible to determine this information from the bootsector
contents and the bootfile file name only.
It is likely that the directories of disks that have auto-
booting bootsectors on them will appear to be 'empty' or that
they seem to have 'corrupted files'. This need not be (and most
probably isn't) due to virus infection but to some software
protection schemes' exotic disk formats, some of which include
there not being any files on the disk at all.
IF YOU KNOW THAT THE SUSPECTED DISK CONTAINS NO VIRUS, WE WOULD
VERY MUCH LIKE TO RECEIVE IT ANYWAY, BECAUSE OTHER PEOPLE MAY NOT
BE AWARE OF IT AND MIGHT ACCIDENTALLY DESTROY THEIR PRECIOUS
SOFTWARE!!
Please send any disks in a good quality envelope that can also
be used for return mailing, and write "CONTAINS MAGNETIC MEDIA
- PLEASE DO NOT X-RAY" on it in clear, large characters (to
minimise loss of data). Do NOT FORGET TO ADD sufficient
International Reply Coupons! Disks without these cannot be sent
back!
Just before you can select whether to write a boot file or
simply to repair, a dialog box will be displayed that tells
you the 'Virus Probability Factor' (or VPF for short) - the
probability that the bootsector that is on the current disk is
indeed a virus (see figure 6). The reliability of this factor is
quite high.
The VPF is produced by scanning the code present in the
bootsector for some vital virus characteristics:
Factor 1: The presence of machine code that is to be found in a
routine that writes a sector to disk.
Factor 2: The presence of machine code that creates the checksum
for an executable bootsector.
Factor 3: The presence of magic checksums or memory locations
that are needed to make a program reset-resistant.
Factor 4: The presence of the addresses of system variables that
viruses can link themselves to.
If a virus is encoded, the "Ultimate Virus Killer" will first
decode it in its own disk buffer. Various other tricks are
employed, too, to make sure that viruses that try to evade the
'Virus Probability Factor' will be found anyway.
In certain cases, an additional dialog box is produced (see
figure 7); this happens when an unknown disk is found to be
largely filled with the same value. The larger the percentage
mentioned in this dialog box, the less the likelihood of virus
infection (quite on the contrary, one might add, to the
percentage mentioned with the 'Virus Probability Factor'
calculation)!
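The four factors and the 'same value' percentage described above
can be sketched as follows. This is an added example, not code from
the "Ultimate Virus Killer": the byte patterns, the function names
and both sample sectors are assumptions constructed for illustration.

```python
import struct
from collections import Counter

SECTOR_SIZE = 512
BOOT_MAGIC = 0x1234  # TOS executes a bootsector whose 256 big-endian words sum to this

# One group of byte patterns per factor in the manual. The patterns are
# assumptions chosen for this sketch, not the signatures UVK uses.
INDICATORS = {
    "1: sector write": [bytes.fromhex("3f3c0009")],     # move.w #9,-(sp) = XBIOS Flopwr
    "2: checksum creation": [bytes.fromhex("1234")],    # the magic sum as a constant
    "3: reset resistance": [bytes.fromhex("31415926"),  # resvalid magic value
                            bytes.fromhex("042a")],     # resvector address
    "4: system variables": [bytes.fromhex("0472"),      # hdv_bpb
                            bytes.fromhex("0476"),      # hdv_rw
                            bytes.fromhex("047e")],     # hdv_mediach
}

def is_executable(sector: bytes) -> bool:
    """True when the sector checksum marks it as bootable code."""
    return sum(struct.unpack(">256H", sector)) & 0xFFFF == BOOT_MAGIC

def fill_percentage(sector: bytes) -> float:
    """Share of the sector taken up by its single most common byte value."""
    return 100.0 * Counter(sector).most_common(1)[0][1] / len(sector)

def matched_factors(sector: bytes) -> list:
    """Names of the factors for which at least one pattern occurs."""
    return [name for name, pats in INDICATORS.items()
            if any(p in sector for p in pats)]

def assess(sector: bytes) -> dict:
    if len(sector) != SECTOR_SIZE:
        raise ValueError("a bootsector is exactly 512 bytes")
    return {"executable": is_executable(sector),
            "factors": matched_factors(sector),
            "fill_percent": round(fill_percentage(sector), 1)}

def make_executable(body: bytes) -> bytes:
    """Pad body to 510 bytes and append the word that fixes up the checksum."""
    padded = body.ljust(SECTOR_SIZE - 2, b"\x00")
    partial = sum(struct.unpack(">255H", padded)) & 0xFFFF
    return padded + struct.pack(">H", (BOOT_MAGIC - partial) & 0xFFFF)

# Constructed samples: inert marker bytes, not code taken from any real disk.
BLANK = b"\xe5" * SECTOR_SIZE
MARKED = make_executable(b"\x00\x00".join(p[0] for p in INDICATORS.values()))

if __name__ == "__main__":
    for label, sector in (("BLANK", BLANK), ("MARKED", MARKED)):
        print(label, assess(sector))
```

Short patterns such as the two-byte addresses also occur in harmless
loaders, which is why a sector that matches is only suspected and why
the fill percentage is reported alongside the matched factors.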
Note on executable file extensions: When you want to check a
whole partition or folder for link viruses it is possible to
select whether you want all files to be checked, or so-called
executable files only. Executable files are files that can be run
directly by double-clicking on them from the desktop; other files
include text files, picture files, source code files and the
like.
When selecting to check executable files only, the program will
only check files with extensions ".PRG", ".TOS", ".APP", ".ACC",
and ".TTP" (including their disabled counterparts ".PRX" and
".ACX"). These are normally the extensions for executable
programs. Some alternative desktops (such as "NeoDesk") allow
other file extensions to be executable, e.g. ".NPG" and ".NTP".
More recent TOS versions also support a special "GEM Takes
Parameters" executable file type with the extension ".GTP". To
check these as well, you would have to opt for ALL files to be
treated, or you will have to configure the UVK.CFG file
accordingly (see chapter 11).
Note for users of "MultiTOS": This Operating System uses a
'unified drive' (identifier "U:") in which certain folders will
cause a crash when checking for link viruses. You should refrain
from checking the following directories: "U:\DEV", "U:\PROC",
"U:\PIPE" and "U:\SHM".