HOSPITAL

A suite of virus prevention and detection programs for the Atari ST

Neil Forsyth
Department of Computer Science
Heriot-Watt University
79 Grassmarket
Edinburgh
neil@uk.ac.hw.cs

Introduction

This suite of programs has been developed to detect and prevent the spread of viruses on the Atari ST computer. The programs apply primarily to floppy disk boot sector viruses, but some have a wider application.

Contents

The complete contents of this package are as follows:

HOSPITAL.DOC    Documentation in 1st Word format
HOSPITAL.TXT    Same but in pure ASCII format
STVIRUS.DOC     Discussion on viruses in 1st Word format
STVIRUS.TXT     Same but in pure ASCII format
BOOTCMP.PRG     The programs
DT.TTP
GOODBOOT.TOS
MEDICAL.TOS
RESET2.ACC
SKULL.PRG
VACCINE.PRG
VECHECK.PRG

Creating a 100% virus free boot disk

Before using these programs you must ensure that you have a safe disk to boot from in the first place. The following steps will ensure that you have a known 'clean' disk:

Switch on your computer with no floppy disk in any disk drive and with your hard drive switched off. This will take some time to boot up (about a minute) but it is worth it because we can be sure there is no virus in the computer.

Next, insert a blank floppy in the floppy disk drive and format it using the normal desktop formatter. I know there are plenty of other formatters available, my own included, but if someone had modified them we'd be back to square one.

Recommended Setup

After creating your known clean disk it is recommended that you place the programs in an AUTO folder on this 'boot disk' in the following order [1]:

VECHECK.PRG
SKULL.PRG
(other things like hard disk drivers, GDOS etc.)
VACCINE.PRG
WATCHER.PRG
BOOTCMP.PRG

and on the root of the drive the following files will be created by two of the above programs:

VECHECK.DAT
BOOTCMP.DAT

You need not use all the programs. Some may not suit your particular setup.
Always boot up your machine with this disk, or one prepared in a similar way, and always keep it write protected if you can. This will give you the maximum amount of protection.

BOOTCMP.PRG

This program should be run from bootup. It compares the floppy disk boot sector with a file (BOOTCMP.DAT). When first run it will inform you that it could not find the file for comparison and will ask you if you would like to make one. Say yes to this and allow it to save to the disk. If the boot sector is ever changed then the program will stop and tell you. It will then ask you if you want to update the comparison file. Be absolutely sure that the disk does not have a virus before you decide to update the file.

DT.TTP

This is a generally useful disk toolbox. The full instructions for it can be obtained by double clicking on it and pressing return. The two commands relevant to this manual are:

Reversibly change the executability of a boot sector       -esh a:
Change the order of execution of AUTO folder programs      -ash a:

GOODBOOT.TOS

This program allows you to create custom executable boot sectors. What the boot sector does is up to you. The following options are available:

- Change to medium resolution on colour displays
- Change the colour palette to white on black until the desktop appears
- Run a program called COMMAND.PRG instead of the desktop
- Print a message on screen

If you enable one or more of these options on your boot sector, then if it ever ceases to behave as it should you can suspect foul play and examine it for a virus.

You can also sterilise a boot sector. This cleans out the areas that can hold viruses but leaves the important parts of the sector alone. This can be used to kill any viruses you find or get rid of any custom boot sectors. Be very careful using this option because the code contents of the boot sector cannot be retrieved. If you are in any doubt, use DT.TTP to reversibly change the boot sector's executability instead.
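The three boot-sector operations described above (BOOTCMP's comparison against a saved copy, DT's reversible executability change, and GOODBOOT's sterilise option) all rest on one fact about the ST: the ROM only executes a floppy boot sector whose 256 big-endian 16-bit words sum to 0x1234. The following Python is an added example written for this manual, not code from the HOSPITAL package. The sample sector is constructed, the choice of which bytes sterilising preserves (serial number and BPB, offsets 8 to 29) is mine, and the "flip the top bit of the last word" toggle is my own reversible technique, not necessarily what DT.TTP does internally.

```python
# Boot-sector integrity helpers modelled on BOOTCMP (compare with a saved copy),
# DT -esh (reversibly change executability) and GOODBOOT's sterilise option.
# Added example; none of this is code from the HOSPITAL package.
import struct

SECTOR_SIZE = 512
EXEC_MAGIC = 0x1234   # the ST ROM runs a boot sector only if its 16-bit word sum is 0x1234
KEEP = range(8, 30)   # serial number (8..10) and BPB (11..29): sterilising leaves these alone (my choice)


def word_sum(sector):
    """Sum of the 256 big-endian words modulo 2**16, as the ST ROM computes it."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("a boot sector is exactly 512 bytes")
    return sum(struct.unpack(">256H", sector)) & 0xFFFF


def is_executable(sector):
    return word_sum(sector) == EXEC_MAGIC


def make_executable(sector):
    """Write a fudge value into the last word so the sum comes to 0x1234 (what a custom sector needs)."""
    body = bytearray(sector)
    body[510:512] = b"\x00\x00"
    body[510:512] = struct.pack(">H", (EXEC_MAGIC - word_sum(bytes(body))) & 0xFFFF)
    return bytes(body)


def toggle_executable(sector):
    """Reversible executability change: flip the top bit of the last word.
    The word sum moves by 0x8000, so an executable sector stops being one; applying the
    same flip again restores the original bytes. (My technique, not necessarily DT.TTP's.)"""
    body = bytearray(sector)
    body[510] ^= 0x80
    return bytes(body)


def sterilise(sector):
    """Zero every byte that could hold code, keep serial number and BPB, and make sure the
    result is not executable. Irreversible, exactly as the manual warns."""
    body = bytearray(SECTOR_SIZE)
    for i in KEEP:
        body[i] = sector[i]
    clean = bytes(body)
    return toggle_executable(clean) if is_executable(clean) else clean


def differences(sector, baseline):
    """BOOTCMP-style check: byte offsets at which the sector no longer matches the saved copy."""
    return [i for i in range(SECTOR_SIZE) if sector[i] != baseline[i]]


def sample_sector():
    """Constructed clean sector: BRA.S, OEM name, serial number and a 720K double-sided BPB, no code."""
    s = bytearray(SECTOR_SIZE)
    s[0:2] = b"\x60\x1C"          # BRA.S to offset 0x1E
    s[2:8] = b"Loader"            # OEM name
    s[8:11] = b"\x12\x34\x56"     # disk serial number
    # BPB fields are little-endian: BPS 512, SPC 2, RES 1, NFATS 2, NDIRS 112,
    # NSECTS 1440, MEDIA 0xF9, SPF 5, SPT 9, NSIDES 2, NHID 0
    s[11:30] = struct.pack("<HBHBHHBHHHH", 512, 2, 1, 2, 112, 1440, 0xF9, 5, 9, 2, 0)
    return bytes(s)


if __name__ == "__main__":
    good = make_executable(sample_sector())
    print("executable:", is_executable(good))
    tampered = bytearray(good)
    tampered[0x100] ^= 0xFF       # simulate a virus writing into the code area
    print("changed offsets:", differences(bytes(tampered), good))
    print("sterilised still executable:", is_executable(sterilise(good)))
```

A real BOOTCMP.DAT would hold the whole 512 bytes rather than a digest, which is why `differences` reports offsets: knowing whether the change landed in the BPB (a reformat) or in the code area (a likely infection) is what you need before answering the "update the comparison file?" prompt.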
Note: If your hard drive is auto-booting then the floppy boot sector will not be executed after a soft reset.

MEDICAL.TOS

This is a program for the bulk checking of your disks for possible infection. It also checks the machine for possible infection.

RESET2.ACC

This desk accessory allows you to reset the computer. A soft reset is equivalent to pressing the reset button at the back, and a hard reset is equivalent to switching the computer off then on (with less stress on the hardware). Some viruses can survive a soft reset, so if you think your computer is infected do a hard reset.

If you have the TOS 1.4 ROM version in your computer then you can usually reset the machine by holding down the following key combinations:

Soft reset: CONTROL-ALTERNATE-DELETE
Hard reset: CONTROL-ALTERNATE-RIGHT SHIFT-DELETE

SKULL.PRG

This program should be run from bootup. This is a virus killer. If your machine is infected then a skull will appear at the left hand edge of the screen and the machine will hang up. You must then switch the computer off and boot with an uninfected disk.

VACCINE.PRG

This program should be run from bootup. When run, this program installs itself in the machine and attempts to prevent any active virus from infecting a disk. It also checks for viral code on incoming disks. Suspicious behaviour and suspect disks will cause the screen to pulsate for a few seconds.

VECHECK.PRG

This program should be run from bootup [2]. This program compares the vulnerable areas of memory that viruses usually change with a file (VECHECK.DAT) saved when the machine was in a known clean state. When first run it will inform you that it could not find the comparison file and will ask you if you wish to make one. Say yes to this but no to the 'Update mask' prompt. Not all of the memory under scrutiny concerns disk access or viruses, and some locations change constantly.
For this reason the comparison file contains a map of the areas to be checked as well as what those areas of memory should contain. If the comparison goes well then an OK message will appear, but if not the addresses of the differences will be printed with the option to update the file. Be sure the machine is not infected with a virus before you allow the program to update the file.

RAM disks and hard disk driver programs use similar techniques to viruses to install their routines in the machine. If you have a hard disk drive and it is not auto-booting, then make sure this program gets run before the driver program is installed. Reset-survivable RAM disks will probably cause the program to find differences, since they make the system boot up again once they have installed themselves. Don't update the comparison file in this case, because there are reset-survivable viruses. Just know what to expect from your system's unique configuration. To understand what changes would constitute a possible viral threat I recommend you read a technical book about the ST.

WATCHER.PRG

This program should be run from bootup. When run, this program installs itself in the machine and checks that the boot sector has not changed during the most vulnerable times. If the boot sector is changed, probably by a virus, then the screen will pulsate for a few seconds to warn you about it.

Disclaimer

I make no warranty with respect to these programs, and disclaim any implied/explicit suggestions of usefulness for any purpose. Use these programs only if you are willing to assume all risks, and damages, if any, arising as a result, even if it is caused by negligence or other fault.