-----BEGIN PGP SIGNED MESSAGE----- Submitted to Crisnews by: Bill Lambdin I posted this routine once before. I have done further testing on this idea, and it does work. even on some stealth infectors without the necessity of booting clean from a bootable diskette. I want to state up front, that this will not identify the virus, nor help you get rid of it. This is detection only, and should be considered as an enhancement to scanners, and integrity checking, and not be used to replace either. This will detect most (if not all) file infectors that a scanner may miss. This will act as an early warning system for people that use integrity checking software. namely limiting the number of infected files to a minimum. This can detect many viruses without the need to boot clean prior to running the test. If you wish to use my idea, you will need the following. LHA. I use LHA 2.13 Archive your most common used files. FC.EXE that comes with DOS 4.0 and above The .BAT file below. BAIT.BAT @ECHO OFF CLS C: CD\BAIT DEL VIRUS.LZH LHA A -A VIRUS \COMMAND.COM \DOS\CHKDSK.* FC BAIT.LZH VIRUS.LZH CD\ It would be a very good idea to rename the utilties, and directory. to prevent a hacker from writing a virus that will delete or fool this routine. You can archive as many files as you wish, but I would recommend a minimum of two files. 1.COM file, and one .EXE file. Currently; I am archiving eight files. six are DOS programs, and two of them are Windows programs. So I can detect either DOS or Windows viruses in one test that takes only a few seconds on my 486. Be sure to use the asterisk for the .EXE extension. This will make LHA add any companion infectors that are present. Part of that .BAT file is complex, and it is vital that it be typed exactly as shown. So I should explain how it works in more detail. DEL VIRUS.LZH This deletes the previous test to give you a clean and fresh test every time. LHA A -A VIRUS \COMMAND.COM \DOS\CHKDSK.* In the command line above, the first A instructs LHA to add the files to the archive. The second paramater -A instructs LHA to add the file regardless of which atribute(s) are set. It works for all four atributes. Hidden System Read only Archive I have been thouroughly testing this routine for weeks. I have tested it against the following stealth viruses. X = detected change. active inactive Virus in memory booting clean SBC X X FRODO X X TREMOR X My routine should have detected SBC because it is not fully stealthed, and it doesn't disinfect the host file when the it is opened. My routine should not have detected FRODO because it is fully stealthed, and does disinfect the host file on the fly when it is opened for any reason. FRODO sets the date stamp forward 100 years. This is how that Frodo Marks the files as infected. My routine detected the change to the date stamp even though Frodo had disinfected the host file when LHA archived the host file(s). My routine is able to detect the following types of changes. 1. Change to files 2. change of file attributes 3. change of file time stamp 4. change of file date stamp I release this routine to the public domain, and anyone may use it freely. Bill Lambdin -----BEGIN PGP SIGNATURE----- Version: 2.3a iQBVAgUBLNc4LaM4CDusTF+9AQHRagH/VBeKGX7Nbdpcwo3xHzRCCGVFppDbPQZz KvGmA1Y8EL5dOx0ozjw57knsNGjbzU+FST5USsQfmVnf2Nc//FCiBQ== =w7Cq -----END PGP SIGNATURE-----