-----------------------------------------------------
AAVIRUS documentation (version of March 10, 1992)
by Maarten Meijer, Academic Computing Centre University of Utrecht (ACCU),
the Netherlands.
Email address: mmeijer@cc.ruu.nl
-----------------------------------------------------

Contents

1. Overview
2. Usage
3. Installation
4. Bootstrap integrity checking
5. Repair options
6. Some technical details
7. Concluding remarks

-----------------------------------------------------

1. Overview

The AAVIRUS ("ACCU Anti Virus") program checks the integrity of the DOS
bootstrap system on a bootable disk against a checksum file created by the
program at installation. This checksum file also holds a copy of the boot
sector of the disk, and - if it is a hard disk - a copy of the master boot
record, containing the partition table. AAVIRUS is able to restore these
bootstrap records even if the file is lost (but not overwritten) or the hard
disk has become inaccessible to DOS.

------------------------------------------------------

2. Usage

Just type "aavirus" to learn about the syntax and the options. The output
looks like this:

  Usage: aavirus option [file] [drive]

  option
   -i  installation: creates checksum [file] from [drive]
   -t  test: compares checksum [file] to actual bootstrap on [drive]
   -q  quick test: just compares (master) bootrecord and dir entries
   -r  repair: restores boot record and/or master boot record from
       checksum [file] back to [drive]
   -e  emergency repair: scans hard disk 0 for the most recent checksum
       file data. If file is lost or disk unaccessible.

  [file]  filename (drive:\path\file) of checksum file.
          Default is "[drive]:\AAVIRUS.DAT".
  [drive] drive to protect. Default is current drive (DOS 3.x) or boot
          drive (DOS 4 or higher). If you want to checksum another boot
          disk than the current one, set COMSPEC variable to temporarily
          point to the COMMAND.COM involved.

  Author: Maarten Meijer, Academic Computing Centre University of Utrecht,
  the Netherlands.
  Email address: mmeijer@cc.ruu.nl
  Version: Mar 10, 1992.

------------------------------------------------------

3. Installation

Running AAVIRUS with option -i without any other arguments will create a
checksum file \AAVIRUS.DAT on the default drive (if you use DOS 3.x) or on the
drive you booted from (if you use DOS 4 or higher). You may specify another
filename and/or another bootable drive. In the latter case, you probably have
to change the environment variable COMSPEC for a while, to point to the
COMMAND.COM file used when you boot from that disk. AAVIRUS uses COMSPEC to
locate the current command interpreter.

The checksum file contains the following:
- the boot record and, if it's a hard disk, the master boot record,
- the current COMSPEC environment variable,
- the disk's volume label,
- the directory entries and checksums of the two hidden system files (IO.SYS
  and MSDOS.SYS or IBMBIO.COM and IBMDOS.COM),
- the directory entry and checksum of COMMAND.COM (according to COMSPEC),
- the directory entry and checksum of the AAVIRUS program itself,
- the timestamp of creating the checksum file and its own checksum.

Before installation of the AAVIRUS checksum file always make sure that your
disk isn't already infected by a virus, by using a recent virus scan program.

------------------------------------------------------

4. Checking bootstrap integrity

The integrity of the bootstrap system is tested against the checksum file by
the option -t. Putting the line "aavirus -t" in your AUTOEXEC.BAT will check
the system when you start it. Normally AAVIRUS reports that "everything looks
fine". You can suppress this one-line message by redirecting output to the
null device ("aavirus -t >nul"), because if something appears to have
changed, the AAVIRUS messages will reach your screen anyway (they are written
to the standard error device), waking you up with beeps and requesting your
acknowledgement.
Because checksumming the contents of 4 files (see above) takes some time,
especially on slower systems, the option -q (quick test) checks everything
(master boot record, boot record, COMSPEC, directory entries of hidden files,
command interpreter and the program itself, and the integrity of the checksum
file) - except the checksums on the contents of the 4 files. Use option -q in
your AUTOEXEC.BAT if option -t takes too long.

If AAVIRUS reports any differences between the checksum file and the actual
situation, there is the possibility of virus infection, but the symptoms may
also be caused by quite normal actions like changing the boot disk's volume
label (which affects the boot record of DOS 4 and above), upgrading DOS,
changing COMSPEC (the location of COMMAND.COM), changing file attributes (e.g.
the archive attribute after backup), getting a new version of AAVIRUS, and so
on.

To get acquainted with AAVIRUS' operation, you could try it: change something
for a while, then run "aavirus -t" or "aavirus -q". The real disk heroes are
challenged to alter their boot record or partition table and try "aavirus -r"
or "aavirus -e" too (see below). So don't get upset if AAVIRUS cries, but use
your memory (Did I recently change something?) and a recent copy of a virus
scan program.

By the way, AAVIRUS will only discover viruses that affect the bootstrap
system, as by definition all partition table and boot record viruses do. It
is not suited to signal infection of .COM and .EXE files, although it checks
COMMAND.COM and its own integrity - being of the .EXE species. So, use a
virus scan program anyway, from time to time. Personally, I don't like memory
resident virus watchers. It's too much paranoia to have them interfere with
the normal functioning of the system, as they too often do.

------------------------------------------------------

5.
Repair options

AAVIRUS is able to restore the boot record and the master boot record from
the checksum file to their original locations in two ways.

The first method (option -r) reads the given checksum file and restores either
or both sectors after prompting. A lot of boot sector viruses (those that do
not intercept writing to sector 0 at BIOS level) can be removed by simply
restoring the original boot record this way and rebooting the system.

The second method (option -e) has to be used when the checksum file resided
on hard disk #0 (in any partition) but has been lost (yet not overwritten!)
or when the hard disk isn't accessible to DOS anymore. The program scans the
entire disk at the BIOS level to find the most recent file data, using the
data's checksum and timestamp (see chapter 3). Formally you should complete
the scanning process to be sure you have got the most recent data, but if
you installed the checksum file just once, you may interrupt scanning as soon
as data are found. You will then be prompted to restore either or both
records.

------------------------------------------------------

6. Some technical details

AAVIRUS requires or assumes the following technical specifications:
- PC-DOS or MS-DOS version 3.0 or above
- hidden system files should be either IO.SYS and MSDOS.SYS or IBMBIO.COM and
  IBMDOS.COM
- standard sector size of 512 bytes
- a one sector boot record
- if a hard disk: a one sector master boot record at cylinder 0 head 0
  sector 1

If you're not sure your system meets all these standards: they're quite
common. But read the exceptions below.

The source code of AAVIRUS has been written in Turbo C 2.0 from Borland with
a few functions in Microsoft MASM 4.0 assembler. The current version of
AAVIRUS has been tested on several systems of different model and brand, with
hard disks varying from 20 up to 110 MB, with one or more partitions per disk
and different BIOS parameters, using DOS versions 3.30 and 5.0.
I wiped partition tables and boot sectors, and was able to restore them from
the checksum file using either the -e or -r option. I did NOT test the program
with memory resident disk handlers (other than DOS's) that compress, encrypt,
or relocate data. Restoring boot records without having these same handlers
loaded will obviously produce wrong results.

Also, it seems that Digital Research DOS (DR-DOS) uses two sectors for its
boot record or partition table. If that is true, AAVIRUS isn't suitable for
DR-DOS users. Perhaps the same goes for other DOS-like operating systems as
well. Let me know if you have more definitive information on these issues.

------------------------------------------------------

7. Concluding remarks

So, if you use common hardware and common DOS, I don't expect you will run
into any trouble using this program. BUT:

>> Nor I, nor my employer, will accept liability for any damage caused by
>> or following the use of this program! You will use it at your own risk!

If you have any questions or remarks concerning the program, please don't
hesitate to write me at my mail address: mmeijer@cc.ruu.nl.

You may freely use, copy and distribute this program, on the simple terms
that program and documentation will not be modified in any way, will not be
sold, and are distributed together.

======================================================
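As an added illustration of the mechanisms described in chapters 3, 4 and 5 (example code written for this page, not AAVIRUS's own source or its AAVIRUS.DAT layout), the following Python script models a checksum record holding copies of the master boot record and boot record, COMSPEC, the volume label, per-file checksums, a timestamp and a self-checksum; a -t/-q style comparison against the current state; and a -e style raw sector walk that picks the most recent valid record out of a disk image even when no file system is readable. The record layout, the MAGIC marker, SHA-256 in place of the program's own checksum, the 8 KB record size bound and the sample sectors are all assumptions of this example.

```python
import hashlib, struct
SECTOR = 512
MAGIC = b"AAVDEMO1"  # constructed marker for this demo, not the real AAVIRUS.DAT layout
HEAD = struct.Struct(f"<I{SECTOR}s{SECTOR}s64s11s")  # timestamp, MBR, boot record, COMSPEC, label
ENTRY = struct.Struct("<12s32s")                     # 8.3 file name, SHA-256 of its contents
SAMPLE_MBR = bytes(range(256)) * 2                   # constructed 512-byte master boot record
SAMPLE_BOOT = b"\xeb\x3c\x90MSDOS5.0" + bytes(501)   # constructed 512-byte boot record

def make_record(mbr, boot, comspec, label, files, ts):
    # -i: both bootstrap sectors and per-file hashes, framed by magic + length and a trailing hash
    body = HEAD.pack(ts, mbr, boot, comspec, label)
    for name in sorted(files):
        body += ENTRY.pack(name, hashlib.sha256(files[name]).digest())
    rec = MAGIC + struct.pack("<I", len(body) + 44) + body  # 8 magic + 4 length + 32 digest
    return rec + hashlib.sha256(rec).digest()

def record_ok(buf):
    n = struct.unpack_from("<I", buf, 8)[0] if buf.startswith(MAGIC) and len(buf) >= 12 else 0
    return 44 <= n <= len(buf) and hashlib.sha256(buf[:n - 32]).digest() == buf[n - 32:n]

def parse_record(rec):
    ts, mbr, boot, comspec, label = HEAD.unpack_from(rec, 12)
    r = {"ts": ts, "mbr": mbr, "boot": boot, "comspec": comspec.rstrip(b"\0"),
         "label": label.rstrip(b"\0"), "files": {}}
    for off in range(12 + HEAD.size, len(rec) - 32, ENTRY.size):
        name, digest = ENTRY.unpack_from(rec, off)
        r["files"][name.rstrip(b"\0")] = digest
    return r

def check(rec, mbr, boot, comspec, label, files, quick=False):
    # -t / -q: names of the items that differ; -q skips the slow file-content hashes
    if not record_ok(rec):
        return ["checksum file"]
    r = parse_record(rec)
    now = {"mbr": mbr, "boot": boot, "comspec": comspec, "label": label}
    bad = [k for k in now if now[k] != r[k]]
    if not quick:
        bad += [n.decode() for n, d in r["files"].items()
                if hashlib.sha256(files.get(n, b"")).digest() != d]
    return bad

def emergency_scan(disk):
    # -e: raw sector walk with no file system; returns (offset, record) of the newest valid record
    best = None
    for off in range(0, len(disk), SECTOR):
        if disk.startswith(MAGIC, off) and record_ok(disk[off:off + 8192]):  # 8 KB record bound
            rec = disk[off:off + struct.unpack_from("<I", disk, off + 8)[0]]
            if best is None or parse_record(rec)["ts"] > parse_record(best[1])["ts"]:
                best = (off, rec)
    return best
```

A real installer reads the sectors through BIOS or OS calls and also records each file's directory entry, which this model leaves out.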