RVK: ROSE Virus Killer - a generic virus remover for COM files
──────────────────────────────────────────────────────────────────────
Written and (C)opyright 1992-96 by ROSE Softwareentwicklung,
Dipl.-Ing. (FH) Ralph Roth, Finkenweg 24, D 78658 Zimmern

─══[ 1 SYNOPSIS ]══════════════════════════════════════════════─

This is a utility that steps through a polymorphic decryptor (MtE, NED, DSME, DSCE, ViCE, TPE, SPE, G2, PS_MPC...) or through an ordinary (unencrypted) virus, decrypts it and cleans the virus from the infected file. This process restores the host program, disables the virus and cuts parts out of the virus. RVK terminates before executing the virus!

─══[ 2 ABOUT THE PROGRAM ]═════════════════════════════════════─

This program is useful if you have an infected file and want to remove the virus. Just clean it using RVK, then check the resulting file. RVK isolates the viral code in an infected program and disables it. From then on it is safe to use the program again, as the risk of other files being infected or damaged by it has been removed.

─══[ 3 ABOUT THE CLEANING PROCESS ]════════════════════════════─

RVK works completely differently from 'conventional' cleaners. First of all, it does not recognise any particular virus. However, RVK is aware of many tricks used by common viruses. Its disinfection scheme is therefore completely different from that of known cleaners, and it works with almost any (COM) virus. This technique is called heuristic cleaning mode! In this mode RVK does not need any information about viruses, and it has the added advantage that it does not even care about the original, uninfected state of a program. This cleaning mode is very effective if your program is infected with an unknown virus, a polymorphic virus or a virus using 80386+ instructions! Note that this does not imply that the cleaned file is 100% identical to the original one.
When RVK uses heuristic cleaning to disinfect a program, the file will never be exactly the same as in its original state. This is not an indication that RVK failed, nor does it mean that the file is still infected in some way. First of all, it is normal that the heuristically cleaned file is still larger than the original one, because RVK tries to stay on the safe side and avoids removing too much from the host program. The bytes left at the end of the file are 'dead' code: the instructions will never be executed again, since the 'jump' at the beginning of the program has been removed. The functionality of the cleaned file is nevertheless the same! For this reason a virus scanner MAY still find the virus in cleaned files, or may now report a new variant of this virus (F-Prot)!

In heuristic mode, RVK loads the infected file and starts emulating, simulating and tracing the program code to find out which part of the file belongs to the original program and which to the virus. The result is successful if the functionality of the original program is restored and the functionality of the virus has been reduced to zero. RVK attempts to follow the execution of the program until the end of the decryptor, or until the original entry point has been restored by the virus! It will not execute dangerous interrupt calls, and will terminate if one is encountered. Some interrupt calls are simulated, some emulated, a few are executed (e.g. "get DOS version" or the virus installation check) and some are removed! It also terminates if DS or ES change, or if a far call is encountered. THIS DOES NOT ABSOLUTELY GUARANTEE SAFETY WHEN RUN! I have tested RVK on over 500 COM infectors! One case in which RVK may fail to complete the cleaning process is when the virus does not actually restore the host program, but instead tries to go resident or to infect other victims. Please send me any virus that cannot be killed with RVK!
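As an added illustration (not RVK's code, and not how RVK itself is implemented), the following Python toy traces a constructed appending COM infector the way the heuristic cleaning described above does: it emulates from offset 0100h until the virus has copied the host's saved bytes back and handed control to the entry point, refuses to execute any INT, keeps the restored bytes up to the initial JMP target (this example's own conservative cut), and repeats until nothing more is removed, which is the multiple-infection case of section 4. The sample host, the infector and the emulated opcode subset are all constructed for this example.

```python
# Added example, not RVK's code: a toy 8086 tracer in the spirit of heuristic
# cleaning. Only the opcodes used by the constructed sample below are emulated;
# an INT or any unknown instruction stops the trace, as the document describes.
def trace_to_entry(image):                           # returns (memory, ok, reason)
    mem = bytearray(0x10002); mem[0x100:0x100 + len(image)] = image
    reg, stack, ip = {0xB9: 0, 0xBE: 0, 0xBF: 0}, [], 0x100   # keys: MOV cx/si/di opcodes
    for _ in range(10_000):
        op, imm = mem[ip], mem[ip + 1] | (mem[ip + 2] << 8)
        if op == 0xE9:                               # JMP rel16
            ip = (ip + 3 + imm) & 0xFFFF
        elif op in reg:                              # MOV cx/si/di, imm16
            reg[op], ip = imm, ip + 3
        elif op == 0xF3 and mem[ip + 1] == 0xA4:     # REP MOVSB (DS = ES = CS assumed)
            for i in range(reg[0xB9]):
                mem[reg[0xBF] + i] = mem[reg[0xBE] + i]
            reg[0xBE] += reg[0xB9]; reg[0xBF] += reg[0xB9]; reg[0xB9] = 0; ip += 2
        elif op == 0x68:                             # PUSH imm16
            stack.append(imm); ip += 3
        elif op == 0xC3 and stack:                   # RET
            ip = stack.pop()
        elif op == 0xCD:                             # INT xx is never executed
            return mem, False, "interrupt call at %04Xh" % ip
        else:
            return mem, False, "unhandled opcode %02Xh at %04Xh" % (op, ip)
        if ip == 0x100:                              # virus handed control back to the host
            return mem, True, "original entry point restored"
    return mem, False, "step limit reached"

def clean(image):                                    # one pass; returns (image, bytes_removed)
    if len(image) < 3 or image[0] != 0xE9:           # no JMP at the entry: nothing to do
        return image, 0
    body = 3 + (image[1] | image[2] << 8)            # file offset of the virus body
    mem, ok, _ = trace_to_entry(image)
    if not ok or body >= len(image):
        return image, 0
    return bytes(mem[0x100:0x100 + body]), len(image) - body   # cut at the JMP target

def clean_all(image):                                # repeat until nothing more is removed
    passes = 0
    while (cleaned := clean(image))[1]:
        image, passes = cleaned[0], passes + 1
    return image, passes

HOST = bytes.fromhex("B8004CCD21")                   # constructed host: mov ax,4C00h / int 21h
def build_infected(host):                            # constructed appending infector
    body_addr = 0x100 + len(host)
    body = (b"\xBE" + (body_addr + 15).to_bytes(2, "little")   # mov si, saved bytes
            + b"\xBF\x00\x01\xB9\x03\x00\xF3\xA4"                # mov di,100h; mov cx,3; rep movsb
            + b"\x68\x00\x01\xC3" + host[:3])                    # push 100h; ret; 3 saved bytes
    return b"\xE9" + ((body_addr - 0x103) & 0xFFFF).to_bytes(2, "little") + host[3:] + body
```

Cutting at the JMP target is why a real cleaner may leave dead bytes behind: a virus that padded or relocated the host would survive only as unreachable code after the restored entry.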
If possible I will improve RVK to clean this virus too.

─══[ 4 MULTIPLE INFECTIONS AND ANTIDEBUGGING TRICKS ]═══════════─

It is possible that a file is infected with multiple viruses, or with multiple instances of the same virus! Some viruses keep on infecting files, and in such a case the infected files will keep growing (e.g. Jerusalem). It is very likely that RVK removes only one instance of the virus. In this case it is necessary to repeat the cleaning process until RVK reports that it cannot remove anything any more. Remember that you cannot clean COM files protected with PROTECT or HackStop, because this code uses anti-debugger techniques. You can, however, safely remove the encryption added by SCRAMBLE, CRYPTCOM or R-Crypt! By the way, RVK can bypass most anti-debugger tricks found in existing viruses!

─══[ 5 A LITTLE WARNING ]══════════════════════════════════════─

This is a prototype version and is NOT IN ANY WAY GUARANTEED! I am only releasing this program because to date nothing else seems able to do this (apart from TBCLEAN). This will allow anyone to disinfect COM files. As an advantage, RVK is not limited to 8086 code; it will even clean viruses that use 80586+ instructions (remember: you CANNOT CLEAN 386 code on a 286 machine)! Send me ANY virus that could not be cleaned using RVK!

─══[ 6 LEGAL TERMS AND DISCLAIMER ]════════════════════════════─

RVK basically has no legal guarantee or warranty, because I do not want to get sued over it, and should be used "as is". Here is the official disclaimer:

RVK ("program") will ALTER and DESTROY executable files and may have or cause compatibility problems with them in certain circumstances (that is why YOU should keep a backup file, in case of incompatibility with a particular file).
Under no circumstances may Ralph Roth ("author") be held liable or accountable for any damage to system files, executable files, data files, or any other system or data damage due to use or misuse of his program. The author also may not be held accountable for loss of profits or for any other damages incurred by the use or misuse of his program. The author has forewarned all users that damage to files may occur with use or misuse of his program, and in executing the program, the user fully understands these risks and this disclaimer.

Greetings (and virus free time)
Ralph Roth

You can obtain the newest DECOM & RVK version from (please add some money for disc and shipping!):

ROSE Softwareentwicklung
Dipl.-Ing. (FH) Ralph Roth, Finkenweg 24, D 78658 Zimmern
FAX +49.741-32347
E-Mail until ?: rar@fh-albsig.de
Fido: 2:246/2101.2

Please check the file "address.txt" for more information!

─══[ 7 HISTORY ]═══════════════════════════════════════════════─

7.1 Version 0.01-0.05
RVK now prompts you for a filename only _IF_ the virus has been safely decrypted or disabled! This means, however, that you can now overwrite the old file at your own risk. RVK now emulates a lot of MS-DOS calls in order to handle many more viruses! "Anti Debugger Code Handling" improved!

7.2 Version 0.10
RVK can now be invoked via the command line; otherwise you will be prompted for a source file! RVK now truncates (most of) the virus body, so check the resulting file carefully!

7.3 Version 0.11
Added more code checking in order to clean the Annihilator Stealth viruses. RVK now displays information about the cleaned file. Some (dangerous) instructions are now additionally overwritten with NOPs, so check your cleaned files carefully!

7.4 Version 0.13
Added more checking for anti-debugging tricks. Tested with over 50 new viruses.

7.5 Version 0.20 (March 95)
Added a software emulator that is able to emulate INT calls and most anti-debugger tricks without losing control over the program!
RVK can now handle almost all files, except some with special anti-debugging code. Furthermore, the handling of infected files is now safer, more reliable and more successful than ever before!

7.6 Version 0.21 (April 95)
My FAX number has changed! Small code enhancements to clean more viruses!

7.7 Version 0.22 (June 95)
The program is now able to bypass some IN/OUT commands. The package now includes an alpha version of the heuristic scanner "RPCATCH".

7.8 Version 0.23 (December 95)
Fixed some orthographical errors in RVK.COM.

──────────────────────────────────────────────────────────────────────
Please excuse my English, it is not my native language! ANY IMPROVEMENTS WELCOMED!