AVK: Difference between revisions


Latest revision as of 13:29, 12 October 2011

                 USER MANUAL for the "Ultimate Virus Killer"
                        written by Richard Karsmakers

                 Mark III (rewrite) initiated June 19th 1993
                          Last change: June 3rd 1999


                               LIST OF CONTENTS


                               LIST OF CONTENTS
                              DISCLAIMER NOTICE
                                 INTRODUCTION
                               MAKING A BACKUP
                     STARTING THE "ULTIMATE VIRUS KILLER"
                   WORKING WITH THE "ULTIMATE VIRUS KILLER"
                            SEEK'N'DESTROY VIRUSES
                                IMMUNIZE DISKS
                      REPAIR BPB (BIOS PARAMETER BLOCK)
                              BOOTSECTOR VIRUSES
                                 LINK VIRUSES
                                RESTORE DISKS
                           THE SYSTEM STATUS SCREEN
                                   FEEDBACK
                                   CREDITS
                            TROUBLE SHOOTING CHART
                THE "ULTIMATE VIRUS KILLER" CONFIGURATION FILE
                   THE "ULTIMATE VIRUS KILLER" HISTORY FILE



            The "Ultimate Virus Killer" programme and manual are 
                copyright (c) 1999 by C.R.I.M.E. Development


0         DISCLAIMER NOTICE


 We  make no warranties,  either expressed or implied,  with respect  to  this 
manual or with respect to the software described in this manual,  its quality, 
performance,  merchantability,  or  fitness for any  particular  purpose.  The 
entire  risk as to its quality and performance is with the buyer.  Should  the 
programme prove defective following its purchase, the buyer assumes the entire 
cost of all necessary servicing,  repair,  or correction and any incidental or 
consequential damages.  In no event will we be liable for direct,  indirect or 
consequential damages resulting from any defect in the software.


1         INTRODUCTION


 Congratulations on your acquisition of the "Ultimate Virus Killer"  (or,  for 
short,  UVK).  This is probably the most versatile and definitive product   in 
the  battle against computer viruses on the Atari  ST/STE/TT/Falcon;  a  full-
fledged tool that has taken many years of painstaking development already. The 
main features of this programme are:

 * Recognition of virtually all software that uses the disk's bootsector
 * Recognition of ALL known viruses - both bootsector and link viruses
 * Option to restore previously damaged software that needs a specific
   bootsector program
 * All harmless data on your disks remains 100% intact!
 * Immunization of disks/files against many bootsector and link viruses
 * Option to repair damaged or destroyed BIOS Parameter Blocks
 * Automatic recognition of any hard, floppy and RAM disks that are present
 * Automatic recognition of all known viruses already present in the computer
   system
 * Almost  40 direct on-line,  context-sensitive help screens included in  the 
   programme, accessible by pressing the [HELP] button
 * Automatic calculation of a 'Virus Probability Factor' for
   suspicious/unknown bootsectors
 * Fast scanning of a whole drive or partition for link viruses.  This allows
   you to scan a full partition or floppy disk for link viruses 'at the touch
   of a button'
 * Option to save potential viruses to disk or print them out, to have them
   analysed by the programme author
 * Extensive system check; specifies suspicious system variables, scans for
   reset-proof programmes and checks for viruses in memory - also when a hard
   disk is attached!
 * Full compatibility with MEGA ST,  MEGA STE,  ST,  STE, TT and Falcon with a    
   minimum of 512 Kb of RAM, any ROM TOS and any known hard disk driver
 * Total compatibility with "MultiTOS" and "Geneva"
 * Contains fast, compact machine code routines, harnessing the raw processing
   power of the 680x0 type of processors
 * Extensive recognition of memory-resident programmes (among
   which all known viruses...)
 * Comfortable and easy-to-use mouse/keyboard user interface
 * Programme checks itself for link virus infection on start-up
 * Metados compatibility - check up to 26 drives/partitions!
 * Fully GEMDOS compatible, using dialog boxes and easy GEM
   conventions

 With this tool handy, you need never worry about viruses on your computer any 
more: You can simply use it to de-infect your disks and programmes, destroying 
the viruses and leaving all other information and data intact.


2         MAKING A BACKUP


 Just use the GEM desktop facilities to copy the files to another disk (or  to 
hard  disk)  for  backup purposes.  For the programme  to  run  properly,  the 
"DATA.PAK"  and  "UVK_x_x.PRG" files on the original "Ultimate  Virus  Killer" 
disk  are  needed.  An  optional  configuration file may  be  handy  (see  the 
appropriate chapter). If you wish to use the programme as a desk accessory you 
may  rename  the "UVK_x_x.PRG" file to "UVK_x_x.ACC" and  copy  the  necessary 
files to the root directory of your boot drive. Usually this is partition C if 
you have a hard disk, drive A if you don't.
 If  you are not familiar with the GEM copying conventions,  please  refer  to 
your computer's user manual.

 Notes on using the "Ultimate Virus Killer" as an accessory:
 Usually an accessory is located within the root directory of your boot drive. 
However,  with use of small accessories such as "Chameleon" that can load  and 
unload  another accessory it may very well happen that you load  an  accessory 
from somewhere else.  The "Ultimate Virus Killer" has no problems with that as 
long as you make sure that the supplemental files are located in the *current* 
directory of a floppy disk or hard disk partition. This means that you have to 
open  a  window to that directory first,  *then* use "Chameleon" to  load  the 
"Ultimate  Virus  Killer".  If  you neglect this,  as a  rule  only  the  root 
directories of all your valid partitions will be checked for occurrence of the 
supplementary files.
 You can leave out the "DATA.PAK" file when using it as an accessory in order
to save memory.
 If you want to use the "Ultimate Virus Killer" as an accessory on colour
monitors, you have to make sure that your system is switched into a proper
resolution (NOT low resolution!) before any accessories are loaded. This may
be achieved through AUTO folder programs such as "Superboot" and "XBoot" which
can leave your system in medium resolution upon leaving.


3         STARTING THE "ULTIMATE VIRUS KILLER"


 Turn your computer off and on again with the "Ultimate Virus Killer" disk  in  
drive  A.   After   some  seconds,   a desktop will   appear   that   contains 
several  file names,   amongst which is one  called "UVK_x_x.PRG" (where "x_x" 
stands for whatever the current version number is).  Double-click on this file 
with the mouse pointer to load and run it.  If you do not want the  "DATA.PAK" 
restore  data file to be loaded (which is only needed if you want  to  restore 
commercial  games  or demos that have had the programs  on  their  bootsectors 
wiped out) you can keep the [CONTROL] key pressed during booting.  If you want 
to skip the start-up system status screen for whatever reason you should  keep 
the [RIGHT SHIFT] key pressed.
 In case the current system date is not valid (i.e.  if the system's  internal 
clock  is  set  to  a date before the year and  month  in  which  the  current 
"Ultimate  Virus Killer" version was finished) you will be requested to  enter 
the date and time before doing anything else. If you do not want to change the
time,  you  may  simply  leave  the time  specification  unaltered  and  press 
[RETURN],  [ALTERNATE]-O or click on the "OK" button after having entered  the 
date.
 The "Ultimate Virus Killer" will present its start-up screen after some  more 
seconds, after which it will be ready to be used.
 It  is  advisable to boot your system with the "Ultimate Virus  Killer"  disk 
because  it contains a virus-free and immunized bootsector.  Theoretically, no 
virus  can  be present in memory this way (turning your system   off  and   on  
again assures that no possible reset-resistant  viruses survive).
 Should  you want to create another disk to regularly boot your  system  with, 
just  copy  whatever files you want on it,  then check it with  the  "Ultimate 
Virus Killer", write-protect it and keep it write-protected.
 KEEP  YOUR ORIGINAL "ULTIMATE VIRUS KILLER" DISK WRITE-PROTECTED AT ALL  (!!) 
TIMES!


4         WORKING WITH THE "ULTIMATE VIRUS KILLER"


 On start-up,  a GEM dialog box will appear on the screen. This kind of dialog 
box  will be used throughout the programme and offers some interesting  extras 
when  compared  to  the standard GEM dialog boxes you  may  be  used  to.  For 
example,  it is  not only possible to select your option by clicking the  left 
mouse  button on its button,   but your selection may also be made by  keeping 
the  [ALTERNATE]  key  pressed  and then pressing  the  character  that  is
underlined  within  the  button you want to select.  The  option  that  has  a 
thickened frame is the 'default' button, which may be selected additionally by 
pressing [RETURN] or [ENTER].  Buttons that cannot be selected are represented 
with a 'greyed out' text and border.
 Help options, when available, are accessible by clicking on the "HELP" button 
at  the  left bottom of a dialog box,  or by pressing the [HELP] key  on  your 
keyboard.  Any  button  containing  a  "(U)" in its  text  (usually  a  button 
containing "NO",  "CANCEL" or "QUIT") may additionally be selected by pressing 
the [UNDO] key on your keyboard.
 Each dialog is displayed within a window.  Although it cannot be resized, you 
can  use  the  window title bar at its top to drag the window  all  over  your 
desktop and put it anywhere you want,  including partly off the actual screen. 
This can be done by clicking the left mouse button on it,  keeping it pressed, 
and moving the mouse in a dragging movement.

 Five options are available to you from the main menu dialog box:

                      Seek'n'Destroy Viruses
                      Restore Disks
                      Information about UVK x.x
                      System Status
                      Quit to the Desktop

 These options, where necessary, will be explained in further chapters.

 Note on using the "Ultimate Virus Killer" as a .TTP file:
 The  "Ultimate  Virus  Killer"  may  be used as  .TTP  file  (for  which  the 
"UVK_x_x.PRG"  needs  to be renamed to "UVK_x_x.TTP"),  or  similarly  from  a 
command  line interpreter.  This allows for it to receive  certain  parameters 
from you or from other programs before it gets started.
 Although  the  options  offered here are not as extensive  as  those  of  the 
programme in regular mode,  they may still be useful. All the options that are 
on offer here are purely diagnostic - no viruses can be killed, for example!

 SYNTAX:                  DESCRIPTION:

 B X                      Checks drive "X" for bootsector viruses.

 L X:                     Checks the entire partition "X" for link viruses.

 L E X:                   Checks  the entire partition "X" for  link  viruses, 
                          but only checks executable files. The ":" at the end 
                          is important!

 L X:\PATH\               Checks all files and all files in any folders within 
                          the  folder "\PATH\" of drive "X" for link  viruses. 
                          The "\" at the end is important!

 L X:\PATH\NAME.EXT       Checks file "NAME.EXT" in path "\PATH\" of drive "X" 
                          for link viruses.  "\PATH\" can consist of more than 
                          one folder name,  divided by "\",  to go into deeper 
                          subdirectories.

 X:\PATH\NAME.EXT or
 NAME.EXT or
 \PATH\NAME.EXT           Alternatively  you can feed just a valid file  name. 
                          It  will  then be checked  for  link  viruses,  with 
                          packer  info  mode  on and waiting for  a  key  once 
                          finished.  In combination with e.g.  "NeoDesk"  this 
                          allows  you  to  check a file for  link  viruses  by 
                          dragging  its  icon on top of  the  "Ultimate  Virus 
                          Killer"  icon  without having to rename the "Ultimate
                          Virus Killer" program file at all.
                          In this mode, none of the parameters specified below 
                          may be added.

 After  the  initial  "L"  or "B" a "-" may be added  (like  for  example  "L- 
X:\NAME\NAME.EXT")  to  suppress you having to press a key  when  leaving  the 
programme and to prevent the screen from being cleared at start.
 Likewise,  a  "+" may be added when doing a link virus scan - to  supply  you 
with additional information about whether executable files are packed and,  if 
so,  with which packer.  A combination of "+" and "-" (to get both suppression 
of 'waiting for a key' AND extra packer information) is also permitted.

 In   a   command   line   interpreter  you   could   enter   "UVK_x_x.PRG   L 
E:\1ST_WORD\WORDPLUS.PRG"  for example.  For this to work in the standard  GEM 
desktop you would have to enter "L E:\1ST_WORD\WORDPLUS.PRG"  in the box  that 
appears  on  the screen after you have renamed the file to  "UVK_x_x.TTP"  and 
double-clicked  on the file.  In combination with an extended desktop such  as 
"NeoDesk"  you  can  just drag the "WORDPLUS.PRG" icon  across  (it  won't  be 
copied, only the name will be fed to the command line).


5         SEEK'N'DESTROY VIRUSES


  Following  the selection of this option,  another dialog box is put  on  the 
screen,   allowing   you   to   select   the   drive   on   which   to   start 
seeking'n'destroying viruses.  The programme automatically detects any  drives 
that  are attached to your system and displays their identifiers in  selection 
buttons.  Up  to 26 drives/partitions may be selected,  with  the  unavailable 
drives/partitions being represented in 'greyed-out' text.
 Please  note  that bootsector viruses can only  be  searched (and  destroyed)  
on floppy disk drives - A  and  B.  Selecting drive B is not possible when  it 
is  not actually attached.  Link viruses can be searched on  either  floppy or
hard disk (up to and including partition Z).
 You  may  select a drive or partition by clicking on its  appropriate  button 
with  the  mouse  button  or by entering  the  appropriate  keyboard  shortcut 
[ALTERNATE]-key.

 Once  the  drive to use is selected,   you can decide whether   you  want  to 
examine your media for bootsector or link viruses.  If you selected bootsector
viruses, you will get a prompt to insert the disk you want to check.
 In case you selected the option to check for the presence of link viruses you 
will  enter  some further dialog boxes where you can specify which  files  you 
want to check and in what way you want them to be checked.
 In the first dialog box you will be able to specify whether you want to  scan 
an  entire  drive  or  partition (ALL files on a  floppy  disk  or  hard  disk 
partition,  including  those  present  in all the  folders,  will  be  scanned 
recursively),  single files or folders,  or whether you want to exit.  If  you 
opted for the option to scan single files or folders you can either specify  a 
full  filename in the item selector box (in which case only that file will  be 
scanned)  or you can specify a folder you want to tree-scan  without  actually 
specifying  a  file  (in which case all the files in that  specific  folder  - 
including all files and further folders present in it - will be  scanned).  It 
is  important  not  to  select a file name  in  the  latter;  just  enter  the 
appropriate folder and then click on the item selector box's "OK" button.

 If  you decide to check an entire floppy disk for link viruses the  "Ultimate 
Virus Killer" will also automatically check that disk's bootsector (note: this 
is for floppy only!).
 Checking  for  link  viruses on a whole partition or  entire  folder  may  be 
aborted by pressing [ESCAPE] or [UNDO].  When there are many infected files or 
when you have set "warnings on" and there are many packed files,  you may have 
to press the [ESCAPE] or [UNDO] key a few times.

 There is  one rather important note  that applies to bootsector  viruses:  IT  
IS  POSSIBLE  THAT A PERFECTLY HARMLESS DISK IS SUSPECTED OF BEING   A  VIRUS!  
This   means that either the bootsector of the  harmless programme is not  yet 
recognized and not yet implemented in the "Ultimate Virus Killer",  or that it 
is  indeed a  new  virus!   Whenever  the "Ultimate Virus  Killer"  encounters 
such   a disk,  you will be given the possibility to either REPAIR  the  disk, 
PRINT its contents, WRITE A BOOTFILE or LOOK AT IT.
 In the second and third cases,  we would very much like  to receive  the boot 
file,   that  the  "Ultimate Virus Killer" can write on a  disk   with  enough  
space on it (at least 512 bytes free). When you do not have a disk nearby with 
sufficient space free,  you may want to use the FORMAT option that will format 
a  disk  (single sided).   If you send  that disk  (or the  print-out)  to  us 
(together  with some written info about the disk it  came from and  your  name 
and  address),   we  will check it out and send it back as  soon  as  possible 
provided you have supplied sufficient International Reply Coupons (!).
 Please  make sure the bootfiles are accompanied by sufficient explanation  as 
to what software they belong to, for it's usually impossible to determine this
information from the bootsector contents and the bootfile file name only.

 It is likely that the directories of disks that have auto-booting bootsectors 
on them will appear to be 'empty' or that they seem to have 'corrupted files'. 
This need not be (and most probably isn't) due to virus infection but to  some 
software protection schemes' exotic disk formats,  some of which include there 
not being any files on the disk at all.

 IF  YOU KNOW THAT THE SUSPECTED DISK CONTAINS NO VIRUS,  WE WOULD  VERY  MUCH 
LIKE  TO RECEIVE IT ANYWAY,  BECAUSE OTHER PEOPLE MAY NOT BE AWARE OF  IT  AND 
MIGHT ACCIDENTALLY DESTROY THEIR PRECIOUS SOFTWARE!!

  Please send any disks in a good quality envelope that can also be  used  for 
return mailing,   and write "CONTAINS MAGNETIC MEDIA - PLEASE DO NOT X-RAY" on 
it in clear,   large characters (to minimize loss of data).  Do NOT FORGET  TO 
ADD sufficient International Reply Coupons! Disks without these cannot be sent 
back!
 Just before you can select whether to write a boot file or simply to repair,
a dialog box will be displayed that tells you the "Virus Probability Factor"
(or VPF for short) - the probability that the bootsector of the current disk
is indeed a virus. The reliability of this factor is quite high.

 The  VPF is produced by scanning the code present in the bootsector for  some 
vital virus characteristics:

Factor 1: The  presence of machine code that is to be found in a routine  that 
          writes a sector to disk.
Factor 2: The  presence  of  machine code that creates  the  checksum  for  an 
          executable bootsector.
Factor 3: The presence of magic checksums or memory locations that are  needed 
          to make a programme reset-resistant.
Factor 4: The  presence of the addresses of system variables that viruses  can 
          link themselves to.

 In certain cases,  an additional dialog box is produced; this happens when an 
unknown disk is found to be largely filled with the same value. The larger the 
percentage  mentioned  in this dialog box,  the less the likelihood  of  virus 
infection (quite on the contrary,  one might add,  to the percentage mentioned 
with the "Virus Probability Factor" calculation)!
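
 A sketch of how such a four-factor scan and the "filled with the same value"
check can be done on a 512-byte bootsector image. This is an added example,
not UVK's own code: the indicator patterns, the 25-points-per-factor weighting
and all function names are assumptions, and the sample sectors are constructed.

```python
import struct
from collections import Counter

SECTOR_SIZE = 512
CODE_START = 30          # first byte after the BPB (offsets 11-29)
CODE_END = 510           # the last word is checksum padding, not code
BOOT_CHECKSUM = 0x1234   # word sum that makes TOS treat a bootsector as executable

# Indicator patterns per factor, as big-endian 68000 encodings.
# Illustrative only: this is not UVK's signature set.
INDICATORS = {
    1: {"Flopwr (XBIOS 9)": bytes.fromhex("3f3c00094e4e")},  # move.w #9,-(sp) / trap #14
    2: {"checksum constant $1234": bytes.fromhex("1234")},
    3: {  # reset-resistance magics and the variables that arm them
        "resvalid magic $31415926": bytes.fromhex("31415926"),
        "resident page magic $12123456": bytes.fromhex("12123456"),
        "resvalid ($426)": bytes.fromhex("0426"),
        "resvector ($42A)": bytes.fromhex("042a"),
    },
    4: {  # disk vectors a resident bootsector program can hook
        "hdv_bpb ($472)": bytes.fromhex("0472"),
        "hdv_rw ($476)": bytes.fromhex("0476"),
        "hdv_mediach ($47E)": bytes.fromhex("047e"),
    },
}


def is_executable(sector: bytes) -> bool:
    """True when the 256 big-endian words of the sector sum to $1234."""
    return sum(struct.unpack(">256H", sector)) & 0xFFFF == BOOT_CHECKSUM


def find_aligned(sector: bytes, pattern: bytes) -> list:
    """Offsets of pattern inside the code area, on word boundaries only.

    68000 opcodes and operands are word aligned, so skipping odd offsets
    avoids hits that straddle two unrelated words.
    """
    last = CODE_END - len(pattern)
    return [off for off in range(CODE_START, last + 1, 2)
            if sector[off:off + len(pattern)] == pattern]


def factor_hits(sector: bytes) -> dict:
    """Map factor number -> list of (indicator name, offset) found."""
    hits = {}
    for factor, patterns in INDICATORS.items():
        found = [(name, off) for name, pat in patterns.items()
                 for off in find_aligned(sector, pat)]
        if found:
            hits[factor] = found
    return hits


def vpf_estimate(sector: bytes) -> int:
    """Assumed weighting: 25 points for each of the four factors present."""
    return 25 * len(factor_hits(sector))


def fill_percentage(sector: bytes) -> float:
    """Share of the sector occupied by its most common byte value."""
    return 100.0 * Counter(sector).most_common(1)[0][1] / len(sector)


def make_sector(code: bytes, executable: bool) -> bytes:
    """Build a constructed 512-byte sample with `code` placed after the BPB."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:2] = b"\x60\x1c"                        # bra.s to offset 30
    sector[CODE_START:CODE_START + len(code)] = code
    if executable:                                   # pad last word to reach $1234
        total = sum(struct.unpack(">255H", sector[:CODE_END]))
        struct.pack_into(">H", sector, CODE_END, (BOOT_CHECKSUM - total) & 0xFFFF)
    return bytes(sector)


NOP, RTS = b"\x4e\x71", b"\x4e\x75"
# Constructed, non-functional fragments: one indicator per factor between NOPs.
SUSPECT = make_sector(
    NOP + bytes.fromhex("3f3c00094e4e")              # factor 1
    + NOP + bytes.fromhex("0c401234")                # factor 2: cmpi.w #$1234,d0
    + NOP + bytes.fromhex("23fc3141592600000426")    # factor 3: move.l #$31415926,$426
    + NOP + bytes.fromhex("22780472")                # factor 4: movea.l $472.w,a1
    + RTS, executable=True)
PLAIN_LOADER = make_sector(NOP * 20 + RTS, executable=True)    # executable, no indicators
MAGIC_ONLY = make_sector(bytes.fromhex("12123456"), executable=False)
FILLED = bytes([0xE5]) * SECTOR_SIZE                 # one value throughout

if __name__ == "__main__":
    samples = {"SUSPECT": SUSPECT, "PLAIN_LOADER": PLAIN_LOADER,
               "MAGIC_ONLY": MAGIC_ONLY, "FILLED": FILLED}
    for name, sector in samples.items():
        print(f"{name:13} executable={is_executable(sector)!s:5} "
              f"VPF={vpf_estimate(sector):3}% fill={fill_percentage(sector):5.1f}% "
              f"factors={sorted(factor_hits(sector))}")
```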

 Note on executable file extensions:  When you want to check a whole partition 
or  folder  for link viruses it is possible to select whether  you  only  want 
executable  files  to  be checked or whether you want this to  happen  to  all 
files.  Executable  files are files that can be run from  the  desktop;  other 
files include text files, picture files, source code files and the like.
 When selecting to check executable files only,  the programme will only check 
files with extensions ".PRG",  ".TOS",  ".APP",  ".ACC", and ".TTP" (including 
their  disabled  counterparts  ".PRX" and  ".ACX").  These  are  normally  the 
extensions  for  executable programmes.  Some alternative  desktop  programmes 
(such as "NeoDesk") allow other file extensions to be executable,  e.g. ".NPG" 
and ".NTP".  To check these as well, you would have to opt for ALL files to be 
treated,  or you will have to configure the UVK.CFG file accordingly (see  the 
appropriate chapter).

 Note  for users of "MultiTOS": This Operating System uses a  'unified  drive' 
(identifier  "U:") in which certain folders will cause a crash  when  checking 
for link viruses.  You should refrain from checking the following directories: 
"U:\DEV", "U:\PROC", "U:\PIPE" and "U:\SHM".


6         IMMUNIZE DISKS


 Most of your disks, including those with valuable working material, can be
immunized so that they can no longer be infected by many of the known
bootsector viruses and all anti-viruses.
 The principle used by the "Ultimate Virus Killer" immunization algorithm is
the fact that many known bootsector viruses, when resident in memory, check if
they are present on a disk already before they bother copying themselves onto
it. If they find themselves present, they do not copy themselves onto that
particular disk. The "Ultimate Virus Killer" writes only those few recognition
bytes to the bootsector, and that does the trick: the virus thinks it is
present on the disk already and does not copy itself onto it.

- Disk immunization will not help against ALL viruses.
- Programmes that use the bootsector themselves (like the ones included in the 
  'RESTORE'  list in a text file on the "Ultimate Virus  Killer"  distribution 
  disk)  cannot  and should not be immunized as the few  bytes  necessary  for 
  writing  the  immunization will destroy the boot code program they  need  to 
  perform properly.
- In  the text file "VIRUSES.TXT" on your programme disk you will be  able  to 
  find  the  specifications of which virus can be immunized with  which  code. 
  Since  certain different viruses use the same bytes on the  bootsector  with 
  different values to check if they are already present,  this means that some 
  viruses  can  not be immunized against  without  sacrificing  another.  Some 
  viruses  cannot be immunized against at all as they simply  copy  themselves 
  across  any  bootsector without bothering to check their presence  prior  to 
  copying.  The  only way to protect yourself from these types of virus is  to 
  keep your disks write-protected. If this is not possible, you will just have 
  to check those disks regularly using the "Ultimate Virus Killer".
- On your search for viruses you will undoubtedly come across what the program 
  calls "MS-DOS disks".  These are standard disks that, however, have specific 
  values written in their bootsectors so that they may be interchanged between 
  Atari  and MS-DOS (i.e.  IBM PC and compatible) computers.  These disks  are 
  formatted  automatically  when  formatting  with TOS  version  1.04  or  up. 
  Whenever you immunize such a disk this so-called 'MS-DOS compatibility' will 
  be  lost!  It  may  be best to reserve only a limited  amount  of  disks  to 
  exchange  files  between  these two system standards,  and  to  check  these 
  regularly for virus infection.


7         REPAIR BIOS PARAMETER BLOCK


7.1       INTRODUCTION

 Some mutant viruses cause the BIOS Parameter Block (or BPB) to be  corrupted. 
This  means  that  there is no longer any information on  the  disk's  format, 
stored into the BIOS Parameter Block segment of a disk  bootsector,  available 
to  the Atari's Operating System.  It will no longer be able to determine  how 
many tracks and sectors a disk has, as well as several other vital parameters. 
Trying  to display a directory from such a disk will most likely result  in  a 
system hang-up,  bomb crash or the appearance of a disk filled with  corrupted 
files and filenames.
 The  "Ultimate  Virus Killer" incorporates a semi-intelligent  routine   that  
automatically  recognizes  known mutant virus versions and allows the user  to 
repair the BIOS Parameter Block again in case of it having been damaged  after 
the actual mutant virus has been removed.
 PLEASE NOTE  THAT  YOU SHOULD READ THIS SECTION OF THE MANUAL VERY THOROUGHLY 
BEFORE YOU EVER ATTEMPT TO REPAIR A BIOS PARAMETER BLOCK!!

 Repairing a BIOS Parameter Block is quite difficult;  after all,  this  small 
segment  of  the bootsector determines whether or not your computer  can  read 
from or write to individual disks.
 First,  let's supply you with a table that specifies how the BIOS   Parameter 
Block is built up.  OFFSET means  the  value  that  should be added  from  the 
start of the bootsector, starting at zero. The values are in decimal.

------------------------------------------------------------------------------
    OFFSET:   NAME:           EXPLANATION:
------------------------------------------------------------------------------
    11-12     BPS             Bytes per sector
     13       SPC             Sectors per cluster
    14-15     RES             Number of reserved sectors
     16       FAT             Number of FATs on the disk
    17-18     DIR             Number of directory entries
    19-20     SEC             Total number of sectors
     21      MEDIA            Media descriptor byte
    22-23     SPF             Sectors per FAT entry
    24-25     SPT             Sectors per track
    26-27    SIDES            Number of sides
    28-29     HID             Number of hidden sectors
------------------------------------------------------------------------------

 It is not necessary for you to know the above table by heart. It was supplied 
here  with  the intention to give you some idea of what  the  BIOS   Parameter 
Block  means to the Operating System.   Whenever a BPB   is  destroyed,  these 
essential pieces of information are no longer present (which,  as said before, 
will  most  likely result in various disk error messages,  system crash  or  a 
garbage disk directory).
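
 The table above, read out of a 512-byte bootsector image and checked for the
kind of damage this chapter describes. This is an added example, not part of
UVK: the function names and sample sectors are constructed, and it assumes the
multi-byte fields are stored low byte first, as on MS-DOS disks.

```python
import struct

BPB_OFFSET = 11
# Field order and widths follow the offset table above (offsets 11-29).
# Assumption: multi-byte values are little-endian, as on MS-DOS disks.
BPB_FORMAT = "<HBHBHHBHHHH"
BPB_FIELDS = ("bps", "spc", "res", "fat", "dir", "sec", "media",
              "spf", "spt", "sides", "hid")
MAX_TRACKS = 90       # upper bound taken from the manual's "up to 90 tracks"
DIR_ENTRY_SIZE = 32   # bytes per FAT directory entry


def parse_bpb(sector: bytes) -> dict:
    """Return the eleven BPB fields of a bootsector as a dict."""
    values = struct.unpack_from(BPB_FORMAT, sector, BPB_OFFSET)
    return dict(zip(BPB_FIELDS, values))


def tracks_per_side(bpb: dict):
    """Tracks implied by SEC, SPT and SIDES, or None if they do not divide."""
    per_track = bpb["spt"] * bpb["sides"]
    if per_track == 0 or bpb["sec"] == 0 or bpb["sec"] % per_track:
        return None
    return bpb["sec"] // per_track


def check_bpb(bpb: dict) -> list:
    """List the reasons a BPB cannot describe a usable floppy format."""
    problems = []
    if bpb["bps"] not in (128, 256, 512, 1024):
        problems.append(f"BPS={bpb['bps']}: not a possible sector size")
    if bpb["spc"] == 0 or bpb["spc"] & (bpb["spc"] - 1):
        problems.append(f"SPC={bpb['spc']}: must be a non-zero power of two")
    for name in ("fat", "dir", "spf", "spt"):
        if bpb[name] == 0:
            problems.append(f"{name.upper()}=0: field is empty")
    if bpb["sides"] not in (1, 2):
        problems.append(f"SIDES={bpb['sides']}: a floppy has 1 or 2 sides")
    tracks = tracks_per_side(bpb)
    if tracks is None:
        problems.append("SEC is not a whole number of tracks (SPT x SIDES)")
    elif tracks > MAX_TRACKS:
        problems.append(f"{tracks} tracks per side exceeds {MAX_TRACKS}")
    if bpb["bps"]:
        # Reserved sectors + all FAT copies + root directory must fit on the disk.
        root_dir = -(-bpb["dir"] * DIR_ENTRY_SIZE // bpb["bps"])   # ceiling division
        system_area = bpb["res"] + bpb["fat"] * bpb["spf"] + root_dir
        if system_area >= bpb["sec"]:
            problems.append(f"system area ({system_area} sectors) leaves no data area")
    return problems


def build_sector(**fields) -> bytes:
    """Build a constructed bootsector that carries only the given BPB."""
    sector = bytearray(512)
    struct.pack_into(BPB_FORMAT, sector, BPB_OFFSET,
                     *(fields[name] for name in BPB_FIELDS))
    return bytes(sector)


# Constructed samples: an 80-track, 9-sector, double-sided disk ...
GOOD = build_sector(bps=512, spc=2, res=1, fat=2, dir=112, sec=1440,
                    media=0xF9, spf=5, spt=9, sides=2, hid=0)
# ... the same sector with offsets 11-29 overwritten by zeros ...
WIPED = GOOD[:BPB_OFFSET] + bytes(19) + GOOD[30:]
# ... and a repair attempt whose sector total does not match the geometry.
ODD_TOTAL = build_sector(bps=512, spc=2, res=1, fat=2, dir=112, sec=1445,
                         media=0xF9, spf=5, spt=9, sides=2, hid=0)

if __name__ == "__main__":
    for name, sector in (("GOOD", GOOD), ("WIPED", WIPED), ("ODD_TOTAL", ODD_TOTAL)):
        bpb = parse_bpb(sector)
        print(name, "tracks:", tracks_per_side(bpb), "problems:", check_bpb(bpb))
```

 A BPB can pass every one of these checks and still name more sides or tracks
than the disk really has; only reading the disk itself can confirm that.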

  First of all,  you should know that you should preferably not try out   this 
'BPB  repair'  option on original game  software,   as   current-day  software 
protection  techniques involve the craziest disk  formats that would  probably 
drive the "Ultimate Virus Killer" algorithms nuts! Apart from that, attempting 
a  'BPB repair' on such a disk may also lead to instant software  malfunction. 
The  only  option  you should ever use in order to  restore  the  contents  of 
original  (game  or  demo-) software disk is the  main  menu  'restore  disks' 
option.
 Second,   you should  also realize  that the 'BPB repair' option may not work 
correctly   on  disks   that  have  been  formatted  using  'larger'   formats 
previously.  This would for example be the case with a disk that you formatted 
with  82  tracks  some time ago and later decided to  reformat  with  only  80 
tracks.  Some  remnants of the old format still left intact (in this case  the 
tracks above track 80) may be found, disturbing the algorithm.

 There are two ways to get access to the 'BPB REPAIR' option. The first is the 
most  obvious:   Whenever a damaged BIOS Parameter Block  is   detected   (and 
this does not even need to be the result of a virus) the programme asks
whether you want to attempt a BPB repair or not.
 The second one is also quite obvious:  Whenever   the 'Seek'n'Destroy' option 
recognizes   a  mutant  virus  on  the disk,  or whatever remains  of  it,  it  
will initially remove the virus and then ask you  whether you want to  attempt 
a 'BPB repair' or not.
 Upon your confirmation the 'BPB repair' option will be entered.  You need not 
be  worried  about  inadvertently entering it -  after  having  specified  all 
parameters  you  can always cancel the whole thing at  the  end,  leaving  the 
current BIOS Parameter Block unaltered.

 As was stated already, repairing the BIOS Parameter Block is not only a
slightly complicated matter, but it may also prove dangerous insofar as
specifying the wrong parameters can make whatever is on your disk totally
inaccessible. Common symptoms of a disk with inaccessible material on it are
the aforementioned crashes, disk errors and disk directories containing only
garbage information (huge file sizes, weird file names, invalid dates and
times). Therefore you should take care using the 'BPB repair' option.
 Even  if you have already attempted a BIOS Parameter Block repair with  wrong 
parameters there is a way to attempt it again - despite the fact that the disk 
will  now,  obviously,  have  a  valid BPB and the 'BPB  repair'  option  will 
normally no longer be entered.
 What  you would need to do in this case is check the disk's bootsector  again 
and keep the [RIGHT SHIFT] key pressed until the screen flashes  briefly.  The 
program  will  now have forced the BIOS Parameter Block to be  invalid  again, 
enabling you to enter the 'BPB repair' option again.  The most common mistakes 
made  while repairing a BIOS Parameter block involve the specification of  the 
number  of  tracks per side and sectors per track,  as well as the  number  of 
actual sides on a disk.
 Should you find yourself unable to fix it regardless (or if you simply do not  
dare to attempt a BPB repair yourself),  you can send  the disk to the address 
mentioned  in the "FEEDBACK" chapter of this manual.  Please add an amount  of 
money that equals the price of an "Ultimate Virus Killer" update and twice the 
amount of IRCs required. You will receive your disk(s) back after a short time 
(hopefully).  In  case  of my not being able to repair  it  either,  you  will 
receive your money back (not the IRCs though).

 Some important notes:

- It is important that you do not try to delete files from or write files to
  disks that have a damaged BIOS Parameter Block.
- If  you send in disks with BIOS Parameter Blocks that need to  be  repaired, 
  please  clearly  state that you want your disk repaired and that  you  don't 
  want an update!
- Whenever you repair the BIOS Parameter Block of a disk it will automatically 
  be immunized.
- Attempting  a 'BPB repair' on a disk is no cheap way of increasing a  disk's 
  storage capacity.  Specifying more sides,  sectors per track or tracks  per
  side than are actually present will cause whatever is on the disk to  remain 
  inaccessible.

 During the 'BPB repair' option some dialog boxes requesting input will be put 
on  the screen.   You have to use these to specify  BPB values,   but  do  not 
worry if you do not know anything about  this.  This part of the manual can be 
of some help, and you can also use the built-in context-sensitive on-line help 
options by pressing the [HELP] key.

 During  the 'BPB repair' option you will be requested to specify a number  of 
parameters needed by the "Ultimate Virus Killer" algorithms to write back what 
was previously the correct BIOS Parameter block for the current disk.

7.2       HOW MANY BYTES PER SECTOR

 Claus Brod,   Atari mass storage media expert and author of probably the best 
book  in  this field (called  "Scheibenkleister",  unfortunately  in  German),  
claims  that  only 512  bytes per sector are possible as  TOS  (the  Operating 
System  within  your computer) does not allow for 128,   256 or  1024  BPS  on 
floppy disks. For  the sake of compatibility with future TOS versions  as well 
as for the pure sake of completeness it is possible to select any of the values 
here.
 Needless to say,  you will almost certainly have to specify 512  bytes  per 
sector here.

7.3       HOW MANY TRACKS PER SIDE

  This  can vary quite a lot,   due to formatting programmes  available   that 
allow up to 90(?!?!) tracks per side  to  be formatted (whether  or not  these 
programmes should  be  used and whether these tracks are safe for data storage 
will not be discussed here).
 When  requested to specify the number of tracks per side it will be handy  to 
remember if you formatted the disk in the drive using the standard GEM DESKTOP 
format option or not.  If you did, you should select 80.  If you did not,  you 
should  select   'Examine' unless you are certain yourself of  the  amount  of 
tracks  present  on  the  disk  (some  people  write  the  three  vital   disk 
characteristics - tracks per disk,  sectors per track and number of sides - on 
the label of a disk; this may be a good idea for you too).
 The   'examine'  option reads  the first sector from  ever  increasing  track 
numbers  and  calculates   the   number  of  tracks  present  on  a  disk   by 
subtracting  1 from  the first track number that cannot be read (usually   due 
to  it  never having been formatted).  This  means that disks that  have  been 
formatted  using   more tracks earlier and that were  reformatted using  fewer 
tracks later will cause the "Ultimate Virus Killer" to find the old amount  of 
tracks.
 As said earlier,  this may sound like a quick method to increase your  disk's 
amount of tracks, but really isn't: The 'BPB repair' option algorithms will in 
that case not work correctly!

7.4       HOW MANY SECTORS PER TRACK

 Much like the amount of tracks per side,  the amount of sectors per track can 
vary  a lot.  When a standard ST disk was formatted using the   standard   GEM 
DESKTOP format option,   this value is 9.  In other cases it can be any  value 
from 1 to 11 (although 12 has been included,  for which there is no space on a 
track,  at  least  theoretically).  Standard Falcon (and post-1992  TT)  disks 
support higher amounts of sectors per track;  they are High Density (HD) disks 
as opposed to the regular Double Density (DD). High Density disks can write 18 
(on  3.5"  disks) or 15 sectors per track (on 5.25" disks).  Even  Extra  High 
Density (ED) disk drives exist,  allowing the use of a massive 26 sectors  per 
track, but these are quite rare.
 All kinds of disk drives,  including DD, HD and ED ones, are supported by the 
internal 'BPB repair' algorithms.
 Try  to  remember the right number of sectors per track yourself  (and  write 
this  information  on disk labels as of now),  since otherwise  the  'examine' 
option will perhaps find the remains of previously formatted extra sectors per 
track.  Normally  this should not happen,  but certain 'fast format'  programs 
neglect to fully initialise a track which may leave some old information  more 
or less intact.
 Analogous to the calculation of tracks per disk that was explained above, the  
'examine' option  here reads sectors from the first track and  calculates  the 
number  of sectors per track by subtracting one from  the  first  sector  that  
it cannot read due to it not being present (not formatted) in the first place.

7.5       HOW MANY SIDES

 Due to one of the more ancient Atari cock-ups the ST community is stuck  with 
the  phenomenon of the single-sided disk drive (SF  354).  Although  virtually 
nobody  has these drives any more,  some software is still supplied on  single 
sided  disks - or sometimes a disk may just be formatted single-sided  because 
it's quicker, who knows?
 Anyway,  even though the chances of a disk being double-sided are bigger  for 
certain,  there is no way to be sure whether a disk has one side or two unless 
you just happen to know (again,  it may be useful to write down the amount  of 
sides on your disk labels).
 In general most older original software is single-sided,  and all other disks 
are double-sided.  If you are  not sure,   you can use the  'Examine'   option 
here again,   but it has the  obvious drawback mentioned several times  above: 
If  a  disk is single-sided but has been formatted double-sided prior  to  the 
latest format,  the "Ultimate Virus Killer" will assume it's double-sided. The 
'examine' option just tries to read a sector from the second side and  assumes 
a disk is double-sided when this process happens without an error occurring.
 Disks  that have only been used on the Falcon or a TT will  almost  certainly 
have two sides.

7.6       HOW MANY SECTORS PER CLUSTER

 The amount of sectors per cluster (also called the allocation unit) is always 
2, except when the disk you're trying to repair is a single-sided disk with 40 
tracks (these are created and used by rather ancient MS-DOS-type machines).
 It is supposed to be impossible to use other values here, but for the sake of 
future compatibility it has been included anyway.
 In short, you should most likely specify 2 here,  as Atari ST/TT/Falcon disks 
always use 2 sectors (1 Kb) for one cluster.

7.7       HOW MANY FATS ON THE DISK

 The  FAT (short for File Allocation Table) is the space on  disk  where   the 
Operating System stores and gets information about which clusters on the  disk 
are  used  by  files  (and which are not) and  in  which  particular  sequence 
clusters  have  to  be put together in order to load a file  bigger  than  one 
cluster that is not stored contiguously (i.e. a fragmented file).
 TOS   maintains two FATs on a disk - one of these is  always  present  as   a 
temporary backup. It is not certain whether or not it is possible to use disks 
with  only one FAT - some formatting programs seem to allow for  it,  but  the 
aforementioned Claus Brod denies it categorically.
 You should usually specify 2 here.

7.8       HOW MANY DIRECTORY ENTRIES

 The  directory  is a list on a disk where the  names,   lengths  and   other 
characteristics of individual files and folders on that  disk are stored.  The 
particular parameter discussed here pertains to the root directory,  i.e.  the 
directory  that appears first when you display the contents ("Open...") of  a 
floppy disk drive or hard disk partition.
 The  longer the directory,  the less space is left on the disk.  Usually  the 
directory takes up the entire second track of a disk.
 Most disks have 112 directory entries,  but single-sided disks with 40 tracks 
(the  ones we also encountered above,  that are used by rather ancient  MS-DOS 
systems) have only 64 of them.  Again,  it is not possible to easily  increase 
your disk's storage capacity by specifying a lower amount of directory entries 
here. This will cause whatever is on the disk to remain inaccessible.

7.9       HOW MANY SECTORS PER FAT ENTRY

 The FAT table is built up of several hundreds of entries,  and it is possible  
to  specify  how many sectors ('allocation units') are included in  one  entry 
here.  There  is  a 100%  foolproof way to have it checked by  the   "Ultimate 
Virus Killer" itself,  so you should specify 'Examine' here unless,  for  some 
reason  or other,  you are sure about selecting either '1',  '2',  '3' or  '5' 
(which is rather unlikely to say the least).

7.10      A NOTE ON DISKS WITH BUSTED BIOS PARAMETER BLOCKS

 In by far most of all cases disks with damaged BIOS Parameter Blocks are  not 
infected  by a virus,  nor do they suffer from any remaining parts  of  mutant 
viruses.  It is quite usual for game data disks (any disk belonging to a  game 
that you don't actually have to start up with - i.e. game disks labelled 2, 3, 
B,  C,  whatever)  to use some sort of exotic disk format,  whereas many  also 
don't  really bother about writing a BIOS Parameter Block at all  and  instead 
use even the bootsector to store graphics or map data.
 'Repairing'  the BPB of one of these disks will most likely prove lethal  for 
that piece of software!  In any case you should write a bootfile prior to  any 
attempt at repairing them.
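
 The values discussed in chapters 7.2 to 7.9 can be checked against each other 
before anything is written back to a disk.  The C code below is an added example 
and not part of the "Ultimate Virus Killer":  it reads the BPB fields  from  a 
bootsector and flags values that deviate from what this manual  names as usual. 
The field offsets (the standard FAT bootsector layout),  the function names and 
the sample values are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* BPB field offsets in the 512-byte bootsector, values little-endian.
   Standard FAT bootsector layout as used by TOS; not listed in the manual. */
enum { OFF_BPS = 0x0B, OFF_SPC = 0x0D, OFF_RES = 0x0E, OFF_NFATS = 0x10,
       OFF_NDIRS = 0x11, OFF_NSECTS = 0x13, OFF_SPF = 0x16, OFF_SPT = 0x18,
       OFF_NSIDES = 0x1A };

struct bpb { unsigned bps, spc, res, nfats, ndirs, nsects, spf, spt, nsides; };

enum {                       /* findings, OR-ed together by bpb_check() */
    BPB_GEOMETRY  = 1 << 0,  /* sides, sectors and tracks do not add up    */
    BPB_BPS       = 1 << 1,  /* bytes per sector is not 512          (7.2) */
    BPB_SPC       = 1 << 2,  /* sectors per cluster is not 2         (7.6) */
    BPB_NFATS     = 1 << 3,  /* number of FATs is not 2              (7.7) */
    BPB_NDIRS     = 1 << 4,  /* root directory is not 112/64 entries (7.8) */
    BPB_FAT_SMALL = 1 << 5   /* FAT too short to map every cluster   (7.9) */
};

static unsigned le16(const uint8_t *p) { return p[0] | ((unsigned)p[1] << 8); }
static void put16(uint8_t *p, unsigned v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

void bpb_parse(const uint8_t *boot, struct bpb *b)
{
    b->bps    = le16(boot + OFF_BPS);
    b->spc    = boot[OFF_SPC];
    b->res    = le16(boot + OFF_RES);
    b->nfats  = boot[OFF_NFATS];
    b->ndirs  = le16(boot + OFF_NDIRS);
    b->nsects = le16(boot + OFF_NSECTS);
    b->spf    = le16(boot + OFF_SPF);
    b->spt    = le16(boot + OFF_SPT);
    b->nsides = le16(boot + OFF_NSIDES);
}

/* Tracks per side implied by the BPB, or 0 when the numbers do not divide. */
unsigned bpb_tracks(const struct bpb *b)
{
    unsigned per_track = b->spt * b->nsides;
    if (per_track == 0 || b->nsects % per_track != 0) return 0;
    return b->nsects / per_track;
}

/* Compare a BPB with the limits and usual values named in chapter 7. */
unsigned bpb_check(const struct bpb *b)
{
    unsigned f = 0, tracks = bpb_tracks(b);
    int old_dos = (b->nsides == 1 && tracks == 40);  /* exception in 7.6, 7.8 */

    if (tracks == 0 || tracks > 90 || b->spt > 26 || b->nsides > 2)
        f |= BPB_GEOMETRY;
    if (b->bps != 512)                      f |= BPB_BPS;
    if (b->spc != 2 && !old_dos)            f |= BPB_SPC;
    if (b->nfats != 2)                      f |= BPB_NFATS;
    if (b->ndirs != (old_dos ? 64u : 112u)) f |= BPB_NDIRS;

    if (!(f & BPB_GEOMETRY) && b->bps != 0 && b->spc != 0) {
        unsigned dir_secs = (b->ndirs * 32 + b->bps - 1) / b->bps;
        unsigned overhead = b->res + b->nfats * b->spf + dir_secs;
        if (overhead >= b->nsects) {
            f |= BPB_GEOMETRY;           /* no room left for any data */
        } else {
            /* 12-bit FAT: 1.5 bytes per entry, entries 0 and 1 reserved */
            unsigned clusters = (b->nsects - overhead) / b->spc;
            if ((unsigned long long)b->spf * b->bps * 2 / 3 < clusters + 2)
                f |= BPB_FAT_SMALL;
        }
    }
    return f;
}

/* Write the values into a constructed, otherwise empty bootsector, then
   parse and check that sector the way a scanner would. */
unsigned sample_flags(struct bpb v)
{
    uint8_t boot[512];
    struct bpb b;
    memset(boot, 0, sizeof boot);
    put16(boot + OFF_BPS, v.bps);       boot[OFF_SPC] = (uint8_t)v.spc;
    put16(boot + OFF_RES, v.res);       boot[OFF_NFATS] = (uint8_t)v.nfats;
    put16(boot + OFF_NDIRS, v.ndirs);   put16(boot + OFF_NSECTS, v.nsects);
    put16(boot + OFF_SPF, v.spf);       put16(boot + OFF_SPT, v.spt);
    put16(boot + OFF_NSIDES, v.nsides);
    bpb_parse(boot, &b);
    return bpb_check(&b);
}

int main(void)
{
    struct bpb gem = { 512, 2, 1, 2, 112, 1440, 5, 9, 2 };  /* 80 x 9 x 2 */
    struct bpb blank = { 0 };                               /* no BPB at all */
    printf("80 tracks, 9 sectors, 2 sides: 0x%02X\n", sample_flags(gem));
    printf("no BPB present:                0x%02X\n", sample_flags(blank));
    return 0;
}
```

 A bootsector that raises nearly every flag,  like the blank one here,  most 
likely never carried a BPB in the first place, which is the case described  in 
7.10.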


8         RESTORE DISKS


 If  you find that you have accidentally destroyed a suspected but  apparently  
completely   innocent disk that needs a specific bootsector (this  destruction 
could  have  happened inadvertently by other or earlier  virus  killers,   for 
example),  or  when  you discover that a virus has copied  itself  across  the 
necessary  boot  program present in the bootsector of a commercial game  or  a 
demo,  the 'restore disks' option allows you to  restore a multitude of  these 
cases.
 Should you,  for example, find the bootsector of the popular game "Lemmings 2 
- The Tribes" destroyed by a virus or a rash 'repair' action,  it is  possible 
to install its proper bootsector on the original disk again, thus restoring it 
and saving yourself and the software company involved a lot of time and money.

 Selecting this option causes another dialog box to be displayed.  This  gives 
access  to a list of all restorable bootsectors,  identified by a game's  name 
(or a demo's,  whatever).  You can scroll up and down this list and select the 
title of the bootsector you would want to restore.
 You can use the arrow buttons at the right to scroll up and down through  the 
list.  A single-arrow button will scroll one entry; a double-arrow button will 
scroll one page (15 entries).
 Click the mouse pointer on an entry to select it.  After confirmation you can 
have it written to a disk.

 'T' BUTTON                   Go to top of list
 'B' BUTTON                   Go to bottom of list
 'CANCEL' BUTTON              Exit the screen, back to the menu
 'HELP' BUTTON                Access the help option
 A-Z/1/5 BUTTONS              Jump to first title with it
 [UNDO] KEY                   Exit the screen, back to the menu
 [HELP] KEY                   Access the help option
 [ALT]-[A-Z/1/5] KEYS         Jump to first title with it                

 When the bootsector of the game you want to restore should not be present  in 
the list yet,   you can order an "Ultimate Virus Killer" update and hope  that 
the  bootsector  you  wanted to restore is included in  the  new  version.  No 
promises  can be made with regard to this,  however,  so you had better   also 
supply the address and telephone number of the company that  made the software 
to  which  the  bootsector  belonged,  as well as the name  of  the  piece  of 
software.  That  company  can  then be contacted by us so that  some  kind  of 
agreement may be made.
  Most companies are very co-operative with regard to this,  as they  covertly 
recognize  the  virus problem and all know about the "Ultimate  Virus  Killer" 
(which has become more or less the de-facto industry standard).

- Are you not sure whether or not a bootsector belongs to a particular game of 
  a specific company?
  Just  'restore'  the  bootsector onto an empty TEST disk (which  has  to  be 
  formatted,  though) and then check it with the "Ultimate Virus Killer".  The 
  alert box stating which bootsector it is will also give the company name, if 
  one is known.


9         THE SYSTEM STATUS SCREEN


9.1       INTRODUCTION

 To  assist you in determining whether your computer system itself is  already 
infected  by a virus or not,  the "Ultimate Virus Killer" always  checks  your 
computer's  most important system variables and memory contents  on  start-up. 
These  specific  system  variables are pointers to various  routines  in  your 
Operating  System,  for example pointing to a routine to read or write a  disk 
sector,  a routine to 'open' a file and so forth.  Generally, viruses cling to 
these system variables in order to work.
 This  way all known bootsector viruses can be recognized in  the  system,  as 
well  as  resident types of link virus and a large number  of  harmless  other 
programs  that  also  cling to these vectors  (i.e.  'bend  them')  for  valid 
purposes.
 Of  course unknown viruses cannot be recognized yet.  That is the reason  why 
this  screen has been included.  On startup,  or after selecting  the  "System 
Status  check"  option from the main menu,  the "Ultimate Virus  Killer"  will 
check  all these important system vectors and try to establish which  programs 
are  hooked  to them.  It will notify you of unknown programs that  have  bent 
these vectors, signified by an inverted display of the memory address to which 
the  vector  points which indicates that there is a chance that you  might  be 
dealing with a new and unknown virus. This chance is increased dramatically if 
the program additionally displays "ALERT" behind a memory address displayed in 
inverted text style.  In this case it has calculated something not unlike  the 
regular  "Virus Probability Factor" for a small cluster of memory  located  at 
that memory address, and the programme code present there was found to contain 
one or several characteristics commonly found in viruses.

 Whenever  a specific program that bends a system vector is recognized by  the 
"Ultimate  Virus  Killer" it will display a figure between  brackets  directly 
after the actual memory address. This can have one of the following formats:

 (x)           The number of a recognized application
               (Number corresponds with the APPLICAT.TXT file list)
 (?)           An unknown application is recognized
               (This MIGHT be a virus, or a harmless program)
 (#x)          Anti-virus recognized. Reboot without it!
               (Number corresponds with VIRUSES.TXT file list)
 (-x)          Virus recognized. Turn off system and reboot!!
               (Number corresponds with VIRUSES.TXT file list)

 Sometimes the program does not display a number but instead displays a  four-
letter code (like "FrmD" or "CBHD",  or whatever). This is the so-called 'XBRA 
identification', which is a protocol devised in the early nineties (one of the 
few good things to come out of Germany) to allow for easier recognition of the 
multitude  of  files that can hook themselves to the various  computer  system 
variables.  These  XBRA  identifiers are displayed by default  when  they  are 
found;  should  you  want to see numbers only (as these  correspond  with  the 
APPLICAT.TXT file list) you need to keep the [ALTERNATE] key pressed while the 
addresses are put on the screen.  Pressing [CONTROL] will slow down the output 
-  in case you want to see what bends the vector and you are not content  with 
seeing that nothing is suspiciously inverted.
 An additional advantage of the XBRA protocol is that it is possible to  check 
if several programs have hooked themselves to the same vector. These will then 
form what is referred to as an 'XBRA chain',  a sequence of programs that  all 
use  the  XBRA  protocol.  This  chain of programs will  be  examined  by  the 
"Ultimate  Virus  Killer" as deep as it can go - which is until  it  finds  an 
unknown program that uses the XBRA protocol, a program (known or unknown) that 
does  not  use  the XBRA protocol,  or when it hits  on  the  actual  standard 
Operating System values.

- Please  note that,  with but a few exceptions,  installed RAM disks are  not 
  recognized  and will most likely result in "(?) Unknown Application  Found". 
  To get rid of this,  get rid of the RAM disks in memory.  Note that a lot of 
  the  modern  RAM disks are reset-proof,  so you will have to turn  off  your 
  system to get rid of them.
- When the Physical Top of RAM is inverted, this is usually due to some kind of 
  (resident) RAM disk,  too.  Again, get rid of it and run the "Ultimate Virus 
  Killer" again.
- Alternative (and unofficial) versions of (beta STE) TOS 1.06 that go  around 
  (reference  to the TOS '1.07' by TEX,  TNT Crew and Level 16 is meant  here) 
  are  mostly recognized as a standard TOS 1.06.  This is because  the  people 
  behind  that  adapted  TOS wanted to have maximum  compatibility  and  could 
  therefore  not change the date and version number.  When specific  TOS  1.07 
  versions  are recognized,  they are thus stated in the  status  screen,  and 
  their release date will be stated at 'TOS date' (which normally displays the 
  date  contained in the TOS header,  which represents the date at which  that 
  particular TOS version has been released).
- Something similar is the case for the alternative Operating System "KaosTOS" 
  (an  adapted TOS 1.04).  When this is recognized,  the TOS version  displays 
  'KAOS'  and  the  TOS date specified is the release date  of  the  "KAOSTOS" 
  version currently in use.
- The  system screen will also check for reset-proof programmes and warns  you 
  when non-recognized resistant programmes are found.

9.2       WHEN SUSPICIOUS

 What  to do when one or several of these variables happen to be displayed  in 
inverted text style,  in other words when there is something 'suspicious' that 
isn't yet recognized?

 In that case you should turn off your system and turn it on again after about 
30  seconds,  with the "Ultimate Virus Killer" disk (or another disk  that  is 
guaranteed to be free of viruses) in the drive. If you're using an AUTO folder 
on your boot disk or boot partition,  disable all programmes in there, as well 
as all accessories. Do this prior to booting up your system anew.
 Disabling  AUTO folder programs can be done by changing the  extensions  from 
.PRG or .ACC into e.g.  .PRX and .ACX respectively.  The Operating System will 
only  load .PRG files from the AUTO folder and will only recognize .ACC  files 
as  accessories.  If these aren't present the system will assume  they're  not 
there and won't load any of them.
 You will now have a totally empty system.  All values displayed by the System 
Screen Status should be in regular text. In case of inverted display this does 
not  necessarily point to virus infection - perhaps your hard disk  driver  or 
particular  Operating System version is not yet recognized (hard disk  drivers 
typically  use  memory  slightly above the  bottom  of  memory,  whereas  your 
Operating System is typically located on addresses $E0xxxx or $FCxxxx).
 Now, enable one AUTO folder program, reset your system and load the "Ultimate 
Virus Killer". Continue like this until either all files are loaded or until a 
system  variable is displayed in inverted text style.  The file to  have  been 
enabled  last  before the system variables are 'suspicious' again is  the  one 
that changes them.
 Do not delete a programme that bends any system vectors, as it is usually not 
at  all likely to be of viral nature unless the word "ALERT!"  appears  behind 
the inverted address displayed. Please just send the appropriate program file, 
whether "ALERTed" or not, to the feedback address, if possible with additional 
files belonging to it and any documentation (on disk, or photocopied). It will 
be implemented into the forthcoming version of the "Ultimate Virus Killer"  so 
that it will be recognized and will no longer cause any memory addresses to be 
displayed in inverted text style. Do not forget to supply enough International 
Reply Coupons (!no stamps!) if you expect your disks to be returned.
 The same goes for the accessories, but do note that you have to check out all 
AUTO folder programs before you start enabling any accessories, as accessories 
will  be  loaded 'on top' of any AUTO folder programs and  might  disable  the 
"Ultimate  Virus Killer" from following the chain right down to possible  AUTO 
folder programs.

 In  case  you  are  reluctant to send the programme(s)  in  question  to  the 
feedback address,  you can move the mouse cursor on top of the inverted system 
variable  contents and click on it with the left mouse button.  An  additional 
dialog  box will be displayed,  containing some vital information that we  can 
work  with to some extent.  Please write down the contents of the  dialog  box 
together with the name,  version number and origin of the file that caused the 
vectors  to  be  inverted,  and  send it to us so  that  inclusion  in  future 
"Ultimate Virus Killer" versions may be possible after all.
 If you have a printer attached, you can keep [CONTROL] pressed while pressing 
the left mouse button;  the programme will then also output the information on 
your printer.  If you additionally keep [ALTERNATE] pressed,  a Form Feed will 
be sent after printing has finished,  causing the paper to be moved up to  the 
start of the next page (tractor feed) or to be ejected (sheet feed).
 Press  any  key or mouse button to cause the information lines  to  disappear 
from the screen.

 Pressing  the  "OK" button or pressing the associated keyboard  shortcut  (in 
this  case  [ALTERNATE]-O  or [RETURN]) will leave the  system  status  screen 
altogether, back to the main menu.

- If  system variables are suspicious even without any AUTO folder  programmes 
  and accessories having been installed,  and you have no hard disk,  it could 
  be a virus or RAM based version of TOS.
- If  the above occurs if you have a hard disk,  it is very likely to be  your 
  hard disk driver. This is normal.
- If the programme to bend the system vector uses the XBRA protocol,  the next 
  in line will be checked.  The deepest XBRA found will be displayed. This may 
  be helpful to determine which programme actually bent the vector. The deeper 
  down  the  XBRA vector,  the earlier it was loaded and installed  (with  the 
  "Warp 9" accessory being a known exception).

9.3       THE PROBLEM

 As  you could have gathered from the above,  it is no exception that  several 
programmes hook onto the same system variable.  It will not be hard to imagine 
that a dozen or more resident programs can be installed,  all bending  various 
system  vectors to their heart's content.  This sort of thing tends to  happen 
when you have a hard disk cache programme installed,  a screen speeder ("Turbo 
ST",  "Quick  ST",  "NVDI",  "Warp 9",  etc.),  an alternative  file  selector 
("FSelect",   "UIS",  "Selectric",  etc.),  a  resident  multi-tool  programme 
("Update",  "Mortimer"),  an alert box enhancement programme ("Let 'Em Fly" or 
"FormDoIt") and an alternative desktop ("Gemini", "Teradesk" or "NeoDesk") for 
example. It's easy to have even more programmes bending these vectors.

 To  check  which application (i.e.  which programme) has  bent  a  particular 
system  variable,  the  "Ultimate Virus Killer" examines the piece  of  memory 
where the vector points to.  It will (or won't) recognize the program  present 
there and display the appropriate message in the system status screen for  you 
to look at.
 Whenever  multiple programmes bend the same vector it becomes  difficult  (if 
not  impossible) to check which programmes bent the system vectors before  the 
last one did.  Usually the address that the last application found sitting  on 
the vector is stored somewhere within itself so that it can be called after it 
has served its own purpose,  and there is no way to tell precisely where.  You 
can compare a series of programmes bending one system vector with a chain. The 
program  that was loaded last (let's call it programme "A") is most  'on  top' 
and  will  be executed first whenever the system variable is accessed  by  the 
Operating System.  Once programme "A"  is finished doing what it was  intended 
for  it  will  pass on the address it found sitting on the  vector  before  it 
installed  itself,  i.e.  the address at which the programme is  located  that 
installed itself prior to that last programme.  Let's call that programme "B". 
Once  programme  "B"  has finished what it wanted to do it will  pass  on  the 
address that it found on the system variable, that of programme "C". And so on 
and  so forth,  until eventually the last programme in the chain will  execute 
the actual Operating System routine that needed to be called.
 The  addresses  that  each of these programmes found sitting  on  the  system 
vector are stored in themselves somewhere, internally. The location where they 
are stored varies from programme to programme, even between different versions 
of the same application.

 The problem for a programme such as the "Ultimate Virus Killer" that tries to 
determine  which  other  applications  are hooked  to  any  particular  system 
variable  is that it is normally only possible to tell which application  bent 
that system vector last.  There is no way it can be determined what the  other 
applications  before  it are,  as those programmes'  addresses  are  contained 
somewhere in the programme that later patched that vector (I hope you're still 
with me - this bit of the manual actually took longest to rewrite).

 Only  when  the  last  programme  ("A") used the  XBRA  protocol  can  it  be 
determined  where  the programme before that application ("B") is  located  in 
memory  - and when that uses the XBRA protocol again it is possible to go  one 
step  deeper (to "C") until one encounters the first programme that  does  not 
use XBRA.
 You  see  that  it is thus normally only possible  to  check  the  programmes 
bending the vectors until a certain 'depth',  i.e.  up to the first  programme 
that is foolish enough not to use the exalted XBRA protocol.
 Anything  that's  any 'deeper' can only be guessed at.  So in case  you're  a 
programmer  writing utilities that bend system vectors,  do abide by the  XBRA 
rules! They are available in any recent programmer's guide or in the "Ultimate 
Virus Killer" book (:-)).

 As was said before,  the "Ultimate Virus Killer" checks the system  variables 
as  extensively as possible - up to the first programme that bends the variable 
without  using  XBRA,  up to the first programme using XBRA that  is  not  yet 
recognized,  or,  ideally, up to the dark and mystic depths of your computer's 
Operating  System.  You will see the system status screen display the  various 
addresses  with  the application numbers associated with them as  it  proceeds 
along the chain of XBRA programmes.
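
 The chain walk described in 9.1 and in this chapter,  as an added example in C 
that is not the programme's own code:  it follows one vector through a RAM image 
and reports why it had to stop.  It assumes the XBRA layout (the text "XBRA", a 
four-letter ID and the replaced vector value in the 12 bytes directly in front 
of  a programme's entry point),  which this manual does not spell  out;  the RAM 
image, the ROM address and the IDs "DEMO" and "ZZZZ" are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAM_SIZE  0x400u      /* size of the constructed RAM image */
#define MAX_DEPTH 8           /* give up on longer (or looping) chains */

enum chain_end { END_OS, END_NO_XBRA, END_UNKNOWN_ID, END_BAD_POINTER };

struct chain {
    enum chain_end end;       /* why the walk stopped */
    int n;                    /* number of XBRA programmes identified */
    char ids[MAX_DEPTH][5];   /* their four-letter IDs, top of chain first */
};

/* The 68000 is big-endian, so addresses in the image are stored that way. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* The manual places the Operating System at $E0xxxx or $FCxxxx. */
static int in_os(uint32_t a)
{
    uint32_t page = (a >> 16) & 0xFF;
    return page == 0xE0 || page == 0xFC;
}

static int is_known(const char *id, const char *const *known)
{
    for (; *known; known++)
        if (strcmp(id, *known) == 0) return 1;
    return 0;
}

/* Follow the chain that starts at the address held in a system vector. */
struct chain xbra_walk(const uint8_t *ram, uint32_t size, uint32_t vec,
                       const char *const *known)
{
    struct chain c;
    memset(&c, 0, sizeof c);
    for (;;) {
        if (in_os(vec)) { c.end = END_OS; return c; }
        if (vec < 12 || vec > size || c.n == MAX_DEPTH) {
            c.end = END_BAD_POINTER;
            return c;
        }
        const uint8_t *hdr = ram + vec - 12;
        if (memcmp(hdr, "XBRA", 4) != 0) {
            c.end = END_NO_XBRA;       /* everything deeper stays hidden */
            return c;
        }
        memcpy(c.ids[c.n], hdr + 4, 4);
        c.n++;
        if (!is_known(c.ids[c.n - 1], known)) { c.end = END_UNKNOWN_ID; return c; }
        vec = be32(hdr + 8);           /* the vector value it replaced */
    }
}

/* Write an XBRA header in front of the entry point `at` and return `at`. */
static uint32_t hook(uint8_t *ram, uint32_t at, const char *id, uint32_t old)
{
    uint8_t *h = ram + at - 12;
    memcpy(h, "XBRA", 4);
    memcpy(h + 4, id, 4);
    h[8] = (uint8_t)(old >> 24);  h[9] = (uint8_t)(old >> 16);
    h[10] = (uint8_t)(old >> 8);  h[11] = (uint8_t)old;
    return at;
}

/* Constructed scenario: three programmes hook one vector, loaded in the order
   CBHD, <middle>, FrmD. mode 0: the middle one is the known XBRA programme
   "DEMO"; mode 1: it has no XBRA header; mode 2: it is XBRA "ZZZZ", unknown. */
struct chain demo_walk(int mode)
{
    static const char *const known[] = { "CBHD", "DEMO", "FrmD", NULL };
    uint8_t ram[RAM_SIZE];
    uint32_t vec;

    memset(ram, 0, sizeof ram);
    vec = hook(ram, 0x100, "CBHD", 0x00FC0030u);  /* constructed ROM address */
    if (mode == 1)
        vec = 0x200;                              /* entry point, no header */
    else
        vec = hook(ram, 0x200, mode == 2 ? "ZZZZ" : "DEMO", vec);
    vec = hook(ram, 0x300, "FrmD", vec);
    return xbra_walk(ram, sizeof ram, vec, known);
}

int main(void)
{
    static const char *why[] = { "reached OS", "no XBRA", "unknown ID", "bad pointer" };
    for (int mode = 0; mode < 3; mode++) {
        struct chain c = demo_walk(mode);
        printf("mode %d: %d identified, stopped: %s\n", mode, c.n, why[c.end]);
    }
    return 0;
}
```

 In mode 1 only "FrmD" is identified even though "CBHD" is still hooked to  the 
same vector, which is exactly how a programme without XBRA hides what was loaded 
before it.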

 So  far  mention  has  been made only of problems  for  the  "Ultimate  Virus 
Killer". But what about a problem for you? Well, unfortunately there is one.
 Just suppose a virus installs itself in your system. It hooks itself to a few 
system  variables and would be plainly visible for any extensive system  check 
screen you'd care to throw at it.  However,  now just suppose a bunch of  AUTO 
folder programs and desk accessories are loaded right afterwards.  Unless  all 
of  these are using the XBRA protocol,  they will effectively hide  the  virus 
from  view  (and,  what's  most important,  they will also hide  it  from  the 
"Ultimate Virus Killer" check algorithms and all will appear to be OK).
 For you to be sure that all is safe you will have to do pretty much the  same 
as  was  described  above,  where the isolation of  unrecognized  AUTO  folder 
programmes and desk accessories was concerned.  Disable all of these and  boot 
your system anew.  Enable one AUTO folder program at a time, each time run the 
"Ultimate  Virus Killer",  then do the same with the desk accessories.  If  no 
memory  addresses  are  displayed  in inverted text  style  you  can  consider 
yourself  safe  even if the programme will not be able to check  to  the  most 
extreme depths each time.
 Do note that you will have to check each newly acquired AUTO folder programme 
and desk accessory afterwards if you want to continue feeling safe!


10        FEEDBACK


 Feedback,  suggestions, comments and non-recognized boot files (on disk or as 
printout) can be sent to:

 Richard Karsmakers
 P.O. Box 67
 NL-3500 AB  Utrecht
 The Netherlands

 Please  do  not forget to add sufficient International Reply Coupons  if  you 
want some sort of reply,  or if you want to receive disks back! Do not add any 
stamps unless they're Dutch!!
 You may direct important questions to my electronic postbox at email account 
cronos@atari.org.
 If possible limit any electronic mail to the explanation of  problems,  bugs, 
and  other  questions  of technical  nature.  Inquiries  about  subscriptions, 
administration, orders, pricing, replacement copies, disks with bootfiles that 
you sent,  etc., should be sent to the above regular address. Please make sure 
your message subject is appropriate.


11        CREDITS


All resource and Flydial routines, as well as help using them
                                                              Gregor Duchalski

System Status Screen memory check
                                                    H.W.A.M. de Beer (SysInfo)

Insurmountably invaluable GEM programming assistance
                                                                    Mark Matts

Scan Partition Code and various small but important bits
                                                               Stefan Posthuma

AntiVirus
                                                             Helmut Neukirchen

Additional ideas and miscellaneous help
                                                      Claus Brod (ST Computer)
                                                Volker Söhnitz (Virendetektor)
                                   Chris Brookes (Professional Virus Killer 3)
                                               Martijn Wiedijk (Lucifer Eksod)
                                           Mike Watson (Sinister Developments)
                                                                Filipe Martins

'Fame' acknowledgements
                                      Niall McKiernon (Douglas Communications)
                                            Tarik Ahmia (TOS Magazine Germany)
                                               Willem Hartog (Atari ST Nieuws)
                                         Les Ellingham (New Atari User/Page 6)

Special thanks
                                                          Kai Holst (Antidote)

All other coding (what's left of it), research,  programming, resource design, 
text, manual, development, program collection and layout
                                                            Richard Karsmakers


12        TROUBLE SHOOTING CHART


 In  this  chapter  you will find some of the problems that  may  occur  while 
running  the "Ultimate Virus Killer" - and suggestions on how to prevent  them 
from appearing again.

* A 'NOT ENOUGH MEMORY' ALERT BOX APPEARS.
 Disable  all  desk accessories,  RAM disks and AUTO  folder  programmes  that 
occupy  memory  space.  Please note that cache programmes (such as  hard  disk 
speeders,  "Turbodos" and printer spoolers) also occupy a lot of  memory.  The 
"Ultimate Virus Killer" should also work on a machine with half a megabyte  of 
memory (it will not be able to restore any bootsectors then, though).

* AN  ERROR  MESSAGE OCCURS DURING PROGRAMME EXECUTION AND IT RETURNS  TO  THE 
DESKTOP UNWANTED.
 This  means  that  you've done something awkward  that  the  "Ultimate  Virus 
Killer" couldn't handle!  Please try to re-create this error message and write 
down  EXACTLY what you did to cause it, as well as some of your system details 
(TOS version,  amount of memory,  monitor mode,  etc.).  The bug will then  be 
avoided in future versions (hopefully).
 If  the error in question was an error '33' during the link  virus  partition 
scan,  this is due to a bug in GEM. The older the TOS version, the more likely 
it is that this error will occur. Nothing much can be done about it, as GEM is 
faulty  in  this  case.  You may try to use  the  "FOLDRxxx.PRG"  AUTO  folder 
programme, which serves to increase the GEMDOS internal memory pool. This will 
delay the occurrence of the error, but will not fix it.

* VERY MANY SYSTEM VARIABLES ARE PRINTED IN REVERSE WHEN DISPLAYING THE SYSTEM 
STATUS CHECK.
 You are probably using (a beta version of) a disk based TOS.  Reboot  without 
this.  The "Ultimate Virus Killer" works smoothly with all known TOS  versions 
on ROM.  Basically,  these inconveniences should only occur with a RAM version 
of any of the TOS versions.
 You  might also be using lots of unknown resident programmes,  e.g.  in  your 
(hard  disk)  AUTO  folder.  Please  send those to us  so  we  can  include  a 
recognition!  Send accessories as well,  and never forget to explain WHAT does 
WHAT and WHO made it!

* DISKS THAT YOU HAVE IMMUNIZED WITH VERSIONS 3.X ARE FOUND TO BE IMMUNIZED IN 
THE 'OLD' WAY, WHEREAS 3.X VERSIONS STATED THAT THEY WERE IMMUNIZED PROPERLY.
 Quite a while ago the immunization logic was redesigned to cope with some  of 
the later viruses,  and is therefore 'new' as of version 4.0 and up (this  was 
the first time it was changed since version 3.3).  It is advisable to immunize 
your  disks  anew  with  the  current  "Ultimate   Virus   Killer"   version. 
Please  refer  to the VIRUSES.TXT file to check out against which  viruses  it 
protects  you.  Other  viruses can only be protected against by  keeping  your 
disks write-protected!

* WHENEVER  THE PROGRAMME WANTS YOUR ATTENTION (FOR EXAMPLE WHEN A  SUSPICIOUS 
BOOTSECTOR IS FOUND),  IT FLASHES THE SCREEN.  DURING THIS FLASHING,  YOU FIND 
THAT YOU REPEATEDLY HAVE TO LISTEN TO A SAMPLED SOUND OF SOME VARIETY.
 You  probably have a programme installed that changes your computer's  'bell' 
sound (chr$(7)) into a sample. A programme like this is Gribnif's "Newbell" by 
Dan Wilga. Disable this program.

* THE PROGRAMME REFUSES TO LOAD THE "DATA.PAK" FILE,  EVEN IF YOU DISABLE  ALL 
RAM DISKS AND ACCESSORIES.  YOU EVEN TURNED OFF THE MACHINE FOR 30 SECONDS AND 
YOU  BOOTED  WITH  THE ORIGINAL "ULTIMATE VIRUS KILLER" DISK  SO  THERE  CAN'T 
POSSIBLY BE SOMETHING IN MEMORY...
 Then you surely have a 512 Kb machine.  For the "DATA.PAK" file to be  loaded 
it needs more free memory than a 512 Kb machine has. Since the programme needs 
considerably less space to run WITHOUT the "DATA.PAK" file,  it decided not to 
load it.

* READING IN A BOOTSECTOR RESULTS IN A 'TRACK NOT FOUND' ERROR.
 Some games use exotic disk formats,  especially for their data disks (usually 
any  disk other than the boot disk).  Psygnosis,  for example,  is famous  for 
creating  these kinds of formats.  This is NOT unusual,  and does NOT indicate 
hardware/software failure,  nor virus infection.  If this happens with a  game 
boot disk (a disk labelled "1" or "A") this is no good news and DOES  indicate 
some  sort of disk failure (though no virus infection) - in case of  the  game 
not working either,  you should have it replaced by the company you bought  it 
from (refer to the game manual for details).

* THE PROGRAMME BOMBS OUT WHEN EXITING - USUALLY ABOUT SIX BOMBS.
 Do  you  have  the Rubrik's Screen Saver (on offer on  the  UK  magazine  "ST 
Format",  cover  disk #42) installed?  This has the problem that,  when it  is 
resident in your system,  all programmes written in "GfA Basic" versions  3.xx 
will  cause a bomb crash when exiting back to the desktop.  This even  happens 
with "GfA Basic" itself.

* THE PROGRAMME BOMBS OUT WHEN PERFORMING THE EXTENSIVE SYSTEM CHECK.
 Do  you  have Dan Wilga's (Gribnif's)  "Sysmon"  programme  installed?  Older 
versions of this program install an XBRA vector the wrong way which will  lead 
to the mentioned bomb error.  Either disable "Sysmon" from being installed  or 
skip  the  system check screen when starting the "Ultimate  Virus  Killer"  by 
keeping  [RIGHT SHIFT] pressed until the first regular dialog box  appears.  A 
special algorithm fixes this with some "Sysmon" versions.

* YOU  HAVE  FOUND  SEVERAL  DISKS  SOME TIME  AGO  AND  YOU  IMMUNIZED  THEM. 
EVERYTHING'S  OKAY  SO FAR,  BUT ONCE YOU EXIT YOUR  CURRENT  "ULTIMATE  VIRUS 
KILLER"  SESSION  YOU GET "IMMUNIZATIONS PERFORMED:  0" (OR ANY  OTHER  NUMBER 
LOWER THAN WHAT YOU THINK YOU HAVE ACTUALLY IMMUNIZED).
 The statistics apply only to the CURRENT session.  This means that this  line 
of  statistics  specifies  the  number  of  immunizations  you  have  actually 
performed  during  the current virus killer  session.  The  "HISTORY.PRG"  and 
"UVK.HST"  files  are used to maintain statistics across  sessions,  and  this 
option only works if you start the program from hard disk.

* AFTER RE-PARTITIONING YOUR HARD DISK OR INSTALLING ANOTHER HARD DISK DRIVER, 
THE  HIDDEN  HARD  DISK OPTION TELLS YOU THAT THE  HARD  DISK  BOOTSECTOR  HAS 
CHANGED AND GIVES A WARNING.
 Simply leave the programme, erase the "AVK.BUF" file in the root directory of 
hard  disk  partition "C:",  restart the "Ultimate Virus Killer" and  run  the 
hidden option again.

* YOU WANT TO CHECK DRIVE "U" BUT IT'S DISABLED.
 This is not a bug or anything. You are using "MultiTOS", which uses drive "U" 
as the 'unified drive'.  This drive should never be checked for link  viruses, 
as it would irrevocably crash the system.


13        THE "ULTIMATE VIRUS KILLER" CONFIGURATION FILE


 As of version 5.8 the programme can be additionally configured with regard to 
the file extensions it handles as belonging to 'executable files' (i.e.  files 
that  you  can double-click on and execute from the desktop  directly  without 
having to 'install application').  When checking for link viruses, 'executable 
files' used to be only those with the extensions .PRG, .TOS, .APP, .TTP, .ACC, 
.PRX (disabled .PRG) and .ACX (disabled .ACC).
 It  is now possible to create a configuration file,  named "UVK.CNF",  to  be 
present in the "Ultimate Virus Killer" directory.  This configuration file can 
contain  up  to  8192 file extensions  of  executable  files.  When  selecting 
"executable files only" during link virus partition or folder scan,  only  the 
files with these specific extensions will be checked.

 If you have no configuration file in the main directory, the program will use 
the default extensions, listed above.

 The following rules apply to the "UVK.CNF" file.

1) Extension  entries  should be no longer than  4  characters,  including  an 
   obligatory "." as the leftmost character.

2) Remarks can be added on any line not containing an actual extension  entry. 
   They need to start off with ";".

3) The  file must be called "UVK.CNF" and it must be in the same directory  as 
   the "Ultimate Virus Killer" programme itself.

4) The  file  should be written in straight ASCII (i.e.  without  any  control 
   codes). This can be done with any text editor (such as "EdHak" or "Tempus") 
   or a word processor with WP mode switched off while saving.

 Below you'll find a sample configuration file:


;
; Ultimate Virus Killer configuration file
;
; These are the regular extensions
;
.PRG
.TOS
.APP
.TTP
.ACC
.CPX
;
; These are Neodesk special executable file extensions
;
.NPG
.NTP
;
; These are some common disabled versions of the above
;
.PRX
.ACX
.CPZ
;
; This is the 'GEM takes parameters' extension for TOS >2.00
;
.GTP
;
; End of file
;

 As of version 6.1,  the program supports a special extension that is used  to 
determine  the  minimum size a file must have in order to be  checked  in  the 
"check  all  files"  link  virus scan department.  You  can  use  any  of  the 
extensions you want for this (even multiple ones) but only the last one  found 
will be used so it's best to use the very last entry for this.
 The  format is ".XXX",  where "XXX" stands for the minimum size in  kilobytes 
(i.e.  the  actual  file size divided by 1024) from 0 to  999.  When  none  is 
specified,  the program uses a default minimum size of 3 Kb (i.e.  3072).  The 
larger the specified size, the quicker the link virus scan but the less safe!
 In  all  cases  fill up the value with zeroes to make sure the  length  is  3 
digits (so "123", "003" and "030" would be valid entries).
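
 The rules above,  written out as an added example (not code from the programme 
or its author):  a Python reader for "UVK.CNF" that reports rule violations and 
the resulting scan scope.  Upper-casing entries,  skipping blank lines, counting 
a  file  of  exactly  the  minimum  size  as  checked,  and  the  function  names 
are assumptions.

```python
import re

# Defaults stated in the manual: extensions used when no UVK.CNF exists,
# and the 3 Kb minimum file size for the "check all files" scan.
DEFAULT_EXTENSIONS = [".PRG", ".TOS", ".APP", ".TTP", ".ACC", ".PRX", ".ACX"]
DEFAULT_MIN_KB = 3
MAX_ENTRIES = 8192
SIZE_ENTRY = re.compile(r"^\.\d{3}$")   # ".XXX": minimum size in Kb, 000-999


def parse_uvk_cnf(text):
    """Return (extensions, min_kb, problems) for the text of a UVK.CNF file.

    Pass None when no file exists. Upper-casing entries, ignoring blank lines and
    treating every "." + three digits entry as a size entry are assumptions.
    """
    if text is None:
        return list(DEFAULT_EXTENSIONS), DEFAULT_MIN_KB, []
    extensions, min_kb, problems = [], DEFAULT_MIN_KB, []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                          # rule 2: remark line
        if any(ord(c) < 32 or ord(c) > 126 for c in line):
            problems.append((number, "control or non-ASCII character"))   # rule 4
        elif not line.startswith(".") or not 2 <= len(line) <= 4:
            problems.append((number, "not '.' plus 1-3 characters"))      # rule 1
        elif SIZE_ENTRY.match(line):
            min_kb = int(line[1:])            # only the last size entry is used
        elif len(extensions) >= MAX_ENTRIES:
            problems.append((number, "more than 8192 extension entries"))
        elif line.upper() not in extensions:
            extensions.append(line.upper())
    return extensions, min_kb, problems


def is_scanned(filename, size_bytes, extensions, min_kb, executables_only):
    """Decide whether a file falls inside the configured link virus scan scope."""
    if executables_only:
        dot = filename.rfind(".")
        return dot != -1 and filename[dot:].upper() in extensions
    return size_bytes >= min_kb * 1024        # "check all files" size floor


# Constructed sample input, not a file shipped with the program.
SAMPLE = "; constructed sample\n.PRG\n.cpx\n.GTPX\n.010\nPRG\n.003\n"
```

 Running parse_uvk_cnf(SAMPLE) flags lines 4 and 6 and ends with a minimum size 
of 3 Kb, because the later ".003" entry replaces ".010".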


14        THE "ULTIMATE VIRUS KILLER" HISTORY FILE


 When  you are using the "Ultimate Virus Killer" from a hard disk  (!not  when 
running it from floppy disk!) it will write (or, when already present, it will 
update)  a  small  file  called "UVK.HST" that will be  located  in  the  same 
directory as that of the "Ultimate Virus Killer" programme.  Its contents  may 
be displayed on screen in any resolution offering 80 characters per line (i.e. 
80  columns) by double-clicking on the "HISTORY.PRG"  programme.  This  latter 
file  should  also  be located in the same directory as  the  "Ultimate  Virus 
Killer" programme.
 The  "UVK.HST" file will contain some statistics such as the total number  of 
times the "Ultimate Virus Killer" was used, the total amount of time you spent 
using it, which TOS version it was last used on, how many viruses were killed, 
etc.

 You are requested for statistical purposes to supply a copy of your "UVK.HST" 
file every time you send in anything on disk to the feedback address.


