$Header: /home/CVS/asm/mbrkill/mbrkill_eng.txt,v 1.12 2003/01/12 20:20:01 ralph Exp $

  ------------------------------------------------------------------------
       _____ ____________________           ____  __.__.__  .__
      /     \\______   \______   \         |    |/ _|__|  | |  |
     /  \ /  \|    |  _/|       _/  ______ |      < |  |  | |  |
    /    Y    \    |   \|    |   \ /_____/ |    |  \|  |  |_|  |__
    \____|__  /______  /|____|_  /         |____|__ \__|____/____/
            \/       \/        \/                  \/

  ------------------------------------------------------------------------
         (C)opyright 1994-2003 by ROSE SWE, Dipl.-Ing. Ralph Roth


      Some viruses copy themselves into the hard disk's partition table 
      sector (MBR), which makes them far more difficult to remove than boot 
      sector viruses.  Performing a low-level format is an effective, but 
      rather drastic cure.  MBRKill can be used to remove MBR viruses.  In 
      most cases you don't even need to do a cold boot to remove the virus: 
      MBRKill has built-in tunneling and emulation capabilities!

      If you have an overwriting stealth virus like Monkey or Neuroquila, you 
      must use MBRKill while the virus is active.  MBRKill will read the 
      original MBR with the help of the virus, then disable the virus using 
      its own stealth techniques, and write back a valid MBR!

      Another important feature of MBRKill is to replace the partition table 
      code with new code offering greater resistance against MBR viruses. 
      The MBRKill partition code is executed before the (DOS) boot sector 
      gains control, enabling a check of the MBR sector in a clean 
      environment. The MBRKill partition code performs a byte-by-byte 
      compare on the master boot sector just before the boot sector code is 
      activated and issues a warning if the MBR sector has been modified. 
      These checks are carried out whenever the computer is booted from the 
      hard disk.  To disable any stealth virus, the secured partition code 
      (MBRKill code) again tunnels the disk interrupts to disable active 
      stealth viruses!

      It should be noted that MBR sector verification is imperative before 
      allowing the boot sector code to execute.  A virus could easily become 
      resident in memory during boot-up and hide its presence.  MBRKill 
      offers total security at this stage by being active before the boot 
      sector is executed.  Obviously, MBRKill is far more convenient than 
      the traditional strategy of booting from a clean DOS diskette for an 
      undisturbed inspection of the boot sector.

      Please note that the MBRKill code DOES NOT stay resident. Therefore no 
      memory will be wasted and no incompatibilities will arise!

      MBR-Kill should find the interrupt 13h entry point at C000:xxxx or 
      above (e.g.: F000:955B). If so, MBR-Kill has bypassed the virus and 
      can now write a clean MBR sector!

      WARNING: DO NOT USE MBRKILL IF YOU HAVE ANY OF THE FOLLOWING (unless 
      you are a very advanced power user or an antivirus guru :)

        1.)   a SCSI drive (should work with standard SCSI) - works with my
              Adaptec controller and 5 different SCSI disc drives! See below
        2.)   an (E)IDE drive with more than 540 MB AND a special diskmanager
              like EZ-Drive or Ontrack.
              Drives with 40 GB++ (without diskmanagers) have been tested
              successfully.
        3.)   special boot managers like OS/2, Linux (LILO/GRUB), Ranish etc.
              (works with Linux 1.x/2.x), because MBRKILL removes their
              functionality!
        4.)   an XT or a 286 PC (MBR-Kill uses 386 code)
        5.)   installed BootMagic by PowerQuest or BootStar


      Generally speaking, the MBRKILL code is a special boot manager that 
      cannot co-exist with other boot or disk managers! MBRKill has been 
      tested with very advanced stealth viruses.  All viruses have been 
      detected by the MBR loader!


What does FDISK /MBR do?

      People often recommend the undocumented DOS command FDISK /MBR to 
      solve problems with the MBR. This command however does not rewrite the 
      entire MBR - it just rewrites the boot code, but leaves the partition 
      information alone. Thus, it won't help when the partition table has 
      problems. Moreover, it can be dangerous to restore the boot code to 
      its original state: if the cause of the problems was a boot sector 
      virus, then vital information may have been stored elsewhere by the 
      virus, and killing the virus may mean killing access to this 
      information. (For example, the Stoned.Empire.Monkey virus encrypts the 
      original MBR to sector 0/0/3.) However, people who want to uninstall 
      LILO, and do not know that LILO has a -u option, can use FDISK /MBR 
      for this purpose.

---------------------------------------------------------------------------

      This is a beta version! NO WARRANTIES AT ALL! USE AT YOUR OWN RISK!

---------------------------------------------------------------------------

     usage:    MBRKill [Partition[0-9]] [/-?] [/-s] [/-w] [/-l] [/-r] [/-q]

     [Partition] is a 'p' followed by a digit, representing your physical
     drive. Use p0 for your first harddisc (0x80) and p1 for your second
     harddisc (0x81).

     Example: MBRKill p1

     Normally you DO NOT need to specify a partition, MBR-Kill cleans
     partition zero where the operating system is usually booted from.

Options:

     /?     Show this short help.
     /cxx   Set the color of the MBR message to 'xx', see below
     /l /r  Load (read) old MBR from file A:\MBRPART?.DAT
     /s /w  Save (write) current MBR into file A:\MBRPART?.DAT
     /n     Do not tunnel Interrupt 13h. Useful for special viruses
            or when running under an emulator (Bochs, VMWare etc.).
     /q     Quit before replacing the MBR of the selected drive.
     px     Process physical drive x instead (p0 is default).


Option Color (/cxx)

        With this option you can specify a customized color the MBR loader 
        should use. Default is 14 (yellow). You can enter the value in 
        decimal or hexadecimal notation (hex values take a trailing 'h'): 
        /c10 is equal to /cah.

        Here is a list of valid colors:

          Color      Value  Color         Value
          ---------------------------------------
          Black        0    DarkGray        8
          Blue         1    LightBlue       9
          Green        2    LightGreen     10
          Cyan         3    LightCyan      11
          Red          4    LightRed       12
          Magenta      5    LightMagenta   13
          Brown        6    Yellow         14
          LightGray    7    White          15

---------------------------------------------------------------------------
Glossary


Master Boot Record (MBR)
------------------------

       The Master Boot Record is the first sector of a Hard Disk and is 
       located at Head 0, Cylinder 0, Sector 1. The MBR is one disk block in 
       length (512 bytes). Its purpose is to provide a mechanism to load the 
       desired Operating System from the appropriate Volume on the Hard 
       Disk. The MBR consists of executable code, a Partition Table, and a 
       System Signature (55AAh). The executable code in the MBR determines 
       the Active Partition in the Partition Table, then loads and executes 
       the Boot Sector of that partition. The MBR is not a DOS specific 
       structure or function.


Partition Table (PT)
--------------------

       The Partition Table is a structure located in the Master Boot Record.
       The table consists of four 16-byte entries that describe Volumes on
       the hard disk. Valid DOS Partition Table entries are DOS Partition
       and Extended Partition.

System Signature
----------------

       The signature used to indicate valid system blocks is 55AAh. This
       signature is located in the last word of the block.
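The following is an added example, not part of the MBRKill distribution: it decodes the MBR layout described in this glossary (446 bytes of code, four 16-byte partition entries, 55AAh in the last word), performs the kind of byte-by-byte compare of a saved copy against the current sector that the MBRKill loader does at boot, and shows the scope of a code-only rewrite like FDISK /MBR, which leaves the partition table alone. The sample sector and its altered copy are constructed here for illustration.

```python
import struct

SECTOR_SIZE = 512
PT_OFFSET = 0x1BE          # partition table: 4 x 16 bytes starting at byte 446
PT_ENTRY_SIZE = 16
SIG_OFFSET = 0x1FE         # system signature occupies the last word
SIGNATURE = b"\x55\xAA"    # 55AAh as written in the glossary


def parse_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (CHS fields kept raw)."""
    status, chs_start, ptype, chs_end, lba, count = struct.unpack("<B3sB3sII", entry)
    return {"active": status == 0x80, "type": ptype, "lba_start": lba,
            "sectors": count, "chs_start": chs_start, "chs_end": chs_end}


def parse_mbr(sector: bytes) -> list:
    """Validate the signature and return the four partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[SIG_OFFSET:] != SIGNATURE:
        raise ValueError("system signature 55AAh missing: not a valid MBR")
    return [parse_entry(sector[PT_OFFSET + i * PT_ENTRY_SIZE:
                               PT_OFFSET + (i + 1) * PT_ENTRY_SIZE]) for i in range(4)]


def changed_regions(saved: bytes, current: bytes) -> list:
    """Byte-by-byte compare of a saved copy against the sector read now,
    reporting which region(s) differ (the check the MBRKill loader performs)."""
    regions = {"boot_code": (0, PT_OFFSET),
               "partition_table": (PT_OFFSET, SIG_OFFSET),
               "signature": (SIG_OFFSET, SECTOR_SIZE)}
    return [name for name, (lo, hi) in regions.items() if saved[lo:hi] != current[lo:hi]]


def rewrite_boot_code(sector: bytes, code: bytes) -> bytes:
    """Replace only the code area; partition table and signature are kept.
    This is the scope of a code-only rewrite such as FDISK /MBR."""
    if len(code) > PT_OFFSET:
        raise ValueError("boot code must fit in the 446 bytes before the partition table")
    return code.ljust(PT_OFFSET, b"\x00") + sector[PT_OFFSET:]


def sample_mbr() -> bytes:
    """Constructed sample: a 'jmp $' stub and one active type 06h (FAT16) partition."""
    code = b"\xEB\xFE".ljust(PT_OFFSET, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xFE\xFF\xFF", 63, 2_000_000)
    return code + entry + b"\x00" * (3 * PT_ENTRY_SIZE) + SIGNATURE
```

Note that a sector whose code area differs from the saved copy while the partition table is intact is exactly the case the loader warns about; restoring only the code area (as FDISK /MBR would) brings the sector back to the saved state but does nothing for any data the virus moved elsewhere.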

---------------------------------------------------------------------------

           German users: Please read the file MBRKill_De.txt too!

---------------------------------------------------------------------------

Whatsnew
~~~~~~~~

1.2.2   29-Jan-2003

        Misc enhancements (program + dox). Release.

1.2.1   03-Sept-2002

        Added the option /n (do not tunnel interrupt 13h).

1.1.3c  28-Aug-2002

        Enhanced the documentation. Tested against the Emperor.58xx viruses. 
        MBRKill detects them successfully; due to the recursive partition 
        used by these viruses, booting from the harddisc isn't possible any 
        more.

1.1.3b  21-May-2002

        Enhanced the documentation.

1.1.3a  16-May-2002

        Enhanced the documentation.

1.1.3   14-April-2002

        Spelling fixed, Y2K2 fixed, small fixes.


1.1.2   23-Sept-2001, 5 Nov 2001

        Had to clean out my corrupted NT4.0 loader (was corrupted by a DR-
        DOS test installation). Worked fine with an Adaptec Controller and 4 
        different SCSI drives.


0.98.3  01-Nov-1999

        Tested with Civil_Defense family. Small changes. Tested with Adaptec 
        SCSI-II adapter.


0.98.1  10-Nov-1998

        Tested with a SCSI-II 4 GB multiple partition hard disc (including 
        Linux 2.32 and compressed partitions)

        Tested against

        One_Half.3544.A-I, 3474, 3486, 3518, 3524, 3570, 3577, 3579
        One_Half.3577.A-D, 3666, 3969
        Living_Death.3757, 3766, 4205
        Neuroquila.A-D
        Lung.2589


0.97    20-Apr-98 Option /c  (Color)

        Tested with an old 41 MB hard drive


0.96    13-March-98

        Tested MBRKill with old 40 MB and 42 MB hard disks. Tested MBRKill 
        with the following viruses (MBRKill detects them and can remove them 
        easily!):

        - Shrapnel.6067
        - Civil_Defense.6672.A, B, C & D
        - PM_Boot
        - Implant.6200, 6127, 6147 & 6178 (recursive partition!)
        - Goldbug.1401
        - TPVO.3464, 3506, 3783
        - Ugly.5995, 6000  (a.k.a Mammoth)


---------------------------------------------------------------------------

__________ ________    ____________________   ___________      _____________
\______   \\_____  \  /   _____/\_   _____/  /   _____/  \    /  \_   _____/
 |       _/ /   |   \ \_____  \  |    __)_   \_____  \\   \/\/   /|    __)_
 |    |   \/    |    \/        \ |        \  /        \\        / |        \
 |____|_  /\_______  /_______  //_______  / /_______  / \__/\  / /_______  /
        \/         \/        \/         \/          \/       \/          \/

 -------------------------------------=-----------------------------------
     ROSE SWE                           See ROSEBBS.TXT for
     Dipl.-Ing. Ralph Roth              full address, FAX and PGP keys.
     http://come.to/rose_swe
     rose_swe@hotmail.com               All Rights Reserved!
 -------------------------------------=-----------------------------------


Credits

        Frank Ziemann, VHM              Documentation fixes and enhancements.

/* end */
