:author: ROSE SWE, Ralph Roth
:doctype: book
:data-uri:
:icons:
:lang: en

= MemScan

MemScan - Memory Scanner: A rule based, universal memory virus scanner for *DOS*
viruses. Not limited to known viruses! Will not run on 64 bit Windows systems.

----
     __  __                ____                     ______   ___  ____
    |  \/  | ___ _ __ ___ / ___|  ___ __ _ _ __    / /  _ \ / _ \/ ___|
    | |\/| |/ _ \ '_ ` _ \\___ \ / __/ _` | '_ \  / /| | | | | | \___ \
    | |  | |  __/ | | | | |___) | (_| (_| | | | |/ / | |_| | |_| |___) |
    |_|  |_|\___|_| |_| |_|____/ \___\__,_|_| |_/_/  |____/ \___/|____/

                                 (c) 16.10.1990-2018 by ROSE SWE, Ralph Roth

    $Id: MemScan_Eng.txt,v 1.40 2018/04/12 20:13:42 ralph Exp $
    Written in ASCIIDOC using the UTF-8 code set and Windows LF/CR
    Umlaute and screen copy may look ugly if our text program don't use UTF-8

----

NOTE: A short English "FAQ" for QMS, MemScan and TestBoot can be found
      at the end of the document!

== Function of MemScan

MemScan examines your working memory for resident MS-DOS computer viruses.
If you have further questions about computer viruses, please read the files
VIRSCAN.DOC & VIRSCAN.TXT (if available).

MemScan can also check the "UPPER" DOS Memory (UMB = memory between 640 KB
and 1 MB) and the HMA (High Memory Area = 1088 KB) gate. MemScan needs
approx. 450 KB of free working DOS memory for the virus database and hash
tables! MemScan main memory usage was adapted especially to network
environments and therefore needs only 450 KB of free memory!

MemScan detects due to heuristic scanning unknown viruses (option /UNB).
MemScan usually reports such viruses with one of the following messages:

        Execution-Function [Exec] or
        Generic File Open [Fopen] or
        Memory Control Of Blocks [MCB] or
        Generic Exeheader.????-???? or
        Generic Boot virus [BOOT] etc.

In case of detection of one of these two viruses please send me an infected
file: To classify the virus (if VirScan reports the same virus type with
the option /HEUR) and to include it in MemScan!  Try to make the virus
infect the "victim/bait/goat files" INFECTME.* included in this package!

NOTE: MS-DOS 6.xx and Novell DOS 7.0 produce a false alarm with the option
/UNB together with the option /HIGH. In most cases a Generic Exec Virus is
reported in the segment Fxxx:xxxx which, however, is occupied by COMMAND.COM
loaded high.


== Why MemScan?

We are using MemScan internally to quickly and securely add new viruses to
VirScan. However, customers frequently asked us for a program that checks ONLY
the working memory. For this reason MemScan was made accessible to the public
for FREE.


== Optional parameters

    /?                Displays a short help
    /HIGH             Search high memory (to 1 MB) too
    /IVT              Check interrupts for viruses, see also VIRSCAN.DOC
    /NOLIVEBAIT       Skip Live Bait Test
    /NOMEM            Skip complete "Quick Memory Check"
    /NOPATHCOMPANION  Skip path Companion Test
    /UNB /UNK         Search for new unknown viruses
                      No output on argument syntax (Guru option).
    /AKTION           Display information on virus special offer.

TIP: To see a short description of more options execute MemScan
     with the parameter /? for a short help!

===   Option /UNB

This option is only for the case of emergency!  This function ALWAYS
produces false alarms!  I use it for finding known and new viruses! Almost
every new resident MS-DOS virus can be found with MemScan!

===  Option /IVT

With the parameter /IVT the working memory can be examined for approx. 180
of the most known DOS viruses.  This is being done by so called "Am I there"
calls in a split of a second (in comparison to the slow memory scan). Among
other things, the working memory is being examined for the following viruses:

  - Jerusalem and related viruses (at least 48 variants)
      * Frere Jacques
      * Fu Manchu
  - Tequila (Stealth virus)
  - Yankee Doodle/Vacsina (45 variants)
  - Cascade and Yap (14 variants)
  - Flip/Omicron (6 variant/Sub-stealth virus)
  - Parity (4 variants, boot virus)
  - dBase
  - Plastique (AntiCad, Invader, Tobacco, 4.21, 5.21 and Cobol)
  - Tremor (Stealth virus)
  - Hare (Stealth multipartite virus)

On detection of the virus the user is being informed about that.

NOTE: You should not use this option if you have Novell Netware installed
      because it results in overlapping of the interrupt calls. This function
      used to be executed automatically, but it emerged that the so called "Am
      I There" calls were not 100% compatible with different operating systems
      and configurations. So, if unusual side effects occur, this option might
      be the reason. This option also checks the high memory (HMA) - if
      available - for viruses.


=== Notes on parameter usage

Customers familiar with the American or UNIX parameter syntax (minus sign)
instead of the slash ('/') can also use the minus sign ('-') to start
an option.

    Example: -IVT is equivalent to /IVT

NOTE: There must be at least one blank between the individual arguments!
      The arguments are not case sensitive.


=== The environment variable MemScan

Instead of always calling MemScan with arguments, MemScan can be controlled
with a so called environment variable.  For example, enter the following at
the DOS prompt:

                        SET MEMSCAN=/unb -high -IVT

If you start MemScan now, MemScan reads all required arguments from the
variable.


===  Rollback of preset values

Sometimes it might be desired to reset already set options (i.e.  set by
SET MEMSCAN=...) This can simply be done by a minus sign following the
option on the command line.  With this action the option is being switched off.

For example, you have entered the following:

                             SET MEMSCAN=/high

Then start MemScan with the following argument:

                               MEMSCAN /high-

In this case the command line option overrides the option set by the
environment variable! Command line always override environment options.


== False alarms of MemScan

MemScan detects approx. 98% of ALL new resident DOS or boot viruses with
the option /UNB; however, this option is only for absolute virus gurus.
Hint: If you suspect a virus on your system, execute VirScan Plus with the
following parameters:


                            Virscan -auto -HEUR -log

NOTE: If VirScan Plus finds in several EXE/COM files the same virus as
      MemScan: New virus! If VirScan finds a different virus in many COM/EXE
      files, for example: Crypt/FamZ, then it is a new ENCRYPTED virus! In
      these cases please send me an email with the infected files! Note: The
      option /HEUR is available only in the full version of VirScan Plus!

This screen shot is normally a false positive, because the "virus" is only
found with

. the `-unb` option
. only in the main screen

----
¦¦¦¦¦+-----------------------------------------------------------------+¦¦¦¦¦
¦¦¦¦¦¦   MemScan 10.x.x - (c) 03.01.1991-2018 by ROSE SWE, Ralph Roth  ¦¦¦¦¦¦
¦¦¦¦¦+-----------------------------------------------------------------+¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦+-------------------------------- Messages ----------------------------+¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦  ¦ Free memory available for MemScan: 68.000/68.000                  ¦¦¦¦
¦¦¦  ¦ Command line: -unb                                                ¦¦¦¦
¦¦¦  ¦ Signatures created: Mi 25. Feb. 2004, build 3.073, 5.165 signs    ¦¦¦¦
¦¦¦  ¦ This PC has 640/640 kb free base memory                           ¦¦¦¦
¦¦¦  ¦ HMA/A20 gate present at segment: 0xFFFF:0000                      ¦¦¦¦
¦¦¦  ¦ Checking conventional memory (640 kb)                             ¦¦¦¦
¦¦¦  - Found the Type_Exec2a.35C6-D0A0 virus!                            ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦  Warning: A virus found in your main memory!                         ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦+----------------------------------------------------------------------+¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦+---------- Scanning ---------+¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦     Please press a key!     ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦+-----------------------------+¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
----

A normal virus infection looks like this, and MemScan won't go to the main
screen at all (in this case a 572 byte long new COM infector):

----

-----[ Quick scan of the system and memory for viruses ]----------------------

  MBR - HDD 0 (512) .......(45FC:2A00)..... -- OK! --
  Interrupt 13h (DOS) .....(0D58:18C5)..... -- OK! --
  Interrupt 13h (Orig) ....(F000:E3FE)..... -- OK! --
  Interrupt 21h (DOS) .....(9F75:0119)..... Type_Exec1a.4A77-F232 Virus
  Interrupt 40h (DOS) .....(F000:EC59)..... -- OK! --
  Memory (Low-System) .....(0000:0000)..... -- OK! --
  Memory (639 KB) .........(9C00:0000)..... Type_Exec1a.4A77-F232 Virus
  Memory (HMA) ............(FFFF:0001)..... -- OK! --
  HDD-IRQ 76h .............(0CC5:0117)..... -- OK! --
  Path Companion Test ..................... -- OK! --
  Live Bait Test ..........(295 KB)........ Type: COM=572 Virus
Heuristic mode:
  Single Step .............(0070:06F4)..... -- OK! --
  Misc BIOS ...............(0D58:19A0)..... -- OK! --
  Reboot ..................(0D3B:002F*).... -- OK! --
  Multiplex ...............(14E2:1180)..... Type_Exec2b.CF14-B4E4 Virus
  VCPI ....................(F000:FF53)..... -- OK! --
  Interrupt D3h ...........(F000:FF53)..... -- OK! --
  Interrupt 0Dh ...........(F000:FF53)..... -- OK! --
  Interrupt 0Eh ...........(0CC5:00B7)..... -- OK! --

Please deactivate the virus through a cold boot from a system disc!
Press any key to continue...
----

== Program Return Values


MemScan return an error-code back to DOS that can be evaluated by the
variable ERRORLEVEL. The following error-codes are used:

----

        ERRORLEVEL              Short description
        -----------------------------------------------------------------
        0                       All OK, Option -?, -h etc.
        1                       Internal error
        2                       Option -exit
        3                       Overlay (MemScan.ovr) handling error
        8                       Not enough free memory available

        10                      QuickMemoryScan found a virus
        11                      NOSTEALTHTEST found a virus
        12                      NOWINTEST found a virus
        13                      Found a virus in the main scan function

----

== Hints and FAQ

 Q: can you help me fix the virus on my main memory...?
 attached is the view of MemScan and QMS...

A: I think this is a so called "false positive". Please read the
attached document (MemScan_Eng.txt). If you have a DOS or boot virus,
you should be able to trace it (as described in MemScan_Eng.txt)
with QMS/MemScan and VirScan Plus. What DOS Version and Windows
Version do you use. Some special DOS drivers in usage?

 Q: Only the TESTBOOT routine found something. Since it was in German, I really
 didn't know what it said. I went to an online translator and realized that
 it said "wert ermittelt" and "wurden gesichert" which translated "worth
 determines" and "became secured". After that I ran it again and it didn't

A: That's normal for the first (initial run) - I have added were possible
an English translation in the new version!


TIP: How you can possibly detect a file-/boot virus:

. MemScan -unb -high
. QMS -unb
. put testboot.exe into the Autoexec.bat as last command
  (DOS/Win9x based systems only)
. rhbvs -auto -log -all -high


== Integrated virus protection


The program contains an integrated check-sum tester to alert the user on
a possible virus infection.  The check-sum for the program can be found
in the file with the extension ".XXX".

This check-sum contained in the file as well as the main program must not
be changed nor modified in any case!  Otherwise, the main program regards
itself being possibly infected by a virus (a virus still unknown to the
program)!

Following features of the EXE file are monitored and checked for
modifications every time the program is executed:

* Check-sum (CRC32) - If only one bit of the program is changed by a
virus, the check-sum will no longer match (own secure routine, according
to ANSI X3.66 - CRC-Poly is: 0xDEBB20E3).

* File size - If a program becomes one or two KB longer, it is infected!

* Overlay size - If the program uses overlays (".OVR").

I strongly recommend not making any changes to the EXE & XXX-file since
the program will not run any more!

The file with the extension ".XXX" also contains the creation date and the
standard MD5 checksum that can be checked with other tools like md5dir or
hashall from ROSE SWE. Verifying the CRC32 checksum takes less than 1 second
(depending on computer type and hard disk drive). If the check-sum is OK, the
program is being executed. Otherwise a detailed error report with indications
of possible error reasons will be displayed.

This is a screen shot of MemScan self check envelope finding itself
infected with an 647 bytes EXE infector!

----

#####   Länge der Datei MEMSCAN.EXE hat sich geändert!   #####

Hierfür gibt es mehrere Möglichkeiten für diese Fehlermeldung:

¦    Ein Virus hat das Programm befallen!
     Am besten gleich mit VirScan Plus testen ...
     WARNUNG: Programm ist um 647 Bytes größer geworden!!!
     SENDEN SIE UNS DIESE DATEI ZU ANALYSEZWECKEN ZU! TYPISCH FÜR VIREN!

¦    Sie haben die Datei MEMSCAN manipuliert, deshalb ist die
     Checksumme verändert worden.

¦    Sie haben nicht alle Dateien mit kopiert (s. o.), oder auf dem
     Datenträger sind Informationen verloren gegangen (Bits umgekippt).

¦    Verwenden Sie die Option /NOCHECKCRC um diese Überprüfung zu umgehen!

Bitte die ENTER-Taste zum Fortsetzen drücken...

----

== Other/Misc

If you want to obtain the full versions of my antivirus software, please
start the program REGISTER.COM, and an order form will be printed.

By the way: MemScan is compressed from 380 KB to currently 87 KB EXE + 183
KB overlay!


==  What's new?

----
Version             Changes
#######################################################################

    3.00            Parts of MemScan were swapped out to the overlay
                    file MEMSCAN.OVR, therefore MEMSCAN needs 50 KB less
                    working memory. Added checksum tester.
    3.10            Extended 'Am I There' Virus test.
    3.17            Program does not wait any more for key stroke
                    if NO virus was found!
    3.33            Number of detected viruses: approx. 3.000!
    3.36            The package now includes HMS.COM.
    3.50            Live Bait Test to detect
                    unknown file viruses.
    3.53            New ChkPC version (Hare & Boot-437)
    3.55            50 new viruses, i. e. CriCri & Grief.
    3.98            4180 viruses. QMS, TestBoot & HMS were
                    considerably enhanced. The Live Bait
                    Test was considerably enhanced.

    4.xx            New Viruses.

    5.0.1           Completely redesigned version. Program in English!
    5.1.0           Added Stealth Live Goat Test.
    5.6             /NOPATHCOMPANION, /NOLIVEBAIT
    5.7             /NoMem
    6.0             Win32 Live Bait Test
    6.2.7           /NoWin32Test, /NoStealthTest, DOKU revised
    6.3.1           This English documentation added
    6.5.5           /NoHMA fixes, A20-Gate/HMA fixes
    6.6.8           Tons of new viruses due to F_Mirc Linux porting
    9.5.5           adapted to run with DosEMU (Linux)
    9.5.8           30.08.2017 - Ported this documentation to ASCIIDOC
    10.1.5          22.01.2018 - new viruses
----

== BANNERWARE from ROSE SWE

This program may be freely copied and passed on.  It is considered as so-
called Bannerware.  I only request the following declarations to be kept:

* (C)opyright by ROSE SWE, Ralph Roth (the so-called Banner)
* sale and/or industrial transmitting of the programs is forbidden. No
commercial transmitting without ours hard-copy consent!
* the programs MUST distributed free and/or passed on against a small
copying-charge (Shareware trader) (max. EUR 10,--).
* the program/documentation must not be changed!
* the program package must be passed on complete and unchanged!

Trademarks of other companies mentioned in this documentation and package
appear for identification purposes only and are property of their
respective companies.

NOTICE TO USER: You should read the following terms and conditions
carefully before using this software. Your use of this software indicates
your full acceptance of this license agreement and warranty.  BY INSTALLING
THIS SOFTWARE YOU ACCEPT ALL THE TERMS AND CONDITIONS OF THIS AGREEMENT.

The SOFTWARE is owned and copyrighted by ROSE SWE. Your license confers no
title or ownership in the SOFTWARE and should not be construed as a sale of
any right in the SOFTWARE.

No Warranty.  The Software is being delivered to you AS IS and ROSE SWE
makes no warranty as to its use or performance.  ROSE SWE AND ITS SUPPLIERS
DO NOT AND CANNOT WARRANT THE PERFORMANCE OR RESULTS YOU MAY OBTAIN BY
USING THE SOFTWARE OR DOCUMENTATION.  ROSE SWE AND ITS SUPPLIERS MAKE NO
WARRANTIES, EXPRESS OR IMPLIED, AS TO NON INFRINGEMENT OF THIRD PARTY
RIGHTS, MERCHANTABILITY, OR FITNESS FOR ANY PARTICULAR PURPOSE.  IN NO
EVENT WILL ROSE SWE OR ITS SUPPLIERS BE LIABLE TO YOU FOR ANY
CONSEQUENTIAL, INCIDENTAL OR SPECIAL DAMAGES, INCLUDING ANY LOST PROFITS OR
LOST SAVINGS, EVEN IF AN ROSE SWE REPRESENTATIVE HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES, OR FOR ANY CLAIM BY ANY THIRD PARTY.

In short: This software is provided 'as-is', without any express or implied
warranty.  In no event will the authors be held liable for any damages
arising from the use of this software. If you do NOT agree simply do NOT
install and use this software!


== Copyright

----

(C)opyright by (ALL RIGHTS RESERVED!)


__________ ________    ____________________   ___________      _____________
\______   \\_____  \  /   _____/\_   _____/  /   _____/  \    /  \_   _____/
 |       _/ /   |   \ \_____  \  |    __)_   \_____  \\   \/\/   /|    __)_
 |    |   \/    |    \/        \ |        \  /        \\        / |        \
 |____|_  /\_______  /_______  //_______  / /_______  / \__/\  / /_______  /
        \/         \/        \/         \/          \/       \/          \/

 -------------------------------------=-----------------------------------
     ROSE SWE                           See ROSEBBS.TXT for
     Dipl.-Ing. Ralph Roth              full address, FAX and PGP keys.
     http://rose.rult.at
     rose_swe@hotmail.com               All Rights Reserved!
 -------------------------------------=-----------------------------------

----

NOTE: Initial Translation by ez-web Digital Services, ezweb@gmx.net in 03/2002

include::viruses.adoc[Virus Description]

// atom:set fenc=utf8 ff=dos ft=asciidoc ts=2 et:
