                        |-------------------|
                        |   SEGUR - V.3.3   |
                        |-------------------|

                          (Av-Tools V. 1.1)

INSTALLING
----------

Copy all distribution files to C:\DOS. From DOS, run the program by typing
'segur'; from Windows, run 'avtlit16', or else the Delphi version if you don't
have the 'vbrun300.dll' file. Icons are included for Windows access.

To back up cmos, boot, mbr and ivt, run 'segur' from DOS and press 'a' (the
backup option of the main menu).

Windows-95 users have no c:\dos directory. They must create it using the DOS
command 'md' and copy into it the DOS-7 files, which are found in the
following subdirectories:

C:\WINDOWS\COMMAND
C:\WINDOWS         (himem.sys & emm386.exe)
D:\OTHER\OLDMSDOS  (in the win-95 cd)

WINDOWS ENVIRONMENT
-------------------

From the 'avtlit16' screen, if you are connected to the internet and wish to
visit my web page or send an e-mail, click on the url or e-mail address to copy
it to the clipboard. Then paste it wherever needed.

WHAT DOES "SEGUR" MEAN?
-----------------------

'Segur' comes from 'seguridad', a Spanish word which means 'security'. This
program aims to be the best free preventive weapon against computer viruses
that modify or destroy the cmos, boot, mbr or ivt.

To perform this task, "segur" stores these areas in four different data files
so they can be restored if destroyed or modified by computer viruses or for
any other reason.

And this little help file is intended to answer some of the doubts and
questions newcomers may have.

FEATURES
--------

 1) Backup main system areas (cmos, mbr, boot, ivt, fats, root directory)
 2) Restore main system areas
 3) View all those areas (through ports and also through ints. 13h, 25h and
    40h)
 4) Edit all those areas (so they can be modified if needed - through ports &
    ints. 13h, 26h and 40h)
 5) View memory
 6) Edit memory
 7) Save any sector to a file (hard disk and floppies)
 8) Restore any sector from a file
 9) Disinfect floppies.
10) DOS shell
11) Execute debug
12) Dir list
13) Ascii table
14) Interrupt list
15) Tunneling (to restore interrupt vectors while a virus is memory resident)
16) Random screen-savers

Cmos, mbr, boot, ivt
--------------------

The cmos memory is a small chip, provided with a battery to keep alive some
information about the system configuration, such as date, time, floppies &
hard disks installed, amount of memory, passwords, etc. Some viruses change
the diskette drive specifications in cmos so that you can't boot clean from
A:. They could even set passwords to access cmos, store whole viruses inside,
etc.

The mbr (located at cylinder 0, head 0, sector 1, in the hard disk bios area)
contains a short program (the master bootstrap loader) which tells the system
which operating systems are installed on the hard disk (detailed in the
partition table, starting at offset 1beh in the mbr). A partition table can
address up to 4 different partitions, and each one can contain a different
O.S. This way, the mbr points to the boot sector of the active partition,
another short program which loads the current O.S.

Finally, the ivt (interrupt vector table) is just a list of memory addresses,
each one two words long, pointing to BIOS or DOS routines. Resident viruses
change these addresses to point to themselves, in order to perform tasks such
as reproducing, stealthing, and so on. The ivt is 1024 bytes long and starts
at address 0:0.
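As an added example (not Segur's own code), here is a small Python reader for
the mbr layout just described, plus the two checks the program makes with it:
comparing a stored copy against a fresh read, and comparing the port-read view
with the int. 13h view, which is how a resident stealth virus gives itself away
(the features list above mentions both kinds of access). The sample mbr is
constructed, not taken from a real disk.

```python
import struct

PT_OFFSET = 0x1BE         # partition table starts here (1beh), 4 x 16 bytes
SIGNATURE = b"\x55\xaa"   # boot signature in the last two bytes of the sector


def parse_partition_table(mbr: bytes) -> list:
    """Return the four partition entries of a 512-byte MBR as dicts."""
    if len(mbr) != 512:
        raise ValueError("an MBR sector is exactly 512 bytes")
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 55AA boot signature")
    entries = []
    for i in range(4):
        raw = mbr[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        # status, CHS start (3 bytes, skipped), type, CHS end (3, skipped),
        # LBA of first sector, sector count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", raw)
        entries.append({"active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def diff_mbr(backup: bytes, current: bytes) -> dict:
    """Which part changed since the backup: loader code or partition table."""
    return {"loader_changed": backup[:PT_OFFSET] != current[:PT_OFFSET],
            "table_changed": backup[PT_OFFSET:510] != current[PT_OFFSET:510]}


def classify(backup: bytes, via_int13: bytes, via_ports: bytes) -> str:
    """Combine the two reads the program offers.  A resident stealth virus
    answers int 13h with the original sector it saved, while the port read
    returns what is really on disk; a disagreement is the tell-tale sign."""
    int13_ok = via_int13 == backup
    ports_ok = via_ports == backup
    if int13_ok and ports_ok:
        return "clean"
    if int13_ok and not ports_ok:
        return "stealth: int 13h view matches the backup, port view does not"
    return "modified"


def make_sample_mbr(overwrite_table: bool = False) -> bytes:
    """Constructed sample MBR: a few loader bytes and one active FAT16
    partition (type 06h); optionally with the partition table overwritten,
    as the text says some viruses do."""
    mbr = bytearray(512)
    mbr[:4] = b"\xfa\x33\xc0\x8e"          # arbitrary loader code bytes
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xfe\x3f\x0f", 63, 32000)
    mbr[PT_OFFSET:PT_OFFSET + 16] = entry
    if overwrite_table:
        mbr[PT_OFFSET:510] = b"\xff" * (510 - PT_OFFSET)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)
```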

Fats, root directory
--------------------

The fat keeps an index of the hard disk file system. This is how DOS knows in
which clusters the files are stored. If this index is destroyed or modified by
a user mistake, a hardware failure or a computer virus, the hard disk can
become absolutely useless... all files are still there, but DOS does not know
where. Just imagine looking for some word in a 50-volume encyclopedia with no
index at all... It's just the same.

So the program allows saving both fats and the root directory of drive C: to
a floppy. It MUST be a floppy, because saving a fat backup onto C: changes the
fat, so the copy becomes useless. What's more, if the fat gets damaged and
your fat backup is stored on the damaged drive... what's the use of it? So the
backup is stored to A:.

And remember... ANY file modification changes the fat. Adding records to a
database, creating new files, moving them to other directories, etc. modifies
the fat.

So it is the user's job to make fat backups periodically. And, in any case,
DON'T PLAY WITH THIS OPTION. USE IT WISELY, and perform the restore option
only if your fat is destroyed. Any misuse can leave the fat damaged and you
would lose your file structure, making drive C: useless.

Segur is designed to support 16-bit fats. The first release of W-95 didn't
support 32-bit fats, but the OSR2 release did. I have not tested 32-bit
fats... it could work, or it could not... If you're not sure, don't use it
under 32-bit fats. It's tested only under DOS + WINDOWS 3.11. Under this
environment it works fine.
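As an added Python example (not Segur's code): locating the fats and the root
directory of a FAT16 volume from the BIOS Parameter Block of its boot sector,
which is what a fat/root backup must know; it refuses a 32-bit fat, matching
the 16-bit-only support stated above, and checks that the two fat copies
agree, since a mismatch is an early sign of the damage described. The volume
image is constructed, not read from a disk.

```python
import struct

SIG = b"\x55\xaa"


def fat_layout(boot: bytes) -> dict:
    """Sector ranges (start, count) of each FAT copy and of the root dir."""
    if len(boot) < 512 or boot[510:512] != SIG:
        raise ValueError("not a valid boot sector")
    # BPB fields from offset 0Bh: bytes/sector, sectors/cluster, reserved
    # sectors, FAT copies, root entries, total sectors, media, sectors/FAT
    (bps, _spc, reserved, n_fats, root_entries,
     _total, _media, spf) = struct.unpack_from("<HBHBHHBH", boot, 0x0B)
    if spf == 0:
        # FAT32 keeps sectors-per-FAT in a later 32-bit field: not a 16-bit fat
        raise ValueError("32-bit fat volume: only 16-bit fats are supported")
    root_sectors = (root_entries * 32 + bps - 1) // bps
    root_start = reserved + n_fats * spf
    return {"bytes_per_sector": bps,
            "fats": [(reserved + i * spf, spf) for i in range(n_fats)],
            "root_dir": (root_start, root_sectors),
            "data_start": root_start + root_sectors}


def extract_areas(image: bytes, layout: dict) -> dict:
    """Copy every FAT and the root directory out of a partition image."""
    bps = layout["bytes_per_sector"]

    def cut(start, count):
        return image[start * bps:(start + count) * bps]

    areas = {f"fat{i + 1}": cut(*rng) for i, rng in enumerate(layout["fats"])}
    areas["root"] = cut(*layout["root_dir"])
    return areas


def fat_copies_match(image: bytes, layout: dict) -> bool:
    """DOS keeps two identical FAT copies; a mismatch means one is damaged."""
    copies = [v for k, v in extract_areas(image, layout).items() if k != "root"]
    return all(c == copies[0] for c in copies)


def make_sample_image(corrupt_fat2: bool = False) -> bytes:
    """Constructed FAT16 volume: 512 B/sector, 1 reserved sector, 2 FATs of
    20 sectors each, 512 root entries (32 sectors), no data area."""
    boot = bytearray(512)
    struct.pack_into("<HBHBHHBH", boot, 0x0B, 512, 4, 1, 2, 512, 20480, 0xF8, 20)
    boot[510:512] = SIG
    fat = bytearray(20 * 512)
    fat[:8] = b"\xf8\xff\xff\xff\x03\x00\xff\xff"   # media, EOC, chain 2->3->end
    root = bytearray(32 * 512)
    root[:11] = b"SEGUR   TXT"                        # one 8.3 directory entry
    image = bytearray(boot + fat + fat + root)
    if corrupt_fat2:
        image[21 * 512 + 4] ^= 0xFF   # damage one byte of the second FAT copy
    return bytes(image)
```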

Other options
-------------

'Segur' is also a memory, hard disk and floppy viewer/editor, allowing any
sector to be saved to a file and retrieved later at the user's will.

ENVIRONMENT
-----------

Segur is designed to work under DOS. Any change in this environment can
disturb its operation. For example, simply replacing the command interpreter
(command.com) with 4dos or ndos is enough for certain functions to stop
working.


                 WINDOWS

        W-3.xx : Segur works fine in a DOS window.
        W-95   : Segur also works in a DOS window, but accessing floppies
                 through int. 40h is no longer possible, or very slow. Port
                 access is not available either. But from version 3.3 on,
                 disk sectors can be read & written through interrupts 13h
                 & 25h. The other features work fine.


        INSTRUCTIONS
        ------------

Using 'Segur' is an easy task. After checking the pc's memory and hard disk
with your favourite antivirus scanner, to make sure you're not infected, do
the following:

            1) COPY the program distribution files to the 'C:\DOS' directory.

               To get a right copy of the ivt, rename the 'autoexec.bat' and
               'config.sys' files with 'bak' extensions, reboot the computer,
               run 'segur', back up, and afterwards rename those files back
               to their original names... Then make another backup floppy
               with your usual configuration.

            2) EXECUTE the program FROM C:\, typing 'segur' + <enter>, to
               reach the main menu options.

               First of all, as said, backup your critical areas with  the A)
               option of the main menu.

            3) INSERT a floppy into drive a:

               The program will format the diskette, move the system files
               and save the system data (ivt, cmos, mbr & boot). It also
               stores some DOS programs... and the 'Segur' files.

               Once your copy is done, include the following lines in your
               'autoexec.bat':

               C:
               CD C:\DOS
               SEGUR /C
               CD..

               This way, you'll have your system checked every time you boot.
               The program will display a short output message reporting  any
               significant change in system configuration.

Easy, isn't it? I recommend that you make TWO backup diskettes, lest when you
need one you run into the famous message 'error de datos leyendo unidad a:
... bla, bla, bla' (data error reading drive a:) :'-((. And, of course,
write-protect them afterwards by sliding that little tab they have in the
lower left corner... :)

The files the program copies follow the names established in DOS version
6.x. So, if you have an earlier version, you will have to copy them by hand
in case they have different names or extensions... or live in different
directories.

Although it seems silly to say, it's worth reminding you that if you have
more than one computer you will have to make a backup disk for each one,
since the systems will not usually be identical.

INTERRUPTS WHOSE VECTOR CAN CHANGE WITHOUT A VIRUS BEING PRESENT
----------------------------------------------------------------

   - Interrupts used by 'Segur' (by Pascal, really):

    * 00H : Divide error
    * 1BH : Ctrl-Break
    * 3FH : Overlay manager
    * BDH :
    * C4H :
    * CBH :
    * D2H :
    * D3H :

   - Interrupts used by 'Share':

    * BEH :
    * F5H :
    * F7H :

   - Others:

    * 43H : DOS Video character table

   - Command.com:

    * 23H : Ctrl-C
    * 24H : Critical error handler

'Segur' provides the tools, but not every change can be foreseen. When an
interrupt vector changes, the user must analyze the situation to decide
whether the change should be considered suspicious or not. If in any doubt,
use your favourite antivirus scanner.
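The following added Python example (not part of Segur) shows the kind of
comparison this section describes: it parses two 1024-byte tables as 256
offset:segment pairs and reports only the vectors that changed and are not on
the list above, leaving the user to judge those. The tables are constructed,
not dumped from a real pc, and the BIOS-like baseline addresses are assumed.

```python
import struct

IVT_SIZE = 1024   # 256 vectors x 4 bytes, at 0000:0000
# Vectors the text above says change without a virus being involved.
EXPECTED_CHANGES = {
    0x00, 0x1B, 0x3F, 0xBD, 0xC4, 0xCB, 0xD2, 0xD3,   # used by Segur (Pascal)
    0xBE, 0xF5, 0xF7,                                 # used by Share
    0x43,                                             # DOS video char table
    0x23, 0x24,                                       # command.com
}


def parse_ivt(table: bytes) -> list:
    """Return 256 (segment, offset) pairs; each entry is stored offset
    word first, segment word second, little-endian."""
    if len(table) != IVT_SIZE:
        raise ValueError("the ivt is exactly 1024 bytes")
    return [(seg, off) for off, seg in struct.iter_unpack("<HH", table)]


def suspicious_changes(saved: bytes, current: bytes) -> dict:
    """Map interrupt number -> (old, new) vector for every vector that
    changed since the saved copy and is NOT on the expected list."""
    before, after = parse_ivt(saved), parse_ivt(current)
    return {n: (old, new) for n, (old, new) in enumerate(zip(before, after))
            if old != new and n not in EXPECTED_CHANGES}


def make_sample_ivt(hooks: dict = None) -> bytes:
    """Constructed table: int N points to F000:N*100h (an assumed BIOS-like
    layout), except vectors listed in `hooks`, given as {int: (seg, off)}."""
    hooks = hooks or {}
    out = bytearray()
    for n in range(256):
        seg, off = hooks.get(n, (0xF000, n * 0x100))
        out += struct.pack("<HH", off, seg)
    return bytes(out)
```

Vectors such as 13h (disk) or 76h (hd IRQ) suddenly pointing into a
high segment of conventional memory are exactly the changes the text says
deserve a closer look.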

        HELP! I GOT A VIRUS!
        --------------------

"Segur" is especially good at facing boot or multipartite stealth viruses,
because it restores the changed areas by port-writing, even if the viruses
are memory-resident. Viruses like "neuroquilla" [aka "neurobasher"], which
changes the diskette drive configuration in cmos (so you cannot boot clean
from a floppy), overwrites the partition table and encrypts the hard disk's
boot sector, are no match for "Segur".

So if you've got a FILE virus, you'd better use your favourite antivirus
instead, though you can remove the virus from memory with 'Segur' if you like.

Anyway, if you've got a multipartite or boot virus, you'd better use an anti-
virus first as well, to identify the virus, because some of them encrypt the
hd sectors (One-Half, for example), and the decryption algorithm is inside
the virus body. If you restore the infected mbr, you just end up with an
unrecoverable hd encryption. But calm down... 99.9 per cent of the time you
can use 'Segur' safely & restore your data. Nowadays I think 'Segur' is, more
or less, an unbeatable program, because it can read & write through ports,
restoring the system areas to their original configuration even if viruses
are memory-resident... no matter what they have done.

Some points
-----------

* Restoring the int. 13h vector leads nowhere when facing a boot/mbr virus.
  In fact, 'Segur' does not notice any change, because you have the DOS int.
  13h vector, not the original BIOS one. But 'Segur' will report the change
  in the mbr.

  If you can't use port-writing (needed ONLY with STEALTH viruses), because
  you've got a non-IDE drive, use the option 'try to restore int. 13h'... get
  on your knees and pray to the Lord hoping it works :) If successful,
  restore the system through int. 13h.

* As said, Segur writes through ports only to IDE drives. If you've got a
  SCSI drive, port r/w won't work. Don't even try, because I have no idea
  what could happen... Anyway, I'll try to include SCSI port r/w in a future
  version... and mfm r/w as well.

* Some viruses hook interrupt 76h, which is the IRQ of the hd controller.
  Against this kind of virus Segur is not in any trouble, because it reports
  any change in this vector, so you can restore the interrupt before port
  writing or reading   :-PPP

* Only protected-mode viruses could avoid port-writing. Anyway, I have only
  heard of PMBS (Protected Mode Boot Sector), which, according to Kaspersky,
  has some bugs and hangs in the second generation.

Any other viruses are no match for 'Segur'. In just a second, while testing
the program, I removed from my hard disk neuroquilla, ugly.6000 / V.6000,
bleah, purplecum, snow, urkel, joshi and purcyst.

                   DISINFECTION EXAMPLE
                   --------------------

Let's say some day you turn on your pc and 'segur' cries that you've got a
virus because cmos, boot and mbr have been modified. You run an antivirus and
find the 'purplecum' virus. If you boot clean from a diskette you cannot
access your hd, and any attempt to restore the mbr via int. 13h leads nowhere
because the virus will intercept it.

OK, no worry. You run 'Segur', go right to 'restore system data' and restore
the information using ports. Just two keypresses and the system is clean.
Now, DON'T DO ANYTHING ELSE. The virus is still memory-resident, so if you
start disk-viewing & system checking, you'll be infected again. So, just turn
your pc off. Start it again and everything will be ok. :)

If you've got a non-IDE hd, you can choose 'try to restore interrupt 13h' to
remove the virus from memory, and restore everything later through int. 13h,
as said before.

And now, an important statement:
'Segur' is written in Pascal. Pascal modifies some interrupts for error
handling, restoring all ivt vectors when the program ends. So, if you want to
restore interrupts safely, you must exit the program using the 'absolute DOS
exit' option, bypassing Pascal, so that your changes to the interrupt table
survive.

        ------------------------------------------------------
        FAST GUIDE TO DISINFECT BOOT/MBR/MULTIPARTITE VIRUSES:
        ------------------------------------------------------

One thing you must avoid is 'fdisk /mbr'. This only works if the virus does
not encrypt or overwrite the partition table. Use 'segur' instead, unless you
know which virus you are facing...


        A) DISKETTE BOOT-INFECTORS VIRUSES
        __________________________________


        There are several ways to remove this kind of virus:

        1.- Get a copy of the boot sector from another diskette of the same
            kind, using 'copyboot', and write it afterwards over the
            infected boot (DOS sector 0).

        2.- The DOS command 'sys a:'

        3.- Format the diskette

        To each his own, but if there's no room on the diskette to perform
        'sys a:', or you've got some files you don't want to lose by
        formatting the diskette, it's plain that the best choice is #1.


        B) VIRUSES WHICH INFECT LIKE 'A' & THE HARD DISK MBR
        ________________________________________________


        There are two main types:

        B1.- Non-stealth viruses
        ------------------------

        For any kind of hard-disk:

        1.- Restore information through int. 13h & reboot.

        B2.- Stealth viruses
        --------------------

        These viruses hide the infected areas from the user. When trying to
        access the mbr (sector #1), the virus shows sector #2, or wherever
        the virus has stored the original mbr.

        The mbr is at cylinder 0, head 0, sector 1 (bios area). Head #0 of
        the first cylinder of a hard disk is invisible to DOS, so this area
        must be accessed at a lower level.

        Stealth is usually done at int. 13h level. There are, nevertheless,
        some viruses which use an even lower level, by intercepting
        interrupt 76h (hard disk IRQ), trying to avoid r/w through ports.

        So, how do I know if I've got a stealth virus...?

        That's an easy task. If you test the system, 'Segur' will show a
        modified mbr when checking through ports, and the original one when
        checking through int. 13h.

        In previous 'beta' versions, 'segur' automatically restored the int.
        76h vector before port r/w, which caused system hangs when the
        interrupt had been 'normally' modified by the system. So now the
        program warns the user if it detects any change in the int. 76h
        vector, so it can be restored if needed. So:

        IDE DRIVES
        ----------

        1.- Restore the information through ports & reboot.

        If you don't know whether you've got an IDE drive, just try to read
        the mbr through ports. If it works, you've got an IDE.

        NON-IDE DRIVES
        --------------

        1.- Use the option 'try to restore the int. 13h', from the 'antiviral
            utilities' menu.

        2.- Get on your knees &/or cross your fingers  :)

        3.- If you succeed, restore the information through the int. 13h.


        C) MULTIPARTITE viruses (INFECTING LIKE 'A', 'B' & FILES)
        _________________________________________________________


        There are two methods:

        1):
        ---

        1.- Follow the same steps shown in 'B'

        2.- Boot from a clean, write protected floppy and scan the hard disk,
            looking for files infected by the multipartite virus.

        3.- Disinfect the infected files, or replace them with clean backup
            copies.

        4.- Reboot.


        2):
        ---

        1.- Rename the 'autoexec.bat' and 'config.sys' files to the 'bak'
            extension. This should avoid reinfecting the mbr when rebooting
            through the automatic execution of some possibly infected files
            referenced in the configuration files... but this approach is
            risky, because 'command.com' could also be infected.

        2.- Follow the same steps shown in 'B'

        3.- Reboot, this time from 'C', and scan the hard disk.

        4.- Disinfect the infected files, or replace them with clean backup
            copies.

        5.- Rename the  files 'autoexec.bak' and  'config.bak' back  to their
            original names.

        6.- Reboot.

Use your head. Segur is, basically, a working tool, to be used one way or
another according to the environment. Having a backup of cmos, mbr, boot &
ivt, you've got a weapon. Use it wisely against viruses.

        HEY!, GOT A VIRUS BUT NO SYSTEM BACKUPS!!!
        ------------------------------------------

Mmmmmmm... :-? ... well, you've got to restore the cmos yourself, pressing
the <del> key when booting. Nothing to be done with the ivt. Few viruses
target the hd boot sector... some of them encrypt it (nothing to be done
there either), and as for those that save a copy in some hard disk sector...
I can't imagine any user looking for his clean boot copy all around the hard
disk... But you can seek your original mbr. 99.99% of viruses keep a copy in
some sector of the hd-bios area, not many sectors to look through; save it
to a file and restore it later. If you're dealing with a stealth virus, so
much the better, because it will kindly show you your mbr when reading the hd
through int. 13h, so you can save it to a file named 'mbr.dat' and restore it
later via ports.   };-)

Afterwards, if your boot is also infected, boot from a clean diskette with
the OS on it and perform a 'sys c:'.

Imagination, is what you need...

The point is, always, BOOTING FROM A CLEAN DISKETTE. Segur helps you do so.
Restore your cmos & mbr and you're on the right way.

For file-only infectors, you must use your favourite antivirus.


        SOME OTHER OPTIONS OF THE PROGRAM:
        ----------------------------------


        VIEWING DRIVES OR MEMORY
        ________________________


There is a little help menu included in the program. With the function keys
F1-F8 you can go back & forward.

Disk viewing
------------

F1   : Saves
F2-F8: Go forward (F8: 1, F2: 1000000)

If you press the function key together with caps key, you'll go back instead.

Memory viewing
--------------

F1-F4: Increase segment
F5-F8: Increase offset

If you press the function key together with caps key, you'll go back instead.

                   --------------------------------------

Nothing else to say, I think. I hope this program can be of some help to DOS
computer users... Let me know, and report bugs or suggest improvements.

Greetings...

-Jose Antonio Sobrino Crego-, Madrid, 05/31/98

 http://www.geocities.com/SiliconValley/Haven/9955/
 email: jscrego@hotmail.com
