Microsoft KB Archive/69069

Word: Methods of Detecting and/or Confirming Viruses

PSS ID Number: Q69069
Article last modified on 03-02-1993
PSS database name: D_WorD

3.x 4.00 5.00 5.50

MS-DOS

Summary:

This article contains five methods that can be used to detect whether or not a virus has infected a customer’s computer system. Please remember that customers should be forwarded to a mentor if you are unfamiliar with the proper method of handling such calls.

CHKDSK Method

 * 1) Boot the system with a clean, write-protected DOS disk.
 * 2) At the DOS prompt, type CHKDSK.
 * 3) Note the number of bytes free in RAM.
 * 4) Run the allegedly infected program.
 * 5) Change to drive A and run CHKDSK again.
 * 6) Compare the number of free bytes with the number found in step 3.

If the two numbers differ, the computer’s system integrity has most likely been compromised by a virus.

File Size Method

 * 1) Check the directory of an unused (noninfected) program (for example, the DOS utility FIND.EXE).
 * 2) Note the program’s file size reported by the DOS DIR command.
 * 3) Run the allegedly infected program.
 * 4) Check the directory listing of the program from step 1 and compare the file size with your original observation.

If the two sizes differ, the computer’s system integrity has most likely been compromised by a virus.

LIST.COM Method

 * 1) Type “list” (without the quotation marks) and press ENTER.
 * 2) Enter the filename of the allegedly infected program.
 * 3) Press F (for Find).
 * 4) Type “sumsdos” (without the quotation marks).

If the “sumsdos” text string is found, the file in question has been infected by the Jerusalem virus.

DEBUG.COM Method

 * 1) If the allegedly infected file has an EXE extension, rename the file with an XXX extension.
 * 2) Type “debug” (without the quotation marks) and press ENTER.
 * 3) Enter the following search command: S 0 L FFFF "sUMsDos"

The Debug program responds with some numbers if the text string was found. This particular text string is an identifier for the common Jerusalem virus.
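The string search performed by the LIST.COM and DEBUG.COM methods can be reproduced on a modern system. The following is an added example, not part of the original article: it reports the file offsets at which the marker occurs, much as Debug responds with addresses. The function names and the SAMPLE.XXX test file are assumptions made for illustration.

```python
import os
import tempfile

SIGNATURE = b"sUMsDos"  # marker string from the article's DEBUG search


def find_signature(path, needle=SIGNATURE, ignore_case=False, chunk_size=4096):
    """Return every file offset at which needle occurs, reading in chunks."""
    if ignore_case:
        needle = needle.lower()
    keep = len(needle) - 1          # bytes carried over between reads
    offsets, tail, base = [], b"", 0  # base = file offset of tail[0]
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk
            hay = buf.lower() if ignore_case else buf
            pos = hay.find(needle)
            while pos != -1:
                offsets.append(base + pos)
                pos = hay.find(needle, pos + 1)
            # Keep the last len(needle)-1 bytes so that a marker split
            # across two reads is still matched, but never matched twice.
            tail = buf[-keep:] if keep else b""
            base += len(buf) - len(tail)
    return offsets


def build_sample(directory, chunk_size=4096):
    """Write a constructed test file whose marker straddles a chunk boundary."""
    path = os.path.join(directory, "SAMPLE.XXX")  # hypothetical file name
    with open(path, "wb") as fh:
        fh.write(b"\x00" * (chunk_size - 3) + SIGNATURE + b"\x00" * 100)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        sample = build_sample(workdir)
        # Exact-case search, as typed in the DEBUG method.
        print("exact case :", [hex(o) for o in find_signature(sample)])
        # Lower-case search string, as typed in the LIST.COM method.
        print("ignore case:", [hex(o) for o in
                               find_signature(sample, b"sumsdos", ignore_case=True)])
```

An exact-case search for the lower-case string "sumsdos" does not match the mixed-case marker, so a search tool that is case-sensitive has to be given the string exactly as it appears in the DEBUG command.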

SCAN.EXE

SCAN.EXE is a virus checking utility created by the Computer Virus Industry Association (CVIA) of Santa Clara, California. CVIA, a nonprofit organization, has authorized Microsoft Product Support Services to distribute its virus scanning software to customers who may be experiencing virus problems. To obtain this software to send to a customer, follow the steps below:

 * 1) Log on to \TOOLSVR!CORPSYS.
 * 2) Copy the entire contents of the directory to a floppy disk.
 * 3) Write-protect the floppy disk and send it to the customer.

Reference(s):

Handout authored by Roy Harper (royha)

Copyright Microsoft Corporation 1993.