Microsoft KB Archive/72796

= Common Ways of Detecting a Virus in MS-DOS =

Article ID: 72796

Article Last Modified on 11/26/2003

-

APPLIES TO


 * Microsoft MS-DOS 3.1
 * Microsoft MS-DOS 3.2 Standard Edition
 * Microsoft MS-DOS 3.21 Standard Edition
 * Microsoft MS-DOS 3.3 Standard Edition
 * Microsoft MS-DOS 3.3a
 * Microsoft MS-DOS 4.0 Standard Edition
 * Microsoft MS-DOS 4.01 Standard Edition
 * Microsoft MS-DOS 5.0 Standard Edition

-



This article was previously published under Q72796



SUMMARY
Viruses commonly &quot;hide&quot; in little-used files such as FIND.EXE. Listed below are steps you can take to check for a virus without the benefit of a viral scanner. The procedure involves using CHKDSK and FIND (commonly targeted for infection) to check for changes in conventional memory and/or file size.



MORE INFORMATION
If you suspect your machine may have contracted a virus, do the following:


 * 1) Put write-protect tabs on your DOS disks. This will keep the disks from being written over, and they can be used as a reference for file size and date checking.
 * 2) Compare the file sizes and dates of the DOS disks to the corresponding files residing on the hard drive. One way you can accomplish this task is to boot up with the DOS system floppy disk and, at the A: prompt, type DIR *.* > PRN . This command will pipe a directory listing to the printer.
 * 3) Repeat step 2 using the DOS supplemental disk.
 * 4) Type C: and change to your DOS directory. Type DIR *.* > PRN again. Be sure to do this for COMMAND.COM as well (it may be in the root directory). If there is any discrepancy in file sizes or dates between the DOS disks and your hard disk, you may have a virus. In that event, you should obtain a virus cleaning program and/or reformat your hard disk.
 * 5) Run CHKDSK after powering on your computer (don't boot off the floppy disk). At the bottom of the read-out, CHKDSK will give a number for Total Bytes Memory, as well as Bytes Free. Write down these numbers.
 * 6) Change to the directory in which the DOS commands reside. Type DIR FIND.EXE . Note the the size of the file and the date.
 * 7) Type FIND . You will receive an error message telling you &quot;No Parameters Specified&quot;, However, the command has been activated, even if in error.
 * 8) Run CHKDSK again. Check too see if there is any change in Total Bytes Memory or Bytes Free. Since FIND.EXE is not a memory-resident utility, there should not be a difference. If there is, you may have a virus. You should obtain a virus cleaning program and/or reformat the hard disk.
 * 9) Change to your DOS directory. Once again, type DIR FIND.EXE . Compare the files size and date with the number you had written down previously. If there is a change, you should obtain a virus cleaning program and/or reformat the hard disk.

MS-DOS version 5.0 disks are shipped without a notch; therefore, they are write protected. The chances of these disks containing a virus are extremely small. The DOS 5.0 disks are compressed; therefore, the file sizing is different. You can tell a compressed file by the underscore that will be the last character of the extension on a compressed file. To expand a compressed file, use the expand utility on Disk 5 (for 5.25-inch disks) or Disk 3 (for 3.5-inch disks).

Additional query words: 3.20 3.21 3.30 3.30a 4.00 4.01 4.01a 5.00

Keywords: KB72796

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.