					Virus Utilities (Oct 1991):KV2.1/kv.doc


KV - KillVirus V2.1                                  11/26/89

KV will detect and remove three non-boot block viruses: the IRQ Ver 41.0,
the Lamer Exterminator and the Bundesgrenzschutz Sektion 9 (BGS) virus.
KV will also detect and disable the XENO virus in executable files. The
Lamer virus will be removed from memory and any infected disks in the
drives.

Usage: kv -LIBA { filename ... }

    -L or -l        check for Lamer virus on all floppies
    -B or -b        check for BGS-9 virus on all floppies
    -I or -i NAME   check for IRQ and XENO virus on NAME
    -A or -a        do all of the above

    `*' (unix style) wildcards allowed

    ex. kv -i C:* or kv -i C:   will check all files in C: for the IRQ
                                and XENO virus
        kv DF0:C/               will check all files in DF0:C

The XENO virus, while `harmless', attaches itself to almost any file that
is opened for either reading or writing while the virus is active. This
nasty can spread rather rapidly over a hard disk before it is detected. KV
will detect the infected files and `disable' the virus. By disable I mean
that the infectious portion of the virus will be neutralized but not
removed from the file. Unfortunately, the XENO virus merges its code with
the existing code found in the first code hunk. Removal requires excising
the virus code and adjusting the relocation information found in the
RELOC_32 hunk. Rather than delay KV until it can properly remove the
infection, I decided to release this version that will at least keep the
virus from spreading. A future version of KV will (hopefully) be able to
remove the virus code - even the disabled version.

KV will look on all floppy drives in the system for the Lamer and BGS
viruses.

Be aware that the IRQ virus attacks the file C:dir as well as the first
executable file that it finds listed in your startup-sequence files. It is
to your advantage to check all your disks' startup files and the first
executable file referenced once infected with the IRQ virus.

Also note that the new Lamer virus attaches itself to a disk as an
invisible file located in the root directory. It modifies the first line
of your Startup-Sequence file, placing its invisible name there. KV will
not modify your startup file. You must delete any blank lines at the
beginning of the file. If KV finds the Lamer virus on a disk it will
rename the invisible file to `DANGERVIRUS'. The virus won't be
automatically executed under that name - you may delete it at your
leisure.

The BGS virus finds the name of the first executable file in the
Startup-Sequence file and renames it to an invisible file in the DEVS:
directory. It then replaces the first file with the virus code, which will
be executed on startup. During its execution it will LoadSeg the invisible
file and execute it.

===============

Ver 1.01                  1/15/89

    Minor changes:
    Added more info on usage.
    Now allow multiple filenames on the command line.
    Appended `*' to filename if it ended with ':' or '/'; this allows one
    to check an entire directory such as KV C:
    Changed message output format slightly. Virus found message is in
    inverse video.
    Used DisplayBeep() to flash screen if IRQ virus is found.

Ver 2.0                   9/1/89

    Added tests for Lamer Exterminator and BGS viruses.
    Added AutoRequest() for more positive indication of KV results.

Ver 2.1                   11/26/89

    Added test for XENO virus.
    Added code to disable the XENO virus infection code.
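
The XENO notes above say that removal means excising code from the first code hunk and adjusting the RELOC_32 information. The Python sketch below is an added example, not KV's code: it parses an AmigaDOS load file and shows which longwords and relocation offsets have to change when a byte range is cut out of a hunk. The excised range and the sample file are constructed for illustration (the document does not say where XENO places its code), and only code, data, BSS, RELOC_32 and END hunks are handled.

```python
import struct

CODE, DATA, BSS, RELOC32, END, HEADER = 0x3E9, 0x3EA, 0x3EB, 0x3EC, 0x3F2, 0x3F3

def parse_hunks(raw):
    """Parse an AmigaDOS load file into [{'type', 'data', 'relocs'}, ...]."""
    pos = 0
    def u32():
        nonlocal pos
        (v,) = struct.unpack_from(">I", raw, pos)   # struct.error if truncated
        pos += 4
        return v
    if u32() != HEADER:
        raise ValueError("not an AmigaDOS load file")
    while (n := u32()):                 # resident library names (normally none)
        pos += 4 * n
    _, first, last = u32(), u32(), u32()   # table size, first and last hunk
    pos += 4 * (last - first + 1)       # size table; each hunk repeats its size
    hunks = []
    while pos < len(raw):
        kind = u32() & 0x3FFFFFFF       # top two bits are memory flags
        if kind in (CODE, DATA, BSS):
            size = 4 * u32() * (kind != BSS)    # BSS has a size but no bytes
            hunks.append({"type": kind, "data": raw[pos:pos + size], "relocs": {}})
            pos += size
        elif kind == RELOC32:           # groups of (count, target hunk, offsets...)
            while (count := u32()):
                rel = hunks[-1]["relocs"].setdefault(u32(), [])
                rel.extend(u32() for _ in range(count))
        elif kind != END:
            raise ValueError(f"unhandled hunk type {kind:#x}")
    return hunks

def excise(hunks, n, start, length):
    """Cut `length` bytes at `start` out of hunk n and repair RELOC_32 data."""
    shift = lambda v: v - length if v >= start + length else v
    for i, h in enumerate(hunks):
        buf = bytearray(h["data"])
        for off in h["relocs"].get(n, []):      # longwords holding offsets into hunk n
            (v,) = struct.unpack_from(">I", buf, off)
            struct.pack_into(">I", buf, off, shift(v))
        if i == n:                              # relocation sites in hunk n move too
            del buf[start:start + length]
            h["relocs"] = {t: [shift(o) for o in offs if not start <= o < start + length]
                           for t, offs in h["relocs"].items()}
        h["data"] = bytes(buf)

# Constructed sample: one 16-byte code hunk; its longword at offset 8 points to offset 12.
SAMPLE = struct.pack(">18I", 0x3F3, 0, 1, 0, 0, 4, 0x3E9, 4, 0x4E714E71, 0x4E714E71,
                     0x0C, 0x4E754E75, 0x3EC, 1, 0, 8, 0, 0x3F2)
```

Two things move when bytes are removed: the offsets listed in the RELOC_32 tables, and the values stored at those offsets. Longwords that point into the removed range itself are left unchanged here and would need a decision by the repair tool.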

