								Page 1
___________________________________________________________________________



		     ChekMate Known\Unknown Virus

			  Detection Utility




     Copyright (c) 1994,1995 by Martin Overton.  All rights reserved.



	Written by:                 Internet:

	Martin Overton,             <Martin@salig.demon.co.uk>
	8 Owl Beech Place,          <gbsalmgo@ibmmail.com>
	Horsham,
	West Sussex,
	RH13 6PQ,
	UNITED KINGDOM

	+44 (1403)-241376




  THE INFORMATION  AND CODE  PROVIDED IS PROVIDED AS IS WITHOUT WARRANTY
  OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
  THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
  PURPOSE.  IN  NO  EVENT SHALL MARTIN OVERTON BE LIABLE FOR ANY DAMAGES
  WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS 
  OF BUSINESS PROFITS OR SPECIAL DAMAGES. 

   _____________________________________________________________________

    This  program  executable, bait  files  and  related files  may be     
    distributed freely as long as  no money is charged for the program  
    itself or  any of its components. This program MUST be distributed  
    as  a  whole  with  its   associated  files   and  this  document.            
    This version of  ChekMate  may not be distributed as a part of any   
    commercial package  without prior written agreement of the author.   
   _____________________________________________________________________

  This program was developed entirely using personal time and personal 
  resources. 
  
  It is fully functional and there are no 'nag' screens or crippled
  functions. 
  
  It has been tested on many different PCs and DOS versions with no 
  problems encountered.

  This program has no connection with, nor is it endorsed by, my employers. 

								Page 2
___________________________________________________________________________

License:
_______

 ChekMate is hereby released under the Shareware concept.

 For personal/home use ChekMate is FREE. (Same as F-Prot by FRISK)

 Companies or other institutions using ChekMate or interested in a
 site license MUST contact the author to arrange a SITE license.

 The author retains the copyright of ChekMate and all of its 
 components.
      
 ChekMate or any of its components may not be used as part of any 
 other package unless written agreement is obtained from the author.

 ChekMate must not be modified in any way.


 
Thanks:   
______ 

 Thanks to Philip Tong for early Beta testing and a copy of the then
 unknown 'Dalian_China' or 'Gene_1991' (name still not agreed by CARO)
 virus which ChekMate captured.

 Thanks also go to Stephan Loescher for his suggestions for
 improvements and constructive feedback.


Requirements:
____________

 ChekMate requires you to have an IBM PC Compatible running DOS 3.3
 or later and at least 128Kb of memory and a Hard Disk.

 DEBUG must also be on your PC in your Path.
	 

   
What is ChekMate:
________________     

 ChekMate is a DOS based virus detection utility written
 originally for my own purposes. Other people have seen and/or
 used ChekMate and suggested that I release it as a virus
 detection tool. 
      
 So here it is!
      
 ChekMate was written to detect new and known file, boot and 
 partition table viruses. It should be used alongside a good
 quality virus scanner.  It is NOT a substitute for a virus
 scanner.

 It will detect most file infector, boot sector or partition
 table viruses. It will also detect many memory resident viruses.

								Page 3
___________________________________________________________________________

Why was ChekMate Written:
________________________

 I frequently receive suspect files from people throughout the
 world who believe, either rightly or wrongly, that they are infected
 with a new/unknown or known virus.
 
 I needed a way to confirm that the file/disk was indeed infected.
 My first step was to scan it for known viruses; if that did not
 detect a known virus then the infected file/disk was run on a 
 'sheep-dip' PC and ChekMate was then used to tempt the virus into
 infecting one or more of the bait files or the Boot sector or
 Partition Table.

 In all cases the virus was caught by ChekMate, either by infecting
 one or more of the BAIT files or the Boot Sector or Partition 
 Table.
      
 Many people do not perform a daily scan of their PC, because it 
 takes too long (3-20 Minutes). ChekMate takes under 20 seconds to 
 run, even on 80286 based systems.
      
 
How ChekMate Works:
__________________

 Every time ChekMate is run, it will first test the DOS memory
 for modifications (unless you disable this test, see below).
 
 When run for the first time, ChekMate will create a series of
 Finger-Print (.CHK) files of the following:

      COMMAND.COM  or alternate command processor.
      CHEKMATE.EXE
      THE BOOT SECTOR(s)
      THE PARTITION TABLE
      101.COM
      1001.COM
      1001.EXE
      4001.COM
      4001.EXE

 Any other time that ChekMate is run it will match the Finger-
 Print files with the actual files or image files taken at runtime.

 These Finger-Print (.CHK) files are not CRCs or checksums (these
 are easily fooled by some viruses) but are actual code fragments of 
 the start and, in some cases, the end of the file or area.

 If these Finger-Print files do NOT match the runtime images, then
 you will be warned that one or more of the files/areas have been
 changed. The actual area/file name will be displayed.

 If a change is detected then ChekMate will return to DOS without 
 checking any other files/areas for modifications.

 Most viruses change executable code at the beginning and/or end of 
 a file or area. ChekMate checks for this sort of modification.
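
 The fragment comparison described above, as an added Python sketch; it is
 not ChekMate's code. The 32-byte fragment length, the additive checksum used
 for contrast and the filler "bait" bytes are assumptions made for the example.

```python
# Added illustration; not ChekMate's code. FRAG is an assumed fragment length.
FRAG = 32

def fingerprint(data: bytes, n: int = FRAG) -> dict:
    """Keep literal bytes from both ends plus the length, not a checksum."""
    return {"size": len(data), "head": data[:n], "tail": data[-n:]}

def changed_areas(stored: dict, data: bytes, n: int = FRAG) -> list:
    """Compare a runtime image with a stored fingerprint; name what differs."""
    now = fingerprint(data, n)
    return [key for key in ("size", "head", "tail") if now[key] != stored[key]]

def sum16(data: bytes) -> int:
    """Weak 16-bit additive checksum, present only for contrast."""
    return sum(data) & 0xFFFF

# Constructed 1001-byte stand-in for a bait file (filler, not a real program).
BAIT = bytes((i * 7 + 3) % 251 for i in range(1001))
BASELINE = fingerprint(BAIT)

def appended_case() -> list:
    # First three bytes rewritten and 200 filler bytes added at the end.
    modified = b"\x00\x00\x00" + BAIT[3:] + bytes(200)
    return changed_areas(BASELINE, modified)

def swapped_case() -> tuple:
    # Two leading bytes swapped: the additive checksum is unchanged,
    # but the stored head fragment no longer matches.
    modified = bytes([BAIT[1], BAIT[0]]) + BAIT[2:]
    return sum16(modified) == sum16(BAIT), changed_areas(BASELINE, modified)

def middle_case() -> list:
    # Same-size overwrite in the middle lies outside both fragments,
    # so in this sketch the comparison reports nothing.
    modified = BAIT[:500] + b"\xff" * 8 + BAIT[508:]
    return changed_areas(BASELINE, modified)

if __name__ == "__main__":
    print("appended:", appended_case())
    print("swapped :", swapped_case())
    print("middle  :", middle_case())
```

 The last case shows the trade-off of comparing only the ends of a file: it
 is fast, but a change confined to the middle is outside what is compared.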

								Page 4
__________________________________________________________________________

Installation:
____________

 Copy all the files to a floppy disk and write protect it. This disk can 
 then be used in the event of a virus outbreak to replace infected 
 ChekMate files. Also copy the .CHK files after ChekMate is run for the
 first time.
      
 Before installation, ensure that the Validation information is correct.

 The Validation information was generated by Validate 2.00 from McAfee:

 CHEKMATE EXE     45514  02-06-95   1:05a   E88B   EC25
 CHEKMATE CHK       128  02-06-95   1:05a   A78B   012B
 CHEKMATE PIF       545  02-06-95   1:05a   1A34   D81B
 GETPART  EXE     11485  02-06-95   1:05a   B222   8409
 101      COM       101  02-06-95   1:05a   1582   7D78
 1001     COM      1001  02-06-95   1:05a   19A5   437A
 4001     COM      4001  02-06-95   1:05a   20D4   BE3C
 1001     EXE      1001  02-06-95   1:05a   813D   CB55
 4001     EXE      4001  02-06-95   1:05a   1950   43F1
 FILECHK1 CHK       160  02-06-95   1:05a   6D3D   CB79
 FILECHK2 CHK       160  02-06-95   1:05a   18DF   75F2
 
 If these values do NOT match the files included with this 
 document then please inform me and do not run them.

1.

 Create a directory for this program and copy the files listed 
 below to that directory: 

 CHEKMATE.EXE    ->       The Main Program File
 CHEKMATE.ICO    ->       Windows Icon File for ChekMate
 CHEKMATE.PIF    ->       Windows PIF File for ChekMate
 CHEKMATE.CHK    ->       ChekMate Finger-Print file 
 GETPART.EXE     ->       Takes a Snap-Shot of the PARTITION TABLE
 FILELIST.INI    ->       Program INI File (See Later)
 FILECHK1.CHK    ->       Bait files Finger-Print file (Start of Files)
 FILECHK2.CHK    ->       Bait files Finger-Print file (End of Files) 
 101.COM          \
 1001.COM           \         
 1001.EXE        - - ->   Bait files
 4001.COM           /
 4001.EXE         /

      
 (Bait files are simple files that display a message and return to 
 DOS. They act as decoys to tempt a virus into infecting them.
 They have no other purpose and DO NOT execute any other code or files.)

 The BAIT files can be replaced with your own versions of BAIT or 
 any other executable file if you so wish.
      
 BUT, don't forget to edit the FILELIST.INI file if you do that.

								Page 5
___________________________________________________________________________

2.

a. If you want to run ChekMate from Windows then:

  Use the 'File' 'New' menu option in Program Manager to create
  an entry for this program. (PIF file supplied.)

  Edit the .PIF file to reflect the correct run-time directory.


b. If you are running it from DOS then: 
      
  Either add the line below to your AUTOEXEC.BAT:

  C:\<Directory_Name>\CHEKMATE.EXE
  
  Also ensure that the FILELIST.INI is in the ROOT directory '\'.

      OR

  Create a batch file that contains the following lines:

  CD\<Directory_Name>
  CHEKMATE.EXE
  CD\

  <Directory_Name> should be the directory where you placed ChekMate
  eg. C:\WINDOWS\CHEKMATE

c. Edit the FILELIST.INI file (Shown Below) if required:
  +---------------------+---------------------------------------------+ 
  | Example File        |  What each line is/means                    |
  +---------------------+---------------------------------------------+
  | C:\BAIT             | The Directory That ChekMate is Installed in |
 *| C:\COMMAND.COM      | Path & Name of Command Processor in use.    |
 !| 1                   | Number of drives (Physical or Logical)      |
 #| 640                 | The BASE DOS Memory as reported by MEM /C   |
  | 101.COM,101         | 101  Byte .COM Bait file, Size in bytes     |
  | 1001.COM,1001       | 1001 Byte .COM Bait file, Size in bytes     |
  | 4001.COM,4001       | 4001 Byte .COM Bait file, Size in bytes     |
  | 1001.EXE,1001       | 1001 Byte .EXE Bait file, Size in bytes     |
  | 4001.EXE,4001       | 4001 Byte .EXE Bait file, Size in bytes     |
  +---------------------+---------------------------------------------+
   This file MUST exist and the contents MUST be correct or ChekMate
   will NOT work correctly.

 * The command processor may not be COMMAND.COM, 4DOS & NDOS are also
   supported as common replacements for COMMAND.COM.
   See your COMSPEC setting for the 'active' command processor and
   the correct path. Type 'SET' at the DOS prompt to view COMSPEC.
    
 ! ChekMate will handle up to drive F: (The FILELIST.INI entry 
   would then need to be 4)

 # This is usually 640Kb (655,360 Bytes). Some systems may report
   639Kb due to HD controllers 'borrowing' 1Kb for their own purposes.
   
   If this causes problems or you run ChekMate under OS/2, you can disable
   this test by setting this value to 0 (Zero).
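
   A checker for the FILELIST.INI layout shown above, as an added Python
   example; it is not part of ChekMate. The sample text is built from the
   example table, and the drive limit of 4 (C: to F:) and the size_mismatches
   helper are assumptions made for the example.

```python
# Added illustration; not part of ChekMate. Layout taken from the table above.
SAMPLE = r"""C:\BAIT
C:\COMMAND.COM
1
640
101.COM,101
1001.COM,1001
4001.COM,4001
1001.EXE,1001
4001.EXE,4001
"""

MAX_DRIVES = 4  # assumption: "up to drive F:" counted from C: gives 4

def parse_filelist(text: str) -> dict:
    """Parse the positional FILELIST.INI layout; raise ValueError on bad input."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 5:
        raise ValueError("expected 4 header lines plus at least one bait entry")
    install_dir, comspec, drives, base_kb = lines[:4]
    if not (drives.isdigit() and 1 <= int(drives) <= MAX_DRIVES):
        raise ValueError(f"entry 3: drive count must be 1..{MAX_DRIVES}, got {drives!r}")
    if not base_kb.isdigit():
        raise ValueError(f"entry 4: base memory must be a number, got {base_kb!r}")
    baits = []
    for number, entry in enumerate(lines[4:], start=5):
        name, sep, size = (part.strip() for part in entry.partition(","))
        if not (name and sep and size.isdigit()):
            raise ValueError(f"entry {number}: expected NAME,SIZE, got {entry!r}")
        baits.append((name.upper(), int(size)))
    return {
        "install_dir": install_dir,
        "comspec": comspec,
        "drives": int(drives),
        "base_kb": int(base_kb),
        "memory_test": int(base_kb) != 0,  # 0 disables the DOS memory test
        "baits": baits,
    }

def size_mismatches(cfg: dict, actual_sizes: dict) -> list:
    """Bait names whose real size (supplied by the caller) differs from the INI."""
    return [name for name, size in cfg["baits"] if actual_sizes.get(name) != size]

if __name__ == "__main__":
    print(parse_filelist(SAMPLE))
```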

								Page 6
___________________________________________________________________________

DOS ERRORLEVEL Returns:
______________________
 
 The following errorlevel values are returned when ChekMate 
 exits back to DOS.
 
 0 = No modifications detected
 1 = COMMAND.COM (or other COMMAND processor) appears to have been changed
 2 = ChekMate.EXE appears to have been changed
 3 = The BOOT SECTOR appears to have been changed
 4 = The PARTITION TABLE appears to have been changed
 5 = One or more of the BAIT files appear to have been changed
 6 = The DOS BASE Memory amount appears to have been changed

 Q. What can you do with this information?

 A. You can use the errorlevels returned in a batch file
    to automatically run your favourite virus scanner when
    ChekMate detects a modification to your system.

    e.g. CHECK.BAT

    @ECHO OFF
    CLS
    CHEKMATE.EXE
    IF NOT ERRORLEVEL 1 GOTO :End
    :Ooops!
    C:\SCANNER\F-PROT.EXE C:
    :End

    The batch file above will only run your virus scanner if the
    errorlevel returned from ChekMate is greater than or equal to 
    one. If zero (All OK) then don't run the virus scanner.


Help/Command Line Switches:
__________________________

 To get help, run: 
     
 CHEKMATE.EXE /H
     or
 CHEKMATE.EXE /?

 Other command line switches:

 /CREATE                    Creates a 'new' set of Finger-Print files.
			    Usually only used after DOS upgrade or 
			    after cleaning up after a virus attack.

 /NOEXPOSE                  Used to only check Finger-Print files 
			    against original files/area. Does NOT 
			    execute BAIT files.
			    Mainly used if you substitute the BAIT 
			    files for other executable program files.

 /MONO                      Force ChekMate to run in Monochrome mode.
			    (ChekMate will detect many MONO video cards
			    automatically.)
 
								Page 7
___________________________________________________________________________


Known problems/limitations:
__________________________

1) May not detect Companion viruses very quickly. But as soon as 
   one of the bait files is infected it will alert you. A companion 
   virus is very easy to spot as it makes a 'Companion' .COM file 
   for ANY .EXE file on the infected system.
  
2) May not detect direct action non-TSR viruses very quickly. 
   Most new viruses are TSR (memory resident) variants.

   The best way to test 'suspect' files is to place them in the same
   directory as ChekMate, Virus Scan them and if they are not reported
   as infected, then run them from there. Then run ChekMate.

	   **** REMEMBER TO BACKUP YOUR SYSTEM FIRST ****
  
3) Link viruses, such as DIR II, may not be detected as no executable
   code is changed.

Latest Version:
______________

 The latest version of this application should always be available
 from the site that you originally obtained it from. The main site is
 the SimTel archives or one of the mirror sites. 
   
 Source code is only available to companies interested in developing 
 a commercial version of ChekMate or a program based on ChekMate.

 Source code will also be made available to companies who wish to 
 have a customised version written. Contact the author to discuss.
 
								Page 8
___________________________________________________________________________


Bug reports, suggestions, etc...
________________________________

 If you catch a virus with ChekMate in one of the Bait files, then 
 please send me a copy for analysis. I will send a reply to anyone 
 who sends me such a file. If possible I will send a search string to 
 correctly identify the new virus to aid removal.

 Mail files to the E-Mail or Postal address at the top of this document.
 (If you e-mail the file(s) then please use UUENCODE or MIME.)

 Send all bug reports, suggestions, etc. to the E-Mail or Postal address
 at the top of this document.
  
 If you like this program, let other people know about it!
 Post your comments in comp.virus or anywhere else that is relevant.  
 
 If you contact me to let me know you are using ChekMate I will send 
 you a Windows Write formatted version of this manual. It will
 contain more information about ChekMate and removing viruses. 

 You will also be informed when new versions are released.

 Let people know about it!

 If you use and/or like ChekMate, then please drop me a line to 
 let me know that you are using it. This will allow me to know the 
 future development requirements.

 If you have tested ChekMate against any viruses then please let me know
 the outcome of these tests, whether the results are good or bad. For
 details of viruses that ChekMate has been tested against, please see
 the file enclosed in this ZIP file, TESTS.TXT.

!!! STOP PRESS !!!
__________________

 If enough interest is shown, then a Windows version will be written.
 So, if you want a Windows version, then let me know, NOW!

___________________________________________________________________________

*** END OF DOCUMENT ***
