								Page 1
___________________________________________________________________________



			    Known\Unknown Virus
			     Detection Utility




     Copyright (c) 1994,1995 by Martin Overton.  All rights reserved.



	Written by:                 Internet:

	Martin Overton,             <Martin@salig.demon.co.uk>
	8 Owl Beech Place,          <gbsalmgo@ibmmail.com>
	Horsham,
	West Sussex,
	RH13 6PQ,
	UNITED KINGDOM

	+44 (1403)-241376




  THE INFORMATION  AND CODE  PROVIDED IS PROVIDED AS IS WITHOUT WARRANTY
  OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
  THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
  PURPOSE.  IN  NO  EVENT SHALL MARTIN OVERTON BE LIABLE FOR ANY DAMAGES
  WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS 
  OF BUSINESS PROFITS OR SPECIAL DAMAGES. 

   _____________________________________________________________________

    This  program  executable, bait  files  and  related files  may be     
    distributed freely as long as  no money is charged for the program  
    itself or  any of its components. This program MUST be distributed  
    as  a  whole  with  its   associated  files   and  this  document.            
    This version of  ChekMate  may not be distributed as a part of any   
    commercial package  without prior written agreement of the author.   
   _____________________________________________________________________

  This program was developed entirely using personal time and personal 
  resources. 
  
  It is fully functional and there are no 'nag' screens or crippled
  functions. 
  
  It has been tested on many different PCs and DOS versions with no 
  problems encountered.

  This program has no connection with, and is not endorsed by, my employers.

								Page 2
___________________________________________________________________________

License:
_______

 This version of ChekMate is hereby released under the Shareware concept.

 For personal/home use ChekMate is FREE. (Same as F-Prot by FRISK)

 Companies or other institutions using or interested in using ChekMate
 MUST contact the author to arrange a SITE license.

 The author retains the copyright of ChekMate and all of its 
 components (except MD5 which is copyright RSA Data Security, Inc.)
      
 ChekMate or any of its components may not be used as part of any 
 other package unless written agreement is obtained from the author.

 ChekMate must not be modified in any way.

 MD5 is the RSA Data Security, Inc. MD5 Message-Digest Algorithm,
 Copyright 1991 RSA Data Security, Inc.  

 
Thanks:   
______ 

 Thanks to Philip Tong for early Beta testing and a copy of the then
 unknown 'Dalian_China' or 'Gene_1991' (name still not agreed by CARO)
 virus which ChekMate captured.

 Thanks also go to Jon Dron, Ed Fenton & many others for their 
 suggestions for improvements and constructive feedback.


Requirements:
____________

 ChekMate requires you to have an IBM PC Compatible running DOS 3.3
 or later and at least 128Kb of memory and a Hard Disk.

 DEBUG must also be on your PC in your Path.
	 

What is ChekMate:
________________     

 ChekMate is a DOS based virus detection utility, written
 originally for my own purposes. Other people have seen and/or
 used ChekMate and suggested that I release it as a virus
 detection tool.
      
 So here it is!
      
 ChekMate was written to detect new and known file, boot and 
 partition table viruses. It should be used alongside a good
 quality virus scanner.  It is NOT a substitute for a virus
 scanner.

 It will detect most file infector, boot sector or partition
 table viruses. It will also detect many memory resident viruses.

								Page 3
___________________________________________________________________________

Why was ChekMate Written:
________________________

 I frequently receive suspect files from people throughout the
 world who believe, either rightly or wrongly, that they are infected
 with a new/unknown or known virus.
 
 I needed a way to confirm that the file/disk was indeed infected.
 My first step was to scan it for known viruses. If that did not
 detect a known virus, the infected file/disk was run on a
 'sheep-dip' PC and ChekMate was then used to tempt the virus into
 infecting one or more of the bait files, the Boot sector or the
 Partition Table.

 In all cases the virus was caught by ChekMate, either by infecting
 one or more of the BAIT files or by infecting the Boot Sector or
 Partition Table.
      
 Many people do not perform a daily scan of their PC, because it 
 takes too long (3-20 Minutes). ChekMate takes under 20 seconds to 
 run, even on 80286 based systems.
      
 
How ChekMate Works:
__________________

 Every time ChekMate is run, it will first test the DOS memory
 for modifications (unless you disable this test, see below).
 
 ChekMate, when run for the first time will create a series of
 Finger-Print (.CHK) files of the following:

      COMMAND.COM  or alternate command processor, CHEKMATE.EXE,
      GETPART.EXE, MD5.EXE, THE BOOT SECTOR(s), THE PARTITION TABLE,
      101.COM, 1001.COM, 1001.EXE, 4001.COM, 4001.EXE

 Any other time that ChekMate is run it will match the Finger-
 Print files with the actual files or image files taken at runtime.

 These Finger-Print (.CHK) files are not CRC's (Checksums, as these 
 are easily fooled by some viruses) but are actual code fragments of 
 the start and in some cases the end of the file or area.

 All the BAIT files, ChekMate.EXE, MD5.EXE, GetPart.EXE
 and the Command Processor are also protected with MD5 hash values.
 These are 128 bit cryptographic signatures of the files, which are VERY
 secure. Far more secure than other similar techniques.

 If these Finger-Print files &/or hash values do NOT match the runtime 
 images, then you will be warned that one or more of the files/areas have 
 been changed. The actual area/file name will be displayed.

 If a change is detected then ChekMate will return to DOS without 
 checking any other files/areas for modifications.

 Most viruses change executable code at the beginning and/or end of
 a file or area. ChekMate checks for this sort of modification.
 MD5 hash values are computed from the contents of the whole file &
 therefore will detect ANY change to the file(s).
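 As an added illustration (not ChekMate's own code, which is not published),
 the Python script below models the two checks described above and the DOS
 ERRORLEVEL values listed later in this manual: a code-fragment finger-print
 of the start and end of each file, plus an MD5 hash of the whole file. The
 fragment sizes, the bait-file contents and the simulated modifications are
 constructed for the example.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed for this example (ChekMate's real .CHK layout is not published):
# how many bytes from the start and end of a file form its code-fragment
# "finger-print".  The MD5 hash covers the whole file, as the manual states.
HEAD_BYTES = 16
TAIL_BYTES = 16

# ERRORLEVEL values from the manual, keyed by the kind of file that changed.
ERRORLEVEL = {"command": 1, "chekmate": 2, "bait": 5, "md5": 7, "getpart": 8}

def fingerprint(data: bytes) -> Dict[str, object]:
    """Start and end code fragments plus an MD5 of the entire file."""
    return {"head": data[:HEAD_BYTES], "tail": data[-TAIL_BYTES:],
            "md5": hashlib.md5(data).hexdigest()}

def compare(data: bytes, fp: Dict[str, object]) -> Optional[str]:
    """None if unchanged; otherwise which of the two checks tripped."""
    now = fingerprint(data)
    if now["head"] != fp["head"] or now["tail"] != fp["tail"]:
        return "code fragment changed"
    if now["md5"] != fp["md5"]:
        return "MD5 changed"           # a change somewhere in the middle
    return None

def create(files: Dict[str, bytes]) -> Dict[str, Dict[str, object]]:
    """First run (or /CREATE): record a finger-print for every file."""
    return {name: fingerprint(data) for name, data in files.items()}

def check(files: Dict[str, bytes], db: Dict[str, Dict[str, object]],
          kind: Dict[str, str]) -> Tuple[int, Optional[str]]:
    """Later runs: stop at the first modified file, as the manual says
    ChekMate does, and return (errorlevel, 'file: reason') or (0, None)."""
    for name, data in files.items():
        reason = compare(data, db[name])
        if reason:
            return ERRORLEVEL[kind[name]], f"{name}: {reason}"
    return 0, None

def make_bait(size: int) -> bytes:
    """Constructed stand-in for a bait file: a few code bytes padded to size."""
    stub = b"\xb4\x09\xba\x08\x01\xcd\x21\xc3"   # print a message, then return
    return stub + b"$" * (size - len(stub))

def demo() -> Tuple[Tuple[int, Optional[str]], ...]:
    """A clean run, then a start-of-file modification, then a mid-file one."""
    files = {"101.COM": make_bait(101), "1001.COM": make_bait(1001)}
    kind = {name: "bait" for name in files}
    db = create(files)
    clean = check(files, db, kind)
    # Simulated modification of the kind the manual describes: the first
    # bytes are overwritten and extra bytes are appended.
    start = {**files, "101.COM": b"\xe9\x00\x00" + files["101.COM"][3:] + b"\x90" * 40}
    # A change in the middle only: both code fragments still match, MD5 does not.
    orig = files["1001.COM"]
    middle = {**files, "1001.COM": orig[:500] + b"\x00" + orig[501:]}
    return clean, check(start, db, kind), check(middle, db, kind)
```

 Calling demo() returns (0, None) for the clean run, errorlevel 5 with "code
 fragment changed" for the start-of-file case, and errorlevel 5 with "MD5
 changed" for the mid-file case that only the whole-file hash can see.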

								Page 4
__________________________________________________________________________

Installation:
____________

 Before installation scan the target PC with a good quality up-to-date
 virus scanner. Only once the PC is found to be free of viruses should
 you proceed with the installation of ChekMate.
 
 Copy all the files to a floppy disk and write protect it. This disk can 
 then be used in the event of a virus outbreak to replace infected 
 ChekMate files. Also copy the .CHK files after ChekMate is run for the
 first time.
      
 Before installation, ensure that the Validation information is correct.

 The Validation information was generated by MD5 from RSA Inc.
 
 Filename      Size   MM-DD-YY Time  MD5 Hash
 ____________________________________________________________________
 CHEKMATE EXE  46667  03-02-95 1:05a 8fba1ab7a1e80e5684367ebe819af888  
 CHEKMATE CHK    128  03-02-95 1:05a 3f991df2d4480b4f1f1b9abd324f8514  
 GETPART  EXE  11485  03-02-95 1:05a d9a612f0e6ad4556e2702f5c2f9d2dc1  
 MD5      EXE  18053  03-02-95 1:05a e409a17db7419ae13aa6793150a28cd6
 101      COM    101  03-02-95 1:05a c53acb3a15bed4f2f2f64ebe4d17d77d 
 1001     COM   1001  03-02-95 1:05a 68d09047733bf417e32cf82c8f804e49  
 4001     COM   4001  03-02-95 1:05a 80f6d221271fc7da8d1dc9815cb2b607  
 1001     EXE   1001  03-02-95 1:05a f900448491ea25d946b93fe80b04a468  
 4001     EXE   4001  03-02-95 1:05a 19ce58981a26f0817abbcbfe34ce51f0  
 FILECHK1 CHK    160  03-02-95 1:05a 916b67666f15fbf94276c381b493fe2c  
 FILECHK2 CHK    160  03-02-95 1:05a 2928c3077ac254fe07c07ddc45f56f12   
 
 If these values do NOT match the files included with this
 document then please inform me and do not run them.

1. Create a directory for this program and copy the files listed 
   below to that directory: 

   CHEKMATE.EXE    ->       The Main Program File
   CHEKMATE.ICO    ->       Windows Icon File for ChekMate
   CHEKMATE.PIF    ->       Windows PIF File for ChekMate
   CHEKMATE.CHK    ->       ChekMate Finger-Print file 
   GETPART.EXE     ->       Takes a Snap-Shot of the PARTITION TABLE
   FILELIST.INI    ->       Program INI File (See Later)
   MD5.EXE         ->       RSA's MD5 hash generator (PUBLIC DOMAIN)
   FILECHK1.CHK    ->       Bait files Finger-Print file (Start of Files)
   FILECHK2.CHK    ->       Bait files Finger-Print file (End of Files) 
   101.COM          \
   1001.COM           \         
   1001.EXE        - - ->   Bait files
   4001.COM           /
   4001.EXE         /

 (Bait files are simple files that display a message and return to
 DOS. They act as decoys to tempt a virus into infecting them.
 They have no other purpose and DO NOT execute any other code or files.)

 The BAIT files MUST not be replaced with your own versions of BAIT or 
 any other executable files as MD5 hash values for the files are stored
 within the main CHEKMATE.EXE file. They must also be left in the same 
 order in the FILELIST.INI provided.

								Page 5
___________________________________________________________________________

2.
a.If you want to run ChekMate from Windows then:

  Use the 'File' 'New' menu option in Program Manager to create
  an entry for this program. (PIF file supplied.)

  Edit the .PIF file to reflect the correct run-time directory.


b.If you are running it from DOS then: 
      
  Add it to your AUTOEXEC.BAT: either add the line below:

  C:\<Directory_Name>\CHEKMATE.EXE
  Also ensure that the FILELIST.INI is in the ROOT directory '\'.

      OR

  Create a batch file that contains the following lines:
  CD\<Directory_Name>
  CHEKMATE.EXE
  CD\

  <Directory_Name> should be the directory where you placed ChekMate
  eg. C:\CHEKMATE

c.Edit the FILELIST.INI file (Shown Below) if required:
  +---------------------+---------------------------------------------+ 
  | Example File        |  What each line is/means                    |
  +---------------------+---------------------------------------------+
  | C:\CHEKMATE         | The Directory That ChekMate is Installed in |
 *| C:\COMMAND.COM      | Path & Name of Command Processor in use.    |
 !| 1                   | Number of drives (Physical or Logical)      |
 #| 640                 | The BASE DOS Memory as reported by MEM /C   |
  | 101.COM,101         | 101  Byte .COM Bait file, Size in bytes     |
  | 1001.COM,1001       | 1001 Byte .COM Bait file, Size in bytes     |
  | 4001.COM,4001       | 4001 Byte .COM Bait file, Size in bytes     |
  | 1001.EXE,1001       | 1001 Byte .EXE Bait file, Size in bytes     |
  | 4001.EXE,4001       | 4001 Byte .EXE Bait file, Size in bytes     |
  +---------------------+---------------------------------------------+
   This file MUST exist and the contents MUST be correct or ChekMate
   will NOT work correctly.

 * The command processor may not be COMMAND.COM, 4DOS & NDOS are also
   supported as common replacements for COMMAND.COM.
   See your COMSPEC setting for the 'active' command processor and
   the correct path. Type 'SET' at the DOS prompt to view COMSPEC.
    
 ! ChekMate will handle up to drive F: (The FILELIST.INI entry 
   would then need to be 4)

 # This is usually 640Kb (655,360 Bytes). Some systems may report
   639Kb due to HD controllers 'borrowing' 1Kb for their own purposes.
   If this causes problems or you run ChekMate under OS/2, you can disable
   this test by setting this value to 0 (Zero).

   ChekMate now displays the DOS base memory detected at run time.
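 The FILELIST.INI layout above can be parsed and sanity-checked before
 ChekMate is run. The Python below is an added example, not part of ChekMate;
 the limits it enforces (drive count 1 to 4, base memory 640, 639 or 0, bait
 files in the order shown, declared size matching the file name) are taken
 from the notes above, and both sample files are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# The bait files in the order the manual says FILELIST.INI must keep them.
EXPECTED_BAIT = ["101.COM", "1001.COM", "4001.COM", "1001.EXE", "4001.EXE"]

@dataclass
class FileList:
    directory: str
    command_processor: str
    drives: int
    base_memory_kb: int                 # 0 disables the DOS memory test
    bait: List[Tuple[str, int]] = field(default_factory=list)

def parse_filelist(text: str) -> FileList:
    """Parse FILELIST.INI as laid out in the manual's table: four fixed
    header lines, then one 'NAME,SIZE' line per bait file."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 4:
        raise ValueError("FILELIST.INI needs at least four header lines")
    bait = []
    for ln in lines[4:]:
        name, _, size = ln.partition(",")
        if not size.strip().isdigit():
            raise ValueError(f"bad bait entry: {ln!r}")
        bait.append((name.strip().upper(), int(size)))
    return FileList(lines[0], lines[1], int(lines[2]), int(lines[3]), bait)

def validate(fl: FileList) -> List[str]:
    """Return the problems that would make ChekMate 'NOT work correctly'."""
    problems = []
    if not 1 <= fl.drives <= 4:                    # manual: up to drive F:
        problems.append(f"drive count {fl.drives} is outside 1..4")
    if fl.base_memory_kb not in (0, 639, 640):     # manual: 640, sometimes 639
        problems.append(f"base memory {fl.base_memory_kb}Kb is not 640/639 (0 disables the test)")
    names = [n for n, _ in fl.bait]
    if names != EXPECTED_BAIT:
        problems.append(f"bait files out of order: {names}")
    for name, size in fl.bait:
        stem = name.split(".")[0]
        if not stem.isdigit() or int(stem) != size:
            problems.append(f"{name}: declared size {size} does not match its name")
    return problems

# Constructed sample, copied from the manual's example table.
GOOD_INI = """C:\\CHEKMATE
C:\\COMMAND.COM
1
640
101.COM,101
1001.COM,1001
4001.COM,4001
1001.EXE,1001
4001.EXE,4001
"""
# Constructed broken sample: memory mis-stated and two bait lines swapped.
BAD_INI = GOOD_INI.replace("640", "512").replace(
    "4001.COM,4001\n1001.EXE,1001", "1001.EXE,1001\n4001.COM,4001")
```

 validate(parse_filelist(GOOD_INI)) returns an empty list; the broken sample
 yields two problems, one for the memory value and one for the bait order.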

								Page 6
___________________________________________________________________________

Upgrading From Version 1.05a
____________________________

 To upgrade ChekMate from version 1.05a, proceed as follows:


1. Read all of this manual BEFORE proceeding.


2. Copy CHEKMATE.EXE, CHEKMATE.CHK, & MD5.EXE
   to your ChekMate directory.

3. Delete COMMAND.CHK

4. Now run CHEKMATE.EXE, ChekMate will inform you that a FingerPrint file
   is missing, Press any key to continue. You will then be told that
   COMMAND.CHK is being created.

   ( This file needs to be re-created as the file structure has been
     changed to work with MD5 )

5. ChekMate should now work fine with the updated files.


6. If the above does not work correctly, then run CHEKMATE.EXE /CREATE
   as this will re-generate all the CHK files.


								Page 7
___________________________________________________________________________

Dos ERRORLEVEL Returns:
______________________
 
 The following errorlevel values are returned when ChekMate 
 exits back to DOS.
 
 0 = No modifications detected
 1 = COMMAND.COM (or other COMMAND processor) appears to have been changed
 2 = ChekMate.EXE appears to have been changed
 3 = The BOOT SECTOR(s) appears to have been changed
 4 = The PARTITION TABLE appears to have been changed
 5 = One or more of the BAIT files appear to have been changed
 6 = The DOS BASE Memory amount appears to have been changed
 7 = MD5.EXE appears to have been changed
 8 = GetPart.EXE appears to have been changed
 
 Q. What can you do with this information?
 A. You can use the errorlevels returned in a batch file
    to automatically run your favourite virus scanner when
    ChekMate detects a modification to your system.

    e.g. CHECK.BAT
    @ECHO OFF
    CLS
    CD C:\CHEKMATE
    CHEKMATE.EXE
    IF NOT ERRORLEVEL 1 GOTO :End
    :Ooops!
    C:\SCANNER\F-PROT.EXE C:
    CD C:\
    :End

    The batch file above will only run your virus scanner if the
    errorlevel returned from ChekMate is greater than or equal to 
    one. If zero (All OK) then don't run the virus scanner.

Help/Command Line Switches:
__________________________

 To get help, run: 
     
 CHEKMATE.EXE /H  or  CHEKMATE.EXE /?

 Other command line switches:

 /CREATE                    Creates a 'new' set of Finger-Print files.
			    Usually only used after DOS upgrade or 
			    after cleaning up after a virus attack.

 /NOEXPOSE                  Used to only check Finger-Print files 
			    against original files/area. Does NOT 
			    execute BAIT files.
			    Mainly used if you substitute the BAIT 
			    files for other executable program files.

 /MONO                      Force ChekMate to run in Monochrome mode.
			    (ChekMate will detect many MONO video cards
			    automatically.)
 
								Page 8
___________________________________________________________________________


Known problems/limitations:
__________________________

1) May not detect Companion viruses very quickly. But as soon as 
   one of the bait files is infected it will alert you. A companion 
   virus is very easy to spot as it makes a 'Companion' .COM file 
   for ANY .EXE file on the infected system.
  
2) May not detect direct action non-TSR viruses very quickly. 
   Most new viruses are TSR (memory resident) variants.

   The best way to test 'suspect' files is to place them in the same
   directory as ChekMate, Virus Scan them and if they are not reported
   as infected, then run them from there. Then run ChekMate.

	   **** REMEMBER TO BACKUP YOUR SYSTEM FIRST ****
  
3) Link viruses, such as DIR II, may not be detected as no executable
   code is changed.

Latest Version:
______________

 The latest version of this application should always be available
 from the site that you originally obtained it. The main site is the
 SimTel archives or one of the mirror sites. 
   
 Source code is only available to companies interested in developing 
 a commercial version of ChekMate or a program based on ChekMate.

 Source code will also be made available to companies who wish to 
 have a customised version written. Contact the author to discuss.
 
								Page 9
___________________________________________________________________________


Bug reports, suggestions, etc...
________________________________

 If you catch a virus with ChekMate in one of the Bait files, then 
 please send me a copy for analysis. I will send a reply to anyone 
 who sends me such a file. If possible I will send a search string to 
 correctly identify the new virus to aid removal.

 Mail files to the E-Mail or Postal address at the top of this document.
 (If you e-mail the file(s) then please use UUENCODE or MIME.)

 Send all bug reports, suggestions, etc to  the E-Mail or Postal address
 at the top of this document.
  
 If you like this program, let other people know about it!
 Post your comments in comp.virus or anywhere else that is relevant.  
 
 If you contact me to let me know you are using ChekMate I will send 
 you a Windows Write formatted version of this manual. It will
 contain more information about ChekMate and removing viruses. 
 (Remember to ask for it when e-mailing me.)

 You will also be informed when new versions are released.

 Let people know about it!

 If you use and/or like ChekMate, then please drop me a line to 
 let me know that you are using it. This will allow me to know the 
 future development requirements.

 If you have tested ChekMate against any viruses then please let me know
 the outcome of these tests, whether the results are good or bad. For
 details of viruses that ChekMate has been tested against, please see
 the file enclosed in this ZIP file, TESTS.TXT.
 
								Page 10
___________________________________________________________________________

Information about MD5 (Quoted from RFC1321)
___________________________________________

" 1. Executive Summary

   This document describes the MD5 message-digest algorithm. The
   algorithm takes as input a message of arbitrary length and produces
   as output a 128-bit "fingerprint" or "message digest" of the input.
   It is conjectured that it is computationally infeasible to produce
   two messages having the same message digest, or to produce any
   message having a given prespecified target message digest. The MD5
   algorithm is intended for digital signature applications, where a
   large file must be "compressed" in a secure manner before being
   encrypted with a private (secret) key under a public-key cryptosystem
   such as RSA.
   
   The MD5 algorithm is designed to be quite fast on 32-bit machines. In
   addition, the MD5 algorithm does not require any large substitution
   tables; the algorithm can be coded quite compactly.

   The MD5 algorithm is an extension of the MD4 message-digest algorithm
   [1,2]. MD5 is slightly slower than MD4, but is more "conservative" in
   design. MD5 was designed because it was felt that MD4 was perhaps
   being adopted for use more quickly than justified by the existing
   critical review; because MD4 was designed to be exceptionally fast,
   it is "at the edge" in terms of risking successful cryptanalytic
   attack. MD5 backs off a bit, giving up a little in speed for a much
   greater likelihood of ultimate security. It incorporates some
   suggestions made by various reviewers, and contains additional
   optimizations. The MD5 algorithm is being placed in the public domain
   for review and possible adoption as a standard. "
   
*** END OF DOCUMENT ***
