
                   ChekMate Known/Unknown Virus 
                         Detection Utility 


  Copyright (c) 1994,1995 by Martin Overton.  All rights reserved.

  Written by:
      Martin Overton,          Internet: <Martin@salig.demon.co.uk>
      8 Owl Beech Place,                 <gbsalmgo@ibmmail.com>
      Horsham,
      West Sussex,
      RH13 6PQ,
      UNITED KINGDOM
      +44 (1403)-241376

  THE INFORMATION AND CODE PROVIDED IS PROVIDED AS IS WITHOUT WARRANTY 
  OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO 
  THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
  PURPOSE.  IN NO EVENT SHALL MARTIN OVERTON BE LIABLE FOR ANY DAMAGES 
  WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS 
  OF BUSINESS PROFITS OR SPECIAL DAMAGES. 

  +--------------------------------------------------------------------+
  |  This program executable, bait files and related files may be      |
  |  distributed freely as long as no money is charged for the program |
  |  itself or any of its components. This program MUST be distributed |
  |  as a whole with its associated files and this document.           |
  |  This version of ChekMate may not be distributed as a part of any  |
  |  commercial package without prior written agreement of the author  |
  +--------------------------------------------------------------------+

  This program was developed entirely using personal time and personal 
  resources. 
  
  It is fully functional and there are no 'nag' screens or crippled functions. 
  It has been tested on many different PCs and DOS versions with no problems 
  encountered.

  This program has no connection with, and is not endorsed by, my employers. 
  
  -----------------------------------------------------------------------


 License:
 -------
   ChekMate is hereby released under the Shareware concept.

   For personal/home use ChekMate is FREE. (Same as F-Prot by FRISK)

   Companies or other institutions using ChekMate or interested in a 
   site license MUST contact the author to arrange a SITE license.

   The author retains the copyright of ChekMate or any of its components. 
   ChekMate or any of its components may not be used as part of any other 
   package unless written agreement is obtained from the author.

   ChekMate must not be modified in any way.

 
 Thanks:   
 ------ 
   Thanks to Philip Tong for early Beta testing and a copy of the then 
   unknown 'Dalian_China' or 'Gene_1991' (name still not agreed by CARO) 
   virus which ChekMate captured.

 
 Requirements:
 ------------
   ChekMate requires you to have an IBM PC Compatible running DOS 3.3 
   or later and at least 128Kb of memory and a Hard Disk. 
 
   This version will only run on 80286 or later processors.

   Please contact the author if you require an 8088/8086/V20/V30 version.

   
 What is ChekMate:
 ----------------     
      ChekMate is a DOS based virus detection utility written
      originally for my own purposes. Other people have seen and
      /or used ChekMate and suggested that I release it as a virus
      detection tool. 
      
      So here it is!
      
      ChekMate was written to detect new and known file, boot and 
      partition table viruses. It should be used alongside a good
      quality virus scanner.  It is NOT a substitute for a virus
      scanner.

      It will detect most file infector, boot sector or partition
      table viruses.

 
 Why was ChekMate Written:
 ------------------------
       I frequently receive suspect files from people throughout the
       world who believe, rightly or wrongly, that they are infected with
       a new/unknown or known virus.

       I needed a way to confirm that the file/disk was indeed infected.
       My first step was to scan it for known viruses. If that did not
       detect a known virus, the suspect file/disk was run on a 
       'sheep-dip' PC and ChekMate was then used to tempt the virus into
       infecting one or more of the bait files, the Boot Sector or the
       Partition Table.

       In all cases the virus was caught by ChekMate, either by infecting
       one or more of the BAIT files or by infecting the Boot Sector or
       Partition Table.
      
      Many people do not perform a daily scan of their PC, because it takes
      too long (3-20 Minutes). ChekMate takes under 20 seconds to run, even
      on 80286 based systems.

 
 How ChekMate Works:
 ------------------
       ChekMate, when run for the first time, will create a series of
       Finger-Print (.CHK) files of the following:

      COMMAND.COM
      CHEKMATE.EXE
      THE BOOT SECTOR
      THE PARTITION TABLE
      101.COM
      1001.COM
      1001.EXE
      4001.COM
      4001.EXE

       On every subsequent run, ChekMate compares the Finger-Print files
       with the actual files, or with images of the Boot Sector and
       Partition Table taken at runtime.
  
       These Finger-Print (.CHK) files are not CRCs (checksums, which some
       viruses can fool) but actual copies of the code at the start of each
       file or area.

       If a Finger-Print does NOT match the runtime image, you will be
       warned that one or more of the files/areas have been changed, and
       the name of the affected area/file will be displayed.

       If a change is detected, ChekMate returns to DOS without checking
       any further files/areas for modifications.

       Most, if not all, viruses must change the executable code at the
       beginning of a file or area in order to gain control when it is
       run. ChekMate checks for exactly this sort of modification.
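       The distinction drawn above (a stored copy of the leading code bytes
       versus a CRC or checksum) can be made concrete. The Python below is
       an added example and is not ChekMate's code, nor its .CHK file
       format: it stores a raw prefix of a constructed bait image, models a
       crude parasitic infection that overwrites the entry point with a
       JMP, and then shows that an infector that knows the checksum
       algorithm can append four bytes to restore the original CRC32 while
       the stored prefix still reports the change. The 32-byte fingerprint
       length, the bait image bytes, the infection model and every function
       name here are assumptions made for the illustration.

```python
"""Prefix fingerprint (ChekMate-style) versus a CRC32 checksum.

Added illustration, not ChekMate's code. The .CHK layout is not documented
on this page; a 32-byte prefix is assumed here.
"""
import zlib

FINGERPRINT_LEN = 32  # assumption, see module docstring

# Reflected CRC-32 table (polynomial 0xEDB88320), the same CRC zlib.crc32 uses.
CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    CRC_TABLE.append(_c)
# Every table entry has a distinct top byte, so one CRC step can be inverted.
REV_TABLE = {entry >> 24: i for i, entry in enumerate(CRC_TABLE)}


def crc32_of(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def take_fingerprint(image: bytes) -> bytes:
    """The stored 'Finger-Print': a raw copy of the start of the file/area."""
    return image[:FINGERPRINT_LEN]


def fingerprint_matches(stored: bytes, image: bytes) -> bool:
    return image[:len(stored)] == stored


def forge_crc32(data: bytes, target: int) -> bytes:
    """Append 4 bytes to data so that crc32_of(result) == target.

    Walks backwards from the wanted register value to find which table
    index each of the four unknown steps must use, then forwards from the
    real register to pick the byte that produces that index. Any linear
    checksum allows this; a stored prefix cannot be 'repaired' without
    putting the original leading bytes back.
    """
    reg = crc32_of(data) ^ 0xFFFFFFFF   # CRC register after the real data
    want = target ^ 0xFFFFFFFF          # register value the final XOR needs
    idx = [0] * 4
    for k in (3, 2, 1, 0):
        idx[k] = REV_TABLE[want >> 24]
        want = ((want ^ CRC_TABLE[idx[k]]) << 8) & 0xFFFFFFFF
    patch = bytearray(4)
    for k in range(4):
        patch[k] = (reg & 0xFF) ^ idx[k]
        reg = CRC_TABLE[idx[k]] ^ (reg >> 8)
    return data + bytes(patch)


def infect(image: bytes, body: bytes) -> bytes:
    """Crude model of a parasitic .COM infection (constructed, not a real
    virus): overwrite the entry point with a JMP to a body appended at the
    end, which carries the three original bytes so the host can be restored."""
    saved = image[:3]
    rel16 = len(image) - 3                 # JMP rel16 is measured from offset 3
    return b"\xE9" + rel16.to_bytes(2, "little") + image[3:] + saved + body


# Constructed bait image: mov ah,09h / mov dx,0108h / int 21h / ret, followed
# by the '$'-terminated message it prints (a .COM file loads at CS:0100h).
CLEAN_BAIT = (b"\xB4\x09\xBA\x08\x01\xCD\x21\xC3"
              + b"This is a ChekMate-style bait file.\r\n$")
VIRUS_BODY = b"\x90" * 64                  # inert NOP sled standing in for a body


def run_checks() -> dict:
    """Run both integrity schemes against a clean, an infected, and an
    infected-then-checksum-repaired bait image."""
    stored_fp = take_fingerprint(CLEAN_BAIT)
    stored_crc = crc32_of(CLEAN_BAIT)
    infected = infect(CLEAN_BAIT, VIRUS_BODY)
    repaired = forge_crc32(infected, stored_crc)   # infector restores the CRC
    return {
        "clean_crc": crc32_of(CLEAN_BAIT) == stored_crc,
        "clean_fp": fingerprint_matches(stored_fp, CLEAN_BAIT),
        "infected_crc": crc32_of(infected) == stored_crc,
        "infected_fp": fingerprint_matches(stored_fp, infected),
        "repaired_crc": crc32_of(repaired) == stored_crc,   # checksum fooled
        "repaired_fp": fingerprint_matches(stored_fp, repaired),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:14} {'match' if ok else 'CHANGED'}")
```

       Run it directly to print the six results. The forging step needs
       nothing but the checksum algorithm, which is why a stored copy of
       the actual leading bytes is the stronger comparison: there is no
       value an infector can append that makes different leading bytes
       compare equal.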
 
 Tests:
 -----     
       Some of the viruses ChekMate has been tested against are listed 
       below:

      Boot Sector/Partition Table Viruses:       Comments:
      ----------------------------------------------------------------
      Parity Boot.B                              Fully Stealthed
      V_Sign (Cansu)                             Slightly Polymorphic
      Form.A
      Antitel (Kampana Boot)                     Polymorphic/Stealth
      Michelangelo
      Stoned


      File Infector Viruses:                     Comments:
      ----------------------------------------------------------------
      Frodo.Fish.A                               Stealth/Polymorphic
      Cascade.1701
      Jerusalem.Vtech.2880
      Gene_1991 (Dalian_China)
      Ambulance (RedX)

 
 Installation:
 ------------
       Before installation, check the files against the Validation information
       below.

       The Validation information was generated by Validate 0.4 from McAfee 
       +--------------+--------+------------+---------+---------+
      | File:        | Size:  | Date:      | Check 1:| Check 2:|
      +--------------+--------+------------+---------+---------+
      | CHEKMATE.EXE | 34,310 | 11-26-1994 | 0B7B    | 0983    |
      | CHEKMATE.CHK | 128    | 11-26-1994 | A5E0    | 0692    |
      | FILECHEK.CHK | 160    | 11-26-1994 | 9A1E    | 124D    |
      | GETPART.EXE  | 11,485 |  9-17-1994 | 46DE    | 1264    |
      | 101.COM      | 101    |  8-18-1994 | 4457    | 15B4    |
      | 1001.COM     | 1001   |  8-18-1994 | 46E8    | 08C0    |
      | 1001.EXE     | 1001   |  8-18-1994 | F509    | 069C    |
      | 4001.COM     | 4001   |  8-18-1994 | F753    | 1DD5    |
      | 4001.EXE     | 4001   |  8-18-1994 | 8BC2    | 098C    |
      +--------------+--------+------------+---------+---------+
       If these values do NOT match the files included with this document
       then please inform me and do not run them.
   
   1. Create a directory (MUST be 'C:\BAIT') for this program and copy 
      the files listed below to that directory: 

      CHEKMATE.EXE     >     | The Main Program File
      CHEKMATE.CHK     >     | ChekMate Finger-Print file 
      GETPART.EXE      >     | Takes a Snap-Shot of the PARTITION TABLE
      FILELIST.INI     >     | Program INI File (See Later)
      FILECHK.CHK      >     | Bait files Finger-Print file
      101.COM          \
      1001.COM          \
      1001.EXE           > | Bait files
      4001.COM          /
      4001.EXE         /

      
      (Bait files are simple files that display a message and return to 
      DOS; they act as a decoy to tempt a virus into infecting them. They 
      have no other purpose and DO NOT execute any other code or files.)

      The BAIT files can be replaced with your own versions of BAIT or any
      other executable file if you wish.
      
      BUT, don't forget to edit the FILELIST.INI file if you do that.

   2. 
      a. If you want to run ChekMate from Windows then:

      Create an ICON in any Program Manager group.

      Use the File New menu option in Program Manager to create
      the entry for this program.

      b. If you are running it from DOS then: 
      
      Add the line below to your AUTOEXEC.BAT:

      C:\BAIT\CHEKMATE.EXE

      c. Edit the FILELIST.INI file (shown below) if required:
     +---------------------+-----------------------------------------------+ 
     | Example File        |  What each line is/means                      |
     +---------------------+-----------------------------------------------+
     | C:\BAIT             | The directory that ChekMate is installed in   |
     | C:                  | Location of COMMAND.COM, usually C: or C:\DOS |
     | 1                   | Number of drives (physical or logical)        |
     | 101.COM             | 101 byte .COM Bait file                       |
     | 1001.COM            | 1001 byte .COM Bait file                      |
     | 4001.COM            | 4001 byte .COM Bait file                      |
     | 1001.EXE            | 1001 byte .EXE Bait file                      |
     | 4001.EXE            | 4001 byte .EXE Bait file                      |
     +---------------------+-----------------------------------------------+
     This file MUST exist and the contents MUST be correct or ChekMate
     will NOT work correctly.
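     As an added example (not part of ChekMate), the Python below parses a
     FILELIST.INI laid out as in the table above and reports the mistakes
     that would stop ChekMate working: a wrong install directory, an
     out-of-range drive count, a bait entry that is not a .COM/.EXE file
     or is missing from the directory, and a bait file whose size
     disagrees with its name. The sample INI, the directory listing and
     the limit of four drives (C: plus the three extra drives mentioned in
     the 1.04e notes) are assumptions made for the illustration.

```python
"""Validator for a ChekMate-style FILELIST.INI (added illustration)."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample laid out exactly as the table above describes:
# line 1 = install directory, line 2 = COMMAND.COM location,
# line 3 = number of drives, remaining lines = bait file names.
SAMPLE_INI = "C:\\BAIT\nC:\n1\n101.COM\n1001.COM\n4001.COM\n1001.EXE\n4001.EXE\n"

# Constructed directory listing (name -> size in bytes) of C:\BAIT.
SAMPLE_SIZES = {"101.COM": 101, "1001.COM": 1001, "4001.COM": 4001,
                "1001.EXE": 1001, "4001.EXE": 4001}

# Assumption: C: plus the three further drives mentioned in the 1.04e notes.
MAX_DRIVES = 4


@dataclass
class FileList:
    bait_dir: str
    command_dir: str
    drives: str
    bait_files: List[str]


def parse_filelist(text: str) -> FileList:
    """Split the positional INI into named fields (blank lines ignored)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 4:
        raise ValueError("FILELIST.INI needs a directory, a COMMAND.COM "
                         "location, a drive count and at least one bait file")
    return FileList(lines[0], lines[1], lines[2], lines[3:])


def validate_filelist(text: str, sizes: Dict[str, int]) -> List[str]:
    """Return the problems found; an empty list means the file is usable.

    `sizes` is the caller's listing of the bait directory (name -> bytes),
    so the check runs without touching a real DOS file system.
    """
    problems: List[str] = []
    cfg = parse_filelist(text)
    if cfg.bait_dir.upper() != "C:\\BAIT":
        problems.append(f"line 1: install directory must be C:\\BAIT, "
                        f"got {cfg.bait_dir}")
    if not cfg.drives.isdigit() or not 1 <= int(cfg.drives) <= MAX_DRIVES:
        problems.append(f"line 3: drive count must be 1..{MAX_DRIVES}, "
                        f"got {cfg.drives!r}")
    for name in cfg.bait_files:
        upper = name.upper()
        stem, _, ext = upper.rpartition(".")
        if ext not in ("COM", "EXE"):
            problems.append(f"{name}: bait files must be .COM or .EXE")
        elif upper not in sizes:
            problems.append(f"{name}: not found in the bait directory")
        # The shipped bait files are named after their length, so a size
        # that disagrees with the name means the listing or the file is wrong.
        elif stem.isdigit() and int(stem) != sizes[upper]:
            problems.append(f"{name}: named for {stem} bytes but is "
                            f"{sizes[upper]} bytes")
    return problems


def check_sample() -> List[str]:
    """Validate the constructed sample against the constructed listing."""
    return validate_filelist(SAMPLE_INI, SAMPLE_SIZES)


if __name__ == "__main__":
    print(check_sample() or "FILELIST.INI looks usable")
```

     If you substitute your own executables for the bait files, the size
     check is the one to relax (only the shipped bait files carry their
     length in their name); the directory, drive-count and extension
     checks still apply.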

 
 Help/Command Line Switches:
 --------------------------
     To get help, run: 
     
     CHEKMATE.EXE /H
     or
     CHEKMATE.EXE /?

     Other command line switches:

     /CREATE                    Creates a 'new' set of Finger-Print files.
                                Usually only used after a DOS upgrade or after
                                cleaning up after a virus attack.

     /NOEXPOSE                  Used to only check Finger-Print files against
                                original files/area. Does NOT execute BAIT
                                files.
                                Mainly used if you substitute the BAIT files
                                for other executable program files.


 Known problems/limitations:
 --------------------------
  1) May not detect Companion viruses very quickly. But as soon as one of 
     the bait files is infected it will alert you. A companion virus is
     very easy to spot, as it creates a 'companion' .COM file alongside
     .EXE files on the infected system.
  
  2) May not detect direct-action (non-TSR) viruses very quickly. Most new
     viruses are TSR (memory-resident) variants.
  
  3) Will not run on 8088/8086/V20 or V30 based systems.

 
 Latest Version:
 --------------
   The latest version of this application should always be available
   from the site that you originally obtained it.
   
   Source code is only available to companies interested in developing 
   a commercial version of ChekMate or a program based on ChekMate.

   Source code will also be made available to companies who wish to have
   a customised version written. Contact the author to discuss.
 
 
 Bug reports, suggestions, etc...
 --------------------------------
   If you catch a virus with ChekMate in one of the Bait files, then please
   send me a copy for analysis. I will send a reply to anyone who sends me
   such a file. If possible I will send a search string to correctly identify
   the new virus to aid removal.

   Mail files to the E-Mail or Postal address at the top of this document.
   (If you e-mail the file(s) then please use UUENCODE or MIME.)

   Send all bug reports, suggestions, etc to E-Mail or Postal address at 
   the top of this document.
   
   If you like this program, let other people know about it!
   Post your comments in comp.virus or anywhere else that is relevant.  
   Let people know about it!

   If you use and/or like ChekMate, then please drop me a line to let
   me know that you are using it. This will allow me to know the future
   development requirements.

   !!! STOP PRESS !!!
   ------------------
   If enough interest is shown, then a Windows version will be written.
   So, if you want a Windows version, then let me know, NOW!

 
 History, Revisions:
 ------------------
   1.04e (26/11/94)              This Version.

   1. Fixed the 'Parity Boot.B' detection. It will now detect it fine.
   2. Changed the file access routines to make them more efficient.
   3. Added checking of 'Boot Sectors' on up to 3 more physical/logical
      drives. Now supports up to drive 'F:'. This will be of most use
      to those using disk compression products where the drive letters are
      swapped. Many 'Boot Sector' viruses will infect the 'ORIGINAL' C:
      drive. The disk compression program usually changes this to the
      highest drive letter after your existing drive(s).

      Eg Original Drive C:  (You have 2 Drives C: & D: before compression)
         after compression is installed C: becomes E: (the compressed drive
         E: becomes C:)

         A boot sector virus infects the system on drive E: (originally C:). 
         ChekMate can now detect the infected 'Boot Sector' on drive E:.

 ----------------------------------------------------------------------------  
   1.04d (23/11/94)              Internal test version (Not Released)

   1. Tested & modified the improved file access routines.
 ----------------------------------------------------------------------------
   1.04c (11/11/94)              First public release.
 ----------------------------------------------------------------------------  
   1.00 - 1.04b  & Others        Beta versions, used personally and by
                                 Beta-testers.
 ----------------------------------------------------------------------------
 *** END OF DOCUMENT ***
