MemoryScanner: A rule based, universal memory virus scanner for DOS viruses. Not limited to known viruses! Will not run on 64 bit Windows systems.

     __  __                ____                     ______   ___  ____
    |  \/  | ___ _ __ ___ / ___|  ___ __ _ _ __    / /  _ \ / _ \/ ___|
    | |\/| |/ _ \ '_ ` _ \\___ \ / __/ _` | '_ \  / /| | | | | | \___ \
    | |  | |  __/ | | | | |___) | (_| (_| | | | |/ / | |_| | |_| |___) |
    |_|  |_|\___|_| |_| |_|____/ \___\__,_|_| |_/_/  |____/ \___/|____/

                                 (c) 16.10.1990-2018 by ROSE SWE, Ralph Roth

    $Id: MemScan_Eng.txt,v 1.38 2018/01/22 11:18:03 ralph Exp $
    Written in ASCIIDOC using the UTF-8 code set and Windows LF/CR
    Umlaute and screencopy may look ugly if our text program don't use UTF-8
Note
 A short English "FAQ" for QMS, MemScan and TestBoot can be found at the end of the document!

Function of MemScan

MemScan examines your working memory for resident MS-DOS computer viruses. If you have further questions about computer viruses, please read the files VIRSCAN.DOC & VIRSCAN.TXT (if available).

MemScan can also check the "UPPER" DOS Memory (UMB = memory between 640 KB and 1 MB) and the HMA (High Memory Area = 1088 KB) gate. MemScan needs approx. 450 KB of free working DOS memory for the virus database and hash tables! MemScan main memory usage was adapted especially to network environments and therefore needs only 450 KB of free memory!

MemScan detects due to heuristic scanning unknown viruses (option /UNB). MemScan usually reports such viruses with one of the following messages:

Execution-Function [Exec] or
Generic File Open [Fopen] or
Memory Control Of Blocks [MCB] or
Generic Exeheader.????-???? or
Generic Boot virus [BOOT] etc.

In case of detection of one of these two viruses please send me an infected file: To classify the virus (if VirScan reports the same virus type with the option /HEUR) and to include it in MemScan! Try to make the virus infect the "victim/bait/goat files" INFECTME.* included in this package!

Note
 MS-DOS 6.xx and Novell DOS 7.0 produce a false alarm with the option /UNB together with the option /HIGH. In most cases a Generic Exec Virus is reported in the segment Fxxx:xxxx which, however, is occupied by COMMAND.COM loaded high.

Why MemScan?

We are using MemScan internally to quickly and securely add new viruses to VirScan. However, customers frequently asked us for a program that checks ONLY the working memory. For this reason MemScan was made accessible to the public for FREE.

Optional parameters

/?                Displays a short help
/HIGH             Search high memory (to 1 MB) too
/IVT              Check interrupts for viruses, see also VIRSCAN.DOC
/NOLIVEBAIT       Skip Live Bait Test
/NOMEM            Skip complete "Quick Memory Check"
/NOPATHCOMPANION  Skip path Companion Test
/UNB /UNK         Search for new unknown viruses
                  No output on argument syntax (Guru option).
/AKTION           Display information on virus special offer.
Tip
 To see a short description of more options execute MemScan with the parameter /? for a short help!

Option /UNB

This option is only for the case of emergency! This function ALWAYS produces false alarms! I use it for finding known and new viruses! Almost every new resident MS-DOS virus can be found with MemScan!

Option /IVT

With the parameter /IVT the working memory can be examined for approx. 180 of the most known viruses. This is being done by so- called "Am I there" calls in a split of a second (in comparison to the slow memory scan). Among other things, the working memory is being examined for the following viruses:

  • Jerusalem and related viruses (at least 48 variants)  — Frere Jaque  — Fu Manchu

  • Tequila (Stealth virus)

  • Yankee Doodle/Vacsina (45 variants)

  • Cascade and Yap (14 variants)

  • Flip/Omicron (6 variant/Sub-stealth virus)

  • Parity (4 variants, boot virus)

  • dBase

  • Plastique (AntiCad, Invader, Tobacco, 4.21, 5.21 and Cobol)

  • Tremor (Stealth virus)

  • Hare (Stealth multipartite virus)

On detection of the virus the user is being informed about that.

Note
 You should not use this option if you have Novell Netware installed because it results in overlapping of the interrupt calls. This function used to be executed automatically, but it emerged that the so called "Am I There" calls were not 100% compatible with different operating systems and configurations. So, if unusual side effects occur, this option might be the reason. This option also checks the high memory (HMA) - if available - for viruses.

Notes on parameter usage

Customers familiar with the American or UNIX parameter syntax (minus sign) instead of the slash (/) can also use the minus sign (-) to start an option.

Example: -IVT is equivalent to /IVT
Note
 There must be at least one blank between the individual arguments! The arguments are not case sensitive.

The environment variable MemScan

Instead of always calling MemScan with arguments, MemScan can be controlled with a so called environment variable. For example, enter the following at the DOS prompt:

SET MEMSCAN=/unb -high -IVT

If you start MemScan now, MemScan reads all required arguments from the variable.

Rollback of preset values

Sometimes it might be desired to reset already set options (i.e. set by SET MEMSCAN=…) This can simply be done by a minus sign following the option on the command line. With this action the option is being switched off.

For example, you have entered the following:

SET MEMSCAN=/high

Then start MemScan with the following argument:

MEMSCAN /high-

In this case the command line option overrides the option set by the environment variable! Command line always override environment options.

False alarms of MemScan

MemScan detects approx. 98% of ALL new resident DOS or boot viruses with the option /UNB; however, this option is only for absolute virus gurus. Hint: If you suspect a virus on your system, execute VirScan Plus with the following parameters:

Virscan -auto -HEUR -log
Note
 If VirScan Plus finds in several EXE/COM files the same virus as MemScan: New virus! If VirScan finds a different virus in many COM/EXE files, for example: Crypt/FamZ, then it is a new ENCRYPTED virus! In these cases please send me an email with the infected files! Note: The option /HEUR is available only in the full version of VirScan Plus!

This screen shot is normally a false positive, because the "virus" is only found with

1) the -unb option

2) only in the main screen

¦¦¦¦¦+-----------------------------------------------------------------+¦¦¦¦¦
¦¦¦¦¦¦    MemScan 9.7.9 - (c) 03.01.1991-2016 by ROSE SWE, Ralph Roth  ¦¦¦¦¦¦
¦¦¦¦¦+-----------------------------------------------------------------+¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦+-------------------------------- Messages ----------------------------+¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦  ¦ Free memory available for MemScan: 68.000/68.000                  ¦¦¦¦
¦¦¦  ¦ Command line: -unb                                                ¦¦¦¦
¦¦¦  ¦ Signatures created: Mi 25. Feb. 2004, build 3.073, 5.165 signs    ¦¦¦¦
¦¦¦  ¦ This PC has 640/640 kb free base memory                           ¦¦¦¦
¦¦¦  ¦ HMA/A20 gate present at segment: 0xFFFF:0000                      ¦¦¦¦
¦¦¦  ¦ Checking conventional memory (640 kb)                             ¦¦¦¦
¦¦¦  - Found the Type_Exec2a.35C6-D0A0 virus!                            ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦  Warning: A virus found in your main memory!                         ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦+----------------------------------------------------------------------+¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦+---------- Scanning ---------+¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦     Please press a key!     ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦+-----------------------------+¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦

A normal virus infection looks like this, and MemScan won’t go to the main screen at all (in this case a 572 byte long new COM infector):

-----[ Quick scan of the system and memory for viruses ]----------------------

  MBR - HDD 0 (512) .......(45FC:2A00)..... -- OK! --
  Interrupt 13h (DOS) .....(0D58:18C5)..... -- OK! --
  Interrupt 13h (Orig) ....(F000:E3FE)..... -- OK! --
  Interrupt 21h (DOS) .....(9F75:0119)..... Type_Exec1a.4A77-F232 Virus
  Interrupt 40h (DOS) .....(F000:EC59)..... -- OK! --
  Memory (Low-System) .....(0000:0000)..... -- OK! --
  Memory (639 KB) .........(9C00:0000)..... Type_Exec1a.4A77-F232 Virus
  Memory (HMA) ............(FFFF:0001)..... -- OK! --
  HDD-IRQ 76h .............(0CC5:0117)..... -- OK! --
  Path Companion Test ..................... -- OK! --
  Live Bait Test ..........(295 KB)........ Type: COM=572 Virus
Heuristic mode:
  Single Step .............(0070:06F4)..... -- OK! --
  Misc BIOS ...............(0D58:19A0)..... -- OK! --
  Reboot ..................(0D3B:002F*).... -- OK! --
  Multiplex ...............(14E2:1180)..... Type_Exec2b.CF14-B4E4 Virus
  VCPI ....................(F000:FF53)..... -- OK! --
  Interrupt D3h ...........(F000:FF53)..... -- OK! --
  Interrupt 0Dh ...........(F000:FF53)..... -- OK! --
  Interrupt 0Eh ...........(0CC5:00B7)..... -- OK! --

Please deactivate the virus through a cold boot from a system disc!
Press any key to continue...

Program Return Values

MemScan return an error-code back to DOS that can be evaluated by the variable ERRORLEVEL. The following error-codes are used:

        ERRORLEVEL              Short description
        -----------------------------------------------------------------
        0                       All OK, Option -?, -h etc.
        1                       Internal error
        2                       Option -exit
        3                       Overlay (MemScan.ovr) handling error
        8                       Not enough free memory available

        10                      QuickMemoryScan found a virus
        11                      NOSTEALTHTEST found a virus
        12                      NOWINTEST found a virus
        13                      Found a virus in the main scan function

Hints and FAQ

Q: can you help me fix the virus on my main memory...?
attached is the view of memscan and qms...

A: I think this is a so called "false positive". Please read the attached document (MemScan_Eng.txt). If you have a DOS or boot virus, you should be able to trace it (as described in MemScan_Eng.txt) with QMS/MemScan and VirScan Plus. What DOS Version and Windows Version do you use. Some special DOS drivers in usage?

Q: Only the TESTBOOT routine found something. Since it was in German, I really
didn't know what it said. I went to an online translator and realized that
it said "wert ermittelt" and "wurden gesichert" which translated "worth
determines" and "became secured". After that I ran it again and it didn't

A: That’s normal for the first (initial run) - I have added were possible an English translation in the new version!

Tip
 How you can possibly detect a file-/boot virus:

  1. MemScan -unb -high

  2. QMS -unb

  3. put testboot.exe into the Autoexec.bat as last command (DOS/Win9x based systems only)

  4. rhbvs -auto -log -all -high

Integrated virus protection

The program contains an integrated check-sum tester to alert the user on a possible virus infection. The check-sum for the program can be found in the file with the extension ".XXX".

This check-sum contained in the file as well as the main program must not be changed nor modified in any case! Otherwise, the main program regards itself being possibly infected by a virus (a virus still unknown to the program)!

Following features of the EXE file are monitored and checked for modifications every time the program is executed:

  • Check-sum (CRC32) - If only one bit of the program is changed by a virus, the check-sum will no longer match (own secure routine, according to ANSI X3.66 - CRC-Poly is: 0xDEBB20E3).

  • File size - If a program becomes one or two KB longer, it is infected!

  • Overlay size - If the program uses overlays (".OVR").

I strongly recommend not making any changes to the EXE & XXX-file since the program will not run any more!

The file with the extension ".XXX" also contains the creation date and the standard MD5 checksum that can be checked with other tools like md5dir or hashall from ROSE SWE. Verifying the CRC32 checksum takes less than 1 second (depending on computer type and hard disk drive). If the check-sum is OK, the program is being executed. Otherwise a detailed error report with indications of possible error reasons will be displayed.

This is a screen shot of MemScan self check envelope finding itself infected with an 647 bytes EXE infector!

#####   Länge der Datei MEMSCAN.EXE hat sich geändert!   #####

Hierfür gibt es mehrere Möglichkeiten für diese Fehlermeldung:

¦    Ein Virus hat das Programm befallen!
     Am besten gleich mit VirScan Plus testen ...
     WARNUNG: Programm ist um 647 Bytes größer geworden!!!
     SENDEN SIE UNS DIESE DATEI ZU ANALYSEZWECKEN ZU! TYPISCH FÜR VIREN!

¦    Sie haben die Datei MEMSCAN manipuliert, deshalb ist die
     Checksumme verändert worden.

¦    Sie haben nicht alle Dateien mitkopiert (s. o.), oder auf dem
     Datenträger sind Informationen verloren gegangen (Bits umgekippt).

¦    Verwenden Sie die Option /NOCHECKCRC um diese Überprüfung zu umgehen!

Bitte die ENTER-Taste zum Fortsetzen drücken...

Other/Misc

If you want to obtain the full versions of my antivirus software, please start the program REGISTER.COM, and an order form will be printed.

By the way: MemScan is compressed from 380 KB to currently 87 KB EXE + 183 KB overlay!

What’s new?

Version         Changes
#######################################################################
3.00            Parts of MemScan were swapped out to the overlay
                file MEMSCAN.OVR, therefore MEMSCAN needs 50 KB less
                working memory. Added checksum tester.
3.10            Extended 'Am I There' Virus test.
3.17            Program does not wait any more for key stroke
                if NO virus was found!
3.33            Number of detected viruses: approx. 3.000!
3.36            The package now includes HMS.COM.
3.50            Live Bait Test to detect
                unknown file viruses.
3.53            New ChkPC version (Hare & Boot-437)
3.55            50 new viruses, i. e. CriCri & Grief.
3.98            4180 viruses. QMS, TestBoot & HMS were
                considerably enhanced. The Live Bait
                Test was considerably enhanced.
4.xx            New Viruses.
5.0.1           Completely redesigned version. Program in English!
5.1.0           Added Stealth Live Goat Test.
5.6             /NOPATHCOMPANION, /NOLIVEBAIT
5.7             /NoMem
6.0             Win32 Live Bait Test
6.2.7           /NoWin32Test, /NoStealthTest, DOKU revised
6.3.1           This English documentation added
6.5.5           /NoHMA fixes, A20-Gate/HMA fixes
6.6.8           Tons of new viruses due to F_Mirc Linux porting
9.5.5           adapted to run with DosEMU (Linux)
9.5.8           30.08.2017 - Ported this documentation to ASCIIDOC
  10.1.5              22.01.2018 - new viruses

BANNERWARE from ROSE SWE

This program may be freely copied and passed on. It is considered as so- called Bannerware. I only request the following declarations to be kept:

  • ©opyright by ROSE SWE, Ralph Roth (the so-called Banner)

  • sale and/or industrial transmitting of the programs is forbidden. No commercial transmitting without ours hard-copy consent!

  • the programs MUST distributed free and/or passed on against a small copying-charge (Shareware trader) (max. EUR 10,--).

  • the program/documentation must not be changed!

  • the program package must be passed on complete and unchanged!

Trademarks of other companies mentioned in this documentation and package appear for identification purposes only and are property of their respective companies.

NOTICE TO USER: You should read the following terms and conditions carefully before using this software. Your use of this software indicates your full acceptance of this license agreement and warranty. BY INSTALLING THIS SOFTWARE YOU ACCEPT ALL THE TERMS AND CONDITIONS OF THIS AGREEMENT.

The SOFTWARE is owned and copyrighted by ROSE SWE. Your license confers no title or ownership in the SOFTWARE and should not be construed as a sale of any right in the SOFTWARE.

No Warranty. The Software is being delivered to you AS IS and ROSE SWE makes no warranty as to its use or performance. ROSE SWE AND ITS SUPPLIERS DO NOT AND CANNOT WARRANT THE PERFORMANCE OR RESULTS YOU MAY OBTAIN BY USING THE SOFTWARE OR DOCUMENTATION. ROSE SWE AND ITS SUPPLIERS MAKE NO WARRANTIES, EXPRESS OR IMPLIED, AS TO NON INFRINGEMENT OF THIRD PARTY RIGHTS, MERCHANTABILITY, OR FITNESS FOR ANY PARTICULAR PURPOSE. IN NO EVENT WILL ROSE SWE OR ITS SUPPLIERS BE LIABLE TO YOU FOR ANY CONSEQUENTIAL, INCIDENTAL OR SPECIAL DAMAGES, INCLUDING ANY LOST PROFITS OR LOST SAVINGS, EVEN IF AN ROSE SWE REPRESENTATIVE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR FOR ANY CLAIM BY ANY THIRD PARTY.

In short: This software is provided as-is, without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. If you do NOT agree simply do NOT install and use this software!

Copyright

(C)opyright by (ALL RIGHTS RESERVED!)


__________ ________    ____________________   ___________      _____________
\______   \\_____  \  /   _____/\_   _____/  /   _____/  \    /  \_   _____/
 |       _/ /   |   \ \_____  \  |    __)_   \_____  \\   \/\/   /|    __)_
 |    |   \/    |    \/        \ |        \  /        \\        / |        \
 |____|_  /\_______  /_______  //_______  / /_______  / \__/\  / /_______  /
        \/         \/        \/         \/          \/       \/          \/

 -------------------------------------=-----------------------------------
     ROSE SWE                           See ROSEBBS.TXT for
     Dipl.-Ing. Ralph Roth              full address, FAX and PGP keys.
     http://rose.rult.at
     rose_swe@hotmail.com               All Rights Reserved!
 -------------------------------------=-----------------------------------
Note
 Initial Translation by ez-web Digital Services, ezweb@gmx.net in 03/2002

End of documentation