Q72796: Common Ways of Detecting a Virus in MS-DOS
Article: Q72796
Product(s): Microsoft Disk Operating System
Version(s): MS-DOS:3.x,4.x,5.0
Operating System(s):
Keyword(s):
Last Modified: 17-DEC-2000
-------------------------------------------------------------------------------
The information in this article applies to:
- Microsoft MS-DOS operating system versions 3.1, 3.2, 3.21, 3.3, 3.3a, 4.0, 4.01, 5.0
-------------------------------------------------------------------------------
SUMMARY
=======
Viruses commonly "hide" in little-used files such as FIND.EXE. Listed below are
steps you can take to check for a virus without the benefit of a viral scanner.
The procedure involves using CHKDSK and FIND (commonly targeted for infection)
to check for changes in conventional memory and/or file size.
MORE INFORMATION
================
If you suspect your machine may have contracted a virus, do the following:
1. Put write-protect tabs on your DOS disks. This will keep the disks from being
written over, and they can be used as a reference for file size and date
checking.
2. Compare the file sizes and dates of the DOS disks to the corresponding files
residing on the hard drive. One way you can accomplish this task is to boot
up with the DOS system floppy disk and, at the A: prompt, type "DIR *.* >
PRN" (without the quotation marks). This command will pipe a directory
listing to the printer.
3. Repeat step 2 using the DOS supplemental disk.
4. Type "C:" (without the quotation marks) and change to your DOS directory.
Type "DIR *.* > PRN" (without the quotation marks) again. Be sure to do
this for COMMAND.COM as well (it may be in the root directory). If there is
any discrepancy in file sizes or dates between the DOS disks and your hard
disk, you may have a virus. In that event, you should obtain a virus cleaning
program and/or reformat your hard disk.
5. Run CHKDSK after powering on your computer (don't boot off the floppy disk).
At the bottom of the read-out, CHKDSK will give a number for Total Bytes
Memory, as well as Bytes Free. Write down these numbers.
6. Change to the directory in which the DOS commands reside. Type "DIR FIND.EXE"
(without the quotation marks). Note the the size of the file and the date.
7. Type "FIND" (without the quotation marks). You will receive an error message
telling you "No Parameters Specified", However, the command has been
activated, even if in error.
8. Run CHKDSK again. Check too see if there is any change in Total Bytes Memory
or Bytes Free. Since FIND.EXE is not a memory-resident utility, there should
not be a difference. If there is, you may have a virus. You should obtain a
virus cleaning program and/or reformat the hard disk.
9. Change to your DOS directory. Once again, type "DIR FIND.EXE" (without the
quotation marks). Compare the files size and date with the number you had
written down previously. If there is a change, you should obtain a virus
cleaning program and/or reformat the hard disk.
MS-DOS version 5.0 disks are shipped without a notch; therefore, they are write
protected. The chances of these disks containing a virus are extremely small.
The DOS 5.0 disks are compressed; therefore, the file sizing is different. You
can tell a compressed file by the underscore that will be the last character of
the extension on a compressed file. To expand a compressed file, use the expand
utility on Disk 5 (for 5.25-inch disks) or Disk 3 (for 3.5-inch disks).
Additional query words: 3.20 3.21 3.30 3.30a 4.00 4.01 4.01a 5.00
======================================================================
Keywords :
Technology : kbMSDOSSearch kbMSDOS321 kbMSDOS400 kbMSDOS320 kbMSDOS330a kbMSDOS310 kbMSDOS500 kbMSDOS330 kbMSDOS401
Version : MS-DOS:3.x,4.x,5.0
=============================================================================
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
Copyright Microsoft Corporation 1986-2002.