Copy Link
Add to Bookmark
Report
40Hex Issue 06 File 001
40Hex Number 6 Volume 2 Issue 2 File 001
-------------------------------------------------------------------------------
Memory Resident Anti-Virus Detection
and Removal
-------------------------------------------------------------------------------
Here is a list of ways to see if anti-viral utils are present in memory.
I got the list out of PC interupts, a book by Ralph Brown. Here they are:
F.-DRIVER.SYS (Part of the F-Protect virus package by Fridrik Skulason.)
This program "grabs" the INT 21 monitoring code, if it was not
already taken by another program.
INT 21h, Function 4Bh, Sub Function EEh
AX must = 4BEEh at call, and call returns AX=1234h if F-Prot
sucessfully grabbed INT 21, and AX=2345h if the grab failed.
F-DLOCK.SYS (A HD access restrictor, part of F-Protect Package)
Call INT 2Fh, Funct. 46h, SubFunct 53h
At call, AX must = 4653h, CX=0005h, BX= 0000h
If present in ram, AX will return FFFFh. To uninstall, call
with AX & CX the same as above, but BX= 0001h. AX, ES, & BX
will be destroyed.
F-LOCK.EXE (Part of F-Protect package, looks for "suspicious" activity)
INT 2Fh, Funct 46h, SubFunct. 53h
To call: AX = 4653h, CX=0002h, BX=0000h (installation check)
BX=0001h (uninstall)
BX=0002h (disable v1.08 & below)
BX=0003h (enable v1.08 & below)
Call returns AX=FFFFh if installed ( BX=0000h at call)
AX, BX, and ES destroyed, if uninstalled (BX=0001 at call)
F-POPUP.EXE (Pop up menu for F-Protect)
INT 2Fh, Funct. 46h, SubFunct. 53h
To call: AX=4653h, CX=0004h, BX= 0000h, 0001h or 0002h
(See above - BX same as F-Lock)
Returns: Same as F-LOCK.EXE
F-XCHK.EXE (Prevents execution of any progs which don't have self-checking
code added by F-XLOCK)
INT 2Fh, Funct. 46h, SubFunct 53h
To Call: Registers = same as F-Popup, except CX=0003h, and
BX = 0000h (installation check) or 0001h (uninstall)
Returns: same as F-LOCK, above.
TBSCANX (Resident Virus scanning Util by Frans Veldman)
INT 2Fh, Function CAh, SubFunct 00h
Call: AX=CA01, BX=5442h ("TB")
Returns: AL=00h if not installed, AL=FFh if installed
BX=7462h ("tb") if BX was 5442h during call
INT 2Fh, Function CAh, Subfunction 02h (Set state of TBSCANX)
Call: AX=CA02h, BL = new state (00h=disabled, 01h=enabled)
VDEFEND (Part of PC-tools. Works on v7.0)
INT 21h, Function FAh
To call: AH=FAh, DX=5945h, AL=subfunction (01h to uninstall)
returns: CF set on error, DI = 4559h (?)
DATAMON (PC Tools 7.0 file protection)
INT 2Fh, Funct 62h, Sub Funct 84h
Call: AX=6284h, BX=0000h (for installation check), CX=0000h
Returns: AX=resident code segment, BX & CX = 5555h
Flu Shot, or Virex PC
INT 21h
Call: AX=0ff0fh
Returns if either is installed: AX=101h
If anyone has any more Anti-Viral IDs, post 'em on Digital Warfare and I'll
update this list.
---DecimatoR PHALCON/SKISM
