PCjs Machines

Home of the original IBM PC emulator for browsers.


PC-SIG Diskette Library (Disk #3968)

[PCjs Machine "ibm5170"]

Waiting for machine "ibm5170" to load....


Three year - anti-virus support:

For three years from the date you register your copy of Integrity Master,
Stiller Research will provide the following support at our expense:

 o If we discover a virus which can infect your PC and not be detected by
   Integrity Master, we will be notify you as soon as we confirm this threat.

   This refers to Integrity Master's ability to detect unknown viruses
   by detecting changes to affected files or system areas on your PC.
   appear daily, this would be too costly.

   Please read the chapter on detecting unknown viruses for details on how
   Integrity Master detects (new) unknown viruses.  Clearly, Integrity
   Master can't name and otherwise identify a newly created virus.
   (This virus won't even have a name until it is analyzed and a name is
   agreed upon.) (In many cases, new viruses STILL can be identified by
   name, since most new viruses are not really new but are modifications
   of existing viewers.  Integrity Master works by detecting certain core
   virus characteristics which are often still present in a modified

 o We will provide instructions on what precautions to take and deliver
   a version of Integrity Master designed to handle this virus as soon
   as it's available.

 o This offer applies only to the hardware upon which you originally
   installed Integrity Master and the DOS operating environment.


Sample descriptions                                              Page 1 of 5

          - Integrity Master(tm), Version 1.51 - DESCRIBE.DOC -

                    I N T E G R I T Y    M A S T E R

                             Version 1.51

                    D E S C R I P T I O N    A N D

                 A U T H O R    I N F O R M A T I O N

                     Last updated:  June, 1993

This file includes sample descriptions which you may use to describe
the Integrity Master(tm) package.

Shareware distributors, disk vendors and computer clubs please refer
also to the VENDOR.DOC text file.  Bulletin board system (BBS) sysops
please refer to SYSOP.DOC.

                         Program Information:

File Name(s) for BBSs:

    I-M151.ZIP  -Integrity Master V1.51 - Data integrity/Anti-virus system

    If the program is compressed using some other file compression method,
    then please use the name "I-M151" with the appropriate extension
    (PAK, ARC, LZH, ZOO, etc.).

Sample descriptions                                              Page 2 of 5

            - Integrity Master(tm), Version 1.51 - DESCRIBE.DOC -

Integrity virus disk boot security diagnostic detection antiviral error ASP

   Utilities, Diagnostic or Virus

Minimum requirements:

    MS or PC/DOS Version 2 or later plus 256K of memory.

 Complete, easy to use, data integrity for your PC plus virus removal.

 Not just an anti-virus program!  It's an easy to use, anti-virus and data
 integrity system. Also useful for PC security, diagnostics and change control.

 Do you have a virus?  A flaky hard disk?  Did someone change something on your
 PC while you were out?  Find out for sure with Integrity Master(tm)!  Does not
 require periodic updates, but still identifies known viruses.

 Easy to use, anti-virus and PC integrity program that also provides
 security, change control and disk diagnostics.  Does not require periodic
 updates, yet identifies known viruses by name as well as unknown viruses.

 Do you have a virus?  A flaky hard disk?  Did someone alter a file while you
 were out?  Find out for sure with Integrity Master(tm)!  It enables detection
 and recovery from ANY virus, yet does not require periodic updates.  Protects
 against much more than just viruses!

 Complete, easy to use, data integrity plus virus removal.  It protects against
 much more than just viruses.  Hardware glitches, software bugs, even
 deliberate sabotage are detected.  If a virus strikes, Integrity Master
 identifies it by name and (unlike other programs) also identifies any damage
 caused by the virus.  It will even detect new and unknown viruses.

Sample descriptions                                              Page 3 of 5
           - Integrity Master(tm), Version 1.51d - DESCRIBE.DOC -

Integrity Master(tm) is a high performance (100% assembler) program offering
virus protection, data integrity, security and change management all in one easy
to use package. It detects hardware glitches, software bugs, and even deliberate
sabotage to your data. If a virus strikes, Integrity Master identifies it by
name and (unlike other programs) also identifies any damage caused by the
virus.  It will even detect new and unknown viruses. This saves you money and
time since you don't have to upgrade every month to detect the latest viruses.

 Do you have a virus?  A flaky hard disk?  Did someone change something on
 your PC while you were out?  Find out for sure with Integrity Master(tm)!
 Integrity Master is the easy way to defeat viruses and get extra benefits of
 PC security, change control and disk problem detection.  If there is a change
 anywhere on your disk, no matter what the cause, Integrity Master will track
 it down identify it, and then its built in Integrity Advisor(tm) will explain
 what to do.  Known viruses are identified by name, but Integrity Master does
 not require periodic updates (as other virus programs do) to keep up with the
 latest viruses.  Don't get a program that is just an anti-virus program.  Get
 something more powerful and more useful!  Integrity Master provides an all
 around PC integrity solution going far beyond mere virus checkers.

 Integrity Master, is the world's most powerful anti-virus, and PC integrity
 software.  This high performance assembly language program is written by
 the author of PC Magazine's PCdata integrity toolkit.  Integrity Master
 provides function and performance far beyond any other anti-viral or
 data integrity software, yet is easy enough for novice users.  Integrity
 Master features:

1) Integrity Master recognizes known viruses by name and will describe their
   characteristics and then guide you through their removal.

2) It can detect not only existing viruses, but also as yet unknown viruses.
   Unlike other programs, which you must constantly update to keep ahead of
   the current crop of viruses, Integrity Master continues to protect you.

3) Unlike other programs, it detects sectors and files which were damaged by
   a virus not just those that were infected.

4) Integrity Master understands which files and areas on your disk are
   special and provides special specific diagnosis and recovery if these
   areas have changed.

5) Integrity Master can reload system sectors on disks which are so badly
   damaged that DOS can no longer recognize them.

6) Integrity Master detects any form of file or program corruption, not
   just that caused by viruses.  This makes Integrity Master a useful tool
   to provide PC security, change management and hardware error detection.
   Why spend your time merely checking for viruses when you give your PC a
   complete check out with Integrity Master?

Sample descriptions                                              Page 4 of 5

           - Integrity Master(tm), Version 1.51 - DESCRIBE.DOC -

7) Integrity Master provides easy to use menus with built in help and the
   experience of a PC integrity expert through it's Integrity Advisor(TM)

8) Integrity Master is useful as an aid to PC security. If someone changes,
   adds or deletes any of your files you will know.

9) Integrity Master is useful with disk diagnostics.  You can run your
   normal test programs to check if your disk drive is working OK right now,
   but was it working correctly at 3 PM yesterday?  Integrity Master will
   detect if a disk error damaged some data yesterday.

10)You just restored your files from a backup.  Are all the files really OK?
   Integrity Master will tell you.

11)You just deleted *.BAT rather than *.BAK.  Integrity Master will tell you
   exactly which files you need to restore.

12)Your hard disk is having problems.  Now DOS will not even recognize it as
   a disk.  IM can diagnose and then reload your partition and boot sectors
   to "fix" your disk!

Registration Information:

   Integrity Master can be registered by cash check or credit card
   through our agents world-wide.

   Upon registration, the most current version of Integrity Master is
   shipped directly from the author.  One year free technical support is
   provided which includes assistance in removing viruses.  The
   professionally printed book: "Defeating Viruses and Other Threats to
   Data Integrity,"  a complete guide and reference manual for IM as
   well as information on data integrity and viruses is provided.
   Registration entitles the customer to Stiller Research's exclusive
   three year virus update service as described in file 3YEAR.DOC.

   For complete user registration information please refer to the
   ORDER.DOC text file.

Sample descriptions                                              Page 5 of 5

           - Integrity Master(tm), Version 1.51 - DESCRIBE.DOC -

Author/Publisher Information:

Stiller Research is a company specializing in operating systems related
software owned and operated by Wolfgang Stiller.  This expertise in
operating systems makes Stiller Research uniquely capable in the areas
of data integrity and viruses.  Wolfgang Stiller is the author of
PC Magazine's PCdata integrity toolkit and the accompanying article,
published in the February 13, 1990 issue of PC Magazine.

Stiller Research has been producing top quality computer software at
reasonable prices, continuously, since 1985.

Please feel free to contact me (Wolfgang Stiller) at any time if you have any
questions, comments or suggestions.  I can be reached by mail at the
following address:

   Wolfgang Stiller
   Stiller Research
   2625 Ridgeway St.
   Tallahassee, FL. 32310-5169

I can also be reached electronically as follows:

           72571,3352  on CompuServe

           72571.3352@compuserve.com on InterNet, Bitnet, etc.

           PHSH44A on Prodigy.



 ------> File: DISKHELP.TXT - what to do when IM can't access your disk <------
 Q: SETUPIM won't recognize my disk(s)!  What can I do?

 A: Remove any other memory resident software which you don't need.  If
    you are using DRIVER.SYS (in your \CONFIG.SYS file) to assign
    duplicate letters to the same disk, remove that and reboot.  If you
    are using disk monitoring or disk cache software try removing that
    and rebooting.  We have had a report of Norton Cache causing such a
    problem on a PC with a DTK/ERSO BIOS>

 Q: I'm getting errors when checking diskettes yet they appear to be

 A: Make sure that you are not writing the report file to the disk being
    checked.  This can cause a problem if the disk is write protected or
    if you change disk(ette)s.  If the report file is being written to a
    removable device such as a diskette, DOS (and IM) will become
    confused if the disk is removed while IM is still trying to write
    to this file.

    To fix this, either turn off the report file or use the OPTIONS menu
    to have it go to a specific disk other than the one being checked.

Q: I just tried to check or initialize on my hard disk. Integrity Master
   replied that this disk was not working.  What's going on?

A:  For some reason, Integrity Master is unable to access this disk.
    This could be due to the disk having a problem or because we are
    missing some software that is required access the disk.  This
    software is commonly known as a device driver.

   If this is a disk that Integrity Master formerly recognized, then you may
   wish to run any hardware diagnostics to make sure that it's working

   Here are the steps to solve this problem:

   1) Boot your PC as you normally do.  Enter a command such as "DIR" to
      verify that your disk is really working.

   2) Now execute SetupIM (this is the Integrity Master install program)
      without re-booting your PC.  Do either a new install or a reinstall.
      SetupIM will recognize most special disk software (such as Disk Manager)
      and will advise you exactly what to do.

   3) Follow the directions presented to you in SetupIM to finish the install.
      These directions are also written to file IMPROC.TXT.

   4) IM should now be able to access this disk.  If not, then you may
      be using some special software that is unknown to us a this time.
      Don't worry, this should be no problem; it'll just take a few more

   5) (Only do this step, if IM is still unable to access your disk.)
      Check the CONFIG.SYS file on the disk from which you normally boot.
      To do this, enter these commands:

         CD \                (hit the ENTER key)
         TYPE CONFIG.SYS     (hit the ENTER key)

      (If the IMVIEW.COM file is available, you could enter the command:
      "IMVIEW CONFIG.SYS"; this will allow you to view the file and scroll
      forwards and backwards.)

      This will display the contents of your CONFIG.SYS file.  Look for lines
      which begin with: "DEVICE=".  On the floppy from which you boot your
      PC prior to running IM, create a similar CONFIG.SYS file containing
      these same "DEVICE=" statements.  You will also need to copy the
      associated files from the "DEVICE=" statements.
For example, if your CONFIG.SYS file contains:
                DEVICE=C:\DOS\DRIVER.SYS /D:2
You will need to locate files DRIVER.SYS and DMDRIVR.SYS and copy them to
your boot diskette. Notice that the "DEVICE=" statement for DRIVER.SYS
specifies C:\DOS as the location of this file.  Since we'll be booting from
a floppy, we'll need to remove this so the statement will read:
Since the "DEVICE=" statement for DMDRIVR.SYS does not specify a directory,
it's OK as it stands.

If you see the following files referred to in "DEVICE=" statements, you may
safely assume that they are not needed for disk support and exclude them from
your CONFIG.SYS file:

         MOUSE.SYS           ANSI.SYS          SMARTDRV.SYS
         KEYBOARD.SYS        VDISK.SYS         SHARE.EXE
         PRINTER.SYS         DISPLAY.SYS

Continuing with our example; now that you've determined which DEVICE=
statements you might need, enter the following:  (or use a text editor)

       COPY CON A:CONFIG.SYS         (hit the ENTER key)
       DEVICE=DRIVER.SYS /D:2        (hit the ENTER key)
       DEVICE=DMDRIVR.BIN            (hit the ENTER key)
       (now hit F6 or control-Z)
       COPY C:\DOS\DRIVER.SYS A:     (hit the ENTER key)
       COPY C:\DMDRIVR.BIN A:        (hit the ENTER key)

If you're not sure about which "DEVICE=" statements and programs to include,
include them all (in this case, you could just copy your entire CONFIG.SYS
file to your boot floppy).

What you've just done is to create a CONFIG.SYS file containing just
the device drivers you need to be able to access the disk and then copied
the actual disk drivers to your IM boot floppy.

Boot from this floppy and try IM again.  If this still doesn't work,
repeat step five with your AUTOEXEC.BAT file.  You may be executing a program
in the AUTOEXEC.BAT needed to support this disk. (This is unusual!).
Create a matching AUTOEXEC.BAT file on your floppy and copy the corresponding
programs to the floppy.

If you needed to use step five, please contact Stiller Research and let
us know what special software you are using.  This will allow us to include
support in SetupIM for this software, so future installations will be easier.
We will compensate you for your trouble.

If for any reason this does not solve your problem, please contact Stiller
Research.  Include a copy of your CONFIG.SYS and AUTOEXEC.BAT file along
with a description of the disk hardware you are having a problem with.
Please let us know as much as possible about how your disk was setup and
what error messages you are getting from IM or SetupIM.

Read file SUPPORT.DOC for the complete list of ways to contact us
(IMVIEW SUPPORT.DOC) or just write to:

                    Stiller Research
                    2625 Ridgeway St.
                    Tallahassee, FL 32310


Version 1.51b  Released 6-17-93

Changes affect only SetupIM. IM.EXE is unchanged except for the version #.

1) Support for the new DOS 6 CONFIG.SYS parameters has been further
   enhanced.  SetupIM now recognizes the
   "DEVICEHIGH /L:xxxxx /S =C:\DOS\xxxx.sys" type lines as well as
   continuing to support the older "DEVICEHIGH SIZE=nnnnn C:\xxxxx" type
   of entry.  SetupIM will recognize DOS 6 blocks "[xxxxx]" blocks
   in the CONFIG.SYS file. It will check each block until it finds a
   block containing statements that would be needed on a boot floppy
   and will use those to prepare an emergency boot floppy.

2) A bug caused SetupIM V1.51a failed to recognize certain device
   Config.sys file.

Version 1.51a  Released 6-14-93

1) IM identifies over 75 new viruses by name and characteristic including:
   CV4, CyberTech, Dome, Dreamer, Frajer, Futhark, Gosia, Hoa, Intrep,
   Jerus3, July13, Kiev2, Lepr2, Liquid, Loren, Lurve, Ontario730,
   PrintMonster, RunTimeErr412, Sentnl-I, Shaman, Simple, Sinep, Star1,
   Sticky, Uruk-Hai, Uruk394, V160, Volga, Wild Thing, ZAPHOD

The following three items will affect you only if you do a "new" install
with SetupIM:

2) Compressed volume files by Stacker, DoubleSpace and SuperStore are
   now excluded from checking by default.  It's pointless to check
   these files since IM will be checking the files on the compressed
   volume.  The exclude menu in IM can be used to modify this.

3) Integrity Master (SetupIM) recognizes additional device drivers for
   Stacker, DoubleSpace, SuperStore and the Bernoulli (RCD.SYS) device

4) Integrity Master excludes OS/2 extended attribute files from default
   checking.  This was causing confusion since OS/2 changes these files
   without updating the time and date stamps normally. You can reverse
   this by using the Exclude menu.

Version 1.43c  Released 4-19-93

1) We've made virus naming corrections to adhere more closely to the CARO
   naming standard and reduced size of some text files.

Version 1.43b  Released 4-14-93 via ASP mailing

1) IM identifies over 250 new viruses by name and characteristic including:
   the following viruses: Tiny128, 2 minutes, A&A, ARCV1-9, Albanian, Alien,
   Barrotes, Beer, Benoit, BitAddict, Bubbles, CCCP, Chemnitz, Cinderella2,
   Costeau, Cpw, DIR3, DemoEXE, Demon, EXEbug, Experiment, Explode, FichvE1,
   GotchaF, Grunt2, Interceptor, IntruderB, Joanna, Jos, Joshua, Kamikaze2,
   Kiwi, Kthulhu, LPToff, Loki, Lovechild, Loz693, Luca, Lythyum, MD499,
   Malaise, Malign, Marauder, Mayak, Minimax, Ministry, Mix1b, Mr.Virus, NCU
   LI, Necropolis, Not586, Oxana, Pitch, PopooLar, Problem, Sandwich,
   Shadow, Shirley, SillyCR, Silly Willy, Silver Surfer, Skew, Stasi, Storm,
   Strange, SwissArmy, Tankard, Telecom3, Timemark, Todor, Tremor, Traveling
   Jack, Warrior, Wilbur, Wizard, Wolverine, X-2, X-1, Yeke.  IM now has
   improved algorithmic detection for viruses generated using the mutation
   engine (AKA mte or DAME) or with PS-MPC.  IM uses similar techniques to
   recognize Tremor and the V2Px or V2P6z related viruses.

2) You can now change directories by using the "/P" command line parameter.
   (e.g., "IM /P\DOS" /CR"  will check files in the \DOS subdirectory.)

3) You can now use the form "IM /Da:b:c:" to check disk a, b and then c.
   The older form of "IM /Dabc" is, of course, still supported for this.

4) We eliminated all remaining pauses in the screen display when you use
   the "/NE" command line parameter or if you have the "Halt" option set
   to "emergencies only".  This makes IM easier for sysops to run
   automatically to check uploads for viruses.

5) The "/VO" command line switch (scan current disk for viruses) is now

Version 1.42a  (Limited SYSOP only distribution)

Version 1.41c  (European Edition released 1-28-93)

Version 1.41b  (Shareware release only) 1-26-93

Version 1.41a  (released 01-16-93)

1) Integrity Master will now display dates in a variety of formats to
   suit national preference.  Months can be displayed in alphabetic form
   and years are now displayed in full four digit (e,g,. 1993) format.
   This makes it more obvious what's happening when viruses like 4096
   set the year ahead by 100 years.  The advanced option menu in SetupIM
   allows you to change the date and time format to suit your own
   preference if you don't like the standard used for your country;
   otherwise, IM will select the format appropriate to your country.  By
   default, IM now uses an alphabetic format for months and a four digit
   format for years to eliminate any possible confusion between months
   days and years.

2) IM will now report any file with its date stamp set beyond the
   current system date as a suspicious file and will explain in more detail
   when it finds problems with a file's directory information.

3) We've added the extended file/directory checks formerly found in only
   IM iteself to IM's stand alone file checker (IMcheck) which now
   checks for corruption or suspicious values in the directory entries
   and supports IM's enhanced date format.  IMcheck (now version 1.4)
   also uses a new technique to compute the check values so it will
   produce different results than the prior versions (1.3 and earlier).

4) Integrity Master now supports the "/VM" command line option to scan
   multiple diskettes.  The corresponding option is also on the virus
   scan submenu.  This allows you to scan several floppies hitting only
   a single key between each diskette unless a virus or other serious
   problem is found.

5) IM now writes two separator lines with a date/time stamp at the
   beginning of each report it writes to make it easier to find the results
   of a particular run.

6) In order to help less experienced users, IM will now present the
   initialize menu rather than the check menu whenever it thinks you
   need to run an initialize.

7) You now have greatly expanded control over your integrity data.  Using
   SetupIM, you can ask IM to give these files the DOS read-only or hidden
   attributes and you have several new naming options.

8) IM now supports variably named integrity data files.  In addition to
   giving your integrity data files any name of your choice you can now
   ask IM to give each file it creates a different (and apparently random)
   name.  This makes it very difficult for someone to recognize your
   integrity data files if you keep them on your hard disk.

9) IM identifies over 150 new viruses by name and characteristic.

Version 1.31e  (Europe only) Released 12-3-92)

Version 1.31d  (Released 12-3-92)

Minor changes.

Version: 1.31a  (Released 11-13-92)

1) IM identifies 95 additional new viruses by name.

2) IM now allows you to assign a name of your choice to integrity data files.

3) We removed the old "primary options" menu which duplicates the options
   menu in IM.

Version: 1.24a  (Released 9-03-92)

Over 150 new viruses are identified by name and characteristic

Version: 1.23a  (Released 7-14-92)

1) The COMMANDS menu now contains an "uninstall" option. to remove

2) We added three new command line options to scan files and system sectors.

3) New viruses and variants are identified by name.

Version: 1.22a  (Released 6-22-92)

1) SetupIM now allows you to exclude specific disks from checking.

2) New viruses.

Version: 1.21a

1) Files or directories may now be excluded.

2) During a virus scan, lines are now inserted in the report window (and
   file) any time suspect or infected files are detected.

Version: 1.20a  (Beta)

1) IM now offers automatic virus removal. This can be selected for
   specific viruses or for all viruses encountered.

2) The detail virus report screen can now be suppressed, either globally
   or only for specific viruses.

3) Keyboard handling has been modified to be compatible with the "NEWKEYS"
   keyboard and buffer enhancer.

4) New viruses.

Version: 1.13a (Released April 13, 1992)

1) New viruses.

2. Deleted directories are reported even if checking only programs.

Version: 1.12b (Released March 17, 1992)

Version: 1.12a (Released March 13, 1992)

(Details deleted)

Version: 1.11a (Released Feb 17, 1992)

(Details deleted)

Versions 1.03a/b/c and 1.10a/b were limited release beta versions.
   These versions are not for public use.

Version: 1.02b  (released 12/18/91)

Version 1.02a:  (released 12/16/91)

Version 1.01A: 11/15/92

   First general release (non-beta test) version of IM mailed world-wide.

Versions prior to 1.01a were limited beta versions.


                  I N T E G R I T Y     M A S T E R (tm)

                             Version  1.51

      An easy to use, data integrity and anti-virus program which also
       provides PC security, change control and disk error detection.

             Users Guide plus Data Integrity and Virus Guide


                Copyright 1990 - 1993 by Wolfgang Stiller
                           All rights reserved

                             Stiller Research
                            2625 Ridgeway St.
                         Tallahassee, Florida 32310

       Electronic mail to:

                CompuServe: 72571,3352
                InterNet, Bitnet, etc.: 72571.3352@compuserve.com
                Uunet: uunet!compuserve.com!72571.3352

   Integrity Master (tm)              -  2  -                 Version 1.51

    Third Edition November 1992  - Revised January 1993
    Copyright 1990-1993 Wolfgang Stiller.  All Rights reserved.

    The following paragraph does not apply where such provisions are
    inconsistent with law:

    Stiller Research provides this document "AS IS" without warranty of
    any kind, either express or implied, including, but not limited to the
    warranties of merchantability or fitness for a particular purpose.

    This document may include technical inaccuracies or typographical
    errors. We continually update and correct this document with the
    latest available information.

    Note to U.S. Government users:  Use, duplication, or disclosure by
    the U.S. Government of the computer software and documentation in
    this package shall be subject to the restricted rights applicable to
    commercial computer software as set forth in subdivision (b)(3)(ii) of
    Rights in Technical Data and Computer Software clause at 252.227-
    7013 (DFARS 52.227-7013).  The manufacturer is  Stiller Research,
    2625 Ridgeway St., Tallahassee, Florida 32310-5169.

    Integrity Master and Integrity Advisor are trademarks of Stiller
    Research.  Microsoft, Windows and MS/DOS are trademarks of
    Microsoft corporation.  IBM and OS/2 are trademarks of
    International Business Machines Corporation. Vines is a trademark of
    BANYAN Inc.  NetWare is a trademark of Novell Inc.  Unix is a
    trademark of AT&T. Sidekick is a trademark of Borland

    A P P R E C I A T I O N

    There are far too many individuals who have contributed to the
    development of Integrity Master and this accompanying book to thank
    individually.  Please accept my heartfelt appreciation!  I would like to
    express my appreciation to those who have freely given of their time
    and expertise to help us and other researchers: Vesselin Vladimirov
    Bontchev, Henri Delger, Paul Ferguson, Sara Gordon, Ross
    Greenberg, Frans Hagelaars, Glenn Jordan, Bill Lambdin, Yisrael
    Radai, Martin Roesler, Fridrik Skulason, Rob Slade, Harry Thijssen,
    Righard Zwienenberg, and Ken van Wyk.  All of you have made
    contributions which have made this book possible -- thank you!

    Integrity Master (tm)              -  3  -                 Version 1.51

    Use of Integrity Master(tm) (also known as IM) requires acceptance of
    the following license terms and warranty disclaimer.

    L I C E N S E    T E R M S


    Each PC must have its own licensed copy.  EACH COPY MAY
    ONLY BE USED ON ONE PC.  It may be removed from that PC
    and installed on another PC but IT MAY NOT BE INSTALLED ON
    MORE THAN ONE PC AT A TIME.  To use  Integrity Master on
    more than one PC, you must license extra copies.

    W A R R A N T Y    D I S C L A I M E R:





    Integrity Master (tm)              -  4  -                 Version 1.51
        T A B L E    O F    C O N T E N T S

    PART ONE - Integrity Master    User Guide

       License and Warranty Terms .......................  3

       Chapter One - Why Integrity Master
        Welcome! .................................... 7
        Don't Read This ............................. 7
        Why the User Guide .......................... 8
        What Can Integrity Master Do? ............... 8
        How Does Integrity Master Do These Things?... 9
        What Makes Integrity Master Special?......... 9
        Requirements and Limitations ............... 10

       Chapter Two - Installing Integrity Master
        Special Quick Install....................... 11
        Full Installation........................... 11
        Vital Files ................................ 12
        Screen Colors .............................. 13
        Using Integrity Master Menus................ 14

       Chapter Three - Running Integrity Master
        Integrity Master Screen Contents ........... 15
        Initializing Integrity Data................. 15
        What Is Integrity Data? .................... 16
        The Check Menu ............................. 16
        The Report File ............................ 18
        System Sectors ............................. 19
           Reloading ............................... 19
        The Commands Menu .......................... 20
           Disk Change and Directory Change ........ 20
           Quit - Exit the Integrity Master ........ 20
           Uninstall - Delete Integrity Data ....... 21
        The Statistics Summary ..................... 21
        Virus Checking Procedure ................... 22
           Scanning for Viruses .................... 23
           Detecting Viruses ....................... 23
           Detecting Unknown (new) viruses ......... 24
           The Integrity Master virus report ....... 25
           False Alarms ............................ 26
           Destroying Viruses ...................... 26
           Data Corruption ......................... 27
        Integrity Master and Disk Problems  ........ 27
        Integrity Master for PC Security ........... 28
        Integrity Master for Change Control ........ 29
        Command Line (BATCH) Execution ............. 30
           Syntax .................................. 30
           Error Levels  ........................... 31
        Using IMCHECK .............................. 31
        Other Operating Systems .....................33
           Microsoft Windows and OS/2............... 34
           Networks ................................ 34

    Integrity Master (tm)              -  5  -                 Version 1.51

       Chapter Four - Customizing
        The Parameter (Options) File ................ 35
        Options Menu ................................ 36
        Options in SETUPIM .......................... 41
        Integrity Data Options ...................... 42
        Updating Your Hardware Configuration ........ 43
        The Advanced Option Menu..................... 44

       Chapter Five -  Errors
        Error Recovery .............................. 47
        Solving Problems ............................ 47
        Answers to Common Questions ................. 48

    PART TWO - Data Integrity and Viruses

       Chapter One - Threats to your data
        Introduction - Viruses Get All The Glory .... 51
        Hardware Problems............................ 52
        Finger Checks ... ........................... 52
        Malicious or Careless Damage................. 52
        Software Problems ........................... 53
        Software Attacks ............................ 53
            Logic Bombs ............................. 53
            Trojans ................................. 54
            Worms ................................... 54
            Viruses ................................. 54
               General Virus Behavior................ 55
               System Sector Viruses................. 57
                  Boot Sectors ...................... 57
                  Partition Sectors ................. 57
               File Viruses ......................... 58
                  Miracle Infections ................ 59
        How Many Viruses Are There?.................. 60
        How Serious are Viruses?..................... 61

       Chapter Two - Protection for your PC
        Hardware Protection ......................... 63
        "Fixing" your disk .......................... 63
        Goof Protection  ............................ 64
        Intrusion Protection......................... 64
        Virus Defenses  ............................. 65
           Scanners ................................. 65
           Disinfectors ............................. 66
           Interceptors ............................. 67
           Inoculators .............................. 67
           ROM and Encryption ....................... 68
           Integrity Checkers ....................... 68
           Gadgets .................................. 70
           Prevention................................ 70

    Integrity Master (tm)              -  6  -                 Version 1.51

         Chapter Three - Virus Myths
          Mythical Sources ............................ 71
          Quick and Easy Cures ........................ 72
          Silly Tricks ................................ 72
          Certified Software? ......................... 72
          Retail Software Only? ....................... 73
          Write-Protecting Your Hard Disk ............. 73
          Safe Computing (Safe Hex?)................... 74
          Software Is Useless Against Viruses.......... 74

         Chapter Four - Virus Realities
          The ONLY Real Source of Viruses ............. 75
          Shareware Is as Safe or Safer ............... 75
          Few Virus Free Programs ..................... 76
          Write-Protecting Floppies ................... 76
          Beware the CE and the Demo! ................. 76
          Viruses Are Going to Get Worse .............. 76

         Chapter Five - What to do - Some Suggestions
          Action is Vital - Now! ...................... 77
          Backup Policy ............................... 77
          Integrity Checking Policy ................... 78
          Run CHKDSK .................................. 78
          Determining Causes of Corruption ............ 79
          Education ................................... 80
             Signs of Software Problems ............... 80
             Signs of Viruses ......................... 80
          Responsibility .............................. 81
          Policy and Routine .......................... 81
          Networks and Viruses ........................ 81
          Guidelines for Using Anti-virus Software..... 82

         Chapter Six - Handling a virus attack
          Don't Panic and Don't Believe the Virus ..... 83
          Report the Attack ........................... 83
          Play Detective............................... 83
          Clean House (Steps to Remove the Virus)...... 84
          Guard the House ............................. 84

    INDEX ............................................  85

    Integrity Master (tm)              -  7  -                 Version 1.51

    Part One - Integrity Master   Users Guide

    C H A P T E R   O N E   -   I N T R O D U C T I O N


    Welcome to the family of Integrity Master(tm) users!  Integrity Master
    (also known as IM) is the fastest, most powerful data integrity and
    anti-virus software available for any price.  I hope that you'll find
    Integrity Master an indispensable part of your PC tool kit.  From now
    on, you'll be back in control of all the data on your PC.


    Most people should never need to read the Integrity Master Users
    Guide.  If you're reading this to learn how to use Integrity Master,
    you're here for the wrong reason.  Just copy your files onto your
    hard disk and execute SetupIM.  The tutorial should tell you all you
    need to know to get started.  For additional help when using Integrity
    Master (IM), just hit F1 and select the index.  The odds are, what you
    need to know is there.

    While I think most people won't need to read Part One -
    Integrity Master Users Guide  (this part), I think everyone needs to
    read  chapters one through six of Part Two - Data Integrity and
    Viruses. This will help you understand the different threats to your
    PC and what you can do about them.  You'll understand more clearly
    how viruses work, how dangerous they are, and how to use Integrity
    Master or other products to protect yourself.

    Integrity Master (tm)              -  8  -                 Version 1.51


    I've written this users guide for three reasons:

    1) To provide more information on how to get the greatest benefit out
       of Integrity Master.  You'll learn how to:

       o use IM to detect totally new viruses

       o tell if file damage is likely due to a hardware problem or
         possibly a virus or a trojan

       o use IM to protect your PC from unauthorized tampering, etc.

    2) To explain certain aspects of Integrity Master in more detail and in
       different terms than the explanation available from IM's internal
       help screens.

    3) To satisfy people who prefer to read things on paper.  If you prefer
       to read things on paper, then you're here for the right reason.
       Although, I'll bet the tutorial in SetupIM will surprise you.  (Give
       it a try!)


    1) Detect and remove viruses.  IM will even detect viruses that are
       not known to exist at this point.  For known viruses, IM will
       recognize them by name and describe what they do.

    2) Detect possible file corruption due to hardware or software
       problems.   This type of file damage is apparently at least 100
       times more likely than virus infection, yet it usually goes

    3) Supplement or replace any PC security programs you have.  IM
       will inform you if anyone changes something on your PC's disk
       while you were gone.

    4) You just compressed your disk or you restored your files from a
       backup. Are all the files really OK?   IM will tell you.

    5) You wanted to delete all your .BAK files, but you entered: "DEL
       *.BAT" by mistake.  Oops!  IM will tell you exactly which files
       you need to restore.

    6) You need a change management system to keep track of growth on
       your hard disk.  Where is all that disk space going?  IM will tell

    7) You're having problems with your disk drive.  Your diagnostic
       programs say all is OK . . . now.  But were some files damaged
       last night?  IM tells you!

    Integrity Master (tm)              -  9  -                 Version 1.51

    8) Your hard disk is having problems.  DOS will not even recognize
       it as a disk.  IM can reload your partition and boot sectors to "fix"
       your disk!


    1) It reads files as well as parts of the operating system on your disk
       known as system sectors.  The first time you use IM, you will run
       an "initialize" that will read your disk and calculate cryptographic
       signatures for each file and system sector.  While it's doing this,
       IM is also checking for signs of known viruses.

    2) This signature data, along with other information such as the file
       size, is encrypted and recorded in the "integrity data" file.  IM
       creates one such file for each directory on your disk.

    3) On subsequent checks, the files and system sectors are read again
       and the computed integrity data is compared with the prior values.
       This allows IM to determine if anything has changed, even if the
       time and date stamps reveal no change.

    4) IM detects changes that a virus may make to associate itself
       (companion and cluster viruses) with an existing program.

    A virus can only infect your PC by associating itself with your
    programs or system sectors.  Each of these actions results in changes
    to data on your disk.  IM will detect these changes if a virus tries to
    infect your system.


    1) Integrity Master is not just an anti-virus product but a complete
       data integrity system.  Viruses are but one threat to the integrity
       of your PC. With Integrity Master you have a complete solution.

    2) Unlike other integrity check programs, Integrity Master contains
       extensive information regarding known viruses.  If IM recognizes
       part of a known virus, it will identify the specific virus and
       provide specific steps to remove it (offering to do this
       automatically) and check for possible damage.  If it detects other
       file changes that are characteristic of a virus, it will alert you to
       that fact and provide appropriate instructions.

    3) Unlike a virus scanner, Integrity Master allows you to detect
       unknown as well as known viruses.

    Integrity Master (tm)              - 10 -                 Version 1.51

    4) Unlike anti-virus products that merely find known viruses,
       Integrity Master also detects files and sectors damaged (not just
       infected!) by viruses.

    5) Integrity Master is fast!  We wrote it in 100% highly optimized
       assembler language.

    6) Integrity Master checks and protects areas on your disk known as
       system sectors (the DOS boot and partition sectors), not just the
       files.  If these sectors become infected or damaged, Integrity
       Master can quickly repair them.

    7) Integrity Master utilizes easy to use menus with lots of help. You
       don't have to fully understand some of the more complex areas of
       data integrity, such as system sectors, yet you can be fully

    8) The Integrity Advisor(tm) component of Integrity Master understands
       special files important to DOS and will give you special advice,
       with step by step instructions, if these files have changed.


    o IM requires a PC with 235K of available memory and DOS 2 or
      later.  (At least 365 thousand free bytes are needed for maximum

    o IM supports super large disks and files.

    o IM supports a maximum of 2621 files in a single directory.

    o Do not use the DOS APPEND, SUBST or ASSIGN commands
      together with IM.  These can cause results that are misleading if
      you don't carefully consider the effects of these commands.

    Integrity Master (tm)              - 11 -                 Version 1.51



    Since you may be wanting to do a quick evaluation of Integrity
    Master to see how it meets your needs, we offer this short cut install
    procedure.  In contrast, the full install procedure is intended to guard
    against unknown viruses already infecting your system or an attack by
    a sophisticated user and is not necessary for an evaluation under
    normal circumstances.


    1) Type "SETUPIM" and hit ENTER.  Answer all the questions that
       SetupIM will ask.  SetupIM will prepare a customized full install
       procedure for you and save it on a file.   Rather than follow the
       full procedure just continue with this quick install.

    2) Simply copy your IM files, IM.EXE and IM.PRM, to a convenient
       location.   ("COPY IM.* A:" would copy them to a floppy)

    3) Enter the command: "IM /IE /Dc"  Substitute for "c", in the
       "/Dc" parameter, the disk you wish to check.  That's it!

    The command line parameters (/IE, /Dc) are optional; to execute IM,
    just enter "IM".  The menus will guide you from there.


   1) Make sure your Integrity Master files are located somewhere other
      than drive A.  If they are on drive A, simply copy them to your
      hard drive or a diskette that you can insert in one of the other
      drives.  Here's an example of how to copy the IM files to your
      hard drive from the diskette in drive A:

             C:           <ENTER>
             CD \         <ENTER>
             MD IMASTER   <ENTER>
             CD IMASTER   <ENTER>
             COPY A:*.*   <ENTER>

    Integrity Master (tm)              - 12 -                 Version 1.51

   2) Now, to begin the actual install process, type:

             SETUPIM      <ENTER>

        Or, if you have an older (CGA type) LCD display, you may want
      to enter:
             SETUPIM /L    <ENTER>

      (most modern laptops work fine in color or monochrome mode

      If you have a two-color display on a color adapter, you may wish
      to try:
             SETUPIM /M    <ENTER>

       for a more readable display.  SetupIM automatically senses the
       type of video adapter you are using but the above two combinations
       can fool it occasionally.

    3) SetupIM will guide you from there.  SetupIM will provide you a full
       tutorial on using Integrity Master menus and give you an overview of
       how Integrity Master works.  SetupIM will then analyze your needs and
       check out your hardware configuration. SetupIM's Integrity
       Advisor(tm) component will customize IM's options so that it will
       work best to meet your needs.  The Integrity Advisor will also
       prepare a custom designed procedure to finish the install and a plan
       for day-to-day use of IM.  In addition to displaying this plan on
       your screen, the Integrity Advisor will write the plan to file
       IMPROC.TXT. You can use your favorite utility to read IMPROC.TXT or
       you can enter the command IMVIEW IMPROC.TXT to read it, or the
       command IMPRINT IMPROC.TXT to print the file.


     Please check file README.DOC for a full list of files that come
     with Integrity Master and what's important about each file.  To read
     README.DOC, type: "IMVIEW README.DOC" and hit ENTER.  If this file is
     not present, don't use your copy of IM.

     After you install Integrity Master, there will be only two files you
     absolutely need to use Integrity Master:

     IM.EXE  - Integrity Master itself

     IM.PRM  - The parameter file which controls how IM works
             - This file is created by SETUPIM.EXE

    Integrity Master (tm)              - 13 -                 Version 1.51

     If you want to reinstall IM, or change advanced features of IM, you
     will need:

     SETUPIM.EXE The setup and install program (It creates
                    and updates IM.PRM)

     When you install IM, SetupIM will create these files:

     IMPROC.TXT  Instructions on how finish installation and run IM

     IM.PRM           The parameter file (all option settings are stored


     IM normally automatically detects the type of video  adapter you have
     and uses appropriate colors for your equipment.  There are two things
     that can confuse IM:

    1) Some programs change the DOS video mode from color to
       monochrome or vice-versa.  To correct this, just enter the
       appropriate mode command (e.g., "MODE CO80")

    2) Some equipment appears to have a different display than it really
       has, such as an LCD display on a laptop.

    If you find your display hard to read, you may want to override IM's
    choice of video mode (colors).  The best way to do this is to experiment
    by using the command line parameters to specify an alternate set of
    colors.  Try each option and choose what looks the most pleasing.

    Both IM and SetupIM accept these command line parameters:

    /L  - For older CGA liquid crystal displays (e.g., Toshiba 1000 laptops)
    /M  - Forces monochrome mode
    /C  - Forces color mode
    /A  - Forces automatic video detection mode (default).

    Example: "IM /M" will use colors appropriate for a monochrome
    display even if the display appears to be of a color display.

    Once you've found the colors that work the best, it's usually best to
    use SetupIM to select that video mode so that you don't have to remember
    to enter the command line parameter.

    Integrity Master (tm)              - 14 -                 Version 1.51


    Integrity Master (IM) and SetupIM both employ an advanced menu system.
    When you first install using SetupIM, it will offer you  an extensive
    guided tour of how these menus work.  This is the best way to learn how
    to use the menus.  Within Integrity Master, just hit F1 and select "Help
    using the menus" from the help menu for assistance.

    On most menus you will see one selection shown in a different color (or
    underlined) than the other selections.  The different color (highlight)
    indicates that this is the chosen line.  You can use the arrow (cursor)
    keys to select any of the items on the menu.  Each menu line has a
    single capitalized letter showing in a different color. Pressing the key
    matching that letter will also select that menu item. On many menus, an
    extended explanation automatically appears as you select any menu line.
    After you have chosen the appropriate menu item, you must hit the ENTER
    key before anything will happen.

    Integrity Master (tm)              - 15 -                 Version 1.51



    The top part of the Integrity Master screen tells you what options are
    in effect and what IM is currently doing.  The menus appear below this.
    Be sure to go through the tutorial in SetupIM to learn how to use the
    menus.  When IM is busy checking your files, the report screen pops up
    and replaces the lower half of the screen including the menu area.

    The best way to get familiar with the information presented to you on
    the IM screen is by hitting the F1 (help) key and selecting the
    "Explanation of the display" entry.  This will give you a step by step
    guided tour of IM's display.


    Before you can check your disk, you must initialize the integrity data
    that describes the disk.  You can use either the command line parameter
    (/IE) or the Initialize menu within IM.  Hit "I" or alt/I (hold down the
    ALT key and press "I") to get to the Initialize menu.

    |   Help    Options   Check   |Initialize|    ReLoad    CoMmands  |
    .-------------------------- .-.          .-------------------. ---.
                                |  Entire disk integrity         |
                                |  Files on current Disk         |
                                |  Current and Lower directories |
                                |  Current diRectory only        |
                                |  Boot sector                   |
                                |  Partition sector              |

    From this menu, you create (initialize) the integrity data that
    describes your files and system sectors.  While IM is initializing the
    integrity data, it will (unless you turned virus checking off) check for
    known viruses, and check for other indications of viruses or system
    problems.  For the system (boot and partition) sectors, IM will save
    reload information.  This enables you to restore your system sectors
    (using the ReLoad menu) if anything should ever infect or damage them.
    IM writes the reload data to files BOOT.SRL and PART.SRL for the DOS
    boot and partition sectors respectively.  Be sure to read the section in
    Part Two, Chapter One, that explains why system sectors are important.

    When you first use IM, please select "Entire disk integrity" initialize
    the integrity data for all files and system sectors (the boot or partition

    Integrity Master (tm)              - 16 -                 Version 1.51

    sectors) that exist on the current disk.  IM will also create the system
    sector reload files (BOOT.SRL and PART.SRL).  Be sure to save a copy of
    these files on diskette to help you recover when your hard disk fails.
    (Not all disks have both boot and partition sectors).

    The other options on this menu correspond to matching options on the
    CHECK menu.


    When IM checks a file, it uses each byte of the file in a calculation to
    compute cryptographic signatures for that file.  A change to any part of
    a file will result in a different signature.  These signatures, along
    with other significant information such as file size, are what I call
    integrity data.  IM writes an integrity data file for each directory on
    your disk. These files can be stored with the files that they describe
    or stored on separate diskettes.

    When you first install, SetupIM chooses, at random, a unique algo-
    rithm to compute the cryptographic signatures, and also chooses a
    unique algorithm to encrypt your integrity data files.


    Just as your signature uniquely identifies you, the cryptographic
    signatures serve to identify the contents of each file.  If a virus or a
    hardware problem changes a file, the signature computed for that file
    will be different, although the file size and time and date stamps may
    be the same. A change or the rearrangement of data in a file will result
    in a different signature.  When you execute SetupIM, it will randomly
    select a unique algorithm for computing the cryptographic signatures.


    From the Check menu, you can check files or system sectors for changes.
    Use the up and down arrow keys to select the type of checking you'd like
    to do. You may choose to check only specific things on your disk, such
    as the system sectors or individual files, or you could check everything
    on the entire disk.  IM will report any added,  deleted, or changed
    files as well as any signs of viruses or other known problems.  If
    integrity checking is on, IM will read the files and check for any
    changes.  Use the Options menu to control whether full integrity
    checking is on and the type of files to check. The fourth line at the
    top of the screen shows the current status of integrity checking
    including the type of files to be checked.  If you

    Integrity Master (tm)              - 17 -                 Version 1.51

    see: "Integrity check: On", this indicates that full checking will be
    done on all files.

    You can reach the Check menu by hitting "C" or alt/C.

    |   Help    Options   |Check|   Initialize    ReLoad    CoMmands  |
    \----- /--------------/     \------------\ -----------------------/
          |  Entire disk integrity         |
          |  Files on current Disk         |
          |  Current and Lower directories  |
          |  Current diRectory only        |
          |  Specific file(s)              |
          |  Boot sector                 |
          |  Partition sector              |
          |  Disk for known Viruses        |

    Entire disk integrity
      Selecting this option and hitting the ENTER key will check any
      system sectors (the boot or partition sectors) that exist on the
      current disk for changes and then check all files in all directories.

    Files on current Disk
      Selecting this option and hitting the ENTER key will check only
      files on the current disk.  System sectors will not be checked.

    Current and Lower directories
      Selecting this option and hitting the ENTER key will check files in
      the current directory and any files in any directories which are
      defined descendant from the current directory.  If the current
      directory happens to be the root directory (e.g., C:\) then all files
      on that disk will be checked since all other directories are
      descendant from the root directory.  Another example: if you're in
      directory \DOS, directories such as \DOS\A, \DOS\UTILS or \DOS\A\B
      would be checked in addition to \DOS.

    Current diRectory only
      Selecting this option and hitting the ENTER key will check only
      files in the current directory.

    Specific file(s)
      Selecting this option and hitting the ENTER key allows you to
      enter the name of a specific file to check.

    Boot sector
      Selecting this option and hitting the ENTER key will read the DOS
      boot sector and check it for any changes.  Please see the
      explanation of system sectors later in this guide.
    Integrity Master (tm)              - 18 -                 Version 1.51

    Partition sector
      Selecting this option and hitting the ENTER key will read the
      partition sector (also known as the master boot record) and check it
      for any changes.  Please see the explanation of system sectors later
      in this guide.

    Disk for known Viruses
      The option to check "Disk for known Viruses" is intended only for
      one-time quick virus scans or to do checks of all files (not just
      those identified as executable files) for known viruses.  You can do a
      one-time quick virus scan on just the current directory or on the
      entire disk.  If you choose the entire disk, then the appropriate
      system sectors will be checked as well as all executable files.
      Checking all types of files is useful as a double check in the event
      that IM detects an existing virus.  This is suggested since it's
      possible that you may have a program somewhere that uses a file with a
      nonstandard extension to store executable code (e.g., overlays).  If
      you are aware of a program that uses extensions which IM does not
      recognize as executable, then you may wish to use the Advanced menu in
      SetupIM to add this extension to the list of extensions recognized by
      IM. You generally won't need the virus scanning option except in these
      special cases, since IM automatically checks for viruses during its
      normal processing.  You can also use the /VA, /VM, /VO, or /VR
      command line parameters to perform a virus scan.


    o Before using IM, be sure that you've run SetupIM (new install) and
      followed the directions provided for you in file IMPROC.TXT.

    o Before checking your files run an "Entire disk integrity" initialize.

    o For protection against previously unknown viruses, be sure you
      cold boot from a write-protected floppy before checking.

    T H E   R E P O R T   F I L E

    In addition to seeing a report of IM's findings on screen, you may wish
    to save a report on disk or on paper.  The Options menu in both IM and
    SetupIM allows you to set the type of report (if any) IM will create.  I
    recommend that you allow IM to write its findings to an "auto-named"
    disk file.  By saving these report files, you can discover what changed
    last April 1 or when you last changed a particular file.  Each time you
    run IM, it will write its findings to the end of the report file for
    that day.  For example, on June 1, 1992 the report would be on file
    ")(0601.REP".  By saving the report files, you can maintain a complete
    change history for your PC.  If you ever want to find out what happened
    to a file, the full history will be

    Integrity Master (tm)              - 19 -                 Version 1.51

    available. If you wish to keep more than  one year of history on-line,
    try copying all the report files (COPY *.REP) to another disk or

    If you choose an "auto-named" report file, you can elect that IM place
    the file in the root directory of whatever disk is being checked or you
    may choose to place it on a specific disk of your choice.  You can also
    give the report file absolutely any name you wish.  If you choose a
    specific filename, you may include the disk and directory as part of the
    filename.  If you do not specify a disk or directory as part of the
    filename, then IM will create this file in the current directory at the
    time you execute IM.

    If you elect printed output, IM will ask you to choose LPT1, 2,  or 3.
    In the rare event that this does not work with your printer, you may
    also print by asking IM to write the report to a specific file name such
    as "PRN" (the printer).  If you use "PRN", you will get less
    sophisticated error handling and messages since DOS drives the
    printer rather than IM.

    S Y S T E M   S E C T O R S

    System sectors are special areas on your disk containing programs
    that are executed when you boot your computer.  These sectors are
    invisible to normal programs but are vital for correct operation of
    your PC.  They are a common target for viruses.  Please read the
    detailed description of Boot and Partition sectors in Chapter one of
    PART TWO - Data Integrity and Viruses.

    R E L O A D I N G

    You can reach the ReLoad menu by hitting "L" or alt/L from any of
    the other primary IM menus.

    |   Help    Options   Check   Initialize    |ReLoad|    CoMmands  |
    .---------------------------------------- .-.      .------------. .
                                              |  Boot sector        |
                                              |  Partition sector   |
                                              |  Missing partition  |

    From the ReLoad menu, you may reload your DOS boot sector or your
    partition sector (master boot record), in the event that they have
    become damaged or infected with a virus.  The "reload Missing partition"
    option must be used if you have a disk so badly damaged that DOS will
    not recognize that the disk exists. You will then be prompted to
    identify the disk on which to reload. You can identify it either by the
    logical disk letter (A-Z) or by the physical device number (0 for the
    first physical hard drive, 1 for the second and so on).  If the disk you
    are about to reload is not the same disk from

    Integrity Master (tm)              - 20 -                 Version 1.51

    which the reload data was saved, IM will warn you, but will give you
    the option to continue with the reload.  You can take advantage of this
    if you need to reload the boot sector of multiple floppy diskettes:

   o Locate a clean diskette of the type that is infected

   o Initialize integrity data for the boot sector of that floppy.

   o Make sure that the BOOT.SRL file you just created is the only one
     IM can find.  (Temporarily move any other .SRL files)

   o Turn the report file off

   o Change to the drive containing an infected floppy (CoMmands

   o Tell IM to reload the boot sector.

   o Insert and another diskette and keep reloading. IM will locate the
     BOOT.SRL file on one of your other disks and reload the sectors
     on each floppy diskette.

    The Commands Menu

    You can reach the "CoMmands menu" by hitting "M" or alt/M from
    any of the other primary IM menus.

    |   Help    Options   Check    Initialize    ReLoad  |CoMmands|   |
    .------------------------ .--------------------------.        .-. .
                              |  Temporarily Shell out to DOS       |
                              |  Quit - exit the Integrity Master   |
                              |  Disk change                        |
                              |  DiRectory change                   |
                              |  Uninstall - delete integrity data  |

    Temporarily Shell out to DOS
      This allows you to exit IM to the DOS prompt, but leaves Integrity
      Master loaded in memory so you can quickly return by using the
      Exit command.  Shelling allows you to exit IM, and execute most
      other programs at the DOS prompt (such as copying files or
      formatting disks).

    Disk Change and DiRectory Change
      You'll mostly use this menu to change the current disk or
      directory.  (You can also use the "/D" command line option to
      change to one or more other disks or use the "/P" command line
      parameter to start in a different directory)

    Quit - exit the Integrity Master
      In addition to using the "Quit - exit the Integrity Master" option on
      the CoMmands menu, you can use the ESCape and alt/X keys to
      terminate IM from any point.  The ESCape key allows you to

    Integrity Master (tm)              - 21 -                 Version 1.51

      terminate most IM menus without taking any action and return to
      the prior menu.  The only exceptions to this are menus which
      require a response one way or the other.  These are usually the
      result of a detected error of some type.  If you hit ESCape enough
      times, IM will ask if you really want to quit.  You must select
      "Yes" and hit enter to exit.  The fastest way to exit IM, is by hit-
      ting alt/X (hold the ALTernate key down and hit the "X" key).
      This allows you to quickly exit without the final "Do you really want
      to quit?" prompt.

    Uninstall - delete integrity data
      If you have integrity data files in each directory of your hard disk,
      you can quickly delete these files by selecting Uninstall on the
      CoMmands menu.  If your integrity data is stored on a different
      disk than the files it describes (such as a floppy) then this option
      will have no effect.


    Whenever you finish checking files, IM will show you a summary of its
    findings.  Since the summary contains a time and date stamp, you can use
    the report file as a chronological log of all changes on your PC even if
    you have it going to the printer.  The summary shows statistics for all
    file changes as well as system sector and memory checking.  IM reports
    the number of times it checked a file's integrity data against the DOS
    directory information, as "files processed". It also reports a separate
    count of the number of files actually read and checked.  IM resets all
    statistics (with the exception of the memory check results) each time
    after it displays the summary statistics.  This means that on subsequent
    file checks, the system sectors will be indicated as "Not checked" even
    though they were indicated as checked on the prior display.  Why is
    this?   IM does this because some disks are removable and disk X may
    suddenly be a different disk.  IM shows the statistics for any viruses,
    suspicious files, or system corruption (which includes file open and
    read errors) in red.


    Viruses are but one of many threats to your data.  You are far less
    likely to be hurt by a virus than the other causes of data damage such
    as software conflicts and general glitches of various types.

    Viruses are programs that attach themselves to other programs  in such a
    way that when the other program is executed, the virus code will also
    execute.  The infected program usually appears to execute normally but
    the virus may be attaching itself to additional programs each time the
    infected program runs.  Many viruses are triggered by some event (such
    as a particular time or date) into an attack phase,

    Integrity Master (tm)              - 22 -                 Version 1.51

    resulting in anything from music to serious file damage.  Viruses
    often wait a long time before attacking; their goal is to spread as far
    as possible before revealing their presence.  Some viruses go resident
    in your PC's memory, taking over your PC.  This enables them to infect
    at will and elude detection attempts.

    A virus may attach itself to programs in two ways that many people
    are not aware of.  The first way is to infect the programs that are in
    the system (boot and partition) sectors of your PC.  The second way is
    by changing system information on your PC so that the virus code is
    executed before the intended program. The most obvious way to do this
    depends on the fact that if both a .COM and .EXE file have the same
    name, DOS will execute the .COM file instead of the .EXE file. Such a
    virus is commonly called a companion or spawning virus. These viruses
    locate .EXE files and then plant themselves as .COM files of the same
    name.  The virus (the .COM file) can execute, spread further, and then
    run the .EXE program so that everything appears normal. (Don't worry; IM
    detects all types of viruses!) Please read PART TWO Data Integrity and
    Viruses to learn more about viruses.


    When you install Integrity Master using SetupIM, the Integrity Advisor
    will prepare a complete procedure for running IM.  If you indicated that
    you wanted to detect viruses, then this procedure would include the
    steps you need to check for viruses.  This step by step procedure is
    customized to your own preferences, so be sure to read file IMPROC.TXT

    To be certain of detecting even unknown viruses, it is vital to cold
    boot from your write-protected floppy containing IM before checking for
    viruses.  Do NOT use Ctrl/alt/del to boot, but turn your PC off and then
    on.  Some PCs have a reset button that will force a cold boot.

    Whenever you engage in any activity that changes or rearranges many
    files, run at least a "Quick integrity update", so that your integrity
    data accurately reflects the status of your PC.  Use the Options menu to
    change the type of integrity checking.

   o With Integrity "CHECK ON", do a full integrity check (rather than
     a "quick update") of all files at least once a month to detect any
     unexpected changes.

   o If your work exposes you to programs that may be infected with viruses,
     do a daily full check of your disk for any unauthorized changes.  To
     save time, use the Options menu to limit checking to executable
     programs.  Check at least the current directory if you have executed
     any new or "strange" programs.

    Integrity Master (tm)              - 23 -                 Version 1.51

   o After installing any new software, IMMEDIATELY run IM to
     initialize the integrity data for the new files you have created.  Be
     sure that you save a write-protected disk containing a copy of the
     software.  It is vital that you do this before you start to use the

   o It is critical to do extra checking any time you copy programs (e.g.,
     *.EXE or *.COM files).  When you copy programs, be sure to copy your
     integrity data also.  For example, if you are doing something like a
     "COPY  *.EXE   D:\DOS", then also enter a command to copy the integrity
     data to "D:\DOS".  (If you're not sure what the names of your integrity
     data files are, check your IMPROC.TXT file or select "Integrity data
     options" on the SetupIM Change menu.)  If you simply copy all files
     (COPY *.*), then you won't have to worry; the integrity data will
     automatically be copied along with the programs.  Afterwards, run IM to
     check that the files were copied without damage or virus infection.
     Naturally, IM will report any files that weren't copied as deleted when
     you run this check.


   To quickly do nothing but scan one or more disks for known viruses:

   o Use the CoMmands menu or the "/Dx" command line parameter to change to
     the drive you want to scan.  (do not use a colon (":") with the "x".)

   o Use the Options menu to turn the report off or to set the report to
     go to the printer or your hard disk.

   o From the Check menu choose "Disk for known Viruses".  Hit ENTER and
     select either   "One-time screening" or (if you're planning to check
     several floppies) "Check Multiple diskettes".

   o This scans the first disk.  When you see the display summarizing the
     results of the scan, insert the next diskette and hit enter to scan that
     diskette or hit ESCape if you're done scanning.

   IM will return a DOS error level of 64 or greater if it encounters a
   known virus so you an use IM in a batch file which checks for viruses.
   You can also use the command "IM /Dx /VM" to scan multiple diskettes
   in drive x.  Use "/VO" rather than "/VM" to scan only one diskette.

   To scan a disk for known viruses AND to get data integrity protection:

   o Use the Options menu and set the "Files to iNitialize" option to
     "Executable programs."

   o Use the Initialize menu to initialize "Entire disk integrity".

   The command line options: /VA, /VM, /VO and /VR are available for
   scanning.  Remember that virus scanning will detect only viruses known
   at the time this program was written.  As with any scan program, you
   should have the latest version if you intend to rely upon scanning for
   serious protection.


   o Make sure that you specified that you wanted virus protection when
     you installed IM.  If you didn't, then run SetupIM and select

   o Make sure you carefully followed SetupIM's instructions in

   o If a virus is found on your PC, IM will almost always recognize it
     by name and explain how to remove it.  IM will also advise if viral
     signs are present on changes that don't match known viruses.

    Integrity Master (tm)              - 24 -                 Version 1.51

   o Whenever IM reports a change to an executable program, it's important
     to discover the cause.  Some programs modify themselves when you change
     their options; some programs change themselves every time they run.
     Changes to executable programs are indicated in red on the report
     screen and are bracketed by "...." to make these changes obvious.

   o If only a single program has changed and IM does not reveal this to be
     corruption, then you probably do NOT have a virus.  If you have any
     doubt that a program change may be a virus, be very careful and run
     full checks with IM after executing this program. (Cold boot (power off
     and on) from a floppy before running IM)  Any program changes detected
     at this point indicate a virus.  Please report this (see file
     VIRREP.DOC for complete details).

   o For speed, use the Options menu to limit checking to executable files.


    IM has the capability to detect infection by an unknown (new) virus
    as well as the ability to identify known viruses and their
    characteristics.  If IM detects an unknown virus, it clearly can't
    provide the detailed information that it provides when it detects a
    known virus.  Because of some of the generic detection techniques used
    in IM, there's a good chance that it will identify and describe a new
    virus.  How is this possible?  This is only possible if the virus is not
    totally new but a modification of an existing virus.  In this case, IM
    may identify the "new" virus as a virus it knows about because someone
    created the new virus by simply making some changes to an existing
    virus.  (Most "new" viruses are created in exactly this way.) IM will
    usually notice the code from the old virus still present in the new
    virus and identify it in this way.

    What about totally new viruses?   These are a little more work to
    identify.  In this case, IM will inform you that it has detected a
    change in a file or a system sector, but won't announce that a virus is
    present, unless it's similar to a known virus.

    How do we decide whether a virus is responsible for the detected
    change?  Consider the following factors:

    o Has IM identified virus-like symptoms with this change?  Such
     symptoms include an unusual value in the DOS time or date stamp,
     and file corruption detected (no change to the time and date stamp
     but a change to the file).

    o Are numerous unrelated executable files changed?

    If the answer to one or both of these questions is "yes" then it's time
    to do some more checking to see if it's really a virus.  Please read the

    Integrity Master (tm)              - 25 -                 Version 1.51

    section on Virus Signs and Playing Detective in Part Two - Data
    Integrity and Viruses.  Following these procedures will let you
    determine if you have encountered a brand new virus (lucky you!).  If
    you have encountered a virus, or you are not sure, please contact us;
    see file VIRREP.DOC for details on reporting viruses.


    When IM detects a known virus it will optionally present at least one
    full screen of information.   The virus report screen gives you the
    following information:

   o The name of the virus.  This is usually the name used by the UK's Virus
     Bulletin but in some cases we use an abbreviated or more common name.
     This name corresponds to an entry in file VTEXT.DOC.  Many viruses have
     been built as modifications to existing viruses. By identifying common
     (hard to change) code elements in the base virus, IM can identify
     multiple viruses by spotting their common characteristics.  This means
     for example that if IM reports the Jerusalem virus, it could also be
     the Anarkia, Anarkia-B or the Payday virus. Since viruses go by many
     names, alternate names for the same virus are listed in this table too.

   o IM lists the type of files or system sectors infected by this virus.

   o If the virus is known to seriously interfere with normal operation of
     your PC, this is mentioned.  We don't classify messages, bouncing balls,
     or music as serious interference. We do consider slowing execution of
     your PC or halting the system as serious.

   o IM will mention if the virus is known to either deliberately or
     inadvertently damage data on your disk.  Beware, though, some idiot
     could, at any point in time, modify a previously harmless viruses to do
     something destructive.  An example of this is the Cascade virus
     (letters cascade down on your screen when this virus activates).  The
     first version of this virus was harmless but someone created a variant
     that will format your disk.  In this case, IM makes a special check for
     the dangerous variant of the virus and warns you if it's detected.  In
     spite of this, please, NEVER assume that a virus is harmless.  If we
     don't mention that a virus is known to damage files, it means only that
     no one has reported damage from this virus.  Be careful; you may have a
     variant of the virus that might very well be dangerous!

   o IM presents step by step removal instructions for the virus.

    Sometimes IM presents additional screens describing necessary or suggested
    actions.  This is true if the virus is detected in memory. When IM first
    starts, it checks the memory of the PC for presence of known viruses
    (unless you deactivate this check using SetupIM or the "/B" (bypass)

    Integrity Master (tm)              - 26 -                 Version 1.51

    command line parameter); if IM detects a virus, it will ask you to
    immediately cold boot your PC.  Checking further at this point could be
    very dangerous since it might spread the virus.  Other special viruses
    such as companion or cluster viruses (see PART TWO for details) will
    generate an extra screen identifying that specific virus and mentioning
    alternate ways to remove the virus.


    If IM announces detection of a known virus, could this be a false alarm
    (not really a virus)?  If IM has checked this file before or if it has
    found more than one file infected, then you very likely have a REAL
    VIRUS!  If this is the first time that IM checked this file, and if it
    found only one file infected after checking your entire disk, then it's
    probably a false alarm.  Although it is very unlikely, it IS possible
    that a legitimate program could contain code that matches a virus.


    Some anti-virus programs contain unencrypted virus fragments that IM may
    detect.  It's usually safe to assume these programs are not infected.
    Some of these programs also leave virus fragments in memory that IM may
    then detect and announce as a memory resident virus.  Please do not take
    any chances in such a case and follow IM's instructions to cold boot,
    even though it's likely to be a false alarm.

    If you have just read an infected disk or a file, there is a chance that
    IM may detect a piece of this file in memory and announce a resident
    virus when one really isn't resident.  In such cases, it's best to play it
    safe and cold boot from a write-protected diskette.


    If IM detects a known virus, it will display the steps to remove the
    virus and offer to remove it automatically.

    If IM detects program or system sector changes that may be due  to a
    virus, please follow these steps:

    o Save at least one infected diskette or file and report this to us. This
      will allow us update IM to recognize this virus and hopefully track
      down the source of the virus!  See file VIRREP.DOC for complete

    o Cold boot your PC (power off and on) from a write-protected
      floppy disk.

    Integrity Master (tm)              - 27 -                 Version 1.51

    o Run an "Entire disk integrity" check, noting any changed programs
      or other possible damage by the virus.

    o You can allow IM to remove the virus or follow its directions to
      remove the virus manually.  Restore infected files from the original
      program diskettes if possible.

    o Reload your system sectors if they were damaged.

    o Restore any damaged files or programs from the original diskettes
      if possible.

    o Very carefully, check any floppies you've used.

    o Run an "Entire disk integrity" check daily for a while.


    If a program changes a file by normal means, the file's time and date
    stamp will be updated to reflect this change.  On the other hand, if a
    virus or a hardware or software problem causes a file to be changed,
    there is often no change to file's time and date stamps. IM calls this
    file corruption and raises a special alarm if it detects this.  If you
    find a corrupted file, the odds are it's NOT a virus.  The most likely
    cause of corrupted files is software conflicts.  The next most common
    cause is hardware problems.  In any case, if you have a corrupted file,
    it's essential you find what the cause is.  In Part Two - Data Integrity
    and Viruses", I have a chapter titled Determining the Cause of Data
    Corruption.  Please read that chapter very carefully when (not if!) you
    detect a corrupted file. The next section describes using IM when you
    are having suspected disk hardware problems.


    It's an unfortunate fact of life that all disk drives will eventually
    fail; sometimes at the worst possible moment!  Before disk drives
    totally fail, they usually start exhibiting signs of problems, such as
    inability to reliably read and write certain areas on the disk.
    Unfortunately, these failures tend to be intermittent. The result may be
    that you have damaged files, but when you run your disk diagnostic
    software, no problems are found.  By using IM to do periodic full
    checks, you can detect these problems when they first begin and prevent
    more major disk problems, such as total failure,  from taking you by
    surprise.  If you have an MFM, RLL, or ESDI type of disk drive you
    probably can extend its life slightly by doing a low level format, or
    using a product such as Steve Gibson's SpinRite(R) that can do a
    nondestruc- tive low level format.  The key here is to detect disk
    problems early before any serious damage is done.

    Integrity Master (tm)              - 28 -                 Version 1.51

    IM replaces the DOS critical error handler with its own more advanced
    routine.  If a disk error occurs, you will see a warning screen
    explaining what has happened, rather than the dreaded "Abort, retry, or
    fail" message that DOS provides.  IM may also present a menu offering
    you additional options (depending upon the type of error and the
    circumstances) such as repeating (retrying) the operation.

    If an error occurs while IM is checking files, it will report either
    "Read fail" or "Open fail" in place of the normal signature data on its
                           Name and    Signature     File     Update   Update
         Status: Type:     Extension:  Val1: Val2:   Size:    Date:    Time:
         ------- --------  ----------   ---- ---- ---------- -------- --------
         Added   File      NORMAL   EXE 0D83 4E93       2048 11/05/92 14:00:56
         Added   File      DISKERR  EXE Read fail     140792 11/05/92 14:01:02
         Added   File      CANTOPN  FIL Open fail        123 10/05/91 10:11:20

    In addition to "Read fail" or "Open fail" appearing in the IM report,
    additional information regarding the type of error will also appear and
    be recorded in the report file (or printout) as well in the on screen

    Whenever IM encounters an error reading a file, it  will NOT replace the
    original integrity data with the current (in error) data. This means
    that if you have a read error on a file, and you either "fix" the file
    using some utility or restore the file from a backup, you can then run a
    check on that file and know whether or not your file was correctly

    If you run IM in an environment where more than one program can have a
    file open, you may get an "Open fail" or "IO error" due to another
    program having this file open.  This can happen on networks (LANs), with
    OS/2, or with windows. When this error occurs, you will see a detailed
    explanation along with a menu offering several options.  I recommend you
    select the option to ignore any further open errors; this way you will
    still see detailed information on any other problems discovered by IM.
    You can avoid this error display and most others by using the "/NE"
    command line parameter (pause on emergencies only).


    Although there are no 100 percent reliable techniques to prevent
    someone from making unauthorized changes to your data while you
    are away, IM does offer a 100 percent reliable way of detecting these

    If you specified that security was important when you first executed

    Integrity Master (tm)              - 29 -                 Version 1.51

    SetupIM, its Integrity Advisor will make recommendations on how to use
    IM to get the level of protection you need.  It saves these
    recommendations on file IMPROC.TXT.  By storing your integrity data on
    diskettes and keeping these diskettes in a safe location, you can detect
    any changes that occur on your PC.  This should provide you protection
    even against a user who understands how IM works and is technically
    adept.  For most situations this is probably overkill!

    Keeping the integrity data on diskette may provide more protection than
    you need.  Simply keeping your parameter file (IM.PRM) on a diskette
    will provide a very high level of protection.  Since a user breaking
    into your PC will not be able to tell how the integrity data is
    computed, this user will not be able to change a file and then adjust
    the integrity data to hide the changes, even if they have a copy of the
    IM program.  This provides almost as much protection as keeping the
    integrity data on diskettes.

    If you keep the parameter file on the same disk with the files you
    check, it's possible that someone could modify your files and then run
    IM to update the integrity data, in this way covering their tracks. This
    person would obviously have to have enough knowledge about your PC to
    know that you use IM.  If you'd like to keep your parameter file on the
    diskette with your files you can still achieve a high degree of security
    by renaming IM.PRM and locating it in an unlikely directory.  When you
    invoke IM you will have to specify the name of the directory and the new
    name for the parameter file.  For example, the command: "IM
    D:\DOS\UTILS\BORING.DAT" will read the IM parameter information from
    file BORING.DAT in directory \DOS\UTILS on disk D.


    To use IM for change management, you really don't need to use integrity
    checking.  Simply running IM, in "Quick Update" mode, (which does not
    actually read files unless the DOS time/date stamp or file size have
    changed), is adequate to provide change management. "Quick update" mode
    only requires about 10 seconds to check about 270 megabytes (8000
    files).  To keep a full record of what has changed on your PC, I
    recommend you use "auto-named" report files and that you keep all your
    report files.  At the end of the year, you may wish to copy all the old
    report files into a directory for that year. For example, on January 1,

    CD \
    MD REP93
    COPY *.REP \REP93
    DEL *.REP

    This creates a directory called "\REP93", copies all report files to

    Integrity Master (tm)              - 30 -                 Version 1.51

    that directory and then deletes the old report file.

    By following this procedure you have a complete record of all changes on
    your PC.  If you want to know when a particular file last changed, it's
    easy to search through the report files for that filename. If you want
    to know where all your disk space is going, you can go back and see
    which files were added or which files grew.

    Command Line Execution
    Integrity Master is really designed to work by use of its menus.
    However, most functions can be automatically invoked from the
    command line to allow you to start IM from batch files.

IM [Fspec] [/A] [/B] [/C] [/Cx] [/Dxyz] [/H] [/Ix] [/L] [/N] [/M] [/Pdir] [/Vx]
 FSpec specifies the name of the parameter file to be used.  The disk
       and directory path should be specified as part of the filespec.
       For example: use "IM C:\dos\NEW.PRM" rather than "IM NEW.PRM".
 "/Dxyz" change to disk "x", process and then change to disk "y", etc.
        If used with more than one disk, this should be used with one of the
        "/Cx", "/Ix" or "/Vx" parameters.  You may also use the /Dx:y:z:" form.

  "/Pdir" (Path) change to directory "dir" before starting any processing.

 "/N"   Nonstop: the same as setting "Halt" to "Serious problems"  on the
        Options menu.  IM will stop only on viruses or serious problems.
 "/NE"  Stop on Emergencies only.  This almost never stops.

 "/B"  bypass memory check
 /Cx values: do type "x" integrity check and then quit:

 "/CE"  Check Entire disk integrity.      "/CB"  Check boot sector.
 "/CD"  Check all files on DOS disk.      "/CP"  Check partition sector.
 "/CR"  Check files in this diRectory.    "/CF=filespec" Check this one file.
 "/CL"  Check files in the current directory and all lower directories.
 /Ix values: do type "x" integrity initialize and then quit:

   "/IE"  Init Entire disk integrity.       "/IB"  Init Boot sector.
   "/ID"  Init all files on DOS Disk.       "/IP"  Init Partition sector.
   "/IR"  Init files in this diRectory.
 /Rx values will reload one of the system sectors on the current disk and quit.
   "/RP"  Reload Partition sector           "/RB"  Reload DOS Boot sector
 /Vx options scan system sectors and files for signs of known viruses:

   "/VA"  Check ALL files on a disk (not just executables).
   "/VM"  Scan multiple diskettes with only one key press between diskettes.
   "/VO"  one-time quick screening of programs on current disk.
   "/VR"  one-time quick screening of programs in current directory.

 (REMINDER: Scanning by itself is not sufficient protection against viruses!)

    Integrity Master (tm)              - 31 -                 Version 1.51

 The following may be used to override video mode selected during install:
   "/A"   Auto adjust of video mode.        "/L"   Use colors for older LCD displays.
   "/C"   Force use of full color mode.     "/M"   Use monochrome colors.

    Ordinarily, you don't need ANY parameters. Just enter: "IM". IM  is menu
    driven with lots of on-line help.  The command line parameters are
    intended for automatic unattended integrity checking.  If you don't have
    "HALT" set to "Serious problems" or "Emergencies only" (on the Options
    menu), use "/N" (or "/NE") to avoid pausing for input. If you wish to
    have IM automatically locate your parameter file, DO NOT specify it on
    the command line.  If you specify it on the command line and it is not
    located in the current directory, then you must include the drive and
    directory of the parameter file along with the name.

     "IM /L /CE"  Uses colors appropriate for an older (CGA type) LCD
    display and checks the system sectors as well as all files on the
    current disk.

    "IM /IR"  Creates new integrity data for files in this diRectory.

    "IM /CF=A:\X\IO.SYS"  Checks the file IO.SYS in directory \X on
    disk A:.

     "IM D:\IO\X.PRM /CD"  Checks all files in the current disk using
    options saved in the parameter file "X.PRM" located in "D:\IO".

     "IM /RB /DA"  Reloads the DOS boot sector on disk A.

    To execute IM automatically in unattended (batch) mode, do the

   o Use the Options menu to activate the report file.  Save this change
     by selecting the first option on the Options menu, "Write option
     changes to disk."

   o Either set the halt options to "Serious problems" (on the Options
     menu) or use the "/N" command line parameter  ("IM /N").
     Remember that you can use multiple parameter files if you don't
     want your options always set to nonstop.

   o Prepare the IM control card to do the type of checking that you
     want.  For example: "IM /N /DG /CE" will run nonstop on disk G:
     and check the entire disk (/CE), including system sectors.

   o If you have a timed execution program, such as the one available
     with PCtools, you may want to have it invoke IM or add IM to any
     batch file that you run regularly, such as nightly backup batch file.

    Integrity Master (tm)              - 32 -                 Version 1.51


    Integrity Master returns the following DOS error levels.  You can check
    for these error levels in a batch file and execute your own special
    procedures depending upon IM's findings.  One of our beta testers has
    their PCs automatically phone their help desk if an error level 24 or
    greater is encountered.

    00   Processing complete with no changes detected
    08   Checking complete with added or deleted files detected
    12   Checking complete with changed files detected
    16   Checking complete with changed programs detected
    24   Checking complete with suspicious file changes detected
    32   Checking complete but a file or system sector showed signs of
        corruption or an I/O error.  This will be in addition to any of the
        lower valued indicators such as change to a program.  So if a
        program changed, the error level would be 16 + 32 = 48.
    64   One or more viruses were detected. Any of the lower status
        indicators will be included with this one.
    128  If a vital IM file is determined to be missing or damaged
    192  A fatal error occurred during execution, such as not enough
        memory or a disk error in internal processing.
    200  Control card error (an error in IM's "/" parameters).

    Using IMCHECK

    IMCHECK.EXE is a fast stand-alone file checker.  It will read
    whatever files you specify and compute signature data similar to what
    Integrity Master uses as part of its integrity data.

    If you print the IMPROC.TXT file created by SetupIM, you will see
    the check values that IMCHECK should report for IM.EXE and
    IMCHECK itself.

    Syntax is: IMCHECK [d:] [path] filename [/N]

       "filename" specifies the files to check. Wild card characters such
                 as * or ? may be used.
       "/N"      Display dates in US numeric MM/DD/YYYY format.

    Entering IMCHECK with no parameters will display an explanation
    of how to use IMCHECK.

    For example: IMCHECK D:\DOS\TEST.* would check all files in
    the DOS directory on disk D: that begin with TEST but with any file

    Integrity Master (tm)              - 33 -                 Version 1.51

    IMCHECK can be very handy when you send files to others and you
    want to make sure that they got a good copy of your files.  Simply
    run IMCHECK on your files.  You will see a report like:

    IMCHECK 1.4 - Integrity Master (TM) standalone file checker.
    Copyright 1990-1993 by Wolfgang Stiller - all rights reserved.
    Checking: MYFILE*.*

    File Name + Check Check    File    Update      Update
    Extension:  Val1: Val2:    Size:   Date:       Time:
    ----------   ---- ----    -------  ---------   ------
    MYFILE.001   DA37 1612       4512  9-Jun-1992  7:44:30
    MYFILE2.DAT  46F7 4F41        277 10-Feb-1993 16:47:58
    Total======> B518 56D9

    Record the check values and make sure the other person runs IMCHECK
    to compare the check values.  The "Total=====>" values will match
    only if the files are checked in the same order.


    When you purchase your copy of Integrity Master, you will get permission
    distribute copies of IMcheck to anyone with whom you share files so they
    can verify the integrity of these files.

    When you register, besides all the other benefits, you will get the
    advanced version 2 of IMcheck that provides multiple check algorithms,
    dirrectory checking, and more detailed file diagnostics.

    ONLY registered (licensed) IM users may distribute IMcheck.


    Although Integrity Master is designed to run in the DOS environment
    on Intel 80x86 family microprocessors, it is useful with other
    operating systems and processors such as OS/2, Unix, MicroSoft
    Windows and various Network (LAN) operating systems such as
    Netware and VINES.  You can even use it on a Macintosh with DOS
    emulation.  On most of these non-DOS systems you can't check the
    system sectors in the same way as under DOS since the underlying
    operating system support is different.  Since these operating systems
    are multitasking, Integrity Master may find that it can't read certain
    files that are in use by the operating system.  This is normal and will
    not interfere with a full system check.  There's more information on
    this in the section on Integrity Master and Disk Problems.

    While, it may be most convenient to do most of your checking under
    your normal operating system, I strongly suggest that you prepare a
    DOS boot check and occasionally check under native DOS.  This is
    currently the only way to give your system the most secure checking

    Integrity Master (tm)              - 34 -                 Version 1.51

    Microsoft Windows and OS/2

    Integrity Master will run quite happily under Windows or OS/2 as a
    DOS application.  You can even run IM in the background while you
    use a different application. However, this will probably prevent it
    from checking whatever files that you are currently using.

    If you are using a non-DOS file system such as the "High
    Performance File System" (HPFS) under OS/2, Integrity Master will
    be able to check only those files that DOS can access.  For OS/2
    HPFS this means that files with more than eight characters in the file
    name or more than three characters in the extension cannot be
    checked.  For example, IM could check file 12345678.ABC but not
    file 123456789.ABC.D under HPFS.


    If you have a local area network (LAN), you can use Integrity Master
    on both the file server and the workstations. IM can be used on a
    network by running it on the separate workstations as well as on the
    server.  It can be configured in different ways.  If you place IM.EXE
    on a shared disk available to all workstations, you can have separate
    parameter (IM.PRM) files for each workstation or you could have a
    central IM.PRM in the directory with the shared IM.EXE.  It is more
    secure to allow each workstation to have its own IM.PRM, but using
    a common file makes it easier to copy or move files and then
    immediately check to make sure the files are intact.  If the server
    does not run DOS, then you will need to check the files on the server
    from one of the DOS workstations.  Part Two contains a section titled
    Networks and Viruses that provides some general procedures to make
    sure you keep you LAN free of viruses. It's particularly important
    that you follow the guidelines there on access rights and supervisor
    privileges. If you periodically boot each workstation from a write-
    protected floppy and do a full check of that PC, you can be assured of
    maximum protection for your LAN.

    Integrity Master (tm)              - 35 -                 Version 1.51

    Chapter Four - Customizing

    Customizing Integrity Master

    When you first install Integrity Master, SetupIM does an initial
    customization for you based upon your needs and preferences.
    Integrity Master offers you a myriad of different options so that you
    can set it up to work just the way you want.

    From the Integrity Master Options menu, you can control almost all
    options that regulate how IM functions.  Your option changes may be
    either temporary or permanent.  To make your changes permanent,
    select "Write option changes to disk" from the Options menu.  This
    will save your option changes on the parameter file. These options
    will be in effect the next time you execute IM.

    In addition to initially installing IM, SetupIM allows you to change
    the less frequently used options.  The more advanced options (which
    you may never need to change) are segregated onto their own menu.
    These options include turning off virus checking, changing which
    files IM considers to be programs and deciding where IM will store
    your integrity data.  SetupIM also allows you to permanently change
    the colors that IM uses on the display.

    These options are stored on the parameter file (IM.PRM).  You may,
    if you wish, keep multiple versions of this file around to represent
    different sets of options.  You can specify a different name for this
    file on IM's command line.

    The Parameter (Options) File

    The parameter file (IM.PRM) contains all the options that control
    how IM works.  IM and SetupIM look for this file by searching the
    following locations:

      o  the current directory,

      o  the directory where IM.EXE is located,

      o  or the root directory on any disk.

    Whenever you change any options and save the changes, the
    parameter file is rewritten.  The option "Write option changes to
    disk" on IM's Options menu does this as well as SetupIM.

    Integrity Master (tm)              - 36 -                 Version 1.51

    T H E   O P T I O N S   M E N U

    You can reach the Options menu from any primary IM menu by hit-
    ting the "O" or alt/O keys.   From the Options menu, you can control
    almost all options that determine how IM works.  These options
    include all normal day-to-day choices.

    |   Help   |Options|   Check   Initialize    ReLoad    CoMmands  |
    .- .-------.       .--------------------------. -----------------.
       | Write option changes to disk             |
       | Integrity:  CHECKING ON.off=quick update |
       | Files to Check:      Executable programs |
       | Files to iNitialize: Executable programs |
       | Halt on: ALL changes, adds or deletes    |
       | Sound -------------------------> ON.off  |
       | Report: (file or print)--------> on.OFF  |
       | Video (screen) report ---------> ON.off  |
       | Ignore Time.date changes ------> on.OFF  |
       | Only changes reported ---------> on.OFF  |
       | Exclude:    OFF and exclude report OFF  |

    In addition to allowing you to set all the above options, the Options
    menu displays the current settings of these options.  The options that
    have "on/off" settings, are toggled between their "on" and "off" states
    by hitting the ENTER key.  The current setting of the option is
    displayed in capital letters, as well as in a distinctive color.

    Write option changes to disk
      This allows you to write any option changes to the parameter file,
      making your option changes effective the next time you execute IM
      also.  This option does not exist on the SetupIM version of the
      Options menu.

    Integrity:  CHECKING ON/off=quick update
      This is the most crucial item on the Options menu.  Hitting the
      ENTER key toggles IM between doing full integrity checking and
      doing only quick integrity data updating.  When you hit ENTER,
      either "Checking ON" or "OFF=Quick update" will be in all
      capital letters and in a different color (on most displays).  This
      discloses whether full integrity checking is on or off.  The status of
      integrity checking is also always visible on the fourth line at the top
      of the screen.

      Quick update mode provides a very fast way to bring all your
      integrity data up to date.  IM reads and integrity checks only files
      whose size, time stamp or date stamp have changed.  To detect file
      corruption and viruses, it's essential to regularly turn "Checking
      ON" to do full integrity checks.

    Integrity Master (tm)              - 37 -                 Version 1.51

    Files to Check:
      You can use this option to limit IM's checking to only executable
      or source programs.  Even if you are interested only in virus
      detection, I strongly recommend that you also periodically set this
      option to check all files, so that you can be alerted to the other
      (more common) causes of file damage.  The Advanced menu in
      SetupIM allows you to change which files IM considers to be
      executable or source programs.

    Files to iNitialize:
      Use this option to limit IM's initializing of integrity data to only
      executable or source programs.  Even if your primary interest is
      viruses only, I strongly recommend that you set this option to read
      all files, so that you can be alerted to the other (more common)
      causes of file damage.  The Advanced menu in SetupIM allows you
      to change which files IM considers to be executable or source

    Halt on: ALL changes
      When IM is checking your files for changes, it lists each new
      change that it detects at the top of the report screen.  The other
      changes on the screen shift downward (scroll) as each new line is
      added at the top of the screen.  By setting the halt options, you
      control when this scrolling will pause and wait for you to hit a key.
      This prevents a change from scrolling off the screen without you
      having seen it.  The halt options appear on this menu:

         | Halt on:                        |
         | All detected differences        |
         | Changed files only              |
         | Changes to Executable programs  |
         | Changes to any Program          |
         | File corruption or worse        |
         | Serious problems                |
         | Emergencies Only (not viruses)  |

      If you halt scrolling on "All detected differences", anytime a line
      written to the report screen is about to disappear off the bottom of
      the screen, the display will pause and wait for you to hit a key to
      acknowledge that you've seen all the lines on the display.  After
      you hit a key, the display will not pause until all the lines currently
      on the screen have scrolled off and a new unseen line is about to
      scroll off the screen.

      If you halt scrolling on "Changed files only", the scrolling will
      pause only when a modified file is about to disappear off the
      bottom of the screen.  After you hit ENTER, the display will not

    Integrity Master (tm)              - 38 -                 Version 1.51

      stop scrolling until a changed file is about to scroll off the bottom.
      This changed file must not have been on the screen during the prior

      If you halt scrolling on "Changes to Executable programs", the
      scrolling will pause only when a program is about to disappear off
      the bottom of the screen.  After you hit ENTER, the display will
      not stop scrolling until a program that was not on the previous
      display is about to scroll off the bottom.  You can use the
      "Advanced option" menu in SetupIM to check or change what IM
      considers to be executable programs.

      If you halt scrolling on "Changes to any Program", the scrolling
      will pause only when a program (either source or executable) is
      about to disappear off the bottom of the screen.  After you hit
      ENTER, the display will not stop scrolling until a program that
      was not on the previous display is about to scroll off the bottom.
      You can use the "Advanced option" menu in SetupIM to check or
      change what IM considers to be either source or executable

      If you halt scrolling on "File corruption or worse", only signs of
      viruses, corrupted files, or possible hardware errors will pause the

      If you tell IM to halt on "Serious problems", then the display will
      pause only when it detects a virus or critical error such as a
      hardware error.  This affects scrolling in the same way as using the
      "/N" parameter on the command line.  If you set halt to this option,
      be sure that IM is writing a report to a file or to the printer,
      otherwise you may miss some important warnings.

      If you tell IM to halt on "Emergencies Only", then the display will
      almost never pause.  IM will continue processing even if it detects
      a known virus in a file or can't read the disk.  IM will only stop if
      it considers it dangerous to continue or if you're in danger of losing
      important information.  This affects scrolling in the same way as
      using the "/NE" parameter on the command line.  If you set halt to
      this option, be sure that IM is writing a report to a file or to the
      printer, otherwise you may miss some important warnings.

      You can always halt scrolling by hitting the "P" key.

    Sound -------------------------> ON/off
      IM will provide beeps and tones to alert you that something
      important has happened (or that you've hit an unsupported key).
      Hitting ENTER toggles whether you will hear these sounds.

    Integrity Master (tm)              - 39 -                 Version 1.51

    Report: (xxxxxxxxxxxxx)--------> on/OFF
      This allows you to turn the report file off or to ask IM to write a
      report of its activities to either the printer or a disk file.  The
      "xxxxxxxxx" on the option line represents the name of the current
      report file or printer.  The disk file can be automatically named by
      IM or can be any file of your choice.  Please see "The Report
      File" in Chapter three for more details on these options.  This
      option line, along with the third line from top of IM's screen,
      display the status of the report file.

    Video (screen) report ---------> ON/off
      If you have a very slow video board (such as some very old CGA
      adapters), IM will run a little faster if you turn the screen report
      off. (Be sure to turn the report file on!)

    Ignore Time/date changes ------> on/OFF
      Sometimes the DOS time or date stamp on a file will change, but
      the file itself won't change.  If you do not want to have such files
      reported as changed, set this option to "ON".

    Only changes reported ---------> on/OFF
      If you do not want reports of added or deleted files, turn this option
      "on".  If "Only changes reported" is set to "on", then you will see
      only reports of file changes; IM will not report added or deleted
      files.  IM will still update the integrity data to reflect the added or
      deleted files, but it won't report these files.  All other processing
      also continues normally including the detection of companion
      viruses (viruses that appear only as added files).

    Exclude:   ON  and exclude report  OFF
      Selecting this option will pop up the Exclude menu:

         | IM will optionally exclude selected     |
         | files or directories from checking.     |
         |                                         |
         | Please hit ESCape when you are done.    |
         | Exclude checking is now OFF; turn it ON |
         | Reporting is now OFF; turn it ON        |
         | Select files or directories to exclude  |

      The Exclude menu allows you to exclude files or entire directories
      from checking, scanning, or initializing.  The bottom line of the
      Options menu along with the lines on the Exclude menu show
      whether excluding of files or directories is turned on and whether
      reporting of excluded objects is turned on.  Either may be toggled
      on or off at the press of a key.  If reporting of excluded files is
      "ON" and excluding itself is "ON", then a line will appear on the
      report every time a file or directory is bypassed from checking,
      scanning, or initializing. The line will list the particular file or
      directory that was excluded.

    Integrity Master (tm)              - 40 -                 Version 1.51

      You may exclude a file by specifying the precise file name or using
      the wild card characters to specify a series of files.  You can also
      exclude all files within a directory by excluding that directory from
      checking. Either files or directories  can be excluded based on wild
      cards.  For example, you can tell IM to ignore any directory
      beginning with the characters "IM" by  using the wild card: "IM*".
      Or you could tell IM to ignore all your ZIP files (all filenames
      ending in ".ZIP")  by using the wild card "*.ZIP".

      When you're entering file or directory names to exclude, you may
      use the DOS wild card characters: * and ?.  The "*" character
      matches zero or any number of characters, while "?" matches one
      and only one character.  Some examples:

      This name:    Would exclude:      But not:
       A?.*        AB.ABC, AC.D       ABC.ABC, A.DEF, AX
       ??.ABC      XY.ABC, AB.ABC    A.ABC, XYZ.ABC
       A*.A?       A.AB, ABC.AX      A.CB, A.ABC

      Note that a wild card in the form "X*" will exclude any filename
      beginning with "X" (with or without an extension) while "X.*" will
      exclude only files which have an extension.

      If a file or directory is excluded, Integrity Master will no longer
      record information for it.  If integrity data already exists, then  IM
      will remove it.  To make sure you are aware of this, IM will
      always notify you that it is updating the integrity data.   For this
      reason,  you may see changes reported in a directory when you
      otherwise wouldn't expect any.  By asking IM to report what is
      being excluded you can see exactly what is being affected.

      Be very careful when excluding directories.  If a directory is
      excluded, IM will not look at any of the files in that directory or
      any of the subdirectories within that directory.  This means you can
      exclude an entire series of subdirectories (and their associated files)
      by excluding a single directory.

      If you un-exclude files and directories, they will appear as "added"
      the next time you run a check.

    Integrity Master (tm)              - 41 -                 Version 1.51


    When you execute SetupIM for the first time, the Integrity Advisor(tm)
    will set your options in a way most likely to meet your needs and
    interests.  You can later go back and change any of the options that
    were set for you.  If you specify that it's not your first install of IM,
    you will see this menu:

         | Select an option and hit ENTER:      |
         |                                      |
         | Overview of IM setup and operation   |
         | Change how Integrity Master operates |
         | Repeat the install on this PC        |
         | Install IM on another PC             |
         | Quit                                 |

    From this menu, you can select "Change how Integrity Master
    operates" and hit ENTER.  This brings you to the Change menu:

         | Select an option and hit ENTER:      |
         |                                      |
         | Screen display mode                  |
         | Integrity data options               |
         | Advanced options                     |
         | Update hardware configuration        |
         | Exit  - save any changes and end     |
         | Abort - Quit and abandon any changes |


    SetupIM allows you to change certain options that you would only
    want to change very rarely.  All the options on this menu are not
    available within IM itself.


    This allows you to set the screen colors as explained in the Chapter
    Two section titled Screen Colors.  Unless you have problems reading
    the screen, I strongly recommend that you allow IM to continue to
    operate in automatic video mode.  This way it will choose whatever
    colors are best for your video equipment.

    Integrity Master (tm)              - 42 -                 Version 1.51


    This allows you to change how IM stores the integrity data describing
    your files and system sectors.  You can change the name, attribute, or
    the location of your integrity data files.  You can also use this menu
    selection to check what the characteristics of your integrity data files


      You can ask IM to make your integrity data files hidden, read- only,
      or both.  Unless you are used to working with read-only and hidden
      files and consider yourself fairly expert with DOS, I suggest that you
      not set these attributes.  There are quite a few programs that will
      cause confusing results when they work with hidden or read-only files.
      These attributes can easily by overridden by a knowledgeable user or


      You can choose the names that IM will use for the integrity data
      files.  These filenames can be either fixed or variable.  If you
      originally installed a IM version 1.24b or earlier, your integrity
      data was stored in files named ")(.ID".  Each file had this same fixed
      name.  You can now choose your own name for these files or ask IM to
      use variable names.


        To make it more difficult for rogue programs to attack your
        integrity data files, IM can use variable file names.  Both the file
        name and the extension contain some characters which will be
        different for each file. Plus, the remainder of the file name will
        be different for each installation.  When you first install, the
        Integrity Advisor usually selects variable file names to store your
        integrity data.  SetupIM will then explain how these file names are
        formed for your particular installation.  It will also record this
        in the IMPROC.TXT file in case you need to quickly check this later.
        If you install on another PC, these file names will be different
        unless you use the original parameter file.  To make these files
        easier for you to find, you may choose part of both the file name
        and the extension.


        If you choose fixed file names then every integrity data file will
        have the same name.  This makes it very easy to locate these files.
        The drawback is that this also makes it very easy for someone else
        to locate your integrity data files if you keep them in the same
        directory with the files they describe.  A destructive program could
        deliberately delete these files, causing loss of protection.

    Integrity Master (tm)              - 43 -                 Version 1.51


      As IM checks your files, it must store the integrity data that
      describes these files.  Using SetupIM you can change where IM
      stores these files.  There are two options:

      1) It can store the integrity data in the same directory along with
        the files being checked, or

      2) It can store the integrity data on a separate disk (usually a

      Storing the integrity data on a floppy gives you additional
      protection against a virus or a person changing a file and then
      modifying the integrity data to cover up the change.  For viruses,
      this threat is fairly remote since the virus would have to be written
      specifically to attack files created by IM.  This would be very
      difficult since these files are encrypted differently on each PC.
      Storing the integrity data with the files being checked is usually
      easier and more flexible since the integrity data can be copied
      along with the files.  This also makes it easy for you to use IM to
      verify that you've made a good copy when you copy or move the
      files. If you want to restore an old copy of a file from a backup,
      you can restore the integrity data along with the file and then ask
      IM to check that the file was restored correctly.  If you move your
      files, it's easier to move the integrity data along with the files if it's
      stored in the same directory as the files.

    Update hardware configuration

    Please use this option whenever you change the configuration of disk
    drives on your computer, or if you use software that changes the
    assignment of DOS logical disk letters (A to Z) to your physical disk
    drives.  SetupIM will check the capabilities of each of your installed
    disk drives.  This will produce a display showing the drives that
    SetupIM recognizes.  It will also list any drives that do not contain
    DOS boot sectors and any that do not have partition sectors (master
    boot records).

    Exit - save any changes and end

    This updates the parameter file (IM.PRM) with any option changes
    you've selected, and exits SetupIM.

    Abort - Quit and abandon any changes

    This Allows you to exit SetupIM without writing any of your
    changes.  All option changes will be as they were before you entered

    Integrity Master (tm)              - 44 -                 Version 1.51


    If you select this option on the SetupIM change menu, the Advanced
    option menu will appear.

         | Select an option and hit ENTER:                |
         | (Hit ESCape when you're done)                  |
         |                                                |
         | Specify Names of hidden system files           |
         | Define which files are Executable programs     |
         | Define which files are Source programs         |
         | Check for virus in memory is ON; turn it off   |
         | General virus checking is ON; turn it off      |

    This menu is intended for more technically advanced users.  Most IM
    users should never need to use this menu.  When you're finished
    making changes on this menu, just hit ESCape to go back to the
    previous menu.  The Advanced Option menu offers you these options:

    Specify Names of hidden system files

      Selecting this option will allow you to change the names of the files
      that IM recognizes as the hidden system files.  This option is only
      needed on nonstandard PCs that don't use the standard  Microsoft
      or the IBM names for the hidden system files.  The files SetupIM
      recognizes by default are: IBMBIO.COM, IBMDOS.COM,
      IO.SYS and MSDOS.SYS.  If you execute "IMCHECK *.*", in
      your root directory and you don't see two of the above files, but
      instead see two other similarly named files, you may wish to use
      this option so IM recognizes those files.  If you don't understand
      what this is all about, don't worry.  IM's ability to recognize your
      hidden system files is NOT that important.  It simply allows IM to
      provide more specific information in two warning messages.

    Integrity Master (tm)              - 45 -                 Version 1.51

    Define which files are Executable programs

      This option allows you to specify which file extensions (the letters
      after the "." in the file name) IM should consider to represent
      executable programs.  This is important for three reasons:

     1) Non-executable files are not normally checked for known

     2) IM provides special warning when executable programs change.

     3) If you use the Options menu to limit checking to executable
        programs, only these files will be checked.

      Initially, IM will consider files ending in the following extensions
      to be executable programs:

           Numeric extensions such as .123
           .OV?  (where ? can be any character)     .DRV
           .BAT                               .EXE
           .BIN                                             .PIF
           .COM                                            .SYS
           .DLL                              .SWP

      Note that not all these files can actually be affected by viruses, but
      all these files in one way or another contain instructions that are
      executed by your PC.

    Define which files are Source programs

      This option allows you to specify which file extensions (the letters
      after the "." in the file name) IM should consider to be source
      programs.  Source programs are the programs a programmer
      would use to create executable programs.  If you are not a
      programmer then you probably don't care about this option.  This
      option is intended mostly to provide programmers with extra
      warning if something has changed their source code.

    Integrity Master (tm)              - 46 -                 Version 1.51

    Check for virus in Memory

      Selecting this option will toggle the checking of memory for known
      viruses on or off.  If you toggle memory checking on, the option
      line will be changed to read:

         Check for virus in memory is ON; turn it off.

      This indicates that memory checking is now "ON".  If you hit
      ENTER at this point, you will turn it "off", and the option will
      then read:

         Check for virus in memory is OFF; turn it on.

      Having this option "ON" allows IM to detect known viruses that
      are resident in memory.  If you always cold boot from a known
      good copy of DOS on a write-protected diskette, you could safely
      turn this option off, since there would be no way for a virus to be
      resident in memory.  Since it's hard to guarantee that you always
      cold boot, please leave resident memory checking turned on. If you
      execute IM multiple times and you don't want to wait for the
      memory check to complete, you can use the"/B" (Bypass) com-
      mand line parameter to bypass the resident memory check.

    General virus checking

      Selecting this option and hitting enter will toggle checking of files
      for known viruses on or off.  If you have absolutely no interest in
      viruses, you can speed up IM's initialize processing and its check
      processing (only when it encounters changed files) by 10 to 20
      percent.  Since this option imposes so little overhead in normal file
      checking, I suggest everyone leave it turned on.

    Integrity Master (tm)              - 47 -                 Version 1.51

    Chapter Five - Errors

    Error recovery:
    IM replaces the normal DOS error recovery routines with its own
    more sophisticated routines.  If you encounter hardware errors, you'll
    generally see a message announcing what happened followed by a
    screen that will give you the option of retrying the failed operation,
    aborting (allowing whatever IM was trying to do, to fail), or other
    options depending upon the circumstances.  These other options may
    include "Shelling to DOS".  Shelling allows you to temporarily exit
    IM and execute any DOS command (such as formatting a disk) you
    wish.  You then return to IM by typing the EXIT command.  This
    returns you to the same point in IM, just as if you had never left.

    Solving problems:
    If you encounter a problem with IM, please read file
    QUESTION.TXT (for a list of common questions and answers)  and
    file SUPPORT.DOC (for the complete procedure on how to quickly
    get technical support).  File DISKHELP.TXT contains specific
    information on how to handle problems if IM won't recognize your
    disk drive.  You can use IMPRINT or IMVIEW to read any of these
    files. Example:  "IMVIEW SUPPORT.DOC"

    Answers to Common Questions:
    File QUESTION.TXT contains common questions and answers
    regarding IM.  You can read these by entering the command
    "IMVIEW QUESTION.TXT" at the DOS prompt or print with the
    command "IMPRINT QUESTION.TXT".  Here are some examples
    of common questions:

    Q: Sometimes IM comes up with different colors on the screen than
      before. What's going on?

    A: IM checks the DOS video mode indictor on your PC to see if you
      are in color or monochrome mode, as well as directly checking
      your video adapter.  This allows you to use the DOS "MODE
      BW80" to indicate that a two-color display is present on a color
      adapter card.  Some programs change this value to an incorrect
      value.  If this happens to you, use the DOS mode command to set
      the video mode back to the correct state.  For example, enter
      "MODE CO80" to restore normal color mode.  You can also use
      the command line override (or SetupIM) so IM comes up using
      whatever colors you prefer.  "IM /C" would force IM to run in
      color mode.

    Integrity Master (tm)              - 48 -                 Version 1.51

    Q: IM detected a virus on my PC.  I reloaded my system sectors  and
      either deleted or reloaded all infected files, yet the virus keeps
      coming back!  What should I do?

    A: Somewhere a virus is eluding your checks.  Please check the

      o Did you install IM after cold booting from a clean floppy?  It's
        absolutely vital to do a cold boot before checking.

      o Are you using a task switcher (or multi-tasker) such as
        windows?  If so, then this program may be saving some of your
        infected programs in its "swap" file.  This file often ends in the
        letters ".SWP".   Delete this file if it exists.

      o Be sure you check ALL files and floppies that come into  contact
        with your computer.  You may have missed a file or diskette
        somewhere.  Please take the extra time and check them all.

      o It's possible that viral code is hidden somewhere other than an
        executable file.  IM normally checks only executable files
        (programs and overlays) for known viruses.  Try selecting "Disk
        for known Viruses" on the Check menu and selecting "Check
        All files" on that menu.  This will check all files as well as
        system sectors on your disk.  Also, check any other disks that
        you've been using.

    Q: I was just checking a diskette for viruses and IM detected the
      DataCrime 2 virus in a file.  When I restarted IM, it detected the
      DataCrime virus resident in memory!  I never executed the
      program that was infected, so how did the virus get control of my

    A: The virus wasn't really resident or in control of your PC. What
      happened was that a piece of the viral code was left somewhere in
      memory - probably in one of DOS's file buffers.  Although IM
      takes great pains to clear its own buffers and areas of memory, it's
      not unusual to get a false indication of the virus being active in
      memory after detecting a virus in a file or system sector.

    Q: I just did a "DIR" on a diskette which had the "Stoned" boot
      sector virus.  When I ran IM, it reported the virus was active in
      memory.  Can I get a virus by just doing a DIR?

    A: No; you cannot get infected unless you execute an infected
      program or boot from an infected diskette.  When you did the
      "DIR", a copy of the infected boot sector was read into memory.
      IM detected this copy in memory.  Although the virus is in
      memory, this is harmless since the virus code is never executed.
    Integrity Master (tm)           - 49 -        Data Integrity and Viruses

                                   PART TWO

                          Data Integrity and Viruses

                How do I make sure that my programs and files
                               really are safe?

                What threats are even more likely to damage my
                              data than viruses?

                      What really works against viruses?

                      What doesn't work against viruses?

                        Why are viruses so dangerous?

                            How do I kill a virus?


         Copyright 1990-1992, Wolfgang Stiller, All rights reserved.

    Integrity Master (tm)           - 50 -        Data Integrity and Viruses

    Integrity Master (tm)           - 51 -        Data Integrity and Viruses




    Do you have data or programs on your PC which you can't afford to have
    unexpectedly damaged?  How can you make sure that your data is safe?  To
    protect the integrity of your data, you must first understand the nature
    of the threats against it.

    The most publicized threats to your computer are software-based attacks
    often lumped together as "viruses" by the media.  Although viruses are
    often over sensationalized by media coverage, they do present a very
    real menace to your data.  (See the section in this chapter titled How
    serious are viruses?.)  Even if a virus never attacks your PC, it is
    almost inevitable that system glitches will someday corrupt data or
    programs on your PC.  Considering that viruses are but one threat to
    your data and not the most likely threat by far, it's ironic that so
    many people have anti-virus software but so few people take steps to
    protect the integrity of their programs and data from other hazards.
    Can anyone afford NOT to know that each and every byte on their disk is

    So what's the explanation?  Why do so few people take steps to assure
    the integrity of the data on their PC?  The main reason is that data
    integrity gets almost no media coverage, (even in the trade journals),
    while a virus story may make the local evening news.  The result is that
    people just don't give data integrity a second thought. It's all too
    easy to take the reliability of our modern PCs for granted -- and, as
    you'll see, all too dangerous!

    You may be reading this primarily because you're interested in viruses.
    If that's true, then, for you, the media attention to viruses will have
    had a very beneficial effect.  You are about to learn how to protect
    your PC against much more than just viruses!  Data integrity is not a
    very glamorous subject, yet it's both crucial and fundamental to using
    any computer.  Without positive assurance of data integrity, computers
    cannot be depended upon to process any type of important data.  How
    would you respond if someone were going to change a byte of data
    somewhere at random on your disk?  You'd be pretty upset -- right?
    Well, the odds are,  it has already happened but you were not aware of
    it.  Perhaps the result was that a program quit working or CHKDSK found
    lost or cross-linked clusters.  Or per- haps, if you're lucky, the
    damage was to some inconsequential part of your disk.

    Integrity Master (tm)           - 52 -        Data Integrity and Viruses

    Let's explore the different threats to your files and programs:


    These are well known but also all too common.  We all know that when
    your PC or disk get old, they might start acting erratically and damage
    some data before they totally die.  Unfortunately, hardware errors
    frequently damage data on even young PCs and disks.

    Your PC is busy writing data to the disk and the lights go out!
    "Arghhhh!"  Is everything OK?  Maybe so, but it's vital to know for sure
    if anything was damaged.  If your disk drive is starting to fail, you
    can have the same problem.  Regrettably, it's not a question of "if",
    but a question of "when" in regard to disk failure.  There are tools
    (NORTON, MACE, PCtools, etc) to assist in recovery from disk problems,
    but how do you know all the data is OK?  These tools do not always
    recover good copies of the original files.  It's vital to have some way
    to check that these tools really do their job correctly.

    You can have hardware problems on a perfectly healthy PC if you have
    devices installed that do not properly share interrupts.  This problem
    is getting more and more frequent as we see multiple adapters installed
    in a PC that use the same interrupt (IRQ). Sometimes problems are
    immediately obvious, other times they are subtle and depend upon certain
    events to happen at just the wrong time, then suddenly strange things


    These are an all too frequent cause of data corruption.  This commonly
    happens when you are intending to delete or replace one file but
    actually get another.  By using wild cards, you may experience a really
    "wild" time.  "Hmmm I thought I deleted all the *.BAK files . . . but
    they're still here . . . something was deleted . . . what was it? . . .
    or was I in the other directory?"  Of course if you're a programmer or
    if you use sophisticated tools like Norton's sector editor (NU), then
    your fingers can really get you into trouble!


    Someone may accidentally or deliberately delete or change a file on your
    PC when you're not around.  If you don't keep your PC locked in a safe,
    then this is a risk.  Who knows what was changed or deleted?  Wouldn't
    it be nice to know if anything changed over the weekend?  Most of such
    damage is done unintentionally by someone whom you probably know.  This
    person didn't mean to cause trouble; they simply didn't know what they
    were doing when they used your PC.

    Integrity Master (tm)           - 53 -        Data Integrity and Viruses


    This category accounts for more damage to programs and data than any
    other.  We're talking about non-malicious software problems here, not
    viruses.  Software conflicts, by themselves, are much more likely
    threats to your PC than virus attacks.

    We run our PCs today in a complex environment.  There are many resident
    programs (TSRs such as Sidekick) running simultaneously with various
    versions of DOS, BIOS and device drivers.  All these programs execute at
    the same time, share data and are vulnerable to unforeseen interactions
    between each other.   Naturally, this means that there may be some
    subtle bugs waiting to "byte" us.  Anytime a program goes haywire,
    there's the risk it may damage information on disk.

    There's the further problem that not all programs do what we hope they
    will.  If you have just undeleted a file, did you really get all the
    correct clusters back in the right order?   When CHKDSK "fixes"
    your disk for you, isn't it essential to know exactly what files it
    changed to do its job?  This is one more reason why everyone must have
    the capability to verify data integrity.


    These are programs written deliberately to vandalize someone's computer
    or to use that computer in an unauthorized way.  Even though some
    viruses do not intentionally damage your data, I consider all viruses to
    be malicious software since they modify your programs without your
    permission, with occasional disastrous results.  There are many forms of
    malicious software; sometimes the media refers to all malicious software
    as viruses.  It's important to understand the distinction between the
    various types.  Let's examine the different types of malicious software:


    Just like a real bomb, a logic bomb will lie dormant until triggered by
    some event.  The trigger can be a specific date, the number of times
    executed, a random number, or even a specific event such as deletion of
    an employee's payroll record.   When the logic bomb is triggered, it
    will usually do something unpleasant. This can range from changing a
    random byte of data somewhere on your disk to making the entire disk
    unreadable.  Changing random data  may be the most insidious attack
    since it generally causes substantial damage before anyone notices that
    something is wrong. It's vital to have some data integrity software in
    place so that such damage can be quickly detected. Although you can
    detect it after the fact, there is unfortunately no way to prevent a
    well written logic bomb from damaging your system. On the other hand, a
    logic bomb that uses standard DOS or BIOS requests to do its dirty work
    can be caught by most interceptor type programs (see Chapter Two).

    Integrity Master (tm)           - 54 -        Data Integrity and Viruses


    These are named after the Trojan horse, which delivered soldiers into
    the city of Troy.   Likewise, a trojan program is a delivery vehicle for
    some destructive code (such as a logic bomb or a virus) onto a computer.
    The trojan program appears to be a useful program of some type, but when
    a certain event occurs, it does something nasty and often destructive to
    the system.


    A worm is a self-reproducing program that does not infect other programs
    as a virus will, but instead creates copies of itself, that create even
    more copies.   These are usually seen on networks and on
    multi-processing operating systems, where the worm will create copies of
    itself that are also executed.  Each new copy will create more copies
    quickly clogging  the system.  The so-called ARPANET/INTERNET "virus"
    was actually a worm. It created copies of itself through the ARPA
    network, eventually bringing the network to its knees.  It did not
    infect other programs as a virus would, but simply kept creating copies
    of itself that would then execute and try to spread to other machines.


    Viruses are a cause of much confusion and a target of considerable
    misinformation even from some so-called virus experts.  Let's define
    what we mean by virus:

    A virus is a program that reproduces its own code by attaching itself
    to other programs in such a way that the virus code is executed when the
    infected program is executed.

    You could probably also say that the virus must do this without the
    permission or knowledge of the user, but that's not a vital distinction
    for purposes of our discussion here.

    Most viruses do their "job" by placing self-replicating code in other
    programs, so that when those other programs are executed, even more
    programs are "infected" with the self-replicating code.  This
    self-replicating code, when triggered by some event, may do a
    potentially harmful act to your computer.  Viruses are initially
    distributed in the form of a trojan.  In other words, the virus code has
    been planted in some useful program.  Since the virus infects other
    useful programs, absolutely any piece of executable code will suddenly
    become a trojan delivery vehicle for the virus.

    Another way of looking at viruses is to consider them to be programs
    written to create copies of themselves.  These programs attach these
    copies onto other programs (infecting these programs).  When one of
    these other programs is executed, the virus code (which was attached to
    that program) executes, and links copies of itself to even more


    Viruses come in a great many different forms, but they all potentially
    have two phases to their execution, the infection phase and the attack

   1) When the virus executes it will infect other programs.  What's
      often not clearly understood is precisely WHEN it will infect the
      other programs.  Some viruses infect other programs each time
      they are executed; other viruses infect only upon a certain trigger.
      This trigger could be anything; it could be a day or time, an
      external event on your PC, a counter within the virus, etc.
      Modern viruses have become more selective about when they
      infect programs.  Being selective improves the virus' chance to
      spread; if they infect too often, they will tend to be detected before
      they have enough time to spread widely.  Virus writers want their
      programs to spread as far as possible before anyone notices them.
      This brings up an important point which bears repeating:

    Integrity Master (tm)           - 56 -        Data Integrity and Viruses

      Many viruses go resident in the memory of your PC in the same way as
      terminate and stay resident (TSR) programs such as Sidekick. This
      means the virus can wait for some external event before it infects
      additional programs.  The virus may silently lurk in memory waiting
      for you to insert a diskette, copy a file, or execute a program,
      before it infects any other programs.  This makes these viruses more
      difficult to analyze since it's hard to guess what trigger condition
      they use for their infection.  Resident viruses frequently corrupt the
      system software on the PC to hide their existence.  This technique is
      called "stealth" and I'll cover this in more detail shortly.

   2) The second phase is the attack phase.  Many viruses do unpleasant
      things such as deleting files or changing random data on your disk,
      simulating typos or merely slowing your PC down; some viruses
      do less harmful things such as playing music or creating messages
      or animation on your screen.  Just as the virus's infection phase
      can be triggered by some event, the attack phase also has its own
      trigger.  Viruses usually delay revealing their presence by
      launching their attack only after they have had ample opportunity
      to spread.  This means that the attack may be delayed for years
      after the initial infection.  The attack phase is optional, many
      viruses simply reproduce and have no trigger for an attack phase.
      Does this mean that these are "good" viruses?  No, unfortunately
      not!  Anything that writes itself to your disk without your
      permission is stealing storage and CPU cycles.  This is made
      worse since viruses that "just infect", with no attack phase,
      damage the programs or disks they infect.  This is not an
      intentional act of the virus, but simply a result of the fact that
      many viruses contain extremely poor quality code.  One of the
      most common viruses, the STONED virus is not intentionally
      harmful. Unfortunately, the author did not anticipate the use of
      anything other than 360K floppy disks.  The virus will try to hide
      its own code in an area on 1.2mb diskettes, resulting in corruption
      of the entire diskette.

    Integrity Master (tm)           - 57 -        Data Integrity and Viruses

    Now that we've examined general virus behavior, let's take a closer
    look at the two major categories of viruses and how they operate.


    These are viruses that plant themselves in your system sectors.
    System sectors are special areas on your disk containing programs
    that are executed when you boot your PC.  Sectors are not files but
    simply small areas on your disk that your hardware reads in single
    chunks.  Under DOS, sectors are most commonly 512 bytes in length.
    These sectors are invisible to normal programs but are vital for
    correct operation of your PC.  They are a common target for viruses.
    There are two types of system sectors found on DOS PCs:

    DOS Boot Sectors

      The very first sector on disk or diskette that DOS is aware of is the
      boot  sector.  From a DOS perspective, this is the first sector on
      the disk.  This sector can contain an executable program whether
      the disk is bootable or not.  Since this program is executed every
      time you power on or boot your PC, it is very vulnerable to virus
      attack.  Damage to this sector can make your disk appear to be
      unreadable.  This sector is rewritten whenever you do a "SYS" or
      a "FORMAT /S" to a disk.

      Warning: Even a non-bootable floppy can contain a virus in  the
      boot sector.  If you leave the floppy in your PC when you power
      on or boot, you will be infected even though the PC won't
      successfully boot from that floppy.

    Partition Sectors

      On hard (fixed) disk drives, the very first sector is the partition
      sector (also known as the master boot record or partition table).
      Each physical hard disk drive has one of these sectors.  A single
      physical disk can be partitioned into one or more logical disks.  For
      example, you may have a physical drive partitioned into C: and D:
      logical disks so that your single physical disk appears (to DOS) to
      be two logical disks.  The  single partition sector contains the
      information that describes both logical disks. If the partition sector
      is damaged, then DOS may not even recognize that your disk

      The partition sector also contains a program that is executed every
      time you power up or boot your PC.  This program executes and
      reads the DOS boot sector that also contains a program.  Many
      viruses plant their code in the partition sector.

    Integrity Master (tm)           - 58 -        Data Integrity and Viruses

    System sector viruses modify the program in either the DOS boot
    sector or the partition sector.  Since there isn't much room in the
    system sector (only 512 bytes), these viruses usually have to hide
    their code somewhere else on the disk.  These viruses sometimes
    cause problems when this spot already contains data that is then
    overwritten.  Some viruses, such as the Pakistani BRAIN virus, mark
    the spot where they hide their code as bad clusters.  This is one
    reason to be alarmed if CHKDSK suddenly reports additional bad
    sectors on your disk.  These viruses usually go resident in memory on
    your PC, and infect any floppy disk that you access.  Simply doing a
    DIR on a floppy disk may cause it to be infected.  Some viruses will
    infect your diskette immediately when you close the drive door.
    Since they are active in memory (resident), they can hide their
    presence.  If BRAIN is active on your PC, and you use a sector editor
    such as Norton's NU to look at the boot sector of an infected diskette,
    the virus will intercept the attempt to read the infected boot sector and
    return instead a saved image of the original boot sector.  You will see
    the normal boot sector instead of the infected version.  Viruses that
    do this are known as stealth viruses.

    In addition to infecting diskettes, some system sector viruses spread
    by also infecting files.  Viruses of this type are called "multipartite"
    (multiple part) viruses.  Since they can infect both files and sectors
    have more avenues to spread and are more difficult to remove.

    File Viruses

    In terms of sheer number of viruses, these are the most common kind.
    The simplest file viruses work by locating a type of file that they know
    how to infect (usually a file name ending in ".COM" or ".EXE") and
    overwriting part of the program they are infecting. When this program is
    executed, the virus code executes and infects more files.  These
    overwriting viruses do not tend to be very successful since the
    overwritten program rarely continues to function correctly and the virus
    is almost immediately discovered.  The more sophisticated file viruses
    save (rather than overwrite) the original instructions when they insert
    their code into the program.  This allows them to execute the original
    program after the virus finishes so that everything appears normal.
    Just as system sector viruses can remain resident in memory and use
    "stealth" techniques to hide their presence, file viruses can hide this
    way also.  If you do a directory listing, you will not see any increase
    in the length of the file and if you attempt to read the file, the virus
    will intercept the request and return your original uninfected program
    to you.  This can sometimes be used to your advantage.  If you have a
    "stealth" virus (such as 4096 or Dir-2), you can copy your program files
    (*.EXE and *.COM files) to files with other extensions and allow the
    virus to automatically disinfect your files!  If you "COPY *.COM
    *.CON", and then cold boot your PC from a known good copy of DOS and
    "REN *.CON *.COM", this will disinfect the renamed files.

    Integrity Master (tm)           - 59 -        Data Integrity and Viruses

    Some file viruses (such as 4096) also infect overlay files as well as
    the more usual *.COM and *.EXE files.  Overlay files have various
    extensions, but ".OVR" and ".OVL" are common examples.


    Would you believe that a virus can infect your files without changing a
    single byte in the file?  Well, it's true!  There are two types of
    viruses that can do this.  The more common kind is called the companion
    or spawning type virus.  This virus infects your files by locating a
    file name ending in ".EXE".  The virus then creates a matching file name
    ending in ".COM" that contains the viral code. Here's what happens;
    let's say a companion virus is executing (resident) on your PC and
    decides it's time to infect a file.  It looks around and happens to find
    a file called "WP.EXE".  It now creates a file called "WP.COM"
    containing the virus.   The virus usually plants this file in the
    current directory although it could place it in any directory on your
    DOS path.  If you type "WP" and hit enter, DOS will execute "WP.COM"
    instead of "WP.EXE".  The virus executes, possibly infecting more files
    and then loads and executes "WP.EXE". The user probably won't notice
    anything wrong.  This type of virus is fortunately easy to detect by the
    presence of the extra ".COM" files. There are some instances where it is
    normal to have both ".COM" and ".EXE" files of the same name (such as
    DOS 5's DOSSHELL) but this is relatively rare.

    There is a new type of virus known as a "cluster" virus that infects
    your files not by changing the file or planting extra files but by
    changing the DOS directory information so that directory entries point
    to the virus code instead of the actual program.  When you type the name
    of the program, DOS loads and executes the virus code, the virus then
    locates the actual program and executes it.  Dir-2 is an example of this
    type of virus and is now spreading rapidly around the world.  I am
    deliberately keeping the description of this type of virus rather vague
    to avoid making it easier to write this type of virus.


    To confound virus scanning programs, virus writers created polymorphic
    viruses.  These viruses are more difficult to detect by scanning because
    each copy of the virus looks different that the other copies.  One virus
    author even created a tool kit for other virus writers to use called the
    "Dark Avenger's Mutation Engine" (also known as MTE or DAME).  This
    allows someone who has a normal virus to use the mutation engine with
    their virus code.  If they use the mutation engine, each file infected
    by their virus will have what appears to be totally different virus code
    attached to it.  Fortunately, the code isn't totally different and now
    anyone foolish enough to use the muta- tion engine with their virus will
    be creating a virus that will be immediately detected by most of the
    existing scanners.  The existing viruses (such as Pogue, Dedicated,
    CoffeeShop, CryptLab, and Groove) which use the mutation engine pose
    little threat since they are all simple minded and rather buggy.

    Integrity Master (tm)           - 60 -        Data Integrity and Viruses


    Besides the mutation engine, there are now several tool kits available
    to help people create viruses.  Several of these programs allow someone
    who has no knowledge of viruses to create their own "brand new" virus.
    One of these tool kits known as the Virus Creation Laboratory (VCL) has
    a very slick user interface with pull down menus and on-line help.  You
    just pick your choices from the various menus and in a flash you've
    created your very own virus.  While this sounds like a pretty ominous
    development for scanning technology, it's not as bad as it sounds.  All
    the existing tool kits (such as VCS, VCL and MPC) create viruses that
    can be detected easily with existing scanner technology.  The danger
    with these tool kits lies in the fact that it's possible to create such
    a tool kit that could create viruses that really are unique.
    Fortunately, this hasn't been done yet, but it's only a matter of time
    before this tool kit will be created.  This will make scanning-based
    products useless; the only reliable way to detect these viruses will be
    with an integrity check product.


    There are more PC viruses than all other types of viruses combined (by a
    large margin).  Estimates of exactly how many there are vary widely and
    the number is constantly growing.  In 1990, estimates ranged from 200 to
    500; then in 1991 estimates ranged from 600 to 1300 different viruses.
    In late 1992, estimates are ranging from 1000 to 2300 viruses.  This
    confusion exists partly because it's difficult to agree on how to count
    viruses.  New viruses frequently arise from some idiot taking an
    existing virus that does something like put a message out on your screen
    saying: "Your PC is now stoned" and changing it to say something like
    "Donald Duck is a lie".  Is this a new virus?  Most "experts" say "yes."
    This is a trivial change that can be done in less than two minutes
    resulting in yet another "new" virus.  Another problem comes from
    viruses that try to conceal themselves from scanners by mutating.  In
    other words, every time the virus infects another file, it will try to
    use a different version of itself. These viruses are known as
    "polymorphic" viruses.  One example, the WHALE (a huge clumsy 10,000
    byte virus) creates 33 different versions of itself when it infects
    files.  At least one person counts this as 33 different viruses on their
    list.  Many of the large number of viruses known to exist have not been
    detected in the wild but probably exist only in someone's virus
    collection. Several authors of anti-virus products, including Mark
    Washburn and Ralph Burger, have written sophisticated viruses that are
    now on the loose, but other viruses that they created apparently exist
    only in virus collections.
    Integrity Master (tm)           - 61 -        Data Integrity and Viruses

    David M. Chess of IBM's High Integrity Computing Laboratory reports in
    the November 1991 Virus Bulletin that "about 30 different viruses and
    variants account for nearly all of the actual infections that we see in
    day-to-day operation."  We now find that about 38 different viruses
    account for all the viruses that actually spread in the wild. How can
    there be only 38 viruses active when some "experts" report such high
    numbers?  This is probably because most viruses are poorly written and
    cannot spread at all or cannot spread without betraying their presence.
    Although the actual number of viruses will probably continue to be hotly
    debated, what is clear is that the total number of viruses is increasing
    rapidly, although perhaps not quite as rapidly as the numbers might


    It's important to keep viruses in perspective.  There are many other
    threats to your programs and data that are MUCH more likely to harm you
    than viruses.  A well known anti-virus researcher once said that you
    have more to fear from a cup of coffee (which may spill) than from
    viruses.  While the growth in number of viruses now puts this statement
    into question, it's still clear that there are many more occurrences of
    data corruption from other causes than from viruses. So, does this mean
    that viruses are nothing to worry about? Emphatically, no!  It just
    means that it's foolish to spend much money and time on addressing the
    threat of viruses if you've done nothing about the other more likely
    threats to your files.  Because viruses are deliberately written to
    invade and possibly damage your PC, they are the most difficult threat
    to guard against.  It's pretty easy to understand the threat that disk
    failure represents and what to do about it (although surprisingly few
    people even address this threat).  The threat of viruses is much more
    difficult to deal with.  There are no "cures" for the virus problem.
    Why is this so?  We'll explore this in the next chapter on Protecting
    Your PC.

    Integrity Master (tm)           - 62 -        Data Integrity and Viruses

     N O T E S :

    Integrity Master (tm)           - 63 -        Data Integrity and Viruses



    Hardware is the foundation upon which your whole system is built. If you
    have more than one or two PC's, you probably owe it to yourself to buy
    some diagnostic programs.  If your PC is performing strangely or if a
    file is damaged, it's crucial to be able to determine whether hardware
    is the cause.  You probably don't want to call in a repair person each
    time something strange happens.  Even if you have just one or two PCs,
    there are some modestly priced diagnostic programs that are worth

    One problem with diagnostic software (and hardware too, for that matter)
    is that when you run the diagnostics, everything may work perfectly, yet
    some time earlier there definitely was a problem. Intermittent problems
    like this are all too common.  Disk problems can be the most insidious
    in this respect.  When you run the diagnostics everything works fine.
    How can you find out what's happening?  Run a comprehensive data
    integrity product (surprise)! This way you can find out if some data was
    damaged, but you don't have to spend days running diagnostics.  This
    also gives you early warning if your disk just starting to have

    If you haven't already, consider buying whatever you can to prevent your
    hardware from failing in the first place.  Buy surge protectors, keep
    your PC clean, and regularly clean the heads on your tape and diskette
    drives.  Be sure to protect your PC and keyboard from spilled coffee and
    similar threats.

    Your hard disk is going to fail!  It's not "if" but "when"!  It's
    absolutely vital to be able to deal with this threat.  Basic to dealing
    with this threat and most of the others is having backups.  Please read
    the section in Chapter five on Backup Policy.  Your hard disk will most
    likely start performing erratically before it totally fails. It's
    essential to detect this as early as possible before much data gets
    damaged.  It will very likely NOT be obvious to you whether a hardware
    problem, software problem or a virus is damaging your files.  More on
    making this determination in the section in Chapter Five  titled
    Determining Causes of Corruption.


    Damage to your files could be caused by hardware, software or who knows
    what.  When you are having the problem, your main concern is often not
    what caused it, but how to fix the damage.  This is where the disk
    utility programs offered by Gibson, Norton, Mace, and Central Point are
    often very handy.  They can sometimes take unreadable data and extract

    Integrity Master (tm)           - 64 -        Data Integrity and Viruses

    some of it, or if you have logical damage to your disk such as
    cross-linked clusters, these programs (and DOS CHKDSK) may be able to
    fix things for you.  Unfortunately, things are not always fixed
    perfectly when these programs say they are. Using a data integrity
    product (such as Integrity Master) will allow you to determine if
    everything really was put back together again. More importantly, a data
    integrity product can be used to more accurately diagnose what is wrong
    to begin with, so you don't attempt a repair which actually makes things

    Who has never accidentally deleted or copied onto the wrong files? Very
    few of us!  If you have a data integrity product (such as Integrity
    Master), a  utility package (Norton, Mace, PCtools, etc.) and current
    backups, you're all set.  You could probably do without the utilities,
    but it's rather convenient to be able to unerase files after you
    inadvertently delete the wrong ones (this is built into DOS 5).  Of
    course, a backup program or an undelete utility won't help you if you
    didn't notice the incorrect delete when it happened and you now don't
    know what to restore or undelete.  That's why data integrity software is
    a vital component to handling this threat.


    This may not be an issue if you keep your PC is kept locked in a vault
    when you're not using it, but otherwise you can never be sure that an
    intruder hasn't changed something on your PC.  Do you think I am
    exaggerating?  I am not!  The intruder may be your spouse or offspring.
    They probably have no intention of changing anything but may be confused
    on how to use one of the programs on your PC, with the result that they
    inadvertently change the wrong file.  On the other hand, you may work in
    an environment where someone may want to deliberately do you harm or
    perhaps just "play a little joke" on you.

    There are programs available that modify the partition sector on your PC
    so that the hard disk is unavailable unless someone provides a password.
    There are add-in boards that provide the same function. Some PCs (e.g.,
    PS/2 PCs) come with a power-up password.  You can lock the case to your
    PC to make it more difficult to open.  You may wish to consider any of
    these options depending upon how much risk you face, but please realize
    that they can all be bypassed in less than ten minutes by a
    knowledgeable user.  Surveillance cameras are regarded as a fairly good
    deterrent to PC tampering.

    While you can't totally stop someone from breaking into your PC, you can
    detect and correct the damage.  By using an integrity program that
    allows you to encrypt the integrity data or store the data off-line (on
    floppies), you can detect any illegal tampering, even from a technically
    advanced adversary.

    Integrity Master (tm)           - 65 -        Data Integrity and Viruses


    There are various methods in use to protect against viruses. What
    follows is a quick review of the viral defense mechanisms that are
    widely used today.


    Once a virus has been detected, it is possible to write programs that
    look for telltale code (signature strings) characteristic of the virus.
    The writers of the scanner then extract identifying strings from the
    virus.  The scanner uses these signature strings to search memory,
    files, and system sectors.  If the scanner finds a match, it announces
    that it has found a virus.  This obviously detects only known, pre-
    existing, viruses.  Many so-called "virus writers" create "new" viruses
    by modifying existing viruses. This takes only a few minutes but creates
    what appears to be a new virus. It happens all too often that these
    viruses are changed simply to fool the scanners.

    The major advantage of scanners is that they allow you to check programs
    before they are executed.  Scanners provide the easiest way to check for
    new software for old (known) viruses.  Since they have been aggressively
    marketed and since they provide what appears to be a simple painless
    solution to viruses, scanners are the most widely used anti-virus

    Too many people seem to regard "anti-virus product" and "scanner" as
    synonymous terms.  The peril here is that if too many people depend
    solely upon scanners, newly created viruses will spread totally
    unhindered causing considerable damage before the scanners catch up with
    the viruses.  An example of this was the attack by the Maltese Amoeba
    (Irish) virus in the UK.  This virus was not detected prior to its
    destructive activation on November 1, 1991.  Prior to its attack, it
    had managed to spread quite widely and none of the existing (mostly
    scanner-based) products detected this virus. According to the December
    1991 Virus Bulletin:

    "Prior to November 2nd, 1991, no commercial or shareware scanner (of
    which VB has copies) detected the Maltese Amoeba virus.  Tests showed
    that not ONE of the major commercial scanners in use (the latest
    releases of Scan, Norton Anti-virus, Vi-Spy, VISCAN, Findvirus, Sweep,
    Central Point Anti-virus, et al.) detected this virus."

    This indicates the hazard of depending upon scanner technology or active
    monitor technology for virus protection.

    Integrity Master (tm)           - 66 -        Data Integrity and Viruses

    Another major drawback to scanners is that it's dangerous to depend upon
    an old scanner.  With the dramatic increase in the number of viruses
    appearing, it's risky to depend upon anything other than the most
    current scanner.  Even that scanner is necessarily a step behind the
    latest crop of viruses since there's a lot that has to happen before the
    scanner is ready:

   o The virus has to be detected somehow to begin with.  Since the existing
     scanners won't detect the new virus, it will have some time to spread
     before someone detects it by other means.

   o The newly discovered virus must be sent to the programmers to analyze
     and extract a suitable signature string.  This string must be tested
     for false positives on legitimate programs.

   o This string must be incorporated into the next release of the virus

   o The virus scanner must be distributed to the customer.

   o In the case of retail software, the software must be sent to be
     packaged, to the distributors, and then on to the retail outlets.
     Commercial retail software takes so long to get to the shelves, that it
     is almost certainly out of date.  Yet, many retail products depend upon
     their scanner for most of their effectiveness.

    If you depend upon a scanner, be sure to get the latest version directly
    from the author.  Also, be sure that you boot from a clean
    write-protected copy of DOS before running the scanner; there's a good
    chance that the scanner can detect a resident virus in memory, but if it
    misses the virus in memory, the scanner will wind up spreading the virus
    rather than detecting it.  Every susceptible program on your disk could
    be infected in a matter of minutes this way!


    Most vendors that sell scanners also sell a disinfector (sometimes it's
    the same program).  A disinfector has the same limitations that a
    scanner has, in that it must be current to be safe to use and it's
    always one step behind the latest crop of viruses.  The disinfector,
    however, has an even bigger disadvantage:  Many viruses simply cannot be
    removed without damaging the infected file.  There have also been
    numerous reports that files are still damaged even when the program
    claims to have disinfected the file.  A disinfector like a scanner can
    be a very handy tool in your anti-virus arsenal, but it must be used
    with care.  If you use a disinfector, be sure you have the latest
    version direct from the author and use an integrity check to verify that
    all files and system sectors are correctly restored.

    Integrity Master (tm)           - 67 -        Data Integrity and Viruses

    Currently, one of the oldest and most common infectors of files is the
    Jerusalem (1813) virus.  All disinfectors naturally claim to be able to
    remove this virus.  Yet the Jerusalem virus frequently overwrites part
    of the original file (due mostly to its many bugs) making it impossible
    to restore the infected program.  In spite of this, most (if not all)
    disinfectors claim to disinfect Jerusalem infected files.  A very
    dangerous situation!  I'd like to stress that:



    Interceptors (also known as resident monitors) are particularly useful
    for deflecting logic bombs and trojans.  The interceptor monitors
    operating system requests that write to disk or do other things that the
    program considers threatening (such as installing itself as a resident
    program).  If it finds such a request, the interceptor generally pops up
    and asks you if you want to allow the request to continue.  There is,
    however, no reliable way to intercept direct branches into low level
    code or to intercept direct input and output instructions done by the
    virus itself.  Some viruses even manage to disable the monitoring
    program itself.   It is important to realize that monitoring is a risky
    technique.  Some products that use this technique are so annoying to use
    (due to their frequent messages popping up) that some users consider the
    cure worse than the disease!  An interception (monitoring) product would
    be a useful adjunct to a data integrity program, as protection against
    some the more simple minded logic bombs.


    There are two types of inoculators or so-called "immunizers." One
    modifies files or system sectors in an attempt to fool viruses into
    thinking that you are already infected.  The inoculator does this by
    making the same changes that the viruses use to identify the file or
    sector as infected.  Presumably, the virus will not infect anything
    because it thinks  everything is already infected.  This works only for
    a very small number of viruses.

    The second technique is actually an attempt to make your programs
    self-checking by attaching a small section of check code onto your
    programs.  When your program executes, the check code first computes the
    check data and compares it with the stored data.  It will warn you if it
    finds any changes to the program. Not only can this be circumvented by
    existing stealth viruses, but the self-checking code and check data can
    be modified or disabled as well.   Another problem arises because some
    programs refuse to run if they have been modified in this way.  This
    also creates alarms from other anti- virus programs since the attached
    self-check code changes the original program in the same way a virus
    would. Some products use this technique to substantiate their claim to
    detect unknown viruses.

    Integrity Master (tm)           - 68 -        Data Integrity and Viruses

    ROM and Encryption

    Placing executable code on a hardware write-protected device, will
    protect all those programs on that device.  Some PCs provide DOS in ROM
    (Read Only Memory). This provides some degree of protection, but all the
    other programs are still vulnerable to infection. The more programs you
    can isolate on a write-protected device, the more effective this
    technology is.

    Encryption is a promising technique that so far has not been
    successfully used to protect a system.  Encrypting as many of your files
    as possible makes life harder for viruses, but does not stop them since
    there is always some unencrypted code around (boot sector, BIOS, DOS,
    device drivers, etc).


    Integrity check based products work by reading your entire disk and
    recording integrity data that acts as a signature for the files and
    system sectors.  An integrity check program is the only solution that
    can handle all the threats to your data along with viruses.  Integrity
    checkers also provide the only reliable way to discover what damage a
    virus has done.  A well-written integrity checker should be able to
    detect any virus, not just known viruses.
    So, why isn't everyone using an integrity checker?  Well, until
    recently, there hasn't been an integrity checker available without some
    significant drawbacks.  In fact, many anti-virus products now
    incorporate integrity checking techniques.  One problem with many
    products is that they don't use these techniques in a comprehensive way.
    There are still too many things not being checked. Some older integrity
    checkers were simply too slow or hard to use to be truly effective. A
    disadvantage of a bare-bones integrity checker is that it can't
    differentiate file corruption caused by a bug from corruption caused by
    a virus.  Only recently have advanced integrity checkers (e.g.,
    Integrity Master) become available that incorporate the smarts to
    analyze the nature of the changes and recognize changes caused by a
    virus.  Some integrity checkers now use other anti-virus techniques
    along with integrity checking to improve their intelligence and ease of

    Integrity Master (tm)           - 69 -        Data Integrity and Viruses

    If you choose an integrity checker, be sure it has all these

    o It's easy to use with clear, unambiguous reports and built-in help.

    o It hides complexity, so that complicated details of system file or
      system sector changes are only presented if they present
      information the user must act upon.

    o The product recognizes the various files on the PC so it can alert
      the user with special warnings if vital files have changed.

    o It's fast.  An integrity checker is of no use if it's too slow to run.

    o It recognizes known viruses, so the user doesn't have to do all the
      work to determine if a change is due to a software conflict, or if it's
      due to a virus.

    o It's important that the integrity computation be more sophisticated
      than a mere checksum.  Two sectors may get reversed in a file or
      other damage may occur that otherwise rearranges data in a file.  A
      checksum will not detect these changes.

    o It's comprehensive.  Some integrity checkers, in order to improve
      their speed, don't read each file in its entirety.  They read only
      portions of larger files.  They just spot check.  This is unacceptable
      -- it's important to know the file hasn't changed, not just that some
      of the file hasn't changed.

    o It checks and restores both boot and partition sectors.  Some
      programs check only files.

    (Fortunately, Integrity Master does all these things.)

    Integrity Master (tm)           - 70 -        Data Integrity and Viruses


    There are currently some gadgets (hardware devices) that are sold as
    virus protection.   So far, I haven't seen anything that provides
    protection beyond what is offered by software-only products.  Beyond
    putting some of the anti-virus code in read only memory (ROM), I've seen
    little that can be accomplished by existing hardware.  In one product,
    the hardware was used to store some integrity data; a floppy disk can do
    the same thing and it's actually more secure.


    Hardware techniques, such as placing all your programs in read only
    memory (ROM), can, in theory, provide virus prevention, but nothing even
    comes close to doing this yet.  Pure software techniques can probably
    not prevent all viruses.  There are all sorts of schemes that make it
    more difficult for a virus to penetrate your system, but none totally
    eliminate the threat of a virus.  For each software-based technique,
    there is a way a virus could circumvent it.  Software helps a lot, but
    isn't absolute protection.  While prevention of viruses may not be
    possible, detection is.  Detection, if applied carefully, can detect all
    viruses, no matter how tricky.  If viruses are detected before they
    spread, the most serious aspect of the virus threat is eliminated.  If
    integrity checking (detection) is practiced widely, the threat of a
    virus spreading to millions of PCs and then years later doing a
    destructive act can be eliminated.

    Integrity Master (tm)           - 71 -        Data Integrity and Viruses



    Attachment to a network or BBS
      Simply being attached to a network (such as CompuServe, or
      Internet), a bulletin board system (BBS), or even a local area
      network (LAN) will not make you susceptible to viruses.  The only
      way you can get a virus is to execute a program on your PC that
      you obtained over the network.  The mere act of downloading the
      program is harmless; it's only by downloading and then executing
      an infected program that your PC can become infected.  I hope it's
      clear that the mere act of reading electronic mail cannot infect your

      There is one thing that can happen though.  If you have the device
      driver ANSI.SYS (or an equivalent) loaded (in your CONFIG.SYS
      file), someone could send a sequence of characters to your screen
      (ANSI sequence) that assigns a set of key strokes to a key on your
      keyboard. These keystrokes could easily be something harmful like
      "DEL *.*".  When you hit the key that was reassigned, the
      command would execute just as if you had typed it yourself. This
      "practical joke" could cause some trouble, but it certainly can't
      reproduce and isn't a virus.

    From Data
      Since data is not executed, you cannot become infected from data.
      If someone sent you a data file that contained a virus, you would
      have to rename the file and then execute it to become infected!
      You can, however, become infected from a diskette that is not
      bootable and contains no (apparent) programs.  The explanation for
      this is that all diskettes have a boot sector that contains a program
      that can become infected by a boot sector virus.  If you leave such
      an infected diskette in your drive when you power up or boot, your
      PC will be infected!

    From CMOS Memory
      PC AT (80286 and 80386 based) type computers and later models
      contain a small amount of battery backed CMOS memory to store
      the configuration and to maintain the time and date.  This memory
      is never executed, so although it could be damaged by a virus, you
      can never become infected from CMOS memory.

    Integrity Master (tm)           - 72 -        Data Integrity and Viruses


    I've discussed the various approaches to the virus problem, and
    you've no doubt seen that there are no instant cures for viruses, yet
    many products make claims that they can't quite support.  Everyone
    would like to just buy product X, run it, and be rid of viruses forever.
    Unfortunately there is no such easy cure.


    There have been many articles and books written by various virus
    "experts" that propose doing all kinds of things to virus proof your PC.
    Here are some of the tricks that I consider most widespread and most

    Write-protecting Your Files

      You can use the DOS ATTRIB command to set the read only bit on files.
      This is so easy for a virus (or any program) to bypass, that it simply
      causes far more problems than it cures.

    Hiding or renaming COMMAND.COM

      COMMAND.COM is a program that executes each time you boot your PC.
      There was an early virus that only infected COMMAND.COM, so the idea
      of hiding or renaming this file began.  Today, many viruses actually
      go out of their way to avoid infecting this file, since some
      anti-virus products single out this file and a few others for special
      scrutiny. With today's viruses, hiding COMMAND.COM is utterly futile.

    Checking Time and Date Stamps

      While it's helpful to check the time and date stamps of your
      executable files for unexpected changes, this is not a reliable way to
      catch viruses.  Many viruses are smart enough not to change the time
      and date stamps when they infect a file.  Some viruses even hide the
      change to a file's size when they infect a file.


    It's the policy in some companies to have a certification desk where all
    software executed on PCs must be checked out.  The person at the
    certification desk usually runs the software through an anti-virus
    product to check for known viruses and then sets the date ahead on the
    PC and checks for anything strange.  If all looks OK, the software is
    certified clean.  This is actually a reasonable idea.  The danger comes
    from the "certified clean" label.  As we've seen in our discussion of
    virus triggers, simply setting the date ahead is not a reliable way to
    set off most virus triggers.  The hazard comes from people taking the
    "Certified clean" label too seriously.  It's just not

    Integrity Master (tm)           - 73 -        Data Integrity and Viruses

    possible to know for sure that any piece of software doesn't contain a
    virus.  An unknown virus could be lurking that simply hasn't triggered
    yet.  If the virus screening desk should get such a virus, they could
    easily spread the virus to all other disks that they are certifying


    Several "virus experts" have suggested that users avoid downloading
    software and avoid shareware.  There are no facts to support this
    viewpoint.  The most common viruses are boot sector viruses such as
    Stoned and Michelangelo that spread when someone boots from an infected
    disk. To spread these viruses, a physical disk must be passed around and
    then booted.  Michelangelo spread widely because software distribution
    disks were infected with this virus.  There was no reported incident of
    this virus spreading via shareware.  It is, of course, wise to make sure
    that you download your software from a source that screens each program
    for known viruses.  You are actually more likely to be infected from
    software purchased at a retail outlet than from shareware.  Quite a few
    viruses have been shipped directly from the software manufacturer in the
    shrink wrapped packages.  One major software company has on at least two
    separate occasions shipped a virus with their product.  Buying shrink
    wrapped retail software is much more dangerous than many people think it
    is, since many retailers accept returned software and then simply rewrap
    the software and sell it again.  This software could have easily been
    infected by the first user who tried it and then returned it.


    There are several programs that claim to write-protect your hard disk.
    Since this is done in software, it can be bypassed by a virus.  This
    technique, however, will stop a few viruses and will protect your disk
    from someone inadvertently writing to it. These programs are generally
    less effective than the virus interception products.

    It IS possible to write-protect a disk using hardware, but this does not
    seem to be readily available.


    As we've seen in examining the other threats to the integrity of your
    data, viruses are among the less likely threats that you face.  Don't
    protect yourself against viruses and ignore the other threats!

    Integrity Master (tm)           - 74 -        Data Integrity and Viruses


    You may have heard this rumor: "You don't need an anti-virus product,
    just backup your disk regularly and keep an eye on your programs."
    Yes, it is vital to have good backups, but that is no longer enough.
    You may also have heard that provided you don't share programs or
    download (practice "safe hex"), you have nothing to worry about.  This
    is no longer sufficient protection; every time you buy a software
    package you are exposing yourself to virus infection.  It is not
    possible to be safe from viruses by secluding your PC!

    There are now some very sophisticated viruses that can do considerable
    damage.  The worst ones damage your files slowly so even your backups
    may be useless unless you detect the damage before it's too late.
    Although viruses may not be very likely to attack your system when
    compared to other threats, they do represent a very real and very
    dangerous threat -- a threat you cannot ignore or combat merely with
    good backups, seclusion or common sense.


    Maybe we should just surrender to viruses and wait for a fool-proof
    hardware solution?   Viruses can defeat any software defense -- right?
    Wrong!  The viruses are playing on your turf, so you have an advantage.
    By cold booting from a good copy of DOS on diskette, you can bring up a
    clean operating system (DOS) and then use an integrity checker to look
    for any unexpected changes.  A virus will betray itself in the system
    sectors or executable files.

      Integrity Master (tm)           - 75 -        Data Integrity and Viruses



    You can't get a virus merely by being connected to a network or
    bulletin board system (BBS).

    There is only one way you can get a virus and that's to execute a
    program containing a virus.  Period.  End of story.  Well, almost the
    end of the story.  What some people don't know is that every disk and
    diskette has a program on it, even if it appears empty.  This program is
    in the boot sector.  Most people don't think of boot sectors as programs
    or perhaps even know that boot sectors exist.  If you leave a data
    diskette in your A drive and boot your PC, you could be executing an
    infected program in the boot sector, thereby infecting your PC with a
    virus.  Make sure you NEVER boot from a diskette unless it's a known
    good copy of DOS.


    There is no reason to avoid shareware.  If you want to get the latest
    anti-virus software, it's easiest to get it as shareware since you are
    buying directly from the author. Shareware does not have to go from the
    author to the publisher, then through the distribution chain before it
    even gets to sit on the shelf.  Who knows how long your retail package
    has been on that shelf?


    Unfortunately, there is no way to look at a program (unless you wrote
    the program yourself in assembly language) and positively declare
    there's no virus in it.  All you can say is that the program contains no
    known virus.  You never know what may be lurking inside of a program
    waiting for just the right trigger to begin infection or perhaps an

    While you can't be sure of detecting a virus while it's inert inside a
    program, you definitely CAN detect it as it infects or attacks your
    files.  The changes which must be made by a virus can always be detected
    with the appropriate software.

    Integrity Master (tm)           - 76 -        Data Integrity and Viruses


    Viruses are not the greatest threat to your data, so let's not forget
    about the other threats too.


    While write-protecting your files and your hard disk is of questionable
    value, you definitely CAN write-protect your floppy disks.  Just cover
    the notch on the 5.25 inch diskettes, or on 3.5 inch diskettes, slide
    the little tab to expose the hole.  The only risk here is that some
    diskette drives may be defective and still allow writing on the
    diskette.  If in doubt, do a test and check out your drive.


    According to our reports, one of the major sources for infections is the
    customer engineer (CE) or repairman.  The CEs frequently carry
    diagnostic diskettes with them when they go from PC to PC on service
    calls.  It's all too easy for these diskettes to become infected. Sales
    people doing demos on various PCs are also very susceptible to getting
    their demo diskettes infected.


    Not only are we seeing the number of viruses grow at an alarming rate,
    but we are seeing more sophisticated and better written viruses. The
    rate of reported infections has increased rapidly.  One company (Certus
    International, a vendor of anti-virus software) was quoted in
    Information Week (a national trade journal) that based on their reports,
    one out of four PCs was infected every month!  While one PC in four may
    be a bit hard to believe, it's clear that viruses are no longer
    something one can dismiss as very unlikely.  Viruses are, in fact, a
    threat that we must address one way or the other.

    Integrity Master (tm)           - 77 -        Data Integrity and Viruses


    Too many people wait for a virus to attack their PC before they take any
    action.  Once a virus reveals its presence on your PC, it may be too
    late to recover damaged files.  There are many viruses that cannot be
    successfully removed due to the way the virus infects the program. It's
    absolutely vital to have protection before the virus strikes.

    It's vital that you protect against all threats to data integrity, not
    just viruses.  All threats to data integrity are much easier to deal
    with if they are detected as early as possible.  If you wait until you
    notice that your hard disk is losing data, you may already have hundreds
    of damaged files.


    It's essential to carefully protect all your software and regularly
    backup the data on all your disks.  Do you have a single disk that you
    can afford NOT to regularly backup?  It's rare to find any PC that does
    not have some type of important data stored on it.


    1) All original software (program) diskettes should immediately be
       write-protected, copied and stored in two secure, separate, locations
       after installation.  If you are using an integrity check program,
       immediately record (initialize) the integrity data for the new
       programs after installing.

    2) Determine a schedule for full backups by considering how frequently
       your data changes.  It is an excellent idea to have three full sets of
       backup tapes or diskettes and to store one set at another location to
       protect against fire, theft, or some other disaster.  If your data is
       critical, you may wish to have a separate cycle of backups (e.g.,
       quarterly or yearly) that can be used to recover when someone damages
       (or deletes) a vital file, but the deletion isn't discovered until
       months later.

    3) The full backups should be coordinated with periodic incremental
       backups.  The incremental backup, which copies just the files that
       have changed,  normally runs very quickly and takes just a minute or
       so.  Many people find that an incremental backup run at the end of
       each day works quite well.  This way their data is protected should
       anything happen overnight.

    Integrity Master (tm)           - 78 -        Data Integrity and Viruses

    4) Make sure you use reliable backup hardware and software.
       Periodically test by restoring from a backup.  Too many people
       have discovered that their backup program couldn't recover their
       files when it was too late.  If you use an integrity check program
       you can verify that the restored files are correct.


    Each PC which has data that you can't afford to lose or have corrupted
    should have a schedule of regular integrity checking, similar to the
    backup schedule.  By doing once a week full integrity checks, you can
    stay one step ahead of any trouble.  By doing a quick update of your
    integrity data on a daily basis, you can stay aware of exactly what
    changes on your PC and why.  This way if you start to encounter a
    software conflict, a failing hard disk, or a virus, you'll be able to
    quickly differentiate the unusual changes from the usual ones.

    Whenever you install new software, immediately record the integrity data
    for those programs, so that any future infection or damage can be

    Whenever you copy programs, check that the new programs are exact copies
    of the originals.  The easiest way to do this is to always copy
    integrity data along with the programs.  You can also use any integrity
    checker, checksum program, CRC program, cryptographic signature program,
    or even the DOS COMPARE utility to verify that you made good copies.  Do
    this check only when you know no virus is in control of your PC;
    therefore, it's best to cold boot from a write- protected floppy to
    verify your program copies are good.

    If you have diagnostic software, plan to run it at intervals. If you
    leave your PCs turned on at night, why not leave them running


    Run CHKDSK (or some equivalent program) regularly on each PC, and pay
    attention to the results.  If you are seeing problems, be sure you
    understand what's causing the problems.  If you are experiencing
    cross-linked or lost clusters, something is being damaged.  Run an
    integrity checker to find out exactly what is being damaged.  Also pay
    attention to the amount of available memory.  If this suddenly changes
    with no new resident (TSR) software installed, you may have a virus.


    It's not a question of "if" but a question of "when"; all too soon you
    are going to encounter a damaged file (a file that has changed for
    unknown reasons).  How can you discover what caused the damage? o First
    gather as much information as possible.  Did you do anything unusual?
    Did you install any new software?  Did you execute any programs that you
    don't normally use?  Have you seen any signs of hardware problems? (See
    the section following on signs of hardware problems).

    Integrity Master (tm)           - 79 -        Data Integrity and Viruses

    o Run CHKDSK to see if your directories and other areas are OK.

    o Run a full integrity check to see if anything else has changed.

    o If you suspect hardware problems as the culprit, then run any
      diagnostic programs you have.  If the diagnostics don't turn anything
      up, but you still suspect a hardware problem, then run your integrity
      check in full check mode daily for a while.  This should help track
      down exactly what's happening on your PC.

    o If you suspect software problems, run the software in question and
      then run your integrity check to see if anything is being corrupted.
      When doing this, it's very helpful to duplicate the original situation
      of the problem as closely as possible. Make sure the hardware is the
      same and that you have exactly the same resident programs and device
      drivers loaded as when the problem first occurred.

    o Could the problem be a virus?  If you think so, have you seen any of
      the signs of virus activity listed in the next section?  Are only
      executable files (such as files ending in .EXE, .COM, .OVR, .OVL .BIN,
      or .SYS) affected?  If so, how many?  If more than one or two
      unrelated program files have mysteriously changed, it could likely be
      a virus.  Remember that some programs (such as Wordstar and SETVER)
      modify themselves as part of normal execution.  If the programs have
      changed but the DOS time and date stamps haven't, this is further
      reason to suspect either a serious problem or a virus.  If you are not
      using an advanced integrity checker  (such as Integrity Master) that
      recognizes known viruses, you may wish to get a virus scanner at this
      point to see if you have a known virus.  If this turns up nothing,
      then it's time to play detective - you may have discovered a brand new
      virus (lucky you!).  Please see the section in Chapter Six on Playing


    One very important thing that you can do to assure the integrity of the
    data on your PCs is to educate everyone who uses a PC.  It's vital that
    they understand how to backup their files and which files normally
    change on their PC and which ones don't.  If you can teach them to
    understand the output of a thorough integrity check program, then you'll
    be able to sleep at night knowing that all is well with your PCs!  Even
    lacking an integrity check program, it's vital that everyone be aware of
    what problem signs to look out for. This way the more dangerous threats
    to data integrity will not go unnoticed.
    Integrity Master (tm)           - 80 -        Data Integrity and Viruses


    Watch out for recurring error messages that the disk is not ready when
    you try to boot the PC.  If you periodically experience any type of
    disk-error message, or if disk accesses seem to be getting consistently
    slower, you may be experiencing the beginning of a serious disk problem.


    These symptoms could reveal software conflicts or bugs:

    o CHKDSK reporting problems.

    o A file that was just processed by a program (such as a spread sheet)
      is damaged or unreadable by the program but you can copy the file
      with no error messages.


    These symptoms may betray the existence of a virus:

    o Disk activity when there should not be any activity. (Some disk
      caches cause this to happen normally.)

    o Programs taking longer to load but the disk drive appears to be

    o Any unexplained behavior on the PC such as music, bouncing balls,
      black areas on the screen, falling letters, weird messages, or
      unexplained slowdown of the PC.

    o Less total or free (available) memory on your PC (use CHKDSK or
      MEM).  This should change only when you add new resident
      programs or device drivers.  Note, most PCs have 655360 total
      bytes of memory but certain models (ie. some PS/2s) reserve a
      thousand bytes of high memory.

    o Unexplained bad spots on your disk or fewer total bytes (as
      reported by CHKDSK).

    o If you find extra executable files (e.g., ".COM" files) showing up,
      you may have a companion style virus.

    Integrity Master (tm)           - 81 -        Data Integrity and Viruses


    If you are in a larger organization, it's crucial that someone has the
    responsibility for assuring data integrity.  The first task facing this
    person would be to assure that all important data is backed up and that
    all users are educated with respect to normal operation of their PC.
    The next step would be to start a regular program of integrity checking.


    The procedures for backing up and checking the integrity of critical
    data cannot be left to word of mouth, but should be clearly explained
    in a written set of procedures.  Data integrity is too important to leave
    to chance.  If this isn't done, guess what gets put on the back burner
    (in other words: not done), when people get busy? (Who isn't busy?).
    Some recommended procedures:

    o Never leave a floppy disk inserted in a drive longer than necessary.
      Remove all diskettes immediately.  This reduces the chance of
      inadvertently booting from the diskette and picking up a boot sector

    o Check the integrity of all files after installing new software or
      copying programs.

    o If a stranger (such as a sales or repair person) runs software on a
      PC, do a full integrity check immediately afterwards.

    o Immediately write-protect and backup all diskettes containing

    o Schedule regular incremental and full backups.

    Make sure that any shared executable files allow only execute or read
    access.  Execute only is best, but it's essential not to allow write
    access.  Most network compatible programs allow you to store the files
    they write to on separate disks from the programs themselves. Be sure to
    limit write access with access rights not with file attributes (Netware
    FLAG or FLAGDIR).  A virus can easily bypass file attributes, but access
    rights can thwart the virus's attempts to write to the shared disk.  The
    person who supervises the LAN needs to have two accounts -- one
    privileged and one not.  For normal use, they should use the less
    privileged account. The privileged account should be used only  when the
    job requires supervisor rights.  It's critical that any user with
    supervisory rights log off as soon as possible and never execute any
    other programs, especially those on a workstation.

    Integrity Master (tm)           - 82 -        Data Integrity and Viruses

    Run regular integrity checks on the file server.  This is important on
    the workstations too, but is critical on the file server since an
    infected file here could quickly infect all the workstations on the

    Never access an unchecked workstation with network administrator
    (supervisor) authority!


    Most modern anti-virus products use a combination of the techniques I
    just mentioned.  Unfortunately, most products still get almost all of
    their protection from their scanner component. It's vital to understand
    exactly how your product works so that you understand what type of
    protection you really have.  Here are some rules that will help you make
    sure that you get maximum protection out of whatever product you already

    o Be sure to cold boot your PC from a write-protected diskette before
      virus checking.  Most anti-virus products make this
      recommendation, but this rarely gets done because the
      recommendation is often buried in some obscure location in the
      documentation.  If your PC is infected with a virus that your
      scanner does not recognize, you could infect all the programs on
      your disk. Don't take this chance; boot from a write-protected
      diskette before you scan.

    o If you are using a product which depends mostly on its scanner
      component, make sure that you always have the latest version.
      Scanners are often updated every 30 days.

    o Before you execute or install any new software, check it first.  If it
      comes with an install program, check again after you install the
      software; an install program will frequently change or decompress
      executable programs.  After you first execute brand new software
      do an additional check of your system to make sure everything is as
      it should be.

    o If your product contains a scanner component, consider checking
      the boot sector on all diskettes brought in from another location --
      EVEN DATA DISKETTES!  Inevitably someone will leave these
      diskettes in their A drive, potentially spreading a boot sector virus.

    Integrity Master (tm)           - 83 -        Data Integrity and Viruses


    Don't do anything rash if you suspect a virus attack.  Be skeptical,
    there are quite a few practical joke programs that behave exactly like
    viruses.  There's even a virus simulator that simulates the Ping Pong
    (bouncing ball), Jerusalem (black hole), Cascade (falling letters on the
    screen), Yankee doodle (music) and a few other viruses.  It's perfectly
    harmless, but it has alarmed many people.  Don't do anything drastic
    until you confirm that it really is a virus.

    If a virus tells you to do (or not to do) something,  don't believe it!
    One virus asks you not to turn off your PC while it is busy formatting
    your disk.  Generally, it's best to ignore what the virus says and cold
    boot from clean write-protected copy of DOS.   Don't blindly obey a


    Report the virus attack to the police or to a virus researcher or anti-
    virus developer.  We need to stop sweeping this under the rug.  If we
    can track where viruses first get started, then maybe we can apprehend
    the culprits who are writing and distributing these things.


    It is very important that you track down how you got the virus.  If you
    got it from someone's software, it's vital that they be notified. The
    sooner these viruses are detected, the less damage they can do.

    Suppose you have indications of a virus, but your software doesn't
    identify it as a known virus.  What do you do?  First, cold boot (hit
    the red reset button or power off and back on) from a known good
    write-protected copy of DOS on a diskette.  Run a full integrity check.
    Run CHKDSK and print the results.  Now execute any suspect programs.
    Execute them several times.  Viruses may wait for some trigger event to
    begin infection.  Run CHKDSK again to see if the amount of free memory
    has been reduced.  This is a sign of a virus going resident in memory.
    Now cold boot again and rerun an integrity check.  Repeat this cycle
    with the various suspect programs. This should track down the guilty
    program if you've got one. Keep in mind that if it's a virus, it will
    modify other programs and those programs should themselves further
    modify other programs. By executing the modified programs, it's possible
    to tell whether you really have a virus or you just have a buggy program
    that is accidentally writing to other programs.

      Integrity Master (tm)           - 84 -        Data Integrity and Viruses


    Follow these steps when removing a virus from your PCs:

    o Cold boot (Power off and on or hit the reset button) from a known
      good write-protected copy of DOS.

    o Delete all infected files.

    o Reload any infected system sectors.  If you do not have a utility to
      reload the DOS boot sector, you can use the DOS "SYS" command
      after cold booting from a write-protected diskette (e.g., "SYS C:").

    o Rerun a full integrity check, or at least a scan if you don't have an
      integrity checker.

    o Check any floppies that may have been infected. Remember, if you
      have a system sector virus such as Stoned, Joshi or Brain, even
      empty data diskettes can be infected.  Check them all.

    o Notify any other PC user you have contact with to check their PCs.


    Virus infections return in a very high number of cases.  This is usually
    because somewhere there is an infected file or diskette that was missed
    in the first cleaning.  Run your integrity checker or anti- virus
    program daily, for the next month, to catch a possible repeat infection.

   Integrity Master (tm)            -  85  -              I N D E X

    4096 virus, 59                        Copying programs, 23, 78
    Abandon changes, 44                   Corruption, 8, 21, 24, 27, 32, 36,
    Abort, 44                                 38, 51, 52, 56, 68, 78
    Advanced Option Menu, 18, 35, 44      Counting viruses, 60, 76
    Algorithms, 16, 32                    Critical error, 28
    Alternate colors, 13                  Cross-linked clusters, 51, 64, 78
    ALTernate key, 21                     Cryptographic signatures, 9, 16
    Alt/X, 20                             Current and Lower directories, 17
    ANSI.SYS, 71                          Current diRectory only, 17
    APPEND, 10                            Current option settings, 36
    ASSIGN, 10                            Customer engineer (CE), 76
    Attack phase, 22, 56                  Customizing, 35
    Automatic video mode, 13, 30          Data integrity, 9, 27, 51, 53, 64
    Auto-named report file, 18, 19, 29    Data recovery tools, 52
    Backup, 63, 64, 74, 77, 79, 81        Date stamp, 9, 29, 39, 72, 79
    Bad clusters, 58                      Deleting files, 64
    Badly damaged disks, 19               Demo diskettes, 76
    Batch files, 30, 32                   Descendant directories, 17
    BBS, 71, 75                           Destroying viruses, 26
    BIOS, 53, 54, 68                      Detecting unknown viruses, 24
    Bitnet, 1                             Detecting viruses, 23
    Boot sector, 17, 19, 43, 57, 58,      Device number, 19
        69, 71, 75, 81, 82                Diagnostic programs, 9, 27, 63, 64,
    Brain virus, 58, 84                       78, 79
    Bugs, 53                              Directory change, 20
    Bypass memory check, 26, 46           Dir-2 virus, 58
    Cascade virus, 25, 83                 Disinfection, 25, 26, 66
    Certified software, 72                Disk change, 20
    CGA, 39                               Disk errors, 9, 27, 28, 32, 43, 47,
    Change history, 18                        52, 63, 80
    Change management, 8, 29              Disk failure, 16, 19,52, 63, 78
    Change menu, 41                       Disk letters, 43
    Changes to executable programs, 24    Disk space, 30
    Check disk for known viruses, 18, 23  Downloading, 71, 73, 74
    Check menu, 48                        Education, 79
    Check values, 32                      Electronic mail, 1, 71
    Checking specific files, 17           Encryption, 9, 16, 43, 68
    Checksum, 69                          Entire disk integrity,15, 17, 23, 27
    CHKDSK, 51, 53, 58, 64, 78, 80, 83    Error levels, 32
    Cluster viruses, 26, 59               Error recovery, 19, 47
    CMOS, 71                              Errors, 32
    Cold boot, 22, 24, 26, 27, 46, 48,    ESCape, 21, 44
        82, 83, 84                        Evaluation, 11
    Cold booting, 82                      Example report, 28
    Colors, 13, 35, 47                    Exclude menu, 39
    Command line, 13, 18, 26, 30, 35,     Excluding directories or files, 39
        38, 46, 47                        Executable files, 18, 23, 24, 37, 38,
    Commands menu, 20                        38, 45, 48, 55, 58, 68, 71, 72,
    COMMAND.COM, 72                          74, 77, 79, 81
    Common Questions, 47                  Exit, 43
    Companion viruses, 22, 26, 39, 59,    Explanation of the display, 15
        80,                               Extend disk life, 27
    Configuration, 43                     F1 (help), 14, 15
    Control card, 30, 31                  False alarms, 26, 48
    Copying IM files, 11                  Fastest way to exit, 21

   Integrity Master (tm)          -  86  -                 I N D E X

    File corruption, 8, 21, 24, 25, 27, 32InterNet "virus", 54
        36, 38, 51, 53, 56, 68, 78        Introduction, 51
    Files on current Disk, 17             Intrusion protection, 64
    Files to check, 37                    Jerusalem virus, 25, 67, 83
    Files to iNitialize, 23, 37           Joke, 64, 71, 83
    Files (vital for IM), 12              Known viruses, 8, 9, 18, 25, 26,
    Finger checks, 8, 52                      46, 65, 69
    Fixing your disk, 10, 63              LAN, 28, 33, 34, 71, 81
    Full installation, 11                 Laptop, 13, 30
    Full integrity checking, 36, 78,      Large disks, 10
        79, 83, 84                        LCD, 12, 13, 30
    General virus checking, 46            License terms, 3, 33
    Glitches, 51                          Limitations, 10
    Guided tour, 14                       Logic bombs, 53, 67
    Hardware configuration, 43            Logical disk, 19, 43, 57
    Hardware errors, 47, 52, 80           Low level format, 27
    Hardware problems, 27                 LPT1, 19
    Hardware protection, 63               Malicious damage, 52
    Harmless viruses, 25, 56              Maltese Amoeba virus, 65
    Help, 15                              Master boot record, 18, 19, 43, 57
    Help Index, 7                         Maximum number of files, 10
    Help menu, 14                         Media coverage, 51
    Hidden system files, 44               Memory check, 26, 46
    Hiding IM.PRM, 29                     Menus, 10, 14, 21
    How viruses infect, 9, 21, 55         Minimum memory, 10
    HPFS, 34                              Miracle Infections, 59
    Ignore Time/date changes, 39          Misleading results, 10
    IMcheck, 44                           Monitoring, 67
    IMcheck license, 33                   Monochrome mode, 13, 30, 47
    IMCHECK.EXE, 32, 33                   Multiple parameter files, 31, 35
    IMprint, 47                           Multiple sets of options, 31, 35
    IMPROC.TXT, 12, 13, 22, 23, 32, 42    Music, 22, 25, 56, 80, 83
    Imview.exe, 47                        Mutating virus, 60
    IM.EXE, 12, 32                        Mutation engine, 59, 60
    IM.PRM, 12, 13, 29, 35, 43            Networks, 28, 54, 71, 75, 81
    Infection phase, 55                   New viruses, 24
    Initialize, 46                        No halt, 30, 38
    Initialize menu, 23                   Nonstop execution, 30, 31, 38
    Initializing integrity data, 15       Norton utilities, 52, 58, 63, 64
    Installing new software, 23, 78,      Only changes reported, 39
        79, 81, 82                        Open fail, 28
    Instructions, 10                      Open files, 28
    Integrity Advisor,10, 12, 22, 41, 42  Option settings, 13
    Integrity checking, 22, 36, 68, 69,   Options menu, 18, 22, 23, 35
        70, 74, 78, 81                    OS/2, 28, 33, 34
    Integrity data, 9, 15, 16, 20, 21,    Overlays, 18, 48, 59
        22, 23, 28, 29, 35, 36, 37,       Parameter file, 12, 13, 29, 30, 35,
        39, 40, 42, 43, 68, 77, 78            36, 43
    Integrity data file names, 23, 42     Parameters, 30, 32
    Integrity data location, 21, 43       Partition sectors, 18, 19, 43, 57,
    Integrity data off-line, 43               58, 64, 69
    Integrity initialize, 9               Partition table, 57
    Interceptor, 54, 67                   Pause (P) key, 38
    Intermittent problems, 27, 63         Pausing, 37
    InterNet, 1                           Physical disk drive, 19, 43, 57

   Integrity Master (tm)          -  87  -                 I N D E X

    Plan for day-to-day use, 12           Shareware, 73, 75
    Pogue virus, 60                       Shelling to DOS, 20, 47
    Policy, 81                            Short-cut install, 11
    Polymorphic viruses, 59               Signatures, 16, 28, 32, 68, 72
    Power faults, 52                      Silly tricks, 72
    Printed output, 19                    Software Attacks, 53
    PRN, 19                               Software problems, 53, 79, 80
    Probability of file damage, 8         Solving problems, 47
    Procedure for running IM, 22          Sound, 38
    Procedures, 81                        Source programs, 38, 45
    Program changes, 26                   Space (disk), 30
    Programs, 22, 23, 24, 37, 38, 45,     Spawning virus, 59
        48, 55, 57, 70, 71, 75, 77, 78,   Special characteristics, 9
    QUESTION.TXT, 47                      Speed, 10, 24, 29, 46, 69
    Quick evaluation, 11                  Statistics Summary, 21
    Quick Install, 11                     Stealth, 56, 58, 68
    Quick integrity update, 22            Stoned virus, 56, 60, 84
    Quick Update, 29, 36, 78              SUBST, 10
    Quit, 44                              Suggestions, 77
    Read fail, 28                         Surge protectors, 63
    README.DOC, 12                        Syntax, 30
    Reinstall, 13                         SYS command, 57
    Reload data, 20                       System files, 44
    Reload files, 16                      System sector changes, 26
    ReLoad menu, 19                       System sector viruses, 9, 19, 24,
    Reload Missing partition, 19              57, 58
    Reloading system sectors, 15, 84      System sectors, 9, 10, 15, 17, 19,
    Reminders Before Checking, 18             22, 57, 58, 65
    Removal instructions, 25              Technical support, 47
    Repair, 10, 63                        Threats, 9, 21, 51, 53, 61, 73, 74,
    Report, 28                                76, 77
    Report file, 18, 19, 29, 31, 39       Trigger, 21, 53, 54, 55, 56, 83
    Report screen, 15                     Trojans, 54, 55, 67
    Reporting viruses, 25                 TSR, 53, 56, 78, 79
    Requirements, 10                      Tutorial, 7, 15
    Resident monitor, 67                  Two-color display, 12
    Resident programs, 53, 56, 78, 79     Typos, 8, 52
    Retail software, 66, 73, 75           Unattended processing, 31
    ROM, 68, 70                           Unauthorized changes, 22, 29
    Safe computing, 74                    Unknown viruses, 8, 11, 18, 22, 24,
    Save changes, 43                          68, 73, 79, 83
    Saving option changes, 35, 43         Unreadable data, 64
    Scanning, 9, 18, 23, 30, 39, 59,      Unusual video adapters, 12
        60, 65, 66, 79, 82                Update hardware configuration, 43
    Screen colors, 13, 35, 41             Variably named integrity data, 42
    Screen layout, 15                     Video adapter, 12, 13
    Screen report, 39                     Video mode, 13, 47
    Scrolling, 37, 38
    Sectors, 57
    Security, 8, 29, 64
    Self-check, 68
    Self-modifying programs, 79
    SetupIM, 7, 11, 12, 13, 14, 16, 18,
        22, 29, 35, 41, 43, 44

   Integrity Master (tm)          -  88  -                 I N D E X

    Virus                                 Virus
       checking, 18, 35, 45, 46              variants, 60, 61
       checking procedure, 22                what is it, 54
       companion, 22                      Virus report, 25
       damage, 15, 19, 22, 25, 27         Vital files, 12
       Destroying, 26                     Warranty, 3
       Detecting, 23, 24                  Whale virus, 60
       detection, 32, 36                  Why read, 8
       infection, 19                      Wild card characters, 40
       infections, 21                     Windows, 28, 33, 34, 48
       known, 9                           Worm, 54
       names, 25                          Write option changes, 35, 36
       New, 24                            Write protection, 68, 72, 73, 76,
       removal, 25                            77, 81
       removing, 48
       Reporting, 25, 26
       resident, 22, 26, 46, 48
       scanning, 9, 18, 23, 30, 39
       Signs, 23, 38
       symptoms, 25
       system sector, 9, 19, 24
       trigger, 21
       unknown, 22, 24
       variants, 25
       what is it, 21
       checking, 65
       cluster, 59
       collection, 61
       companion, 59, 80
       damage, 53, 56, 61, 66, 71, 74,
           77, 83
       defenses, 65
       definition, 54
       detection, 65, 68, 70, 75
       experts, 54, 72, 73
       how many, 60, 76
       infection, 71
       infections, 55, 58, 66, 84
       known, 65, 69
       multipartite, 58
       mutating, 59, 60
       myths, 71
       new, 60, 79
       phases, 55, 56
       polymorphic, 59, 60
       prevention, 70
       removing, 66, 77
       resident, 56, 66
       scanning, 59, 65, 66, 79, 82
       signs, 79, 80
       stealth, 56, 58, 68
       system sector, 57, 58
       toolkits, 60
       trigger, 54, 55, 56, 72, 83
       unknown, 68, 73, 79, 83 


 Integrity Master(tm) ordering information:

 To order quickly, call ASG at 1-800-788-0787 (toll free) or
 1-314-256-3130 or fax to 314-966-1833 with VISA or MasterCard or see
 our list of authorized agents below.

 On CompuServe, you can order easily; just enter "GO SWREG" at any prompt.
 Order Registration ID 373 inside the US or Canada, and Registration ID 374
 in other countries.

 This file contains all the information you need to register your copy
 of Integrity Master.  For license and warranty information, please read
 information provided when you execute SETUPIM or read file I-M.DOC.

 If you wish to use Integrity Master on more than one PC, you must
 license multiple copies.  There are two ways to do this.

 1) One way is to simply purchase more than one copy; you will get a
    price reduction on multiple copies.  In this case, you will get
    complete packages including the book and disk.

 2) The other way is to purchase a site license for the extra copies.
    In this case, you do not get extra copies of the book and diskettes
    unless you specifically order them, but you pay a lower price than
    if you had ordered the complete package.
                Benefits of Registering Integrity Master

 1) The latest licensed version of Integrity Master direct from Stiller
    Research with availability of automatic updates.

 2) The 112 page professionally printed book: "Defeating Viruses and Other
    Threats to Data Integrity," will be shipped for no charge to customers who
    order before Nov 1, 1993.  This is a complete guide and reference manual
    for IM as well as a guide on data integrity and viruses.  It now includes
    expanded information on: details of common viruses, how viruses mutate
    and spread, the virus underground, how to use advanced anti-virus tools,
    guidelines for consultants, stealth viruses, and why people write viruses.

 3) Our guide to installing and safely using DOS 6, DoubleSpace, SmartDrive
    (also applies to other compression and cache programs).  It contains the
    tips and step-by-step directions gained from helping 100s of users.

 4) Special offers, including a FREE introductory CompuServe subscription
    ($39 value) with up to 2.5 hours of connect time.  (This may be a time
    limited offer so order today)

 5) Exclusive three year virus updates (see file 3YEAR.DOC for details)

 6) Twelve month free technical support for IM, which includes direct
    assistance (from Stiller Research) with virus attacks (if needed).

 7) The good feeling knowing that you are supporting low cost, high quality
    software, where the $$$ go into development not into expensive marketing.
Copying this file your to printer (or entering: IMPRINT ORDER) will produce
this documentation plus the following order form and mailer.  You can
print just the order form  and mailer by copying file ORDER.FRM to your
printer or entering the command:


If you have a continuous form type printer, make sure your printer is
positioned at the top of page before you print the order form (do a page
 | Mail to:             Stiller Research                                    |
 |                      2625 Ridgeway St.                                   |
 |                      Tallahassee, Florida 32310                          |
 |                      U.S.A.                                              |
 |    O R D E R     F O R M         (Please fill out completely)            |
 |                                                                          |
 |    Name:_________________________________  Title:___________________     |
 |                                                                          |
 |    Company:_________________________________________________________     |
 |                                                                          |
 |    Address:____________________________ City:___________________         |
 |                                                                          |
 |    State:___________   Zip:_____________  Country:______________         |
 |                                                                          |
 |    Date:____/____/____    Type of PC: ___________ DOS Version:___        |
 |                                                                          |
 |    Disk: 5-1/4" ___  3-1/2" ___     Telephone: ____________________      |
 |            DESCRIPTION                      |# | Price  |  Each  | Total |
 | Integrity Master Package   (first copy)     | 1|$35.00  | $39.50 | $39.50|
 |     Shipping and Handling                   |  | $4.50  |        |       |
 | Additional copies (includes book + disk)    |  |        |        |       |
 | $$ from multiple copy table in QUANTITY.DOC |  |        |        |       |
 |- - - - - - - - - - - - - - - - - - - - - - -|  |--------|        |       |
 |     Shipping and Handling (per copy)        |  | $4.50  |        |       |
 | Multiple PC usage (site license)            |  |        |        |       |
 |  (enter amount from site license table)     |  |        |        |       |
 |   (Extra books/disks only for site license) |  |        |        |       |
 |   Enter # of additional books and disks     |  | $7.50  |        |       |
 |- - - - - - - - - - - - - - - - - - - - - - -|  |--------| $12.00 |       |
 |     Shipping and handling (per copy)        |  | $4.50  |        |       |
 | SUBTOTAL ----------------------------------------------------->  |	    |
 | Outside the U.S./Canada, add $5 additional  |  |        |        |       |
 | per package(each book and disk for shipping)|  |        |        |       |
 | Add $6 for non-prepaid purchase orders ------------------------> |       |
 | Florida residents add local sales tax:  (6 - 7%)  -------------> |       |
 | TOTAL ENCLOSED     (Payment must be in US dollars unless you are |       |
 | sending a check from Australia, Belgium, Canada, England,        |       |
 | France, Germany, Ireland, Japan, or Switzerland)  ------------>  |       |
 | Where did you get your copy of Integrity Master?                 (V1.51b)|
 |    Download  from:   ____________________________                        |
 |    other:            ____________________________                        |
 | Comments: (Suggestions, what you like, don't like etc.)                  |
 |  _______________________________________________________________________ |
 |  _______________________________________________________________________ |
 |  _______________________________________________________________________ |
 |______(with credit card call 1-800-788-0787 or fax to 314-966-1833________|
------- Separate or fold near here, on continuous form printers---

  1) Please place the order form on the back of this page, then fold both
     pages together as indicated.

  2) Insert your check or money order then staple or tape both ends.

  3) Stamp and mail.  Orders are normally shipped within 24 hours of receipt.

  Reminder: Did you include $4.50 shipping/handling for each copy of IM that
            includes a book and disk? If you are outside of the U.S. or
            Canada,  did you include the extra $5.00 for overseas shipping as
            well as the $4.50 (basic shipping) for each copy?

          T H A N K Y O U    F O R   Y O U R    O R D E R !

 ----------------------------- Fold here first -------------------------------

                                                                | Place |
                                                                | stamp |
                                                                | here  |

                                Stiller Research - Dept I51

                                2625 Ridgeway St.

                                Tallahassee, FL. 32310-5169


 ---------------------------- Fold here last ---------------------------------

 T                                                                            a
 a                                                                            p
 p                                                                            e

 h                                                                            h
 e                                                                            e
 r                                                                            r
 e                                                                            e
                             (or staple here)

    ------- Separate near here, on continuous form printers-------------

  A u t h o r i z e d   A g e n t s:

Note, at present, Stiller Research will air-mail Integrity Master
directly to you so you can be assured of getting the most current
version.  Some of our agents will shortly be shipping directly. In this
case, we electronically transmit the latest software to that agent to
make sure your copy is the very latest version.

Integrity Master can be ordered from the following sources:


      BUDGETWARE    (Visa and MasterCard/Bankcard) accepted
      P.O. Box 496
      Newtown NSW 2042
      Phone (02) 519-4233
      Fax  (02) 516-4236



      P.O. Box 57
      37004 Ceske Budejovice

(We have special introductory pricing for east block countries until
 February 1993)



      CopySoft SC
      Rue Du Menuisier, 109
      1200 Bruxelles

      Tel:     32 (0) 2 772.47.00
      Fax:     32 (0) 2 772.47.51



     Dispro Software Ltda. (Roger Versteeg, President)
     Av. Paulista, 2073
     Horsa I - 11 Andar - Cnj. 1101
     01395-900 SAO PAULO, SP

     Tel: 55 (11) 251-2344
     Fax: 55 (11) 288-6898


     DP Tool Club  (Visa and MasterCard or EuroCheck with EC # on back accepted)
     102 rue des Fusilles
     B.P. 745
     59657 Villeneuvre d'Ascq

     Tel: 33-
     Fax: 33-

Germany (Deutschland):

      CDV-Software      isa and MasterCard/Eurocard) accepted
      Neureuterstr. 37b
      7500 Karlsruhe 21
      West Germany
      Tel 0049/721/97224-0 (-10 / -11 / -12 / -13)
      Fax 0049/721/21314
      BTX *CDV#
      CIS [100022,274]


    Mikio Shimojo.
    Personal Data Factory
    Shimoueki-cho 451-3,
    Gunma-ken 372 JAPAN.

The Netherlands:

    HaSa Software Applications
    Munnekeholm 14
    9711 Ja Groningen
    The Netherlands

    Tel:  31 (0) 50 183233
    Fax:  31 (0) 50 183233
    BBS:  31 (0) 50 125697



    Quality Software
    Kroppanmarka 34
    7039 Trondheim

    Tel:  47 (0) 7 88 88 24



    E & J Global Enterprises
    MCPO BOX 1139

    Fax:   (632) 817-5410
    Telex: 14895

    Software International (Visa and MasterCard/Eurocard) accepted
    Sorzana, 21 1B
    28043 Madrid

    Tel: (91) 416-6587
    Fax: (91) 519-1957


    Marc Tanner
    Software News!
    Sissacherstr. 57
    4052 Basel

    phone 01141 61 313 45 45 (office hours only)
    fax   01141 61 313 42 02


United Kingdom (Great Britain):

    Precision Software Applications     (Visa, MasterCard or Switch)
    3 Valley Court Offices
    Lower Road
    Croydon, Nr Royston
    SG8 0ES

    Tel: 0223 208288  (Outside the UK dial your international access cod
    Fax: 0223 208089

Outside the UK dial your international code then 44 followed by
these numbers (typically this would be "0044 223 208288").

    PC Independent User Group
    87 High Street
    Tonbridge, Kent, England
    TN9 1RX

    Tel: (0732) 771512
    Fax: (0732) 771513

    The PC Independent User Group can accept cheques drawn on a UK bank,
    Eurocheques (made out in pounds sterling) or else payment by Visa or
    Mastercard credit cards

    Mikio Shimojo.
    Personal Data Factory
    Shimoueki-cho 451-3,
    Gunma-ken 372 JAPAN.

    Nildram Software
    82 Akeman Street
    HP23 6AF

    Tel/Fax: 0442 890303
    BBS: 0442 890807


United states:

   Advanced Support Group   (Visa and MasterCard)
   11900 Grant Place
   Des Peres, MO 63131
   1-800-788-0787 or

   Shareable Software International  (Visa and MasterCard)
   PO Box 59102
   Shaumburg, IL 60159
   Tel: 1-800-622-2793 or 1-708-397-1221   Fax: 1-708-397-0381

   Stiller Research  (orders in US dollars only: cash or payable on a US bank)
   2625 Ridgeway St.
   Tallahassee, FL. 32310

   On CompuServe, you can license single copies.

   Just enter "GO SWREG" at any prompt.

   Order Registration ID 373 inside the US or Canada,
   and Registration ID 374 everywhere else.


                     N O N  -  U. S.  O R D E R S :
 If you are outside the United States, you can order directly from us or
 contact any of our agents.  Our agents usually accept orders by
 telephone or mail using Visa and MasterCard/Eurocard. Your copy of
 Integrity Master will be air-mailed directly from us here in the U.S.
 or from our agent, so you can be assured of getting the very latest
 release.  We can now accept checks payable in non-US funds from the
 following countries:


       Please use the current exchange rates for purchase of dollars to
       determine how much of your currency to write a check for.

 In all other countries, please contact one of our agents or send payment
 only in U.S. dollars. Checks must be payable in dollars through a U.S. bank.
 We do accept postal money orders made out in dollars.

 If you send cash, please register your letter to confirm delivery; we can
 not be responsible for cash lost in the mail.  Please do not sent currency
 other than US dollars in the form of cash.
 Q u a n t i t y    o r d e r s    a n d    S i t e   L i c e n s e s :
 Please read file QUANTITY.DOC if you want to use Integrity Master on
 multiple PCs.



This file has quantity order and site licensing information for Integrity
Master(TM).  Please refer to file ORDER.DOC for complete ordering information
or file ORDER.FRM for the order form and mailer.

(Note: site licenses are generally less expensive than quantity orders unless
you need complete copies of the manual and disk with each licenesed copy)

                     Q u a n t i t y    o r d e r s :
 Please use this table if you want to use Integrity Master on multiple
 PCs, with the complete Integrity Master package including book and disk
 for each PC.  To order from this table, select the number of ADDITIONAL
 copies you wish to order.  You must order the first copy at full price
 and then select the number of additional copies from the table below.
 If you have already licensed your first copy (on an earlier order), you
 can cross out that price on the order form and pay only the price for
 that additional copies.

 The following prices apply to Integrity Master packages after the first copy:

 |                              |                            |
 | Number of ADDITIONAL copies: | Price per additional copy  |
 |  1 to 5                      |  $30.00 (US) each          |
 |  6 to 10                     |  $27.00 (US) each          |
 |  11 to 15                    |  $25.00 (US) each          |
 |  16 to 20                    |  $24.00 (US) each          |
 |  21 to 25                    |  $23.00 (US) each          |
 |  26 to 30                    |  $22.25 (US) each          |
 |  31 to 35                    |  $21.60 (US) each          |
 |  36 to 40                    |  $21.00 (US) each          |
 |  41 to 45                    |  $20.50 (US) each          |
 |  46 to 50                    |  $20.10 (US) each          |
 |  51 to 55                    |  $19.80 (US) each          |
 |  56 to 60                    |  $19.50 (US) each          |
 |  61 to 65                    |  $19.25 (US) each          |
 |  66 to 70                    |  $19.00 (US) each          |
 |  71 to 80                    |  $18.75 (US) each          |
 |  81 to 100                   |  $18.50 (US) each          |
 |  101 +                       |  $18.25 (US) each          |

 Example of ordering multiple copies:

   To order 12 copies, you would pay $39.50 for the first copy which includes
   $4.50 for domestic shipping. You now want to order 11 additional copies.
   Looking in the table, you see that 11 copies are $25.00 each.  $25 plus
   $4.50 shipping brings the unit cost to 29.50.  The total on the order
   would be $364 which is $39.50 plus 11 times 29.50.   If you live outside
   the US or Canada you would need to include $5 for each copy to cover
   the additional shipping and support expenses.

                       S i t e   L i c e n s e :
 Please use this table if you want to use Integrity Master on multiple
 PCs, and you do NOT need the complete package including book and disk
 You can order additional copies of the book and disk for $7.50 each
 with your site license.

 To order from this table, select the number of ADDITIONAL PCs you wish
 to license to use Integrity Master.  You must order the first copy at
 full price and then select the number of additional licensed copies.
 This way each site license has at least one copy of the book and disk.
 If you have already licensed your first copy (on an earlier order), you
 can cross out that price on the order form and pay only the price for
 the additional copies.

 To qualify for a site license:

  1) You must purchase at least one book/disk set and then select the
     number of additional PCs which may use Integrity Master.

  2) You must designate a single point of contact. This need not be a
     particular person, but should be a single address with a single
     telephone number to coordinate all purchasing and support activity.
     Any requests for technical support or license upgrades must go
     through that person or office before contacting Stiller Research.

  3) Site licenses may NOT be transferred to another organization or person.

 These licenses can be upgraded at any time for only an incremental payment:

 |                           |                              |
 | Number of ADDITIONAL PCs: | Price per additional license |
 |  1 to 5                   |  $20.00 (US) each            |
 |  6 to 10                  |  $18.00 (US) each            |
 |  11 to 15                 |  $16.00 (US) each            |
 |  16 to 20                 |  $15.00 (US) each            |
 |  21 to 25                 |  $14.30 (US) each            |
 |  26 to 30                 |  $13.75 (US) each            |
 |  31 to 35                 |  $12.95 (US) each            |
 |  36 to 40                 |  $12.60 (US) each            |
 |  41 to 45                 |  $12.30 (US) each            |
 |  46 to 50                 |  $12.05 (US) each            |
 |  51 to 60                 |  $11.85 (US) each            |
 |  61 to 70                 |  $11.70 (US) each            |
 |  71 to 80                 |  $11.55 (US) each            |
 |  81 to 90                 |  $11.40 (US) each            |
 |  91 to 100                |  $11.30 (US) each            |
 |  101 to 120               |  $11.20 (US) each            |
 |  121 to 140               |  $11.11 (US) each            |
 |  141 to 160               |  $11.05 (US) each            |
 |  160 to 180               |  $11.00 (US) each            |
 |  180 to 200               |  $10.95 (US) each            |
 |  201 +                    |  $10.90 (US) each            |

 Additional copies of the book and disk are available for $7.50 each to
 site license customers.

 Example of ordering a site license:

   To use IM on 161 PCs, you would pay $39.50 for the first copy which
   includes  $4.50 for domestic shipping.  You now want
   to order 160 additional licenses. Looking in the table, you see that 160
   licenses are $11 each.  No shipping is needed for the additional licenses.
   The total on the order would be $1799.50 which is $39.50 plus
   160 times $11.   If you live outside the US or Canada you would
   need to include $5 for the book and disk to cover the additional
   shipping and support expenses.

            S p e c i a l    S i t e   L i c e n s e :
 If you are a large organization and have your own help desk, we offer
 special low-support license rates of only $6.00 per license, for licenses
 between 100 and 500 copies.  For over 500 licenses, we offer a $5.00
 rate.  Under this special license, we provide only limited support.
 Support is provided only through the Advanced Support Group (ASG).
 Problem reports may still be sent directly to Stiller Research.

 Dealer inquiries are welcome.  We also offer special educational discounts
 to public educational institutions.  Please contact us for details.


║                                                                             ║
║ Welcome to QUESTION.TXT!  Hopefully you'll find the answer to your question ║
║ in this collection.                                                         ║
║                                                                             ║
║ o If you have a general question about data integrity, security, viruses,   ║
║   system sectors or similar things, the help index in Integrity Master may  ║
║   provide the answer (Hit F1 and then "I").  If that fails, read the manual ║
║   (file I-M.DOC), especially part two on "Data Integrity and Viruses".      ║
║                                                                             ║
║ o If you're having trouble using the menus in Integrity Master try the      ║
║   tutorial offered in SetupIM.                                              ║
║                                                                             ║
║ o If all else fails, please contact us or the Advanced Support Group for    ║
║   assistance.  See details in file SUPPORT.DOC (IMVIEW SUPPORT.DOC          ║
║   to read this file).                                                       ║
║                                                                             ║
Q: I start SetupIM and suddenly nothing happens or I see the display
   scroll and then get disorganized.  The program seems to be stuck.

A: Insert formatted media (e.g., diskettes) in all removable drives, run
   SetupIM, and try waiting about 10 seconds and hitting the ENTER key
   several times.  You may be using a program which is trying to write a
   message to the screen while SetupIM is checking out your disk drives.
   You can safely ignore any garbage which appears on your screen. SetupIM
   will write a full report to file IMPROC.TXT.  Be sure to check this
   file.   The most common cause for this type of problem is using
   DRIVER.SYS to assign a duplicate drive letter to a floppy drive:

   You may have a statement like this in the \CONFIG.SYS file:

                 DEVICE=DRIVER.SYS /D:0 /F:0

   The numbers could be 0 as above or have some other value.  DRIVER.SYS
   may try to write a message to the screen to ask you to insert a new
   disk and hit a key when SetupIM checks this drive. Deleting this line
   should solve the problem. Once you finish running SetupIM you may
   restore the line. IM will have know enough not to access the
   duplicate logical drive.

Q:  How do I scan multiple disks for viruses?

A:  Please hit F1 in IM and select "Scanning for viruses" from the help
    index or read the section on scanning in the user guide (I-M.DOC
    file). From the command line you can use the /VM parameter to
    quickly scan multiple disks.  Use /Dx to tell IM which drive to
    scan.  IM will return a DOS error level of 64 or greater if it
    encounters a virus.

Q:  I want to do nothing other than scan a disk for known viruses how do
    I use Integrity Master to accomplish that?

A:  If this is a disk that you've already "INITIALIZED" with Integrity Master
    then just use the CHECK menu to check that disk.  If this a new disk to
    Integrity Master then use the INITIALIZE menu, to do an initialize of
    all the files.  You can save time in both cases by using the option
    menu to limit initializing or checking to executable programs.  You can
    also use the "V" option on the check menu to ONLY check for known viruses,
    but if you do this you lose all the additional benefits of integrity

Q:  I'd like to setup a batch file that sometimes does a quick check and
    sometimes does normal, full integrity checking.  Since there's no command
    line option to change the type of checking, how do I do this?

A:  Set your options for quick checking by using the OPTIONS menu.  Then
    select the first option on that menu to save (Write) the parameter file.
    This saves your options in file IM.PRM.  You can now copy that file to a
    different file  let's say QC.PRM ("COPY IM.PRM QC.PRM").  Now execute IM
    and set your options back for full checking.  Save (Write) those
    options.  You now have two files: QC.PRM (for quick checking) and IM.PRM
    (for normal checking).  IM with no change will use the options in IM.PRM.
    Anytime, you want to do a quick check just invoke IM with: "IM QC.PRM" and
    you'll be using the quick check options.  If QC.PRM is not in the current
    directory, be sure to code the complete path on the control card
    (e.g., "IM D:\utils\QC.PRM").

Q:  Sometimes IM comes up with different colors on the screen than before.
    What's going on?

A:  IM checks the DOS video mode indictor on your PC to see if you are
    in color or monochrome mode, as well as directly checking your video
    adapter.  This allows you to use the DOS "MODE BW80" to indicate
    that a two-color display is present on a color adapter card.  Some
    programs change this value to an incorrect value.  If this happens
    to you, use the DOS mode command to set the video mode back to the
    correct state.  For example, enter "MODE CO80" to restore normal
    color mode.  You can also use the command line override (or SetupIM)
    so IM comes up using whatever colors you prefer.  "IM /C" would
    force IM to use color mode.

Q:  I just tried to do a check or initialize on my hard disk. Integrity Master
    replied that this disk was not working.  It IS working!  What's wrong?
A:  File "DISKhelp.TXT" describes how to correct this problem. Read file
    DISKhelp.TXT using your favorite program, copy it to your printer ("COPY
    DISKHELP.TXT PRN") or enter the command:
    to display this file.

Q: I just entered the command IMVIEW (or IMPRINT) and nothing happened. My
   PC just said "Bad command or file name".

A: IMVIEW.COM and IMPRINT.BAT must be either in the current directory or
   in one of the directories in your DOS path.  To put these in the path,
   enter the command PATH at the DOS prompt and you'll see a list of
   directories on your disk.  You can copy IMVIEW.COM or IMPRINT.BAT into any
   of these directories.

Q: I don't have my original DOS install diskettes to do a clean boot from. How
   do I install Integrity Master?

A: It's only important to have a certified clean copy if a virus may already
   in control of your PC.  In most cases you can safely install using your
   DOS files in place on your hard disk.  

Q: I use DOS 4.0. I get a message saying that SHARE needs to be loaded for
   large media, when I boot from diskette.   Do I need to copy SHARE.EXE to
    my Integrity Master boot floppy?

A:  Integrity Master does not need SHARE.  You may wish to copy it so other
    programs can use it.  If so, just copy it to your diskette. DOS will
    automatically load it when you boot.

Q:  I just checked several disks but I can't find the report file.  What

A:  If you have the report file option turned on in automatic mode (check the
    OPTION menu), then the report file is written to the first disk that you
    check.  If you later switch to check another disk, without turning off the
    report file, the reports will still go to the same file on the same disk.
    You can choose to have this file always written to the same disk by
    selecting this on the OPTION menu.

    If you specified a report file name "of your choice", and did not
    include a drive or directory specification as part of the file
    name, then it will be written to the current disk and directory when
    you start checking or initializing.

Q:  Other anti-virus products don't say I have to boot my PC before checking
    my files; why do I have to boot before checking with Integrity Master?

A:  Actually, if you thoroughly read your documentation you'll probably see
    that your product DOES suggest you boot from a diskette; we're just
    a bit more up front about this issue.  If you're satisfied with the level
    of protection obtained from other products without booting, then you don't
    VIRUSES.  The reason we ask you to boot from a write protected floppy
    before checking, is that this is the ONLY way to be sure that a virus is
    not already resident and in control of your PC.   Integrity Master
    checks memory for resident viruses, so it is somewhat safe NOT to boot.
    If you choose to do this, be sure you always have the latest version
    of Integrity Master.

Q:  I want to write my reports to my printer.  IM reports that my printer
    isn't working, but it is!  What can I do?

A:  You have a printer which is not compatible with the standard IBM BIOS
    functions that IM uses.  There's an easy way around this.  Just use
    the OPTION menu to write the reports to a file called "PRN".  This
    will allow DOS to route the print for you.

Q:  IM just detected a change to a program.   Only this one program changed,
    I don't think it's a virus.   What are some programs known to change

A:  There are too many programs to list them all here.  Many programs will be
    changed when you run the install or option update program for that
    program.  WordStar is a well known example.  A new program is SETVER.EXE
    which is part of DOS 5.  Whenever you run SETVER to set the DOS version
    for a program, SETVER stores this information by modifying its own code.
    This will result in IM reporting a change to SETVER.EXE every time you
    run the program.    Changing certain options in MicroSoft Windows (R)
    will also change the program itself (WIN.COM).

Q:  IM keeps reporting that my boot sector has changed.  It is NOT reporting
    a known virus. The boot sector seems to change every day. I don't think
    I've got a virus.  What's going on?

A:  If your boot sector keeps changing repeatedly and you have an older HP
    or Zenith PC, you may have one of the models that changes its boot
    sector every time you boot.  If you use a program like STACKER which
    establishes a virtual (not a real) disk, do not be concerned if the boot
    sector on the virtual (e.g., Stacker) disk keeps changing.  This is normal
    behavior.  As a matter of fact, changes to the boot sector of any disk
    which can not be booted from, generally do not represent a problem.  If
    you have any doubt about whether it's a virus, save a few of your
    BOOT.SRL files (Run an Initialize boot sector after IM reports a change)
    and send these along with the other information called for in file
    SUPPORT.DOC to us.  We'll check to see if a virus might be present in
    your boot sector.

Q:  IM detected a virus on my PC.  I reloaded my system sectors and either
    deleted or reloaded all infected files, yet the virus keeps coming back!
    What should I do?

A:  Somewhere a virus is eluding your checks; please check the following:

  o Did you install IM after booting from a clean floppy?  It's absolutely
    vital to do a cold boot before checking.

  o Are you using a task switcher (or multi-tasker) such as windows?  If so,
    then this program may be saving some of your infected programs in its
    "swap" file.  This file often ends in the letters ".SWP".   Delete
    this file if it exists.

  o Be sure you check ALL files and floppies which come into contact with
    your computer.  You may have missed a file or diskette somewhere.  Please
    take the extra time and check them all.

  o It's possible that viral code is hidden somewhere other than an executable
    file.  IM normally checks only executable files (programs and overlays)
    for known viruses.  Try selecting "Disk for known Viruses" on the CHECK
    menu and selecting "Check All files" on that menu.  This will check
    all files as well as system sectors on your disk.  Check any other
    disks that you've been using.

Q:  I use an executable compression program (e.g., LXEXE or PKlite), am I in
    danger of the compressed files being infected?

A:  If a virus should infect ANY of your files, compressed or not, IM can
    detect this fact.  So if a virus should infect a compressed executable
    file, IM will have no trouble detecting this.  On the other hand if a
    known virus infects a program and then that program is compressed, IM
    may or may not recognize the virus in the compressed file.  However if
    the virus should attempt to spread, IM will detect this.

Q:  IM just detected a virus in one of my system sectors, and says to
    reload the system sector.  I've never run an "Initialize", so I don't
    have the sector reload file (.SRL).  Help!   What do I do?

A:  This reinforces an important point: DO AN INITIALIZE ON ALL YOUR DISKS
    DO IT NOW!  If you lost your boot sector, you're in luck, otherwise you
    have some serious work ahead of you.


  o You can manually reload the DOS boot sector by entering the command:
    "SYS C:" where "C" is the drive with the damaged boot sector.  You must
    logged on to drive A: when you enter this command.

  o Manually reloading partition sectors is MUCH more difficult.  Before you
    go any further, make sure you have as much of your data backed up as
    possible.  There is a serious risk that what you are about to do may
    render your disk unreadable!  Try one of the following options:

    1) If you have DOS 5, try the command: "FDISK /MBR" to create a new
       partition sector (AKA Master Boot Record).  Be careful; this is NOT
       documented and may not always work.

    2) If you can locate an identically formatted hard disk you could use IM
       (INITIALIZE partition sector) to capture the sector reload file and
       then reload it on your damaged disk (use Reload "Missing Partition")
       to accomplish this.

    3) Some of the utility programs such as Norton or MACE may be able to
       repair this sector. If they don't replace the sector, you could use
       one of the sector editors to write zeros over the first part of the
       boot sector and then turn the "disk fix-it" program loose again.  Our
       testing shows that these programs don't always succeed and may
       further damage your disk.

    4) The last alternative is to do a low level format.  This completely
       removes all data from your hard disk.  See the next question for
       details on how to do this.

Q:  How do I do a low-level format?

A:  This procedure varies with the type of computer your have and the type
    of disk controller board.  If you have an IBM PC then you have (or can
    get) a diskette containing a program to low level format your drive.
    Some other manufacturers provide this also.  Running SPINRITE to do a
    low-level format is NOT what we want to do here.  We MUST do a
    DESTRUCTIVE format. Check the documentation that came with your disk
    controller board for the technique to low-level format or call the
    manufacturer for information on how to do this.  Be sure to explain that
    all you really want to do is to replace the partition sector (master
    boot record).  They may have a utility to do just that.  The procedure
    for some common Western Digit controllers is as follows:

    Enter "DEBUG"  (from your DOS boot diskette)

    at the DEBUG prompt ("-") enter: "g=C800:5"   (press ENTER)

    at this point you should be able to follow the directions. You will need
    to know whether you are formatting your first on second hard disk and
    the layout (heads and cylinders plus and bad tracks) but often you can
    just hit ENTER and accept the defaults.  To find the bad track list open
    your PC and look on the drive itself.

Q:  I was just checking a diskette for viruses and IM detected the
    DataCrime 2 virus in a file.  When I restarted IM it detected the
    DataCrime virus resident in memory!  I never executed the program
    which was infected, so how did the virus get control of my PC?

A:  The virus wasn't really resident or in control of your PC. What happened
    was that a piece of the viral code was left somewhere in memory -
    probably in one of DOS's file buffers.  Although IM takes great pains to
    clear its own buffers and areas of memory, it's not unusual to get a
    false indication of the virus being active in memory after detecting
    a virus in a file or system sector.

Q:  When I first start IM, I see something red flash on my screen, but I
    can't make out what it says.

A:  When IM first starts, it looks for the parameter file (IM.PRM)
    which contains all your option settings.  On some PCs this can be a
    slow process, so IM announces that it is: "Searching for and reading
    parameter file."   On faster PCs, this message appears as barely a blur!

Q: IM reports invalid time and date stamps on many of my files.  Do I have
   a virus?

A: Maybe!  If it's only executable files with the illegal values, you'll
   need to check further to make sure there's no unknown virus on the
   loose.  If you have such a virus, IM should be detecting unexplained
   changes to executable programs.  Try following the procedures
   outlined in the manual (or the I-M.DOC file) for determining if file
   changes are due to viruses.  (Basically, what you do is to run a full
   check, execute a suspect program, cold boot, and run another full
   check.)  There are some common causes for files to have illegal time
   and date stamps (such as 62 seconds):

   1) There is reportedly a backup program ("Intelligent Backup") which
      marks files by setting the seconds field to an illegal value.

   2) Some anti-virus products attempt to "immunize" your files by setting
      the seconds of time stamp of your programs to 62.  This works only
      against a handful of viruses but some programs do this anyway.

   3) Central Point's (PC Tools) Datamon will reportedly mark encrypted files
      by setting the seconds field to 62.

Q:  IM says I have a virus resident in memory, but I doubt this, since I have
    another anti-virus product which reports nothing.  What's going on?

A:  Some anti-virus products execute as a resident program (TSR) to monitor
    your system and check for signs of known viruses.  To check for these
    viruses, they use fragments of the same viruses that IM checks for.
    It's a standard practice to keep these fragments encrypted or stored in
    pieces, but some products don't follow this practice.  You probably have
    such a product.  To double check, remove any line in your CONFIG.SYS and
    AUTOEXEC.BAT file which executes this product.  Cold boot your PC.  Now
    run IM.  If the other product was at fault, IM will now detect no virus.

Q:  When I run IM under Microsoft Windows, it reports "General failure"
    reading some files.  This is supposed to be a hardware error.  What's

A:  Microsoft Windows has certain files open.  When IM tries to read these
    files it is unable to.  The message returned to IM varies from one PC
    to another.  On some PCs, you may see merely that certain files can not
    be opened.  On other PCs (such as yours), a critical error is returned to
    IM.  IM is simply reporting the error returned to its critical error
    handler.  We are looking into ways to determine the true rather than
    the simply the reported cause of errors such as this.

Q:  I'm using STACKER on my PC and IM keeps reporting boot sector corruption
    on my stacker volume.  What gives?

A:  STACKER closely simulates an actual DOS disk drive on its volume. It
    pretends to have an actual boot sector.  This boot sector is not a real
    boot sector and may change from moment to moment.  Viruses can not spread
    by infecting this boot sector and since it can change at any time,
    checking this boot sector is a waste of time.  When you check a STACKER
    volume, just check the files and not the system sectors. Don't do a
    "Check Entire disk integrity" which includes the system sectors on the
    STACKER volumes.  If you use the command line, use "/CD" rather than
    "/CE".  Automatic handling of STACKER volumes will be available soon.

Q:  IM reports corruption of its own report file.  Why?

A:  This can happen in only one circumstance.  If you select a report
    file with a name of your own choice and then check the disk and
    directory containing that report file, IM will write to that file
    between the time that it checks it and the time that the file is
    closed.  We recommend using auto-named report files or placing them
    on a disk different from the disk being checked to avoid this message.

Q:  I am getting errors when reading a disk I think is working OK.
    Why does IM report an error.

A:  See file DISKhelp.TXT

Q:  How do I get rid of that wait for keypress at the end of processing.

A:  If you enter a command line parameter such as "/CR" or "/CD", and
    specify no pause either by using the option menu or with the
    "/N" or "/NE" parameter, IM will pause only briefly after it
    finishes checking.

Q:  How can I quickly remove boot sector viruses (such as Stoned or
    Michelangelo) from numerous diskettes?

A:  If your diskettes are bootable, the DOS "SYS" command can be used to
    quickly remove boot sector viruses.  (You can always try the SYS command
    it won't hurt anything)  Be sure to boot from a write protected copy
    of DOS and then issue the "SYS x:"  command (x is the disk you wish
    to clean).

    For non-bootable disks, locate an uninfected disk of the same type
    as that which is infected.  Use IM to initialize the boot sector data
    for that diskette.  Temporarily remove all other "BOOT.SRL" files
    from your disks.  Make sure the "BOOT.SRL" (boot sector reload file)
    which IM just created is present either in your current directory
    or in the root directory of one of your disks.  Now:

    o Run IM and turn the report file off.

    o Change to the drive containing an infected floppy (Commands menu).

    o Tell IM to reload the boot sector.

    o Insert and another diskette and keep reloading. IM will locate the
      BOOT.SRL file on one of your other disks and reload the sectors on
      each floppy diskette.

Q:  How can I avoid having separate report files on each disk IM checks?

A:  Use the Options menu to set the auto-named report file to go to
    a specific disk of your choosing.  All reports will then go to this
    disk, independent of the disk being checked.

Q:  I see:  "Changes in directory xxxxxx:" but no changes appear on my
    screen.  Why is this?

A:  If you have asked IM to exclude files or directories from checking,
    IM will remove their associated integrity data the next time you
    run a check.  If you have asked IM not to tell you about excluded files
    or directories, it will still alert you that it is updating the
    integrity data for directories where something is being excluded.
    This notice appears only once when IM first removes the preexisting
    integrity data for the excluded files and directories.

Q:  Integrity Master reported a file as having a problem or being suspicious
    yet I didn't see why.  Where's the explanation?

A:  You probably have your halt options set to halt only on serious
    problems or emergencies.  In this situation the detail information is
    written only to your report file.  Please read the report for the
    detail information on what was found wrong with the file.

Q:  I tried the "/L" option on my laptop but the screen is not very legible.

A:  The "/L" (LCD) option is intended for older CGA compatible laptops such
    as the Toshiba 1000.  Newer laptops (especially VGA gray scale displays)
    should work fine with no special video override.  If the display doesn't
    look right on a newer laptop try the "/M" rather than the "/L" command
    line switch.

Q:  I just did a "DIR" on a diskette which had the "Stoned" boot sector
    virus.  When I ran IM, it reported the virus was active in memory.
    Can I get a virus by just doing a DIR?

A:  No; you cannot get infected unless you execute an infected program
    or boot from an infected diskette.  When you did the "DIR", a copy of
    the infected boot sector was read into memory.   IM then detected this
    image of the virus in memory.  Although the virus is in memory, this
    is harmless since the virus code is never executed.

Q:  When I run Integrity Master on an empty directory, it lists a large
    number of files as deleted (or sometimes added).  These files don't
    exist there.

A:  You are using the DOS "APPEND" command.  This makes files appear to
    present in any directory which are actually in the appended directory.
    Type "APPEND" and hit ENTER to see if you are using it. When you
    installed DOS this command may have been placed in your AUTOEXEC.BAT
    file.   You almost certainly don't need it.  If you don't want to
    get rid of it, just enter the command "APPEND ;" before you execute IM
    or include this in a .BAT file to execute IM.

Q:  I don't like the way IM displays dates or times.

A:  Execute IMsetup and select "Change Format for date or time" from the
    "Advanced option" menu.


This is the shareware (evaluation) version of Integrity Master(tm)
(Version 1.51b).  It will run on any PC with at least 250K free memory
and DOS 2.0 or later. A hard disk is recommended. Registration is $35
plus shipping and handling.  Please upload or share Integrity Master
with your friends, but keep all these files together. Read file
HISTORY.DOC to learn what's new with this release and read or print
file ORDER.DOC for a complete list of agents.

|  To get started, just type SETUPIM and hit ENTER.  You don't need to  |
|  read the documentation first!   SetupIM contains a tutorial to tell  |
|  you all you need to get started.  Please read I-M.DOC later (use the |
|  command: IMVIEW I-M.DOC or IMPRINT I-M.DOC) after you have completed |
|  SetupIM and used IM for a while.   READ THIS FILE (README.DOC) TO    |

  (We frequently refer to Integrity Master by its nickname, "IM")

 Once you install Integrity Master, there will be only two files you
 absolutely need to use Integrity Master:

   IM.EXE       - Integrity Master itself
   IM.PRM       - The parameter file which controls how IM works
                - This file is created by SETUPIM.EXE

 If you want to reinstall IM, or change advanced features of IM, you will need:

   SETUPIM.EXE  - The setup and install program (It creates and updates IM.PRM)

 When you install IM, SetupIM will create file:

   IMPROC.TXT   - Complete instructions to finish install and run IM
   IM.PRM       - The parameter file (all option settings are stored here)
   IMCONFIG.SYS - Sample CONFIG.SYS file for floppies (optional)

 When you run (initialize) IM, it will create integrity data files.  These
 files will be called ")(.ID" unless you use SetupIM to select a new
 name. These files contain the integrity data describing your files.  Files:
 BOOT.SID, BOOT.SRL, PART.SID and PART.SRL contain system sector integrity
 (.SID) and reload (.SRL) information.

 The following files are provided as additional aids but are not required
 to use or modify Integrity Master:
 3YEAR.DOC ---- Special three year virus and data integrity update offer
 DESCRIBE.DOC - Contains short descriptions of IM for BBS and vendor use
 IMCHECK.EXE -- Supplemental stand-alone integrity check program
 IMPRINT.BAT -- Batch file to print files.  Syntax: "IMPRINT filename"
 IMVIEW.COM --- File viewer program. Syntax: "IMVIEW filename"
 OMBUDSMN.ASP   Information of how to contact the ASP ombudsman for help with
                resolving a problem with an ASP member
 ORDER.DOC ---- Complete information on how to license Integrity Master
                order form for IM
 QUANTITY.DOC - Table of discounts for licensing multiple copies of IM
 README.DOC --- Contains latest information concerning IM
                Read this for documentation on the latest changes.
 SUPPORT.DOC -- How to contact Stiller Research for product support and help
 SYSOP.DOC   -- How to post Integrity Master on a BBS and info for BBS SYSOP
 VENDOR.DOC --- Distribution requirements for disk vendors and clubs
 VIRREP.DOC --- How to report a virus attack

If you downloaded your copy of Integrity Master, the following files may be
included as part of a separate archive file:

 README2.DOC  - This file is present ONLY when there are two sets of files
                to download.
 DISKHELP.TXT - Contains information to help with accessing disk drives
 GENVIR.EXE  -- Execute this program to create SAMPVIR.BIN a fake test virus
 HISTORY.DOC -- List of versions and changes made to Integrity Master
 I-M.DOC ------ Documentation file for IM and information on data integrity
 QUESTION.TXT - Enter "IMVIEW QUESTION" to see common questions and answers
 VTEXT.DOC  --- List of viruses IM identifies by name

The following optional files may or may not be present:
 FILE_ID.DIZ -- Description file for PCboard, Wildcat other BBSes.
 DESC.SDI   --- Another short description

The latest version of Integrity Master can be obtained from these sources:

o Download from CompuServe in IBMSYS  and ZNT:UTILFORUM  (one of the
  Ziff-Net, PC Magazine forums) file I-MAST.ZIP.

o We offer free downloads and support for Integrity Master on Solitude BBS
  (Fido 1:300/23)   (1-602-747-5236 - all speeds).  FIDO users can also
  freq it from this BBS.  The file name will be: I-M###.ZIP where ### is
  the current version number (e.g., I-M151.ZIP for V1.51).

o Free downloads of Integrity Master and support are also available via
  the Runway BBS. You must join Conference 77.
  Runway BBS:
  215-623-6203 2400
  215-623-9462 v.32
  215-623-4897 HST

o In the UK, Integrity Master is supported by The Farm BBS UK. 9 nodes
  Dual Standard HST. 7.2gb 0223 208094/208472/208363/208525/208598/208287.

o In the UK, The Shareware Support BBS (0442) 890807 HST-DS.  We provide
  support and downloads via conference 10 - "Runway Link"

o Any major shareware diskette vendor should have a current copy of Integrity
  Master.   All ASP affiliated disk vendors automatically get new copies.


                         THE LATEST CHANGES:

  If you have been using a prior release of Integrity Master, please read
the HISTORY.DOC file to see what has change since your version.

  Integrity Master provides automatic international time and date support
plus you can override the date and time format by using SetupIM.

  IMCHECK now provides some of the advanced directory information checking
previously only done by IM itself. IMcheck will display dates in either
numeric form or with alphabetic months.  An even more advanced version
of IMcheck comes with the registered version of IM.

  Integrity Master will now present you with the INITIALIZE rather than
the CHECK menu if it doesn't find any integrity data in the current
directory. This is intended to make it easier for new users, since
you've got to initialize before you can check.

  Some other anti-virus products contain fragments of unencrypted viruses.
If you get an indication of a known virus in another product, do not
be too alarmed.  In one case, IM will only report this if you ask it
to check all files.  In this case it will check a file for viruses which
would not normally infect that type of file.   If you have an anti-virus
product in the form of an .EXE file which is infected by a virus which
only infects .COM files, it's probably a false alarm.


How to report problems or submit comments regarding Integrity Master:

Read file QUESTION.TXT to see if your concern may be documented there.
If you don't have your own utility, enter "IMVIEW QUESTION.TXT" to read this

If you have a problem, please gather the following information:

   1) Describe the problem.  What do you see on your screen?   Under what
      circumstances does it happen?

   2) Please describe the steps required to reproduce the problem:

   3) Print your CONFIG.SYS and AUTOEXEC.BAT files.

   4) Print the IMPROC.TXT file you used to install Integrity Master.

   5) Please describe your computer:

      PC type:                Video Adapter:              Hard disk:
      DOS Version:            Other adapters:             Floppies:
      BIOS version:

  6) Do you use special disk partitioning software such as DMdriver?

  7) Serial number (from the diskette label) and version number of Integrity
     Master (You are NOT required to already be a registered user to report
     a problem)

If you have suggestions for improvements, complaints, compliments...whatever,
P L E A S E  let us know.  We'd like to meet your needs!

Mail the above information to:

   Stiller Research
   2625 Ridgeway St.
   Tallahassee, FL  32310

   to call the Advanced Support Group (ASG) at  1-900-88-HELP8
   (1-900-884-3578) and have the relevant information ready.  If you can
   not place 1-900 phone calls you may call the Advanced Support Group
   at 1-314-256-3130 and use your VISA or Mastercard. ASG is providing
   this support as a service to Stiller Research customers.  They are
   specialists in PC technical support and are familiar with Integrity
   Master; they should be able quickly assist you with any IM problem
   you are having.  There is a $2 charge per minute (after the first 24
   seconds) which will be added to your phone bill for this service.
   (Registered users of Integrity Master will be eligible for free
   telephone support directly from Stiller Research plus free assistance
   in dealing with virus attacks)

or extract the above points you think may have relevance and
   send via electronic mail to:

           72571,3352  on CompuServe
           72571.3352@compuserve.com on InterNet, Bitnet, etc.
           uunet!compuserve.com!72571.3352 on Uunet
           PHSH44A on Prodigy.

o In the UK, Integrity Master is supported by The Farm BBS UK. 9 nodes
  Dual Standard HST. 7.2gb 0223 208094/208472/208363/208525/208598/208287.

o In the UK, The Shareware Support BBS (0442) 890807 HST-DS.  We provide
  support and downloads via conference 10 - "Runway Link"

(Registered users have direct telephone access to Stiller Research)


BBS sysop information                                            Page 1 of 1

           - Integrity Master, Version 1.51 - SYSOP.DOC -

                 I N T E G R I T Y    M A S T E R

                          Version 1.51

                  B B S    I N F O R M A T I O N

This file contains information regarding the posting of the
Integrity Master package, version 1.51, on Bulletin Board Systems.

For sample descriptions which you may use to describe the product
please refer to the DESCRIBE.DOC text file.

Please refer to the VENDOR.DOC file for complete distribution

If your BBS would like to receive automatic updates then please
take advantage of our Distributor Update Program described in the



Vendor information                                               Page 1 of 5

                   I N T E G R I T Y    M A S T E R

                             Version 1.51

                   V E N D O R    I N F O R M A T I O N

This file provides information for Shareware Distributors, Disk Vendors and
Computer Clubs who wish to distribute the Integrity Master package.

Individual and Company Users:  Please refer to ORDER.DOC text file for

BBS SYSOPs:  Please refer to the SYSOP.DOC and DESCRIBE.DOC text files
for information.

For sample descriptions which you may use to describe the product please
refer to the DESCRIBE.DOC text file.

                         Distribution Requirements

Individuals who wish to distribute Integrity Master to their friends or
Computer Clubs and User Groups wishing to add the Integrity Master package to
their disk library may do so in accordance with the Distribution Restrictions
listed below.

   If you would like your Computer Club or User Group to be placed on our
   mailing list for future upgrades to any of our products, please contact us
   for complete details.  Our address, and Email addresses are listed in

Limited Distribution License:
As the exclusive copyright holder for Integrity Master, Stiller Research
authorizes distribution only in accordance with the following restrictions.

Vendor information                                               Page 2 of 5

               - Integrity Master, Version 1.51 - Vendor.DOC -

Upon written notification from us, you will stop distribution of the
software as soon as possible.  Under no circumstances, may you
distribute or list our software more than 3 months after having been
given notice to stop distribution.

The Integrity Master package is defined as containing all the files listed in
the README.DOC text file.  If any files listed in the README.DOC text file
are missing, then the package is not complete and distribution is forbidden.
Please contact us to obtain a complete package suitable for distribution.

The Integrity Master package - including all related program files and
documentation files - MAY NOT be modified in any way and must be distributed
as a complete package, without exception.

   Small additions to the package, such as the introductory or installation
   batch files used by many shareware disk vendors, are acceptable.

You must make it clear that the user is obligated to pay for these
programs if they decide to continue to use them.  If you charge for
distribution, it must be clear that your customers are paying for your
distribution, NOT for the software.

Bundling and Rack Sales
The Integrity Master package CANNOT be sold as part of some other inclusive
package.  Nor can it be included in any commercial software packaging
offer, without a written agreement from Stiller Research.

Vendors who wish to distribute the Integrity Master package on retail
racks must obtain permission from Stiller Research prior to beginning
such a distribution.  If you already have such permssion, you need not
contact us again.

Vendor information                                               Page 3 of 5

               - Integrity Master, Version 1.51 - Vendor.DOC -

The PRINTED User's Guide may not be reproduced in whole or in part, using
any means, without the written permission of Stiller Research.  In other
words, the disk-based documentation may not be distributed in PRINTED
(hardcopy) form.

The Integrity Master package cannot be "rented" or "leased" to others.

Licensee shall not use, copy, rent, lease, sell, modify, decompile,
disassemble, otherwise reverse engineer, or transfer the licensed program
except as provided in this agreement.  Any such unauthorized use shall
result in immediate and automatic termination of this license.

U.S. Government Information:  Use, duplication, or disclosure by the U.S.
Government of the computer software and documentation in this package shall
be subject to the restricted rights applicable to commercial computer
software as set forth in subdivision (b)(3)(ii) of the Rights in Technical
Data and Computer Software clause at 252.227-7013 (DFARS 52.227-7013).  The
Contractor/manufacturer is Stiller Research, 2625 Ridgeway St., Tallahassee,
Florida 32310-5169.

All rights not expressly granted here are reserved to Stiller Research.

Vendor information                                               Page 4 of 5

               - Integrity Master, Version 1.51 - Vendor.DOC -

Please Help Us Serve You Better:

We would appreciate copies of anything you print regarding Integrity Master.
Please send us a copy of any reviews, articles, catalog descriptions, or
other information you print or distribute regarding the Integrity Master

Please refer to ORDER.DOC for our mailing address.

Thank you for your support!

Vendor information                                               Page 5 of 5

               - Integrity Master, Version 1.51 - Vendor.DOC -

Distributor Update Program:

Most disk vendors have standard procedures for acquiring new files.
They get them from other vendors, BBSs, etc.
We can not afford to mail disks to thousands of vendors each month.
If you would like to obtain programs directly from us, automatically, then
please help us to cover the cost.

Under this program you can receive updates for an entire year for only $10
(this helps to offset our costs).  Integrity Master is updated monthly with
the latest virus information, but we anticipate doing 7 general mailouts each

To receive updates, simply send us a letter with your name, company
name, mailing address, the name of the person we should contact (such as
your disk librarian), the program (or programs) for which you would like
to receive updates, and a check or money order for $10 (Countries
outside of North America please add an additional $10).
Payment in U.S. funds or in the funds of these countries:

Everyone participating in our Update Program will automatically receive any
NEW programs which we may release while their Update Program is in effect.

The Distributor Update Program is only intended to help us cover our
expenses. You will have the latest version directly from the source as soon
as it is available.  This gives you an advantage over everyone else sine you
will be the first to have the latest virus and data integrity protection.


 o If you encounter a virus, please do us and other PC users a favor by
   reporting it.  This allows us to track the spread of PC viruses and
   hopefully determine their source.

 o If you encounter a virus that IM doesn't recognize, please save at least
   one infected floppy or file and report this to us.  We will determine if
   it's a virus and send an updated version of IM at no charge.

Mail the appropriate information to:
   Stiller Research
   2625 Ridgeway St.
   Tallahassee, FL  32310

 or send via electronic mail to:

   72571,3352  on CompuServe
   72571.3352@compuserve.com on InterNet, Bitnet, etc.
   uunet!compuserve.com!72571.3352 on Uunet
   PHSH44A on Prodigy.

To report a known virus, just send the following information:

   Name of the virus:

   Your name and telephone #, plus a good time to call (or your address if you
   prefer not to be called).

   The number of PCs affected.

   Describe and damage or loss of data:

   Describe any noticable effect of the virus on your PC.

To report a virus which IM doesn't recognize by name (an unknown virus):

   Serial number and version number of Integrity Master (You are NOT
   required to already be a registered user to report a virus)

   Your name and telephone # (optional), plus a good time to call.

   Your mailing address

   The number of PCs affected.

   Describe and damage or loss of data:

   Describe any noticable effect of the virus on your PC.

   What type of PC do you have?

   What version of DOS?

   Please mail an infected file or preferably entire infected floppy.  Do
   NOT delete any files from the floppy, if the virus infects diskettes.
   We will extract and analyze the virus.  Your files will be kept confidential
   and will be either destroyed or returned to you upon your discretion.  As
   a reward for your trouble, we will send you the latest version of Integrity

Directory of PC-SIG Library Disk #3968

 Volume in drive A has no label
 Directory of A:\

IMSHARE  BAT      4824   6-18-93   3:58p
I-MSHARE ZIP    317562   6-20-93   3:40p
UNZIP    EXE     30226   8-22-92  12:49p
GO       BAT        10   8-18-93  11:02a
        4 file(s)     352622 bytes
                        7168 bytes free