ChekMate Version 2.0

January 16, 1996

A new version (2.0) of ChekMate, the virus detection utility, has just been
released. A list of the Web and FTP sites at which it can be found is
given below.

Version 2.0 is a major upgrade of ChekMate. Built on the strengths of
Version 1.06, it offers improved resistance to attack, additional
unknown-virus-discovery capabilities and repair facilities.

What does ChekMate do?

ChekMate detects known and *UNKNOWN* File, Boot, Partition Table, .COM,
.EXE, Companion, Stealth, Multipartite, Polymorphic, VCL (and other
virus-writing-kit-developed) viruses as well as many memory-resident
viruses. ChekMate also detects slow-acting viruses and defends against the
newly-active Word Macro viruses.

ChekResQ (Registered Version) is a ChekMate utility that can remove Boot
Sector and Partition Table viruses both from memory and your hard disk.

As ChekMate uses generic techniques, not scan strings, it avoids the major
problem of false alarms. ChekMate should be used alongside a good virus
scanner. It is designed to work with any scanner you wish to use.

ChekMate detects changes to the areas that are frequently attacked by
viruses. It also launches decoy or bait files purposely to get a virus to
infect them.

The Areas Protected Are:

- The Boot Sector(s)        : (Up to 4 drives are supported)
- The Partition Table       :
- Top Of Memory             : Many viruses change this.
- The Command Processor     : This can be NDOS, 4DOS or COMMAND.COM
- The BAIT Files            : 6 different files are used.
- Interrupts                : Key interrupts are checked.
- CMOS                      : Registered version only.
- Word for Windows Macros   : A recent target of new viruses
- AUTOEXEC.BAT + CONFIG.SYS : A potential new target for viruses

Protection Mechanisms:

- 128-bit cryptographic fingerprints (using MD5 from RSA).
- Byte for byte analysis against clean code fragments stored
  after first use.
- Length of file against stored values.
- Interrupt checking for memory resident viruses.
- CMOS verification.
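
An added illustration, not ChekMate's own code, of how the fingerprint,
length and byte-for-byte checks listed above complement each other. The
function names, the 32-byte fragment size and the sample AUTOEXEC.BAT
contents are assumptions made for this example.

```python
import hashlib

FRAGMENT_LEN = 32  # assumed size of the stored clean code fragment


def make_baseline(data: bytes) -> dict:
    """Record the three values the list above names for a clean object."""
    return {
        # MD5 is the 128-bit fingerprint the page names; a baseline built
        # today would use SHA-256, since MD5 collisions are practical.
        "md5": hashlib.md5(data).hexdigest(),
        "length": len(data),
        "fragment": data[:FRAGMENT_LEN],  # leading bytes, kept verbatim
    }


def check(data: bytes, baseline: dict) -> list:
    """Return the name of every check that no longer matches the baseline."""
    failed = []
    if len(data) != baseline["length"]:
        failed.append("length")
    if data[:FRAGMENT_LEN] != baseline["fragment"]:
        failed.append("fragment")
    if hashlib.md5(data).hexdigest() != baseline["md5"]:
        failed.append("md5")
    return failed


# Constructed sample: a small AUTOEXEC.BAT and three altered copies.
CLEAN = b"@ECHO OFF\r\nPROMPT $P$G\r\nPATH C:\\DOS;C:\\WINDOWS\r\n"
APPENDED = CLEAN + b"C:\\DOS\\HIDDEN.BAT\r\n"        # line added at the end
SAME_LENGTH = CLEAN.replace(b"WINDOWS", b"WINDOWZ")   # one late byte changed
PATCHED_HEAD = b"@ECHO ON " + CLEAN[9:]               # start overwritten

BASELINE = make_baseline(CLEAN)

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN), ("appended", APPENDED),
                       ("same length", SAME_LENGTH),
                       ("patched head", PATCHED_HEAD)]:
        print(f"{name:13s} failed checks: {check(blob, BASELINE)}")
```

The same-length copy passes the length and fragment checks and is caught
only by the fingerprint, which is why the three checks are used together.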

From What Does This Protect Me?

Known/unknown viruses of the following types:
- Boot Sector Viruses
- Partition Table Viruses
- File Infecting Viruses
- Stealth Viruses
- Virus-Toolkit-Created Viruses
- MtE or Any Other Polymorphic Viruses
- Word Macro Viruses

Can ChekMate rescue me from some virus attacks?

Yes, ChekResQ (Registered Version) is a ChekMate utility that can remove
Boot Sector and Partition Table viruses both from memory and your hard
disk.

Is ChekMate easily installed on Networks?

Yes. The addition of the /AUTO switch to SETUP means that ChekMate can be
installed from a network server onto workstations centrally and
automatically.  This will lighten the support burden.  /NODRIVES is
required for use on Windows NT systems when using /AUTO.

On What Operating Systems Does ChekMate Work?

- MS or PC-DOS 3.3 or later
- Windows 3.0, 3.1, 3.11, Workgroups, Windows '95, and Windows NT.
- OS/2 2.0, 2.1 and Warp

Special requirements:  IBM PC Compatible running DOS 3.3 or later with at
least 256Kb of memory and a hard disk.  DEBUG must also be in the Path.

To date, ChekMate has detected numerous unknown viruses which had not been
detected by virus scanners.

What's new in Version 2.0?

1. Added ChekResQ Boot sector and Partition Table repair utility.
   (REGISTERED version ONLY)

This will allow removal of known and unknown boot [DBR] and partition table
[MBR] viruses (including 'Monkey') from a hard disk -- without the need
for a rescue disk.  This will even work if the virus is stealthed (as is
Monkey) and still in memory.

This repair can be set up to be automatic after a change is detected!

2. Added support for Windows NT.  Added /NOBP switch.

ChekMate does both boot and partition checking.  However, this switch,
which disables both checks, allows ChekMate to be compatible with NT.

3. Added encryption of the boot and partition table .SEC and .CHK
   files

This will discourage virus writers who may try to target the .CHK files.
The entire file is encrypted.  A test is then made when it is decrypted in
order to see if it is still valid.  If not, it will not be written to the
hard disk's track 0.

4. Added Word Macro detection utility. (CHEKWORD.DOC)

This follows ChekMate's generic (non-virus-specific) approach to detecting
unwanted changes to files.

In the case of ChekWord, the macros in the GLOBAL template (normally
NORMAL.DOT) are checked and the user is informed of the number(s), name(s)
and descriptions of macros in this template.  For your protection, the
AutoExec and AutoOpen macros (the primary way for a macro virus to gain
control) are also disabled automatically.

Any document opened using the standard File/Open menu option will also be
checked for macros.  If macros are contained in the document they will be
listed.  Otherwise, file loading continues as normal, without
interruption.

5. Improved the stealth virus detection routines. Even tunneling
   viruses such as Necropolis and Peanut are now detected.

This means that ChekMate now detects even the extremely clever viruses if
they are active on your system, even if the virus is NOT known to any
conventional or heuristic-based virus scanner.

6. Added /AUTO switch to SETUP.EXE

This will allow installation to be painless.  It means that ChekMate can be
installed from a network server onto workstations centrally and
automatically.  This will lighten the support burden.  /NODRIVES is
required for use on Windows NT systems when using /AUTO.

7. Added /SPARSE switch to catch slow infectors.

8. Added /SYSTEM switch to check AUTOEXEC.BAT and CONFIG.SYS files.
   (REGISTERED Version ONLY)

This will detect ANY change to the AUTOEXEC.BAT and CONFIG.SYS.  This is
extremely useful against the newer viruses that attack these files.  It is
also very useful to detect users that are modifying their systems,
especially in corporates that have a standard setup.

This also adds detection of .BAT file viruses.

We believe that the next thrust of virus writers will be to put out viruses
that attack or are written in batch file language.  As viruses, they will
have to change their new target (*.BAT files).  Therefore, detecting
changes to AUTOEXEC.BAT will detect them too.

Where can I find ChekMate?

Via anonymous ftp at:

        ftp.coast.net/SimTel/msdos/virus/cm200.zip
        ftp.demon.co.uk/pub/simtel/msdos/virus/cm200.zip
        ftp.demon.co.uk/antivirus/ibmpc/av-progs/cm200.zip
        ftp.gate.net/pub/users/ris1/cm200.zip

At the World-Wide Web site:

        http://www.valleynet.com/~joe/avdos.html

What is the cost of the Registered Version and how can I order it?

The cost of a one-year license for the Registered version for a single
machine is $45 U.S. (or 30 Pounds Sterling).  The per-machine cost
decreases with number of licenses ordered.  Discounts are available for
educational centers and students.

Orders from the U.S. and Canada (*) should be sent to:

     Ed Fenton (ChekWARE)
     Rockville Information Services, Inc.
     P.O. Box 14
     Rockville Centre, NY 11571-0014
     U.S.A.

     Internet ID: ris@transit.nyser.net

     (*) Checks, Bank Money Orders or Postal Money Orders in US
         dollars, please.

All other orders (**) should be sent to:

     Martin Overton (ChekWARE),
     8 Owl Beech Place,
     Horsham,
     West Sussex, RH13 6PQ,
     ENGLAND.

     Internet ID: chekmate@salig.demon.co.uk

     (**) International Money Orders or Checks in Sterling drawn on
          United Kingdom banks, please.
 
 =========================================================
 From the 'New Product News' Electronic News Service on...
 AOL (Keyword = New Products) and Delphi (GO COMP PROD)
 =========================================================
 This information was processed from data provided by the
 company/author mentioned. For additional details, please
 contact them directly at the address/phone# indicated.
 Trademarks are the property of their respective owners!
 =========================================================
