Anti Virus Boot disk

Run F-Prot Antivirus for DOS off a floppy


Contents :

The Problem

Somehow, your PC got infected with a virus. You've turned the computer off, so that the virus cannot do anything. Now you have to get rid of it, but you're afraid that the virus will activate again as soon as your computer starts. Maybe it's a boot sector virus, or maybe it's activated by an entry in the Windows Registry as soon as you load Windows. What you need now is a way to boot your computer and run an antivirus program without starting Windows, even without booting from your hard disk. You need a bootable medium (a floppy disk, a CD) with an antivirus program.
You could use a bootable CD-ROM with Linux and some antivirus programs, but the poor man's way of getting this done is just as good : a diskette that boots your PC into DOS, and runs F-PROT anti-virus for DOS. If the PC in question can boot from a CD, you can also try a Bootable DOS CD.

What makes it interesting ...

is that the anti-virus program + its signature files may not fit on a floppy. To work around this problem we'll compress (zip) them and use a RAM drive. To zip, there's PKware's PKzip and PKunzip. These are DOS tools to compress files. They're completely compatible with WinZip.

A RAM drive is part of the memory that is made to look like a drive (like a hard disk). Creating a RAM drive (and unzipping files to it to run them) is an obsolete technique from the days when PCs did not have a hard disk, or only a very small one. To play games or run other, rather large programs (large by the standards of those days, that is), you'd keep them compressed (eg. on a floppy), and unzip them to a RAM drive to run them from there. An additional advantage was speed : compared to the mechanical actions of moving heads to read from or write to a 'real' hard drive, RAM drives, which are 100% electronic, are extremely fast.

The RAM drive technique is still in use, eg. on Windows98 Emergency Disks : the 'emergency tools' are copied to a RAM drive. Linux setup tools use RAM drives as well to create a file system during setup, and 'live CDs' often use RAM drives for speed and to create a writable file system.


Recent Updates

Since this page was first published, the following changes were made :


Step 1 : create a bootable floppy

To create a bootable floppy disk, you need a floppy disk (a diskette) and format it with
		format a: /S
the /S meaning : add System files. Or just copy the system files from a non-infected computer with the command
		sys c: a:

Next, copy the following files (from the \DOS or Windows\Command directory) to the floppy. These are files you'll need later on. Check the download page if you don't have certain files, such as pkunzip, among others.

And maybe also these, so that your DOS environment will be more comfortable :

If you can find a mouse driver for DOS, you may add that as well. It's not necessary, but it can make the use of the anti-virus program a bit more comfortable.

You'll also need a config.sys and autoexec.bat. These are configuration files for DOS. They will, amongst other things, be used to 'install' the RAM drive and automatically do some tasks like copying and starting programs.

The config.sys may look like this :

		device=himem.sys /testmem:off
		files=10
		buffers=10
		dos=high,umb
		stacks=9,256
		devicehigh=ramdrive.sys /E 4096
		lastdrive=z
		device=display.sys con=(ega,,1)
		country=032,850,country.sys
		install=mode.com con cp prepare=((850) ega.cpi)
		install=mode.com con cp select=850
		install=keyb.com be,,keyboard.sys
	

Pretty standard. Note the line that says "devicehigh=ramdrive.sys /E 4096" : create a RAM drive in Extended memory, with size 4096 kB. To have access to extended memory, you need "device=himem.sys". The last 4 lines are mainly to create a 'Belgian' environment (eg. with AZERTY keyboard etc.). Here you can also add a line install=mouse.com,,mouse.sys which will install the mouse driver so you'll be able to use a mouse.

The autoexec.bat is like a script that is executed automatically when the system starts. It allows you to automatically execute commands or start other programs and batch files. The autoexec.bat here is a modification of the autoexec.bat used on the Windows98 Emergency Disk.

The complete autoexec.bat can be seen here : Autoexec.bat for bootable anti-virus diskette.

Step 2 - copy tools to your floppy

From the autoexec.bat and start.bat file, you can see that you'll need some additional programs to be copied to your bootable diskette. ( see file list for an overview and download locations).

config.sys, autoexec.bat and start.bat
Config.sys is a configuration file that you'll need, at least to load ramdrive.sys. Autoexec.bat and start.bat are the 2 main files that everything else depends upon : they automate the whole process.
pkunzip.exe
used to unzip signature files
f-prot program and configuration files
Download F-Prot Antivirus for DOS. Extract the files to a directory. You do not need the macro.asc, macro.def, sign.asc, sign.def, sign2.asc and sign2.def files. Copy all the others to your bootable diskette. The signature files will be taken care of later.
setramd.bat, findramd.exe
These files come from the Windows98 Emergency Diskette or the windows\command\ebd directory and are used to check if a RAM drive exists, and to find its drive letter. That's because the drive letter of the RAM drive depends on how many drives / partitions are already on your computer. You can also use this slightly simplified version of setramd.bat.

Make sure to write-protect all diskettes when they're ready. You don't want to risk getting a virus on these antivirus diskettes.

Step 3 - copy F-Prot signature files to floppies

These zip archives can be downloaded from the F-Prot website. Make sure you download recent signature files, so that the most recent viruses will also be detected. You can leave them zipped, and copy them to any diskette. It does not need to be the bootable diskette with all the other stuff. You just need to remember (label !) the diskettes with signature files, because you'll be asked to 'insert floppy with fp-def.zip' etc.

Again, make sure to write-protect all diskettes when they're ready. You don't want to risk getting a virus on these antivirus diskettes.


Lately, the signature files from F-PROT have increased to the point that fp-def.zip does not fit on a 1.44 MB floppy anymore. There are a number of solutions. One would be to move one or more files from the fp-def.zip archive to macrdef2.zip. Or to unzip the files and create new zip archives that fit. Or even (with PKzip) make a zip file that spans multiple disks. (Read the PKzip command line help, or see e.g. WinZip help : WinZip can work together with PKzip to make multi-disk zip files.)

Note that, with these modifications, start.bat still expects to find files named fp-def.zip and macrdef2.zip. If you change the names of the files, or use only one, you'll have to edit start.bat accordingly.


Step 4 - How to use it ?

You're all set. Put the boot diskette in the infected computer and turn it on. It will start MS-DOS (or Windows98 in DOS mode), and run F-Prot Antivirus for DOS.
[Screenshot : F-PROT Antivirus for DOS]
You can set preferences such as 'automatically disinfect' or 'query' (ask what to do when a virus is found).

Note that F-Prot is a very good anti-virus tool, but as you are running the DOS version, there is one flaw : it cannot read or edit the Windows registry. So although F-Prot will detect (and delete or disinfect or ...) even the newer viruses (if your signature files are up to date), it cannot remove the changes in the Registry that this virus may have made. But as the main virus executable files will already have been detected and deleted, you're already quite safe. You can now search the web for a removal tool specific to the virus that F-Prot detected, and use that to further clean up the registry and any additional files the virus might have created. You can find these tools at the major virus protection companies (Symantec, McAfee, F-Prot), or search Google for 'Bugbear removal tool' or 'YahaE removal instructions' or so.

How does it work ?

the autoexec.bat

The autoexec.bat acts as a script. It will copy files to the RAM drive, then start another script (start.bat) to get the anti-virus program running.
The more interesting parts of this autoexec.bat are:

Create a RAM Drive

From the Microsoft Windows98 Emergency Diskette : find an available drive letter and assign it to the RAM drive. This part uses setramd.bat and findramd.exe.

	ECHO TRYING TO CREATE RAM DRIVE
	rem *** determine driveletter for RAMDRIVE ***
	rem **** parameters for findramd.exe and setramd.bat
	set LglDrv=27 * 26 Z 25 Y 24 X 23 W 22 V 21 U 20 T 19 S 18 R 17 Q 16 P 15
	set LglDrv=%LglDrv% O 14 N 13 M 12 L 11 K 10 J 9 I 8 H 7 G 6 F 5 E 4 D 3 C
	cls
	call setramd.bat %LglDrv%

	rem *** use ram drive for temp files ***
	set temp=%RAMD%:\
	set tmp=%RAMD%:\

	

Copy f-prot files to ramdrive

These files are copied to the RAM drive so that they can be run from there, instead of from the floppy. Note the 'start.bat' file. This will be called later on to transfer control from the floppy drive to the RAM drive.

	rem *** F-PROT section ***
	ECHO ***** copy f-prot files to ramdrive  *****
	copy a:\f-prot.* %RAMD%:\ > NUL
	copy a:\english.tx0 %RAMD%:\ > NUL
	copy a:\start.bat %RAMD%:\ > NUL

	

run from ram drive ...

The command interpreter (command.com) is copied to the RAM drive, and it is made the active interpreter by setting 'comspec'. The command.com on the floppy will no longer be used. Along with that, some more files are copied to the RAM drive, and then start.bat is executed. Start.bat is already on the RAM drive, so now the floppy drive can be used for additional diskettes that contain eg. virus signature files, and start.bat will unzip them and copy them to the RAM drive.

	ECHO ***** transfer control to Ramdrive ******
	path=%RAMD%:\;a:\;c:\
	copy command.com %RAMD%:\ > NUL
	copy choice.com %RAMD%:\ > NUL
	set comspec=%RAMD%:\command.com
	%RAMD%:
	start
	

the start.bat file

The complete start.bat can be seen here : bat file for bootable anti-virus diskette. It just prompts to insert floppies, then unzips the virus signature files to the RAM drive so they can be used by f-prot.exe. It then starts f-prot.exe to disinfect your computer.
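As an added illustration of what start.bat has to do (this is not the author's own start.bat, but a reconstruction written for this page), the batch file below asks for each signature diskette in turn, checks that the archive is really there before unzipping it with pkunzip, and refuses to start F-PROT if no RAM drive was set up or no signature file arrived. It assumes that autoexec.bat has already set RAMD and copied pkunzip.exe, choice.com and the f-prot files to the RAM drive, and that sign.def is one of the files inside fp-def.zip. Because DOS command.com has no 'call :label', the file calls itself with the archive name as argument to handle one diskette at a time.

```batch
@echo off
rem start.bat - added example, not the original start.bat of this page.
rem Runs from the RAM drive once autoexec.bat has set RAMD (via setramd.bat)
rem and copied pkunzip.exe, choice.com and the f-prot files to %RAMD%:\.
rem Called without argument : main part. Called with an archive name
rem (it calls itself below) : fetch and unzip that one archive.
if not "%1"=="" goto getzip

if "%RAMD%"=="" goto noramd
rem --- archives to ask for; edit this one line if you rename or split them ---
for %%f in (fp-def.zip macrdef2.zip) do call %RAMD%:\start.bat %%f

rem sign.def is assumed to be one of the files inside fp-def.zip
if not exist %RAMD%:\sign.def goto nosigs
echo.
echo Signature files are on %RAMD%: - starting F-PROT
%RAMD%:\f-prot.exe
goto end

:getzip
echo.
echo Insert the diskette that contains %1 in drive A:
choice /c:yr /n Press Y when ready, or R to skip this archive
if errorlevel 2 goto end
if not exist a:\%1 goto missing
rem -o : overwrite without asking (a file may also be in an earlier archive)
pkunzip -o a:\%1 %RAMD%:\ > nul
if errorlevel 1 goto badzip
echo %1 unpacked to %RAMD%:\
goto end
:missing
echo a:\%1 was not found on this diskette.
goto getzip
:badzip
echo pkunzip reported an error while extracting %1 - try that diskette again.
goto getzip

:noramd
echo RAMD is not set : no RAM drive was created. Check ramdrive.sys in config.sys.
goto end
:nosigs
echo No signature files on %RAMD%: - F-PROT would run without virus definitions.
goto end
:end
```

Skipping an archive with R is only meant for the case, described in step 3, where you merged everything into a single zip file; otherwise F-PROT runs with an incomplete set of definitions.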

Copy rights and lefts, and the (un)usual disclaimer
Koen Noens
12 april 2003

The Silly Software Company
-=oOo=-


A poor man's way of doing things
is still a way to get things done