SAGROTAN, THE ULTIMATE VIRUS-KILLER
VERSION 4.14

A Public Domain program by Henrik Alt Kirkelweg 25, 7160 W.Germany.

This manual is a free translation of the German text file. I have no intention of translating the 30kB word by word. This is going to be short, but still with the necessary details. If you read any German, read the German ANLEITUNG file too.

SAGROTAN is Public Domain. You can copy it freely. Commercial use is not allowed, except for using the SAGROTAN bootsectors on commercial disks. 30 DM would be a suitable amount to encourage the author to send you a new version (read READ_ME.1ST file!).

The programmer wants all info you can send him about new viri (viruses?). Just remember to save them as bootprograms, since the "Save virus" option destroys the virus.

HARDWARE REQUIREMENTS
SAGROTAN only works in high and medium resolution. To be able to check even large programfiles, the program needs at least 500kB free RAM. On 520STs it may be necessary to reduce the size of the libraries.

The original manual contains a lot of information about viruses, how they work in general, and on the Atari ST. I'm sorry, but I'm not able to translate all this. My knowledge of German is too limited. Maybe someone else could try?

WHAT TO DO IF YOU'VE GOT A VIRUS INFECTION
- Stay cool! Bootvirus can most of the time be removed without leaving any damage behind.
- If the virus is known, just overwrite it with the SAGROTAN bootprogram, switch off the computer for at least 20 seconds (in order to get the virus out of the computer's memory). When you're booting, use the immunised disk. As the first thing to appear on screen you should now be able to read: "No bootsector virus!" If you don't get this message, go back to SAGROTAN to continue the work.
- If the bootprogram is not known by SAGROTAN, you'll need two empty disks to check if it really is a virus. Call them A and B. If you have a harddisk connected to your system, please switch it off!
- Copy the suspicious disk to disk A, using FastCopy 3 or another reliable copy program which will copy the bootsector too.
- Format disk B, and delete the bootsector, using SAGROTAN's >Delete bootsector< function.
- Boot your ST with disk A.
- Insert disk B in the drive, and open the directory (a window on the desktop).
- Start SAGROTAN again, and check disk B's bootsector. If it contains an unknown bootprogram, this can only be a virus. Disk A, disk B and the original disk are virus-infected!
- Inspecting the "Contents of bootsector" window in SAGROTAN will often reveal some sort of text in the right part of the screen. If there is any message here, use it to name the virus, and save the virus to the library, using that name.
- Immunise the disk by pressing "S" = >Immunize bootsector<.
- If your disk is infected by a LINKVIRUS, you might still have a chance to rescue your program. But there are linkvirus which completely destroy programs.

How to check it:
- Copy the suspected program together with a few other programs, and the TEST.PRG from your SAGROTAN disk, to a new disk. All the other programs must have been tested, and be in SAGROTAN's library by now! Switch off the harddisk. Start the suspected program first, and then all the others, several times. Go back to SAGROTAN. Check the programs again. If they, and especially the TEST.PRG, which is only 52 bytes long, have been changed, then you know that your system is infected by a linkvirus! You should even be able to see the changes on the desktop, as the linkvirus usually will increase the programfile's size.

How to reveal a virus.
Many viri are not Blitter compatible. If you have an ST with blitter, you may suddenly get the message: "The disk is writeprotected!", even if you are not trying to write to it! Another indication may be bootprograms that stop working, e.g. the 60hz switcher bootsector, or RAM-TOS loaders. With linkviri you will see it, as the programfiles grow longer.
Programs will take more time to load etc...

How to avoid getting a virus into your system:
- Always boot with a disk immunized by SAGROTAN.
- Never boot with a new disk.
- Test all new disks with SAGROTAN before you start any programs.
- Keep the disks writeprotected as long as possible.
- Protect all disks with the SAGROTAN bootprotector, except, of course, those disks that need the bootsector to run.
- Check your disks regularly with SAGROTAN.
- Take regular backups of all your work, and keep a safety backup of all your programs.

Linkvirus can only infect and be spread by executable programs. Linkvirus will often recognize programs by their name extensions (suffix?), such as .PRG. You can avoid getting your programs infected by doing the following:

Load your DESKTOP.INF file into a text editor. Somewhere in it you will find these lines:

    #G 03 FF *.PRG@ @
    #G 03 FF *.APP@ @
    #F 03 04 *.TOS@ @
    #P 03 04 *.TTP@ @

Change the extensions to something else, e.g.

    #G 03 FF *.RUN@ @
    #G 03 FF *.EXE@ @
    #F 03 04 *.ABC@ @
    #P 03 04 *.123@ @

Then save the file (without any control codes) as an ASCII file, by overwriting the old file with WP-mode off (if in WordPlus). Now you must go to each single programfile and change its extension according to the new DESKTOP.INF file. All PRG files must be renamed to RUN, all APP files to EXE etc... Switch off your ST and reboot it. You will now see that all RUN, EXE, 123 and ABC files have the program icon instead of the file icon, and they will all be executable!

Since many viri are resetproof it is recommended to switch the computer completely off from time to time, or use the Coldboot function available on all TOS 1.4 and 1.6 machines.

A little warning against other virus killers.
Most of these programs have no libraries, and don't know a bootprogram from a virus, so they can easily do lots of damage.

Tips for harddisk owners!
Even though you can boot from your harddisk, the ST will still read and execute the bootsector of any disk lying in drive A. Always keep a disk which has been immunised with SAGROTAN in drive A when you boot. With resets it is not so dangerous, since the bootsector only rarely will be executed then. Normally you will not read the message "No bootsector virus" when you reset your ST.

(Translator's note: I just discovered that by having no disk at all in drive A, I could start up the harddisk and the ST at the same time. The ST would then wait for the harddisk! No need for resets!)

How SAGROTAN reveals linkvirus.
SAGROTAN is always checking the length of the file, the length of the program segments and data segments, as well as the CRC checksum. The advantage of doing this is that all changes to the program will be revealed immediately. In this way, SAGROTAN will even be able to reveal viri not known today. The disadvantage of this test is that programs very often are updated, and changed by the programmers. Even this English translation of SAGROTAN will be suspicious to the program, since it has been changed (the length is still the same!). With commercial programs it is enough that the serial number is different.

360 programinfos are included in the original library. They are of little use to you. What you need is to build your own programinfo library, as soon as possible.

SAGROTAN uses another diagnosis too. This is looking for certain byte combinations which are typical for some viri. If it finds these combinations, virus infection is very likely. When possible you will also be able to restore the programs by simply removing the virus.

But SAGROTAN also has a third way of testing the programs. It will check if the program's "construction" is correct. Is the symbol table only consisting of symbols? Is the relocation table OK, or are data added to the file, which do not belong there? Some compilers are adding some data-trash(?) to the programfile when compiling.
SAGROTAN will recognise this, and let you know what it is. Does the file have an additional symbol table??? If so, virus infection is very likely. SAGROTAN will also tell you if a program is damaged and not able to run properly. (But SAGROTAN is wrong sometimes! I have checked files which SAGROTAN says are damaged which work perfectly alright, and they do NOT spread linkvirus! - translator's comment.)

TO WORK WITH SAGROTAN
- is simplicity itself. The program has online help for all functions, and warnings for all risky tasks. I'm not going to describe all the menus in detail. This is my third day working on this program and manual translation, it's 11.00 PM and I'm tired. Here are only a few suggestions:

When you have started the program, press the key "O", nothing else, just "O" (as in OK). This will open an OPTIONS window. Experiment a little with the settings. Normally it is not necessary to make any changes except for one. In the lower left corner of the window you get the question if you want to include new programinfos automatically in the library. Click on YES, at least when you have worked with the program for a time. It will save you a lot of work, since you won't have to answer OK for each program you are testing. I have never found a virus in a file where SAGROTAN said that "Virusinfection is not likely, but can not be completely ruled out".

Always remember to save all programinfos before you quit the program! The easiest way to do so is just by pressing the key "C", and with the SAGROTAN disk in the drive just pressing OK in the file selector box for the PGM_INFO.DAT file.

Finally, have a good look at the menus. You will find that there are keyboard commands for everything!

One more thing. You can scroll the "tinytool"-like window at the top of the screen up and down, in order to read the whole bootsector. You can also move the upper border of the DIALOG window up and down, depending on which part of the screen you find most important.
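
Two of the checks described under "How SAGROTAN reveals linkvirus" (the recorded length, segment sizes and CRC, and the test of the file's construction), as an added Python example that is not SAGROTAN's own code. It reads the standard GEMDOS program header; zlib.crc32 stands in for the CRC the manual does not name, the 14-byte symbol entry test is a simplification, the sample program is constructed, and all function names are hypothetical.

```python
import struct
import zlib

# GEMDOS program header: magic 0x601A, text/data/bss/symbol sizes,
# reserved, flags, absflag (28 bytes, big-endian).
HEADER = struct.Struct(">H6IH")

def fingerprint(data):
    """Values the manual says are recorded for each program."""
    magic, text, dat, bss, syms, _res, _flags, absflag = HEADER.unpack_from(data)
    if magic != 0x601A:
        raise ValueError("not a GEMDOS executable")
    # zlib.crc32 is an assumption; the manual does not name the CRC used.
    return {"length": len(data), "text": text, "data": dat, "bss": bss,
            "symbols": syms, "absflag": absflag, "crc": zlib.crc32(data)}

def changed_fields(data, stored):
    """Names of recorded values that no longer match the library entry."""
    now = fingerprint(data)
    return sorted(k for k in stored if now[k] != stored[k])

def structure_findings(data):
    """Check that header, segments, symbols and relocation table
    account for every byte of the file."""
    fp = fingerprint(data)
    findings = []
    pos = HEADER.size + fp["text"] + fp["data"] + fp["symbols"]
    if pos > len(data):
        return ["segments run past end of file"]
    if fp["symbols"] % 14:  # DRI symbol entries are 14 bytes each
        findings.append("symbol table size is not a multiple of 14")
    if not fp["absflag"]:   # a relocation table is present
        if pos + 4 > len(data):
            return findings + ["relocation table missing"]
        first = struct.unpack_from(">I", data, pos)[0]
        pos += 4
        if first:           # offset bytes follow until a zero byte
            end = data.find(b"\0", pos)
            if end < 0:
                return findings + ["relocation table not terminated"]
            pos = end + 1
    if pos < len(data):
        findings.append(f"{len(data) - pos} bytes after relocation table")
    return findings

def sample_program():
    """Constructed 52-byte sample (not the real TEST.PRG)."""
    text = bytes.fromhex("4e71") * 9 + bytes.fromhex("4e75")  # NOPs + RTS
    return HEADER.pack(0x601A, len(text), 0, 0, 0, 0, 0, 0) + text + bytes(4)
```

A file that grows shows up in both checks, while a same-length change such as a different serial number is caught only by the CRC.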
Remember to read the READ_ME_.1ST file too!

I am really looking forward to getting in contact with you to build a new, always updated, huge bootprogram and bootvirus library!

If there is something you don't understand, which is not explained in this file, don't hesitate to contact me. If you want a reply, please include a 3.5" disk, preferably with some good PD or Shareware to cover my postal expenses.

Good luck you viruskillers!

Stein Arne Jensen
Skogenfelt B
N-3630 Rodberg
Norway