MemScan examines your working memory for resident MS-DOS computer viruses. If you have further questions about computer viruses, please read the files VIRSCAN.DOC & VIRSCAN.TXT (if available).

MemScan can also check the "UPPER" DOS Memory (UMB = memory between 640 KB and 1 MB) and the HMA (High Memory Area = 1088 KB) gate. MemScan needs approx. 450 KB of free working DOS memory for the virus database and hash tables! MemScan main memory usage was adapted especially to network environments and therefore needs only 450 KB of free memory!

MemScan detects due to heuristic scanning unknown viruses (option /UNB). MemScan usually reports such viruses with one of the following messages:

In case of detection of one of these two viruses please send me an infected file: To classify the virus (if VirScan reports the same virus type with the option /HEUR) and to include it in MemScan! Try to make the virus infect the "victim/bait/goat files" INFECTME.* included in this package!

We are using MemScan internally to quickly and securely add new viruses to VirScan. However, customers frequently asked us for a program that checks ONLY the working memory. For this reason MemScan was made accessible to the public for FREE.

MemScan detects approx. 98% of ALL new resident DOS or boot viruses with the option /UNB; however, this option is only for absolute virus gurus. Hint: If you suspect a virus on your system, execute VirScan Plus with the following parameters:

This screen shot is normally a false positive, because the "virus" is only found with

A normal virus infection looks like this, and MemScan won’t go to the main screen at all (in this case a 572 byte long new DOS COM infector):

MemScan return an error-code back to DOS that can be evaluated by the variable ERRORLEVEL. The following error-codes are used:

Q: can you help me fix the virus on my main memory…? attached is the view of MemScan and QMS…

A: I think this is a so called "false positive". Please read the attached document (MemScan_Eng.txt). If you have a DOS or boot virus, you should be able to trace it (as described in MemScan_Eng.txt) with QMS/MemScan and VirScan Plus. What DOS Version and Windows Version do you use. Some special DOS drivers in usage?

Q: Only the TESTBOOT routine found something. Since it was in German, I really didn’t know what it said. I went to an online translator and realized that it said "wert ermittelt" and "wurden gesichert" which translated "worth determines" and "became secured". After that I ran it again and it didn’t

A: That’s normal for the first (initial run) - I have added were possible an English translation in the new version!

The program contains an integrated check-sum tester to alert the user on a possible virus infection. The check-sum for the program can be found in the file with the extension ".XXX".

This check-sum contained in the file as well as the main program must not be changed nor modified in any case! Otherwise, the main program regards itself being possibly infected by a virus (a virus still unknown to the program)!

Following features of the EXE file are monitored and checked for modifications every time the program is executed:

I strongly recommend not making any changes to the EXE & XXX-file since the program will not run any more!

The file with the extension ".XXX" also contains the creation date and the standard MD5 checksum that can be checked with other tools like md5dir or hashall from ROSE SWE. Verifying the CRC32 checksum takes less than 1 second (depending on computer type and hard disk drive). If the check-sum is OK, the program is being executed. Otherwise a detailed error report with indications of possible error reasons will be displayed.

This is a screen shot of MemScan self check envelope finding itself infected with an 647 bytes EXE infector!

If you want to obtain the full versions of my antivirus software, please start the program REGISTER.COM, and an order form will be printed.

By the way: MemScan is compressed from 380 KB to currently 87 KB EXE + 183 KB overlay!

https://www.windows11downloads.com/win11-memscan/ (MemScan 23.5)

This program may be freely copied and passed on. It is considered as so- called Bannerware. I only request the following declarations to be kept:

Trademarks of other companies mentioned in this documentation and package appear for identification purposes only and are property of their respective companies.

NOTICE TO USER: You should read the following terms and conditions carefully before using this software. Your use of this software indicates your full acceptance of this license agreement and warranty. BY INSTALLING THIS SOFTWARE YOU ACCEPT ALL THE TERMS AND CONDITIONS OF THIS AGREEMENT.

The SOFTWARE is owned and copyrighted by ROSE SWE. Your license confers no title or ownership in the SOFTWARE and should not be construed as a sale of any right in the SOFTWARE.

No Warranty. The Software is being delivered to you AS IS and ROSE SWE makes no warranty as to its use or performance. ROSE SWE AND ITS SUPPLIERS DO NOT AND CANNOT WARRANT THE PERFORMANCE OR RESULTS YOU MAY OBTAIN BY USING THE SOFTWARE OR DOCUMENTATION. ROSE SWE AND ITS SUPPLIERS MAKE NO WARRANTIES, EXPRESS OR IMPLIED, AS TO NON INFRINGEMENT OF THIRD PARTY RIGHTS, MERCHANTABILITY, OR FITNESS FOR ANY PARTICULAR PURPOSE. IN NO EVENT WILL ROSE SWE OR ITS SUPPLIERS BE LIABLE TO YOU FOR ANY CONSEQUENTIAL, INCIDENTAL OR SPECIAL DAMAGES, INCLUDING ANY LOST PROFITS OR LOST SAVINGS, EVEN IF AN ROSE SWE REPRESENTATIVE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR FOR ANY CLAIM BY ANY THIRD PARTY.

In short: This software is provided as-is, without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. If you do NOT agree simply do NOT install and use this software!

Malware, or malicious software, is a generic term for a variety of malicious or intrusive software, including computer viruses, worms, Trojans, ransomware (ransoms), spyware, adware, scareware and other malicious programs. It can take the form of executable code, scripts, active content and other software. Malware is defined by its malicious intent, which violates the requirements of the computer user - and therefore does not include software that causes unintentional damage due to a defect.

Programs officially delivered by companies can be considered malware if they secretly violate the interests of the computer user.

A computer virus is a type of malicious software program ("malware") that, when executed, replicates itself by modifying other computer programs and appending or inserting its own code. When this replication succeeds, the affected programs are then said to be "infected" with a computer virus.

The term "virus" is also commonly, but erroneously, used to refer to other types of malware. "Malware" encompasses computer viruses along with many other forms of malicious software, such as computer "worms", ransomware, spyware, adware, Trojan horses, keyloggers, rootkits, bootkits, malicious Browser Helper Object (BHOs) and other malicious software. The majority of active malware threats are actually Trojan horse programs or computer worms rather than classic computer viruses.

Roughly you can distinguished between - Memory resident (fast) infecting viruses and - Direct action viruses

A Trojan horse is a program that does something undocumented which the programmer intended, but that users would not accept if they knew about it. By some definitions, a virus is a particular case of a Trojan horse, namely, one which is able to spread to other programs (i.e., it turns them into Trojans too). According to others, a virus that does not do any deliberate damage (other than merely replicating) is not a Trojan. Finally, despite the definitions, many people use the term "Trojan" to refer only to a non-replicating malicious program.

Ransomware is a particularly invasive form of malware that hijacks a victim’s data or device and holds it hostage (or makes false claims of illegal activity, pornography use, or suggests a system is already infected with viruses) until a sum of money is paid to secure its release. Ransomware has been around since about 1989, in the form of the DOS-AIDS Trojan (also known as PC Cyborg), which encrypted files on a hard drive and then demanded a payment of $189 to unlock them. The ransom is usually paid nowadays in cryptocurrencies such as bitcoin, monero, etc., as this allows anonymity and is difficult to trace. Attackers may also set a deadline for payment, threatening to delete or release the encrypted data and files if the ransom is not paid; this deadline is set to limit the response time and force the victim to choose the payment option. Ransomware has become a significant and global threat in recent years. It is important to note that paying the ransom is no guarantee that the victim’s data and system access will be restored or that sensitive data will not be leaked. Some attackers do not even provide the key or demand additional payments. According to Statista, only 54 per cent of organisations regained access to their data or systems after the first payment in 2021. Paying the ransom also encourages attackers to continue their malicious activities. In addition, the vulnerability still exists and can be exploited by another criminal group.

What are the steps in a ransomware attack? This depends on the level of sophistication. In most cases, the process is automated, but in some cases targeting large organisations, criminal groups will spend more time preparing to ensure they can successfully force the organisation to pay.

Starting in 2018 Malware authors are increasingly relying on malicious mining software. This year for the first time there have been more infections of this type than with ransomware. More and more online criminals seem to turn their backs on ransomware and rely on crypto-miner. They secretly dig crypto money on infected computers - Monero is particularly popular. This is obviously extremely lucrative, as the latest figures show.

Reasons for the turnaround? If a ransomware/Trojan strikes and encrypts data from victims, they usually have to pay a ransom in the form of bitcoins. This is an obstacle that not every victim can or will take. Crypto-miner, on the other hand, only needs to infect computers. Afterwards, they dig in secret without any sacrifices and make silently sure that they bring the authors big profits - and not too short when you look at the exploding prices of different crypto currencies.

Nowadays even commercial antivirus software tries to use the user computer when idle for mining. So this kind of software is both a malware scanner and malware itself :-(

Grayware (or greyware) is a general term sometimes used as a classification for applications that behave in a way that is annoying or unwanted, but less serious or problematic than malware. Grayware includes spyware, adware, dialers, joke programs, remote access tools and any other unwanted files and programs other than viruses that are designed to affect the performance of computers. The term has been in use since at least September 2004.

Grayware refers to applications or files that are not classified as viruses or Trojans, but can still affect the performance of computers on the user’s network and pose significant security risks to the user’s business. Grayware often performs a number of unwanted actions, such as annoying users with pop-up windows, tracking user habits and unnecessarily exposing the computer to attacks.

A point of access to a hidden program/system. Backdoors are usually intentionally created by a programmer for debugging or maintenance purposes, but if compromised, they can pose a security risk to unauthorized users or software, allowing access and causing damage. Malware often installs Backdoors on compromised systems!

A bot is a programs that run automated tasks over the Internet. Botnets are collection of bots that run autonomously and automatically. Typically they perform repetitive tasks at a much higher rate than a human is capable of. They can be used for malicious purposes, such as denial of service attacks or infecting other computers. An infected computer is called a bot or zombie.

A macro is a piece of code that can be embedded in a data file. A macro virus is thus a virus that exists as a macro attached to a data file. In most respects, macro viruses are like all other viruses. The main difference is that they are attached to data files (i.e., documents) rather than executable programs. Document-based viruses are, and will likely continue to be, more prevalent than any other type of virus.

Worms are very similar to viruses in that they are computer programs that replicate functional copies of themselves (usually to other computer systems via network connections) and often, but not always, contain some functionality that will interfere with the normal use of a computer or a program. Unlike viruses, however, worms exist as separate entities; they do not attach themselves to other files or programs. Because of their similarity to viruses, worms also are often referred to as viruses.

In March 2022, a developer of node-ipc was caught adding malicious code to the popular open source package that deleted files on computers in Russia and Belarus. This was part of a protest that angered many users and raised concerns about the security of free and open source software. The node-ipc update is just one example of what some researchers call protestware. Most protest programs related to the Russian invasion of Ukraine simply display anti-war and pro-Ukrainian messages. However, in at least one project, virus-like code was added that aimed to cripple computers in Russia and Belarus. This led to criticism and accusations of causing collateral damage. But there are also examples of protest in the open source scene. Observers of the scene so far found about two dozen software projects that inserted "code against war."

Open-source programs can be modified and viewed by anyone, making them more transparent - and, at least in this case, more vulnerable to sabotage. The protestware event highlights some of the risks that arise when legions of volunteer developers create the code that is critical to running hundreds or thousands of other applications. Some open source software automatically downloads and integrates new versions, and even for those that don’t, the vast amount of code often makes manual review infeasible. This means that an update by a single person can mess up an untold number of downstream applications. In that sense, this can be considered a "game changer."

Russia’s largest bank has asked its customers to stop updating its software because it is under threat from "protestware". In response to the threat, Russian state-owned bank Sberbank even advised its Russian customers to manually check the source code of the software they need - a security measure that is not feasible for most users. "We urge users to stop updating software and developers to tighten monitoring when using external code," Sberbank said, according to Russian media and cybersecurity firms.

What is a stealth virus? A stealth virus is one that, while active, hides the modifications it has made to files or boot records. It usually achieves this by monitoring the system functions used to read files or sectors from storage media and forging the results of calls to such functions. This means that programs that try to read infected files or sectors see the original, uninfected form instead of the actual, infected form. Thus the virus’s modifications may go undetected by antivirus programs. However, in order to do this, the virus must be resident in memory when the antivirus program is executed, and the antivirus program may be able to detect its presence.

The very first DOS virus, Brain, a boot-sector infector for example monitored physical disk input/output and redirected any attempt to read a Brain-infected boot sector to the disk area where the original boot sector was stored.

One method of evading malware detection is to use simple encryption to encipher (encode) the body of the malware, leaving only the encryption module and a static cryptographic key in clear text which does not change from one infection to the next.

Armored viruses use special tricks to make the tracing, disassembling, and understanding of their code more difficult. A good example is the Whale virus. An armored virus uses various techniques to evade detection, such as encrypting its code, obfuscating its code, and using anti-debugging and anti-tampering methods.

Armored viruses pose a serious threat because they can be used to perform malicious activities such as stealing sensitive information, altering or corrupting data, and slowing performance without being detected. They can also be used as part of more complex attacks, such as advanced persistent threats (APTs), to maintain a foothold on a target network over an extended period of time.

Phishing and vishing are types of scams used to steal sensitive information such as passwords, credit card numbers and other personal data.

Phishing is a type of scam that tricks people into providing sensitive information through fake emails or websites that appear to be from a reputable source, such as a bank or a well-known company. The goal of phishing scams is to trick people into revealing personal information, such as passwords or credit card numbers, by posing as a trustworthy entity.

Vishing, short for voice phishing, is a type of phishing scam where people are tricked into revealing sensitive information over the phone. In vishing scams, scammers often pretend to be from a bank, government agency or technology company and use persuasive techniques to get people to reveal sensitive information.

Both phishing and vishing scams are becoming increasingly sophisticated and it is important to be wary of unsolicited emails or phone calls. To protect yourself from these types of scams, never provide sensitive information in response to an unsolicited request and independently verify the identity of the recipient before providing any personal information.

In 2012, an industry-wide coalition of hardware and software makers adopted Secure Boot as a crucial defense mechanism against a growing and sophisticated security threat: malware targeting the system’s firmware, specifically the BIOS. The BIOS, or Basic Input/Output System, is the firmware responsible for initializing hardware components and loading the operating system every time a computer is powered on. Malware that infects the BIOS poses an especially insidious threat because it can establish a foothold deep within the system, evading traditional detection methods and persisting through operating system reinstalls. Once entrenched, such malware can execute before the operating system and any security software, making it extremely difficult to detect and remove.

The threat of BIOS-dwelling malware had long been considered theoretical, heightened by the creation of the ICLord BIOS rootkit by a Chinese researcher in 2007. ICLord was a proof-of-concept rootkit, a type of malware designed to gain and maintain privileged access to a system while remaining hidden from standard security measures. This proof of concept not only demonstrated the feasibility of BIOS rootkits but also underscored their potential power. While ICLord remained a theoretical threat, it set the stage for the realization of more dangerous malware.

In 2011, the landscape of firmware security changed dramatically with the discovery of Mebromi, the first-known BIOS rootkit to be observed in the wild. Mebromi marked the transition from theoretical to actual threat, underscoring the vulnerability of BIOS firmware to sophisticated attacks. Mebromi was capable of infecting the BIOS, overwriting it with malicious code, and maintaining persistence even after the operating system was reinstalled—a stark reminder of the critical need for stronger security measures.

Recognizing the severity of the threat posed by Mebromi and other potential firmware attacks, the architects of Secure Boot developed a sophisticated security framework aimed at fortifying the pre-boot environment. Integrated into the Unified Extensible Firmware Interface (UEFI)—which was designed to replace the aging BIOS system—Secure Boot leverages public-key cryptography to verify the integrity and authenticity of firmware and software components before they are loaded. Specifically, Secure Boot only allows the execution of code that is signed with a recognized and trusted digital signature, effectively preventing unauthorized or malicious code from compromising the system at such an early and vulnerable stage.

To this day, Secure Boot is regarded by security experts and organizations—including Microsoft and the US National Security Agency—as a foundational element in protecting devices, particularly in critical environments such as industrial control systems and enterprise networks. Its role in establishing a chain of trust from the hardware through to the operating system is considered essential in defending against the sophisticated and persistent malware threats that continue to evolve. The adoption of Secure Boot represents a significant milestone in the ongoing effort to enhance cybersecurity and protect against the increasingly complex landscape of malware attacks.

In 2024 Secure Boot is considered to be broken as cryptografic keys to protect secure boot were leaked (PKfail)

Ransomware attacks can be extremely damaging and complex, and the timeframe for action is very limited. The best way to deal with them is to avoid them in the first place, and use mechanisms to prevent and mitigate their impact. The best way to prevent a malware attack is to follow good operational and security practices, such as

https://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms

MS-DOS viruses were particularly prevalent during the early days of personal computing, exploiting the relatively limited security measures of that era. Here are some notable MS-DOS viruses:

# CIH (Chernobyl) - Origin: Taiwan, 1998 - Type: File virus - Description: Known for its destructive payload that triggered on April 26, it could overwrite critical parts of the BIOS, rendering computers unbootable. Although not an MS-DOS virus, it affected Windows 9x systems that were based on DOS.

# Sasser - Origin: Germany, 2004 - Type: Worm - Description: While not strictly an MS-DOS virus, Sasser exploited vulnerabilities in Windows systems to spread. It caused widespread disruptions in the early 2000s.

# Melissa - Origin: USA, 1999 - Type: Macro virus - Description: This virus spread through Microsoft Word documents and email, causing substantial email server disruptions. While primarily a macro virus, its impact was significant across various Windows environments.

# Lehigh - Origin: USA, 1987 - Type: Boot sector virus - Description: One of the early boot sector viruses, it specifically targeted the master boot record and could corrupt the entire hard disk.

# Form - Origin: Probably Swiss, early 1990s - Type: Boot sector virus - Description: This virus became widely known for its payload that activated on the 18th of each month, causing the keyboard to behave erratically.

# Elk Cloner - Origin: USA, 1982 - Type: Boot sector virus (on Apple II, not MS-DOS, but historically significant) - Description: One of the earliest known viruses, it displayed a poem on the 50th boot of an infected system. Although not an MS-DOS virus, it is significant in the history of computer viruses.

# Ping Pong (Bouncing Ball) - Origin: Italy, 1988 - Type: Boot sector virus - Description: This virus caused a bouncing ball effect on the screen and infected the boot sector of floppy disks.

These viruses highlight the diverse strategies employed by malware developers in the MS-DOS era, from boot sector infections to file-based and polymorphic techniques, illustrating the early challenges of computer security.

# The Brain Virus: The Birth of the Computer Virus Era

The Brain virus, often cited as the first IBM PC-compatible virus, marked a significant milestone in the history of computer security. Created in 1986 by two brothers in Pakistan, it initiated an era of growing cybersecurity threats and responses.

The Brain virus was developed by Basit and Amjad Farooq Alvi, who operated a computer store in Lahore, Pakistan. Frustrated with the piracy of their medical software, they created the virus as a form of copy protection, embedding their contact information within the code to raise awareness about piracy.

The Brain virus serves as a historical landmark in cybersecurity, highlighting the early challenges of digital security and the unintended consequences of technological interventions. It underscored the need for ongoing vigilance and education in the evolving landscape of cybersecurity.

## Technical Details

The Brain virus is a boot sector virus, infecting the boot sector of storage media like floppy disks. It becomes resident in memory when the computer boots from an infected disk and then infects any clean disks accessed by the system. It displays a message with the authors' names and contact details, an unusual feature among viruses.

Infection Mechanism:

Attributes:

## Impact and Spread

The Brain virus’s impact was significant, as it was the first widely recognized PC boot virus. It spread rapidly through the common practice of sharing floppy disks, reaching users worldwide by the late 1980s.

Geographical Spread:

Economic and Social Impact: