Common Ways of Detecting a Virus in MS-DOS

Last reviewed: February 28, 1995
Article ID: Q72796
The information in this article applies to:
  • Microsoft MS-DOS operating system versions 3.x, 4.x, 5.x

SUMMARY

Viruses commonly "hide" in little-used files such as FIND.EXE. Listed below are steps you can take to check for a virus without the benefit of a viral scanner. The procedure involves using CHKDSK and FIND (commonly targeted for infection) to check for changes in conventional memory and/or file size.

MORE INFORMATION

If you suspect your machine may have contracted a virus, do the following:

  1. Put write-protect tabs on your DOS disks. This will keep the disks from being written over, and they can be used as a reference for file size and date checking.

  2. Compare the file sizes and dates of the DOS disks to the corresponding files residing on the hard drive. One way you can accomplish this task is to boot up with the DOS system floppy disk and, at the A: prompt, type "DIR *.* > PRN" (without the quotation marks). This command will pipe a directory listing to the printer.

  3. Repeat step 2 using the DOS supplemental disk.

  4. Type "C:" and change to your DOS directory. Type "DIR *.* > PRN" again. Be sure to do this for COMMAND.COM as well (it may be in the root directory). If there is any discrepancy in file sizes or dates between the DOS disks and your hard disk, you may have a virus. In that event, you should obtain a virus cleaning program and/or reformat your hard disk.

  5. Run CHKDSK after powering on your computer (don't boot off the floppy disk). At the bottom of the read-out, CHKDSK will give a number for Total Bytes Memory, as well as Bytes Free. Write down these numbers.

  6. Change to the directory in which the DOS commands reside. Type "DIR FIND.EXE". Note the the size of the file and the date.

  7. Type "FIND". You will receive an error message telling you "No Parameters Specified", However, the command has been activated, even if in error.

  8. Run CHKDSK again. Check too see if there is any change in Total Bytes Memory or Bytes Free. Since FIND.EXE is not a memory-resident utility, there should not be a difference. If there is, you may have a virus. You should obtain a virus cleaning program and/or reformat the hard disk.

  9. Change to your DOS directory. Once again, type "DIR FIND.EXE". Compare the files size and date with the number you had written down previously. If there is a change, you should obtain a virus cleaning program and/or reformat the hard disk.

MS-DOS version 5.0 disks are shipped without a notch; therefore, they are write protected. The chances of these disks containing a virus are extremely small. The DOS 5.0 disks are compressed; therefore, the file sizing is different. You can tell a compressed file by the underscore that will be the last character of the extension on a compressed file. To expand a compressed file, use the expand utility on Disk 5 (for 5.25-inch disks) or Disk 3 (for 3.5-inch disks).


KBCategory: kb3rdparty
KBSubcategory: msdos

Additional reference words: 3.20 3.21 3.30 3.30a 4.00 4.01 4.01a 5.00


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last reviewed: February 28, 1995
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.