
 +---------------------------------------------------------------------+
 |                                                                     |
 |                        HMVS 3.00 users manual                       |
 |                                                                     |
 |     HMVS - an advanced heuristic and neural network driven system   |
 |          for detection of known and unknown macro viruses,          |
 |                      ultimate macro dissector                       |
 |                                                                     |
 |          Copyright (c) Jan Valky, Lubos Vrtik, Richard Marko        |
 |                                                                     |
 |   Portions copyright (c) Maros Grund (database compiler/interface)  |
 |      Portions copyright (c) Tomas Pail (Xed packing/encryption)     |
 |                                                                     |
 |          Xed is copyright (c) by Tomas Pail and Jan Valky           |
 |                                                                     |
 |          translation to English performed by: HMVS authors          |
 |                                                                     |
 |                       last update: 15-nov-98                        |
 |                                                                     |
 +---------------------------------------------------------------------+

 CONTENTS

 1. Introduction
 2. System requirements
 3. List of HMVS features
 4. Command line parameters
 5. Configuration file setting
 6. Scanning in simple mode
 7. Scanning in prompt mode
 8. What can be done from prompt mode
 9. Advanced mode (experienced users)
10. Inspecting suspected files
11. Features that are no longer supported in HMVS 3.00+
12. Known problems and solutions
    A. Problems with long file names under Windows NT 4.0 and above
    B. Problems with long file names under Windows 95/98
    C. Problems with individual Excel 5.0-7.0 modules cleaning
    D. Scanning multiple drives


1. INTRODUCTION

HMVS is an advanced *SYSTEM* for scanning, cleaning and inspecting files
for known and even unknown macro viruses.

HMVS is a 32-bit DOS application compiled with DJGPP GCC++. It also works
under Windows 3.1, Windows for Workgroups 3.11, Windows 95, Windows 98 and
Windows NT 4.0.

HMVS is not only a macro virus scanner and cleaner.

Advanced features like the built-in Word Basic (MS Word 6.0-7.0) and VBA3
(MS Excel 5.0-7.0) discompilers and the VBA5 (MS Office '97) source
unpacker, as well as the neural network based scanner and the on-the-fly
neural network teaching system, allow advanced users to inspect suspected
documents, sheets or databases for viruses even if the scanner and
heuristics failed.

When an unknown virus is found, or a file contains suspicious macros or
modules, HMVS allows the user to inspect every macro or module by producing
its source code. If the user finds that the file contains viral or
unwanted macros or modules, he can switch to advanced cleaning mode and
remove the selected macros.

HMVS uses several methods to detect known and unknown macro viruses.

Exact virus identification using CRC32 or smart CRC32 checksumming,
with identification strings as a complementary method, is used to detect
known viruses.

Heuristic analysis, dedicated algorithms and a neural network based scanner
are used to detect unknown viruses, trojans and other malware.


2. SYSTEM REQUIREMENTS


Minimal configuration for using HMVS is:

- MS DOS 5.0, MS Windows 3.1, MS Windows for Workgroups 3.11, MS Windows 95,
  MS Windows 98 or MS Windows NT 4.0.
- system processor 80386 or higher
- math coprocessor 80387 or higher
- at least 4 MB of memory
- DPMI server if running under MS DOS (for instance 386MAX, QEMM
  or CWSDPMI.EXE).

  If you have no DPMI server installed, you can use CWSDPMI.EXE which is
  a part of HMVS package.


3. LIST OF HMVS FEATURES

* HMVS 3.00+ is a 32-bit DOS application compiled with DJGPP GCC+ compiler.
  It works under MS DOS 5.0 and above, MS Windows 3.x, MS Windows for
  Workgroups 3.11, MS Windows 95/98/NT 4.0.

* HMVS 3.00+ is a modular system with object oriented architecture

* HMVS 3.00+ supports plug-ins

* HMVS 3.00+ has a new on-the-fly neural teaching feature:
  HMVS is able to detect frequently occurring macros/modules, which is
  typical of virus infiltrations

* HMVS scans embedded and nested objects

* Because HMVS uses its own OLE2 complex structure parser it does not
  require MS Windows or MS Office to be installed

* HMVS has a user friendly interface
  The new interface was designed with the aim of giving the user full
  control over the process of inspecting and cleaning macros/modules inside
  files. When switched to advanced cleaning mode, HMVS navigates the user
  through several options and lets him decide which actions should be
  performed on the selected object.
  Because of the new modular architecture, multiple pass processing of
  selected objects is possible.

* HMVS supports long file names
  HMVS supports long file names (LFN) except under MS Windows NT 4.0 and
  above. There are some limitations and problems with using LFN; see the
  Known problems chapter for more details.

* full control over HMVS via HMVS definition file

* different colors are used for displaying viral, legitimate and clean
  macros

List of HMVS' MS Word 6.0-7.0 engine key features

+ scans and cleans macros inside password protected files
+ allows cleaning of macros selected by user (in advanced mode)
+ allows converting template back to document (in advanced mode)
+ displays names of macros and encryption information
+ token based Word Basic heuristics
+ neural network driven scanner
+ on-the-fly neural network teaching system
+ built-in Word Basic discompiler/macro dissector

  The MS Word dissector/discompiler supports two different token sets:
  1. MS Word 6/7 token database (2093 tokens)
  2. MS Word 8 token database (2876 tokens)
     By using the language specific MS Word 8 token set database it is
     possible to produce source code in 12 different languages:

     Brazil, Danish, Dutch, English, Finnish, French, German, Italian,
     Norwegian, Portuguese, Spanish, Swedish

List of HMVS' MS Word 8.0 (VBA5, MS Office'97) engine key features

+ scans inside password protected files
+ cleans (cures) infected files
+ converts templates back to documents
+ displays names of modules
+ MS Word 8.0 heuristics
+ built-in MS Word 8.0 source code unpacker/module dissector

List of HMVS' MS Excel 5.0-7.0 (VBA3) engine key features

+ scans modules inside password protected files
+ cleans (cures) infected files
+ allows cleaning of modules selected by user (in advanced mode)
+ displays names of modules
+ P-Code based VBA3 heuristics
+ VBA3 parser for exact virus identification
+ neural network driven scanner
+ on-the-fly neural network teaching system
+ built-in VBA3 discompiler/module dissector

List of HMVS' MS Excel 8.0 (VBA5, MS Office'97) engine key features

+ scans inside password protected files
+ cleans (cures) infected files
+ displays names of modules
+ MS Excel 8.0 heuristics
+ built-in MS Excel 8.0 source code unpacker/module dissector

List of HMVS' MS Excel Formula engine key features

+ scans Excel Formula sheets
+ displays names of MS Excel Formula sheets

List of HMVS' MS Access 8.0 (VBA5, MS Office'97) engine key features

+ scans inside password protected and encrypted databases
+ displays names of modules
+ MS Access 8.0 heuristics
+ built-in MS Access 8.0 source code unpacker/module dissector


4. COMMAND LINE PARAMETERS


/?, -?
/h, -h
/help, -help

Displays HMVS help screen.


/plug=filename1;filename2;...;filenameX
-plug=filename1;filename2;...;filenameX

Activates one or more plug-ins specified after the 'plug' parameter.

The 'plug' command is used, for instance, to enable some extra HMVS
features. To activate more than one plugin, separate the plugin file names
with semicolons.

Examples: HMVS badvir.doc -source -wblng=bra -plug=wb.pnp
          HMVS c:\4src\test\ -source -plug=scan.pnp;wb.pnp

Note: This command overrides the default HMVS setting (file HMVS.DEF).
      Regardless of the default setting, only those plugins which were
      specified after the 'plug' command will be activated.


/source, -source
/make-source, -make-source
/produce-source, -produce-source

Extracts source code of macros/modules for given file(s) or directory.

HMVS is able to extract source code from MS Word 6/7/8, MS Excel 5/6/7/8
and MS Access 8.

Example1: To produce source code for one file use

          HMVS filename -source

Example2: To extract source from all files in the C:\VIRUS directory and all
          its subdirectories use

          HMVS C:\VIRUS -source

If you do not specify the 'wblng' command HMVS will use the default token
set ('wb6' unless the corresponding line in the HMVS.DEF configuration file
is modified).

Example3: To produce source code for one file using French token set use

          HMVS filename -source -wblng=fre -plug=wb.pnp

or (if the 'wb.pnp' plugin is added to the HMVS.DEF file)

          HMVS filename -source -wblng=fre

If you want to extract source code from MS Word 6/7 files, you can force
the built-in WordBasic discompiler to use a language specific token
database.

This feature allows you, for instance, to convert a macro written in one
language to 11 different languages. Or, if you know that a file contains
a macro written in French Word, just use the French token database to
get the original source code in French.

For more details see using of the 'plug' and 'wblng' commands.


-wblng={wb6|bra|dan|dut|eng|fin|fre|ger|ita|nor|por|spa|swe}
/wblng={wb6|bra|dan|dut|eng|fin|fre|ger|ita|nor|por|spa|swe}
-wb-language={wb6|bra|dan|dut|eng|fin|fre|ger|ita|nor|por|spa|swe}
/wb-language={wb6|bra|dan|dut|eng|fin|fre|ger|ita|nor|por|spa|swe}

This command is used together with the 'source' command to specify
which token set and language should be used to extract source
from MS Word 6/7 files or files down-converted from MS Word 8.

The following example shows how to extract source code from MS Word
document using French specific language tokens set database.

Example: HMVS unkfile.dot -source -wblng=fre -plug=wb.pnp

If you add the 'wb.pnp' plugin in HMVS' configuration file (file HMVS.DEF)
you will not need to use the 'plug' command in the previous example.

You can simply use HMVS unkfile.dot -source -wblng=fre

The list of available shortcuts one can use with 'wblng' command
is as follows:

  wb6 (English)       > uses WordBasic 6/7 token database
  bra (Brazil)        \
  dan (Danish)        |
  dut (Dutch)         |
  eng (English)       |
  fin (Finnish)        >  for these languages HMVS uses
  fre (French)        |   WordBasic 8 token database
  ger (German)        |
  ita (Italian)       |
  nor (Norwegian)     |
  por (Portuguese)    |
  spa (Spanish)       |
  swe (Swedish)       /

For more details about using 'wblng' commands see description of the
'source' and 'plug' commands.


/nos, -nos
/noscan, -noscan
/scan-, -scan-

Disables scanning using signatures / alg. modules.


/scan+, -scan+

Enables scanning using signatures / alg. modules.


/noh, -noh
/noheur, -noheur
/heur=no, -heur=no

Disables heuristics.

Note: Because one of inputs for neural network driven scanner is the result
      of heuristics, disabling heuristics causes disabling of neural
      network too.


/hlo, -hlo
/heur-lo, -heur-lo
/heur=lo, -heur=lo

Enables low level of heuristics or switches to low heuristics.


/analyse, -analyse
/heur=std, -heur=std

Enables standard level of heuristics or switches to standard heuristics.


/hhi, -hhi
/heur-hi, -heur-hi
/heur=hi, -heur=hi

Enables high level of heuristics or switches to high heuristics.


/noneur, -noneur
/disable-neural+, -disable-neural+

Disables neural network.


/disable-neural-, -disable-neural-

Enables neural network.

Note: Heuristics have to be enabled too in order to run the neural network.


/all, -all
/doallfiles, -doallfiles
/allfiles+, -allfiles+

Scans files with *ANY* file extensions for viruses.

Examples:  HMVS C:\ -allfiles+
           HMVS C:\VIRUS /all
           HMVS D:\WORK -doallfiles


/allfiles-, -allfiles-

Scans only files with default file extensions (*.DOC, *.DOT, *.XL?, *.WIZ,
*.MD?)


/log, -log
/rep, -rep
/report, -report
/report+, -report+

Creates a log file with the name specified in the configuration file
(file HMVS.DEF).

The amount of information logged to the file is controlled by
the 'report-level' command.

For more details see the description of the 'report-level' command.


/log=filename, -log=filename
/rep=filename, -rep=filename
/report=filename, -report=filename

As above, but all output selected by the 'report-level' setting will
be logged to the given filename.


/report-, -report-

Disables logging.


/report-level={ok|mac|flags|susp|neur|heur|scan|never}
-report-level={ok|mac|flags|susp|neur|heur|scan|never}

Specifies what kind of information will be logged when one of the
commands for creating a report file is activated.

The meaning of the shortcuts is given in the following table:

 +----------+----------+-------------------------------------------------+
 | Shortcut | Priority | Meaning                                         |
 +----------+----------+-------------------------------------------------+
 | ok       |    1     | log *ALL* files                                 |
 | mac      |    2     | log all files containing macros                 |
 | flags    |    3     | log all files containing heuristic flags        |
 | susp     |    4     | log all suspected files                         |
 | neur     |    5     | log all files marked as 'suspected' by neural   |
 |          |          | network                                         |
 | heur     |    6     | log all files marked as 'virus' by heuristics   |
 | scan     |    7     | log all files containing known virus or variant |
 | never    |    8     | do not log any file                             |
 +----------+----------+-------------------------------------------------+

The rules for logging are simple: a higher number means a higher priority.
If you specify, for instance, 'susp' (priority 4), all options with
priority 4 or higher will be activated, that is, all options with
priority 4, 5, 6, 7 and 8.

Using the 'report-level' command you can therefore control which scanned
files are reported in the log file.

Example1: HMVS c:\ -report=myrep.log -report-level=scan
          (scans disk C:\ and logs all the files infected by known viruses
          to the myrep.log file)

Example2: HMVS c:\ -report=myrep.log -report-level=mac
          (scans disk C:\ and logs all files containing macros to the
          myrep.log file)


/nob, -nob
/nobreak, -nobreak
/break-, -break-

Disables the possibility to interrupt the program by pressing the ESC key.


/yesbreak, -yesbreak
/break+, -break+

Allows user to interrupt the program by pressing the ESC key.


/defaults, -defaults

Creates the default HMVS.DEF configuration file or replaces
an existing one.

Example: HMVS -defaults
         (creates the default HMVS.DEF configuration file with default
         setting)


/ok, -ok
/list, -list
/display_ok, -display_ok

Displays all scanned files (MS Word 6/7/8, MS Excel 5/6/7/8, MS Access 8),
whether or not they contain macros.

These commands are used if you want to see all files containing
macros as well as OLE2 files without macros.

Examples: HMVS C:\ -allfiles -ok
          HMVS C:\FORTEST -list

Note: The same as -report-level=ok


/nobak-, -nobak-
/dont-create-bak-, -dont-create-bak-
/dobak, -dobak

Forces HMVS to always create backup of the cleaned file.


/nobak+, -nobak+
/dont-create-bak+, -dont-create-bak+

Forces HMVS not to create backup before cleaning.


/nobeep, -nobeep
/beep-, -beep-

Prevents HMVS from making any sound.

Note: Not supported yet.


/beep+, -beep+

Forces HMVS to produce a sound signal the first time a virus is found.

Note: Not supported yet.


/virlist, -virlist

Displays the list of viruses from HMVS' signature definition file.

Note: Not supported yet.


/simple, -simple

Switches HMVS to simple mode.
It is not possible to perform cleaning in 'simple' mode.

Note: The same as '-prompt-level=never'


/mac, -mac
/prompt, -prompt
/prompt-on-every-macro, -prompt-on-every-macro

Forces HMVS to stop on any file containing a macro/module, no matter
what kind of macro it is.

In prompt mode you can, for instance, perform global cleaning or individual
object cleaning, or find out the password of password protected files.

Note: The same as '-prompt-level=mac'


/prompt-level={ok|mac|flags|susp|neur|heur|scan|never}
-prompt-level={ok|mac|flags|susp|neur|heur|scan|never}

Specifies the behaviour of prompt-mode.

The meaning of the 'prompt-level' shortcuts is the same as that of the
'report-level' shortcuts. The difference is that the 'prompt-level'
setting controls when the user prompt is activated.


/cv=no, -cv=no
/convert=no, -convert=no

Forces HMVS never to convert template to document during cleaning.


/cv=all, -cv=all
/convert=all, -convert=all

Forces HMVS to convert *ALL* templates to documents during cleaning.

Note: All user customizations will be lost


/cv=auto, -cv=auto
/convert=auto, -convert=auto

Lets HMVS decide when to convert a template to a document during cleaning.

In fact the template will be converted only if it contains no user
customizations.

Note: This prevents any loss of user customizations


-act={skip|cure|rename}, /act={skip|cure|rename}
-action={skip|cure|rename}, /action={skip|cure|rename}

Note: Unsupported yet.


PRIVATE COMMAND LINE PARAMETERS
-export-signatures       // disabled in public version
-heur-export             // disabled in public version
-export-tables           // disabled in public version
-dump-scan-buffer        // disabled in public version
.
.
.
... and more ...


5. CONFIGURATION FILE SETTING


The default HMVS' configuration setting is (file HMVS.DEF):

-plug=scan.pnp                 // plugin scan.pnp is active
-wb-language=wb6               // use WordBasic 6/7 token database (English)
-report=hmvs.log               // HMVS.LOG is the default report file name
-report-                       // do not create report file
-convert=auto                  // let HMVS decide when to convert template
                                  to document (automatic mode)
-heur=std                      // use standard heuristic level
-report-level=neur             // priority level 'neur' and higher:
                                  files suspected by the neural network,
                                  files marked as infected by heuristics
                                  and by the scanner will be reported
-prompt-level=heur             // prompt if the file is marked as infected by
                                  heuristics or contains known virus or
                                  variant
-allfiles-                     // scan only files with default extensions
-beep+                         // generate a sound when a virus was found
-dobak                         // create backup of the file during cleaning
-yesbreak                      // allow user to interrupt program
                                  by the ESC key
-scan+                         // enable scanning using signatures/CRC32
-disable-neural-               // enable neural network driven scanner

You can change this default setting yourself.

For instance you can change the default name of the report file or the
level of heuristics, specify the default language for the WordBasic
discompiler, activate other HMVS plugins and so on.

It is possible to override some of the default settings with the proper
command line switches, or to make them the default by modifying the
corresponding lines in the configuration file.

If you deleted the configuration file you can create it again with the
'-defaults' switch.


6. SCANNING IN SIMPLE MODE

When you force HMVS to run in simple mode you get only limited
information about suspected or infected files. It is not possible to clean
infected files in this mode.

Simple mode is usually used to scan a virus collection.

Here is an example of user's screen during scanning:

                                   -===-
d:/A97M/ACCESSIV/A/ACCESSIV.MDB (0.0000:0.0000[-------]) - A97M.Accessiv.A virus
d:/W97M/ACID/A/ACID.DOC (0.0000:0.0000[-------]) - STEALTH.MACRO virus
d:/W97M/CLASS/F/WOOBIE.DOC (0.0000:0.0000[-------]) - W97M/Class.F virus
d:/WM/ABC/A/WWCOLIN.DOC (0.9928:0.0074[VI@----]) - WM/ABC.A virus
d:/WM/ERASER/P/ERASER-P.DOT (0.9908:0.0094[VI@----]) - NEURAL PATTERN
d:/WM/UGLYKID/A/UGLYKID.DOT (0.0312:0.9691[----CL@]) - POLY.CRYPT.STEALTH.MACRO virus
d:/X97M/IMPORT/A/X97IMPOR.XLS (0.0000:0.0000[-------]) - X97M/Import.A virus
d:/X97M/YOHIMBE/A/YOHIMB~1.XLS (0.0000:0.0000[-------]) - MACRO virus
d:/XF/PAIX/A/BOOK1.XLS (0.0000:0.0000[-------]) - XF.Paix pattern
d:/XM/DELTA/B/XMDELTAB.XLS (0.9952:0.0172[VI@----]) - XM/Delta.B virus
d:/XM/LMV/C/TAIWANES.XLS (0.9909:0.0108[VI@----]) - NEURAL PATTERN
                                   -===-

In simple mode the following information about scanned objects is displayed:
- the name of scanned file
- neural network results
- the name of virus if a virus was found or result of heuristics

Note: 'pattern' after the virus name means that the virus has been identified
       using a scan string instead of CRC32.

If neural network support exists for the given target, the non-zero results
of the neural network scanner are displayed immediately after the scanned
file name:

    (0.9909:0.0108[VI@----])
        ^      ^    ^   ^
        |      |    |   +--- CL@ means CLEAN
        |      |    +------- VI@ means VIRUS
        |      +------------ 'probability' of being CLEAN
        +------------------- 'probability' of being INFECTED

If the information collected by neural network is not sufficient to decide
whether the file is infected or not both 'CL@' and 'VI@' flags will be
displayed.

Note: Because the neural network model uses a linear approach to evaluate
      the total probability, the likelihood of infection can in some cases be
      greater than 1 and the likelihood of being clean can be less than zero
      (a negative number). This should be interpreted as almost 1 or almost 0.
      Strictly, a probability should be a number from the closed interval
      [0, 1].

Heuristic keywords displayed by the heuristic analysis

POLY        - might be polymorphic, self modifying virus
CRYPT       - contains encrypted macros
STEALTH     - uses 'stealth' methods
MACRO       - macro virus suspicion

Keyword displayed by the neural network driven scanner

NEURAL PATTERN - means that file is suspected. This suspicion is a result
                 of neural network based scanner or on-the-fly neural
                 network teaching system.
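The simple-mode line format above and the 'report-level' priority rule from section 4, worked through in code. This is an added example, not part of the HMVS package or of this manual: the function names are made up, the sample lines are copied from the screen above, and mapping keyword-only verdicts to 'heur', named viruses to 'scan' and NEURAL PATTERN to 'neur' is this example's reading of the manual, not a documented HMVS rule.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One simple-mode line: <path> (<p_infected>:<p_clean>[<flags>]) - <verdict>
# Assumes 8.3 paths without spaces, as in the manual's screen.
LINE_RE = re.compile(
    r"^(?P<path>\S+) \((?P<inf>-?\d+\.\d+):(?P<cln>-?\d+\.\d+)"
    r"\[(?P<flags>[^\]]{7})\]\) - (?P<verdict>.+)$"
)
HEUR_KEYWORDS = {"POLY", "CRYPT", "STEALTH", "MACRO"}         # section 6 keywords
REPORT_PRIORITY = {"ok": 1, "mac": 2, "flags": 3, "susp": 4,  # section 4 table
                   "neur": 5, "heur": 6, "scan": 7, "never": 8}

@dataclass
class ScanLine:
    path: str
    p_infected: float             # raw neural outputs; the manual warns they
    p_clean: float                # may fall outside [0, 1] (linear model)
    neural: str                   # 'virus' | 'clean' | 'undecided' | 'unsupported'
    category: str                 # report-level category of this line
    known_virus: Optional[str]    # name when identified by the scanner
    identified_by: Optional[str]  # 'crc32' | 'pattern' | None
    heur_keywords: list           # e.g. ['POLY', 'CRYPT', 'STEALTH', 'MACRO']

def clamp01(x: float) -> float:
    """Read values above 1 or below 0 as 'almost 1' / 'almost 0' (section 6 note)."""
    return max(0.0, min(1.0, x))

def neural_verdict(flags: str) -> str:
    """Decode the 7-character flag field: VI@ = virus, CL@ = clean, both = undecided."""
    vi, cl = "VI@" in flags, "CL@" in flags
    if vi and cl:
        return "undecided"    # not enough information to decide either way
    if vi:
        return "virus"
    if cl:
        return "clean"
    return "unsupported"      # all dashes: no neural support for this target

def classify(verdict: str):
    """Map the verdict text to (category, known_virus, identified_by, heur_keywords)."""
    if verdict == "NEURAL PATTERN":
        return "neur", None, None, []
    name, _, kind = verdict.rpartition(" ")
    parts = name.split(".")
    if set(parts) <= HEUR_KEYWORDS:      # e.g. 'POLY.CRYPT.STEALTH.MACRO virus'
        return "heur", None, None, parts
    if kind == "virus":                  # exact identification (CRC32)
        return "scan", name, "crc32", []
    if kind == "pattern":                # identified by scan string
        return "scan", name, "pattern", []
    return "susp", None, None, []

def parse_line(line: str) -> Optional[ScanLine]:
    """Parse one output line; returns None for separators such as '-===-'."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    category, virus, how, keywords = classify(m["verdict"])
    return ScanLine(m["path"], float(m["inf"]), float(m["cln"]),
                    neural_verdict(m["flags"]), category, virus, how, keywords)

def would_be_logged(category: str, report_level: str) -> bool:
    """Section 4 rule: the chosen level activates itself and every higher priority."""
    return REPORT_PRIORITY[category] >= REPORT_PRIORITY[report_level]

def filter_output(text: str, report_level: str) -> list:
    """Keep the parsed lines that '-report-level=<level>' would write to the log."""
    parsed = (parse_line(ln) for ln in text.splitlines())
    return [s for s in parsed if s and would_be_logged(s.category, report_level)]

# Constructed input: the simple-mode screen shown in section 6 of the manual.
SAMPLE = """\
d:/A97M/ACCESSIV/A/ACCESSIV.MDB (0.0000:0.0000[-------]) - A97M.Accessiv.A virus
d:/W97M/ACID/A/ACID.DOC (0.0000:0.0000[-------]) - STEALTH.MACRO virus
d:/W97M/CLASS/F/WOOBIE.DOC (0.0000:0.0000[-------]) - W97M/Class.F virus
d:/WM/ABC/A/WWCOLIN.DOC (0.9928:0.0074[VI@----]) - WM/ABC.A virus
d:/WM/ERASER/P/ERASER-P.DOT (0.9908:0.0094[VI@----]) - NEURAL PATTERN
d:/WM/UGLYKID/A/UGLYKID.DOT (0.0312:0.9691[----CL@]) - POLY.CRYPT.STEALTH.MACRO virus
d:/X97M/IMPORT/A/X97IMPOR.XLS (0.0000:0.0000[-------]) - X97M/Import.A virus
d:/X97M/YOHIMBE/A/YOHIMB~1.XLS (0.0000:0.0000[-------]) - MACRO virus
d:/XF/PAIX/A/BOOK1.XLS (0.0000:0.0000[-------]) - XF.Paix pattern
d:/XM/DELTA/B/XMDELTAB.XLS (0.9952:0.0172[VI@----]) - XM/Delta.B virus
d:/XM/LMV/C/TAIWANES.XLS (0.9909:0.0108[VI@----]) - NEURAL PATTERN
                                   -===-
"""

if __name__ == "__main__":
    for level in ("scan", "heur", "neur"):
        hits = filter_output(SAMPLE, level)
        print(f"-report-level={level}: {len(hits)} file(s) would be logged")
```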


7. SCANNING IN PROMPT MODE

HMVS in prompt mode displays extended information about the scanned
object. The sensitivity of prompt mode is set by the '-prompt-level' command.

Besides the name of the scanned file, the following information is displayed:

Scanned target
Macros
Scanner results
Heur results
Target flags
Other

Scanned target

The scanned target is either the type of the scanned file or the type of a
scanned object (VBA3 project, VBA5 project ...).

If the scanned target is a file type, it is one of the following:

  +-------------------------+------------------------+
  | Scanned target          | Description            |
  +-------------------------+------------------------+
  | MS Word 6.0             | MS Word 6.0-7.0 file   |
  | MS Excel (BIFF 5/6/7)   | MS Excel 5.0-7.0 file  |
  | MS Excel (BIFF 8)       | MS Excel 8.0 file      |
  | VBA5 (Word)             | MS Word 8.0 file       |
  | VBA5 (Access)           | MS Access 8.0 file     |
  +-------------------------+------------------------+

Because of HMVS' object oriented architecture and its capability of scanning
embedded objects, the scanned target can also be an object type (VBA3,
VBA5 (Excel), VBA5 (Access), VBA5 (Word) ...).

If the file is complex and contains embedded objects, HMVS displays
the types of the scanned objects one after another as 'scanned targets'.

Macros

Displays either the real names of macros or modules, or the object type.
In other words, 'Macros' are the objects inside the 'Scanned target'.

For instance, if 'Scanned target' was 'MS Word 6.0' then 'Macros'
contains the real names of the macros.

Note: Macros enclosed in [] are unencrypted, macros enclosed in <> are
      encrypted.

For better understanding see the examples below.

Scanner results

Contains the name of detected virus.

Heur results

Contains results of heuristics.

Target flags

Contains information about actions which can be performed on the given
target.

  +---------------+-----------------------------------------------------+
  | Flag          | Meaning                                             |
  +---------------+-----------------------------------------------------+
  | CONVERTABLE   | target is cleanable, template can be converted      |
  |               | back to document or table.                          |
  +---------------+-----------------------------------------------------+
  | CLEANABLE     | global cleaning is possible                         |
  |               | (either all macros/modules can be removed *AT ONCE* |
  |               | or it is possible to cure given target by removing  |
  |               | *ALL ITEMS* from that target)                       |
  +---------------+-----------------------------------------------------+
  | CLEAN-1       | cleaning of individual macros/modules               |
  |               | is possible too                                     |
  +---------------+-----------------------------------------------------+
  | CUSTOMIZED    | target contains some user's customizations          |
  +---------------+-----------------------------------------------------+
  | PASSWORD      | file is password protected (password can be         |
  |               | displayed in advanced mode)                         |
  +---------------+-----------------------------------------------------+

Other

Contains result of neural network.

Note: If the result is zero, the neural network is not supported for the
      given target.


 Example 1: Scanned file is Word 6.0-7.0, contains 4 encrypted macros,
            conversion from template to document and global cleaning
            is possible, deletion of user selected macros is possible.

                                   -===-
  c:/infected/E-1.DOC                                             
  Scanned target: MS Word 6.0                                     
  Macros: <Bob> <Alice> <Colin> <AutoOpen>                        
  Scanner results: WM/ABC.A virus                                 
  Heur results: CRYPT.MACRO virus                                 
  Target flags: CONVERTABLE CLEAN-1                               
  Other:  (0.9928:0.0074[VI@----])                                
                                                                  
  1 - skip 2 - cure 3 - rename 4 - delete 5 - advanced 6 - simple 
                                   -===-

 Example 2: Scanned file is Word 6.0-7.0, macros are not encrypted,
            conversion from template to document and global cleaning
            is possible, deletion of user selected macros is possible,
            template contains some user customization.

                                   -===-
  c:/infected/NORMAL.DOT                                          
  Scanned target: MS Word 6.0                                     
  Macros: [AAAZAO] [AAAZFS] [PayLoad] [FileSaveAs]                
  Scanner results: is like WM/Concept.X virus                     
  Heur results: MACRO virus                                       
  Target flags: CONVERTABLE CLEAN-1 CUSTOMIZED                    
  Other:  (0.9928:0.0074[VI@----])                                
                                                                  
  1 - skip 2 - cure 3 - rename 4 - delete 5 - advanced 6 - simple 
                                   -===-

 Example 3: Scanned file is MS Excel 5.0-7.0, it contains one VBA3
            project with one module (laroux), global cleaning is possible,
            deletion of user selected macros is possible

                                   -===-
  c:/infected/LAROUX.XLS                                          
  Scanned target: MS Excel (BIFF 5/6/7)                           
  Macros: [VBA3]                                                  
  Target flags:                                                   
  Other:  (0.0000:0.0000[-------])                                
                                                                  
  c:/infected/LAROUX.XLS                                          
  Scanned target: VBA3                                            
  Macros: [laroux]                                                
  Scanner results: XM/Laroux.C virus                              
  Heur results: MACRO virus                                       
  Target flags: CLEANABLE CLEAN-1                                 
  Other:  (1.0062:-0.0053[VI@----])                               
                                                                  
  1 - skip 2 - cure 3 - rename 4 - delete 5 - advanced 6 - simple 
                                   -===-

 Example 4: Scanned file is MS Word 8.0, contains one VBA5
            project with two modules (ThisDocument, FuSR_1),
            global cleaning and conversion from template to document
            is possible, deletion of user selected macros is possible

                                   -===-
  c:/infected/ANSR1A-1.DOC                                        
  Scanned target: VBA5 (Word)                                     
  Macros: [ThisDocument] [FuSR_1]                                 
  Scanner results: W97M/AntiSR1.A virus                           
  Heur results: MACRO virus                                       
  Target flags: CONVERTABLE CLEANABLE CUSTOMIZED                  
  Other:  (0.0000:0.0000[-------])                                
                                                                  
  1 - skip 2 - cure 3 - rename 4 - delete 5 - advanced 6 - simple 
                                   -===-

 Example 5: Scanned file is MS Excel 95/97 with one VBA3 and one
            VBA5 project (double stream file).
            Both the VBA3 and the VBA5 object contain two modules (NoMercy2
            and Members).
            Global cleaning and deletion of user selected macros
            are possible for the VBA3 project as well as for the VBA5 project.
            There are some user customizations in the VBA5 project.

                                   -===-
  c:/infected/VS016095.DOC                                        
  Scanned target: MS Excel (BIFF 5/6/7)                           
  Macros: [VBA3]                                                  
  Target flags:                                                   
  Other:  (0.0000:0.0000[-------])                                
                                                                  
  c:/infected/VS016095.DOC                                        
  Scanned target: VBA3                                            
  Macros: [NoMercy2] [Members]                                    
  Scanner results: XM/Team.A virus                                
  Heur results: MACRO virus                                       
  Target flags: CLEANABLE CLEAN-1                                 
  Other:  (0.9883:0.0093[VI@----])                                
                                                                  
  1 - skip 2 - cure 3 - rename 4 - delete 5 - advanced 6 - simple 
  1                                                               
  c:/infected/VS016095.DOC                                        
  Scanned target: MS Excel (BIFF8)                                
  Macros: [VBA5 (Excel)]                                          
  Target flags:                                                   
  Other:  (0.0000:0.0000[-------])                                
                                                                  
  c:/infected/VS016095.DOC                                        
  Scanned target: VBA5 (Excel)                                    
  Macros: [NoMercy2] [Members]                                    
  Heur results: MACRO virus                                       
  Target flags: CLEANABLE CUSTOMIZED                              
  Other:  (0.0000:0.0000[-------])                                
                                                                  
  1 - skip 2 - cure 3 - rename 4 - delete 5 - advanced 6 - simple 
                                   -===-

Did you understand? Do not worry! Inside it is more complicated than
it seems ...


8. WHAT CAN BE DONE FROM PROMPT MODE

The bottom line in prompt mode is:

                                   -===-
   1 - skip 2 - cure 3 - rename 4 - delete 5 - advanced 6 - simple
                                   -===-

HMVS waits for a user input.

Press the '1' key if you do not want to perform any action on the file.

If you want to cure this file (or rather, the currently scanned target)
press the '2' key.
See the '-convert' command to learn what happens when there is
user customization.

*ALL* macros/modules, whether they are viral or not, will be removed
from the file. We call this process 'global cleaning'.
This is the safest way to remove a virus from the file; however, it is not
suitable if the file contains user macros. In that case it is better to
switch to advanced mode (for experienced users) or to produce the source of
the user macros before cleaning.

Press the '3' key if you want to rename the file. The file extension will be
changed from ??? to V?? (for instance, the file MYFILE.XLS will be renamed
to MYFILE.VLS).

You can delete the file by pressing the '4' key (not recommended).

Experienced users can switch to advanced mode by pressing the '5' key.
The actions that can be performed in advanced mode are described in
another part of this user manual.

Press '6' if you want to switch to 'simple' mode. You will not be prompted
anymore during the rest of the scan.


9. ADVANCED MODE (EXPERIENCED USERS)

This mode was designed for experienced users, however, it can be used
even by beginners because HMVS navigates you through the whole process.

Only in this mode is it possible:

- to clean only selected macros/modules
- to decrypt selected encrypted macros (MS Word 6.0-7.0 only)
- to produce source code for selected macros
- to display name and description of macros
- to detect and display the password if the file is password protected

Note: We recommend that you log all actions performed in advanced mode to keep
      track of what has been done (and not to forget, for instance, a displayed
      password for later use).

Most of the features of HMVS' advanced mode are illustrated in the following
example.

  Example: advanced mode features (logged)
   c:/infected/WMPWD-A.DOC (0.9936:0.0066[VI@----]) - WM/Pwd.A virus  
   [c:/infected/WMPWD-A.DOC] (filename) Remove file? [Y|N|S] - NO     
   [c:/infected/WMPWD-A.DOC] (filename) Rename file? [Y|N|S] - NO     
   c:/infected/WMPWD-A.DOC                                            
   Scanned target: MS Word 6.0                                        
   Macros: <Autoclose>                                                
   Scanner results: WM/Pwd.A virus                                    
   Heur results: CRYPT.MACRO virus                                    
   Target flags: CONVERTABLE CLEAN-1 PASSWORD                         
   Other:  (0.9936:0.0066[VI@----])                                   
   [MS Word 6.0] (target) Revert to document? [Y|N|S] - NO            
   [MS Word 6.0] (target) Decrypt? [Y|N|S] - YES                      
   [Autoclose] () Clean macro? [Y|N|S] - NO                           
   [Autoclose] () Decrypt? [Y|N|S] - NO                               
   [Autoclose] () Produce source? [Y|N|S] - YES                       
   Performing second pass on file c:/infected/WMPWD-A.DOC             
   Password: 'password'                                               
   c:/infected/WMPWD-A.DOC - second pass ok                           
   File c:/infected/WMPWD-A.DOC will be rescanned                     
                                                                      
   c:/infected/WMPWD-A.DOC (0.9936:0.0066[VI@----]) - WM/Pwd.A virus  
   [c:/infected/WMPWD-A.DOC] (filename) Remove file? [Y|N|S] - NO     
   [c:/infected/WMPWD-A.DOC] (filename) Rename file? [Y|N|S] - NO     
   c:/infected/WMPWD-A.DOC                                            
   Scanned target: MS Word 6.0                                        
   Macros: <Autoclose>                                                
   Scanner results: WM/Pwd.A virus                                    
   Heur results: CRYPT.MACRO virus                                    
   Target flags: CONVERTABLE CLEAN-1 PASSWORD                         
   Other:  (0.9936:0.0066[VI@----])                                   
   [MS Word 6.0] (target) Revert to document? [Y|N|S] - NO            
   [MS Word 6.0] (target) Decrypt? [Y|N|S] - NO                       
   [Autoclose] () Clean macro? [Y|N|S] - NO                           
   [Autoclose] () Decrypt? [Y|N|S] - NO                               
   [Autoclose] () Produce source? [Y|N|S] - NO

   Note: [Y|N|S] in the example means 'Y' (Yes), 'N' (No) or 'S' (Skip)

Short comments on the previous example:

HMVS detected that the file was infected by a known virus. It offered
to rename or remove the file, but the user declined.

Then HMVS displayed the target flags: it was obvious that the file was password
protected, that the file could be reverted from template back to document, and
that both global cleaning and deletion of individual (user selected) macros
were possible.

HMVS asked whether the user wanted to revert the template back to a document.

Note: If the user answered 'Y' (Yes), *ALL* macros would be removed from the
      file and the template would be converted to a document. All this would
      be performed in one step, so be careful what you answer!

The user did not want to revert the template back to a document.

Then the user was asked whether he wanted to decrypt the given target (in this
case the MS Word 6.0 document, not a macro!), that is, whether he wanted to
remove the password protection from the file. The user answered yes.
(The password was not removed from the file because this feature was not
supported yet.)

In the next three steps the user was asked whether he wanted to clean or decrypt
the only encrypted macro in the file (Autoclose), or whether he wanted to produce
source code for this macro. The user wanted only to produce the source code.

Note: If the user had cleaned the macro first, he would not have been asked
      whether he wanted to decrypt the macro or produce its source. Once a
      macro is cleaned it is obviously not possible to do anything else with it.
      Again, be careful what you answer!

Because there were no more macros, HMVS finished the first pass and displayed
the password of the password protected file.

After the first pass is completed, HMVS continues with further passes until
the user either removes all macros from all objects in the file or interrupts
the process by pressing the 'S' key.
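The note above recommends logging every advanced-mode session. As an added example (not part of HMVS), this Python parser turns such a log into a record of which prompts were answered and how, which flags the target carried and which password HMVS displayed, so it can later be checked what was done to the file. The log text is constructed from the first pass of the session shown above.

```python
import re

# Constructed sample: the first pass of the logged advanced-mode session above.
SAMPLE_LOG = """\
c:/infected/WMPWD-A.DOC (0.9936:0.0066[VI@----]) - WM/Pwd.A virus
[c:/infected/WMPWD-A.DOC] (filename) Remove file? [Y|N|S] - NO
[c:/infected/WMPWD-A.DOC] (filename) Rename file? [Y|N|S] - NO
c:/infected/WMPWD-A.DOC
Scanned target: MS Word 6.0
Macros: <Autoclose>
Scanner results: WM/Pwd.A virus
Heur results: CRYPT.MACRO virus
Target flags: CONVERTABLE CLEAN-1 PASSWORD
Other:  (0.9936:0.0066[VI@----])
[MS Word 6.0] (target) Revert to document? [Y|N|S] - NO
[MS Word 6.0] (target) Decrypt? [Y|N|S] - YES
[Autoclose] () Clean macro? [Y|N|S] - NO
[Autoclose] () Decrypt? [Y|N|S] - NO
[Autoclose] () Produce source? [Y|N|S] - YES
Password: 'password'
c:/infected/WMPWD-A.DOC - second pass ok
"""

# One "[object] (kind) Question? [Y|N|S] - ANSWER" prompt line. The answer is
# matched loosely because the manual does not show how a skipped prompt is logged.
PROMPT_RE = re.compile(r"^\[(?P<obj>[^\]]*)\] \((?P<kind>[^)]*)\) (?P<q>.*?)\? \[Y\|N\|S\] - (?P<ans>\w+)$")
FIELD_RE = re.compile(r"^(Scanned target|Macros|Scanner results|Heur results|Target flags|Other):\s*(.*)$")
PASSWORD_RE = re.compile(r"^Password: '(.*)'$")

def parse_log(text):
    """Split a logged pass into the target's report fields, every answered
    prompt as (object, kind, question, answer), and any displayed passwords."""
    out = {"fields": {}, "prompts": [], "passwords": []}
    for line in text.splitlines():
        line = line.strip()
        if m := FIELD_RE.match(line):
            out["fields"][m.group(1)] = m.group(2).strip()
        elif m := PROMPT_RE.match(line):
            out["prompts"].append((m["obj"], m["kind"], m["q"], m["ans"]))
        elif m := PASSWORD_RE.match(line):
            out["passwords"].append(m.group(1))
    return out

def approved_actions(report):
    """Only the prompts answered YES, i.e. what was actually done to the file."""
    return [(obj, q) for obj, _kind, q, ans in report["prompts"] if ans == "YES"]

def target_flags(report):
    """The Target flags line as a set, e.g. to check for PASSWORD or CLEANABLE."""
    return set(report["fields"].get("Target flags", "").split())
```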

We think this example sufficiently illustrates the advanced mode
features.

Just try it and enjoy!


10. INSPECTING SUSPECTED FILES

If HMVS finds a known or unknown virus using heuristics or neural
network technology, it gives you the opportunity to inspect the suspected files
by producing the source code of their macros/modules (see the list of HMVS'
features to find out which discompilers and dissectors are currently
supported and for which file types).

You can also extract the source code of your own macros before global cleaning
to prevent the loss of user macros.

From prompt mode it is possible to check whether a file contains
macros/modules or not. However, some files (for instance Word 8.0 files)
always contain at least one object (ThisDocument), which may contain
viral code.

Inspecting suspected or unknown files is an effective way to prevent
virus infection. An experienced user can check the code inside a macro/module
and, in case of viral infiltration, remove the infected macros.

However, this requires the user to be familiar with macro viruses and to
have some knowledge of or experience with WordBasic, Visual Basic
for Applications (VBA), etc.

If you are able to inspect source code and decide which macros/modules
must be removed, you have macro viruses under your control.

HMVS gives you all you need: macro discompilers/dissectors for
producing source code and advanced mode for performing the required actions.

It depends only on you how much of the HMVS power you utilise.

(see the '-source' command line parameter and related topics)


11. FEATURES THAT ARE NO MORE SUPPORTED IN HMVS 3.00+

Because of the new concept in HMVS 3.00+ we decided not to support the
following features which were available in HMVS 2.60:

- HMVS does not display heuristic flags anymore
  (former /FLG switch is not supported)

- HMVS cannot be forced to decrypt encrypted MS Word 6.0-7.0 macros
  from the command line (the former /EXT switch is not supported).
  This can be done only in advanced mode.

- it is not possible to force HMVS to clean files from the command line anymore.
  Macro/module cleaning is possible *ONLY* in prompt or advanced mode now.

- some command line switches are no longer supported.
  See the list of command line parameters available in the current version.

If you miss these features, you should keep the old HMVS 2.60
on your hard disk.


12. KNOWN PROBLEMS AND SOLUTIONS


A. Problems with long file names under Windows NT 4.0 and above

   HMVS is not able to work with long file names (LFN) under MS Windows
   NT 4.0 and above. The command line must not contain LFN (both directories
   and files should have short names) in order for HMVS to work properly.

   However, scanning a single file or a single directory with an LFN is possible
   even under Windows NT 4.0 and above. All you need to do is use their
   short name equivalents.

   For instance, if you want to scan the single directory "c:\My Documents"
   and all its subdirectories, you cannot use

                      HMVS "c:\My Documents"

   but you have to use

                      HMVS C:\MYDOCU~1
                  or
                      HMVS C:\MYDOCU~1\

   where C:\MYDOCU~1 is the short name of the "c:\My Documents" directory.

   Similarly, use
                      HMVS C:\MYDOCU~1\VERYLO~1.DOC

   if you want to scan single file

                      "c:\My Documents\Very Long File Name.doc"

   The easiest way to solve problems with LFN is to use a file commander
   which uses short names (for instance Volkov Commander or similar)
   or a commander which can be forced to use short file names (like our
   favourite Far Commander).


B. Problems with long file names under Windows 95/98

   HMVS fully supports long file names under Windows 95/98, but problems
   can occur if the wrong syntax is used. The following cases show where
   HMVS does not handle LFN correctly.

   The following examples show possible problems which could occur when
   scanning files or directories with LFN, and the solutions to those problems.

   Example 1: scanning a single directory, the directory name contains spaces

   HMVS c:\My Documents              (wrong syntax - will not work)
   HMVS "c:\My Documents\"           (wrong syntax - will not work)
   HMVS "c:\My Documents"            this is the right syntax

   Example 2: scanning a single directory, the directory name is a long file
              name

   HMVS c:\VeryLongDirectory         this is correct
   HMVS c:\VeryLongDirectory\        this is correct
   HMVS "c:\VeryLongDirectory"       this is correct
   HMVS "c:\VeryLongDirectory\"      (wrong syntax - will not work)

   Example 3: scanning a single file, the file name is a long name or
              contains spaces

   HMVS c:\Danger\Do Not Run.doc         (wrong syntax - will not work)
   HMVS "c:\Danger\Do Not Run.doc"       this is correct
   HMVS c:\Danger\DoNotRunPlease.doc     this is correct
   HMVS "c:\Danger\DoNotRunPlease.doc"   this is correct

   Note: If the scanned directory or file name contains spaces, you have to
         enclose the whole pathname in quotes!
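   As an added example (not part of HMVS), the following Python helpers encode
   the rules illustrated in Examples 1-3: build a correctly quoted HMVS
   argument from a path, and check an argument as typed against those rules.
   The list of arguments is taken from the examples above.

```python
# Rules from the manual's Examples 1-3 (Windows 95/98):
#  - a path containing spaces must be enclosed in quotes;
#  - a quoted path must not end with a backslash;
#  - an unquoted path without spaces works with or without a trailing backslash.

def hmvs_argument(path):
    """Return the argument form HMVS accepts for the given path."""
    if " " in path:
        # quote it, and drop the trailing backslash that breaks a quoted path
        return '"' + path.rstrip("\\") + '"'
    return path

def argument_is_valid(arg):
    """True if `arg`, exactly as typed on the HMVS command line, is accepted."""
    quoted = len(arg) >= 2 and arg[0] == arg[-1] == '"'
    inner = arg[1:-1] if quoted else arg
    if quoted and inner.endswith("\\"):
        return False   # e.g. "c:\My Documents\" or "c:\VeryLongDirectory\"
    if not quoted and " " in inner:
        return False   # e.g. c:\My Documents is split into two arguments
    return True

# (argument as typed, accepted) pairs taken from Examples 1-3 above
EXAMPLES = [
    ('c:\\My Documents', False),
    ('"c:\\My Documents\\"', False),
    ('"c:\\My Documents"', True),
    ('c:\\VeryLongDirectory', True),
    ('c:\\VeryLongDirectory\\', True),
    ('"c:\\VeryLongDirectory"', True),
    ('"c:\\VeryLongDirectory\\"', False),
    ('c:\\Danger\\Do Not Run.doc', False),
    ('"c:\\Danger\\Do Not Run.doc"', True),
    ('c:\\Danger\\DoNotRunPlease.doc', True),
    ('"c:\\Danger\\DoNotRunPlease.doc"', True),
]

def check_examples():
    """Return the arguments the checker classifies differently from the manual."""
    return [arg for arg, ok in EXAMPLES if argument_is_valid(arg) != ok]
```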

C. Problems with the individual Excel 5.0-7.0 modules cleaning

   If you choose (in advanced mode) to delete selected modules,
   the code of the selected modules will be removed, but the references
   to these deleted modules remain untouched in the file.

   In other words, the names of the modules and the names of the macros they
   contain remain in the file, but there is no code in them.

   So for MS Excel 5.0-7.0 files, delete selected modules only if it is
   really necessary.

   If the file does not contain modules you really need, it is
   better to perform global cleaning.

D. Scanning multiple drives

   Some examples:

   - to scan drives C and D use

         HMVS C: D:
      or
         HMVS C:\ D:\

   - to scan files in three different directories use

         HMVS C:\DIR1\ C:\DIR2\ D:\DIR3\

   Understood?


If you find any bugs or have any suggestions for further improvements
of HMVS, feel free to send us an e-mail.

