// vim:set fileencoding=utf8 fileformat=dos filetype=asciidoc tabstop=2 expandtab:

:author: ROSE SWE, Ralph Roth
:doctype: book
:data-uri:
:icons: font
:lang: en

= MemScan

MemScan - Memory Scanner: A rule-based, universal memory virus scanner for *DOS*
viruses. Not limited to known viruses! Will not run on 64-bit Windows systems.

NOTE: Nowadays pure DOS, Windows 9x and Win32, the main use case for which
MemScan was developed, are hardly ever used. Nevertheless, we continue to offer
MemScan for free use, because we believe that this is the only program that is
still maintained and developed worldwide for DOS compatible operating systems!

----
     __  __                ____                     ______   ___  ____
    |  \/  | ___ _ __ ___ / ___|  ___ __ _ _ __    / /  _ \ / _ \/ ___|
    | |\/| |/ _ \ '_ ` _ \\___ \ / __/ _` | '_ \  / /| | | | | | \___ \
    | |  | |  __/ | | | | |___) | (_| (_| | | | |/ / | |_| | |_| |___) |
    |_|  |_|\___|_| |_| |_|____/ \___\__,_|_| |_/_/  |____/ \___/|____/

                                 (c) 16.10.1990-2025 by ROSE SWE, Ralph Roth

    $Id: MemScan_Eng.txt,v 1.52 2025/12/10 14:22:54 ralph Exp $
    Written in ASCIIDOC using the UTF-8 code set and Windows LF/CR
    Umlauts and screen copies may look ugly if your text program doesn't use UTF-8

----

NOTE: A short English "FAQ" for QMS, MemScan and TestBoot can be found
      at the end of the document!

== Function of MemScan

MemScan examines your working memory for resident MS-DOS computer viruses. If you
have further questions about computer viruses, please read the files VIRSCAN.DOC
& VIRSCAN.TXT (if available).

MemScan can also check the "UPPER" DOS memory (UMB = memory between 640 KB and 1
MB) and the HMA (High Memory Area = 1088 KB) gate. MemScan needs approx. 450 KB
of free working DOS memory for the virus database and hash tables! Its main
memory usage was adapted especially to network environments, which is why it
needs only 450 KB of free memory!

Thanks to heuristic scanning, MemScan also detects unknown viruses (option
/UNB). MemScan usually reports such viruses with one of the following messages:

        Execution-Function [Exec] or
        Generic File Open [Fopen] or
        Memory Control Of Blocks [MCB] or
        Generic Exeheader.????-???? or
        Generic Boot virus [BOOT] etc.

If one of these two viruses is detected, please send me an infected file so
that I can classify the virus (if VirScan reports the same virus type with the
option /HEUR) and include it in MemScan! Try to make the virus infect the
"victim/bait/goat files" INFECTME.* included in this package!

NOTE: MS-DOS 6.xx and Novell DOS 7.0 produce a false alarm with the option /UNB
together with the option /HIGH. In most cases a Generic Exec Virus is reported in
the segment Fxxx:xxxx which, however, is occupied by COMMAND.COM loaded high.


== Why MemScan?

We are using MemScan internally to quickly and securely add new viruses to
VirScan. However, customers frequently asked us for a program that checks ONLY
the working memory. For this reason MemScan was made accessible to the public
for FREE.


== Optional parameters

    /?                Displays a short help
    /HIGH             Search high memory (to 1 MB) too
    /IVT              Check interrupts for viruses, see also VIRSCAN.DOC
    /NOLIVEBAIT       Skip Live Bait Test
    /NOMEM            Skip complete "Quick Memory Check"
    /NOPATHCOMPANION  Skip path Companion Test
    /UNB /UNK         Search for new unknown viruses
                      No output on argument syntax (Guru option).
    /AKTION           Display information on virus special offer.

TIP: To see a short description of more options execute MemScan
     with the parameter /? for a short help!

===   Option /UNB

This option is only for the case of emergency!  This function ALWAYS produces
false alarms!  I use it for finding known and new viruses! Almost every new
resident MS-DOS virus can be found with MemScan!

===  Option /IVT

With the parameter /IVT the working memory can be examined for approx. 180 of
the best-known DOS viruses.  This is done by so-called "Am I there" calls
in a split second (in comparison to the slow memory scan). Among other
things, the working memory is examined for the following viruses:

  - Jerusalem and related viruses (at least 48 variants)
      * Frere Jacques
      * Fu Manchu
  - Tequila (Stealth virus)
  - Yankee Doodle/Vacsina (45 variants)
  - Cascade and Yap (14 variants)
  - Flip/Omicron (6 variants/Sub-stealth virus)
  - Parity (4 variants, boot virus)
  - dBase
  - Plastique (AntiCad, Invader, Tobacco, 4.21, 5.21 and Cobol)
  - Tremor (Stealth virus)
  - Hare (Stealth multipartite virus)

If one of these viruses is detected, the user is informed.

NOTE: You should not use this option if you have Novell Netware installed
      because it results in overlapping of the interrupt calls. This function
      used to be executed automatically, but it emerged that the so called "Am
      I There" calls were not 100% compatible with different operating systems
      and configurations. So, if unusual side effects occur, this option might
      be the reason. This option also checks the high memory (HMA) - if
      available - for viruses.


=== Notes on parameter usage

Customers familiar with the American or UNIX parameter syntax (minus sign)
instead of the slash ('/') can also use the minus sign ('-') to start an option.

    Example: -IVT is equivalent to /IVT

NOTE: There must be at least one blank between the individual arguments!
      The arguments are not case sensitive.


=== The environment variable MemScan

Instead of always calling MemScan with arguments, MemScan can be controlled with
a so called environment variable.  For example, enter the following at the DOS
prompt:

                        SET MEMSCAN=/unb -high -IVT

If you start MemScan now, MemScan reads all required arguments from the
variable.


===  Rollback of preset values

Sometimes it is desirable to reset options that are already set (e.g. by SET
MEMSCAN=...). This is simply done by appending a minus sign to the option on the
command line, which switches the option off.

For example, you have entered the following:

                             SET MEMSCAN=/high

Then start MemScan with the following argument:

                               MEMSCAN /high-

In this case the command line option overrides the option set by the environment
variable! Command line options always override environment options.
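The argument rules from the last three sections (slash or minus prefix, blank-separated and case-insensitive arguments, the MEMSCAN variable, and a trailing minus to switch an option off) can be modelled as follows. This is an added example, not MemScan's own code; the function names are hypothetical, and treating /UNK as an alias of /UNB and letting later arguments win within one source are assumptions.

```python
"""Model of the MemScan argument rules described above (added example, not MemScan's code)."""

ALIASES = {"UNK": "UNB"}  # assumption: /UNB and /UNK share one line in the option list


def parse_args(text):
    """Return [(OPTION, enabled)] for a blank-separated argument string."""
    parsed = []
    for token in (text or "").split():           # arguments are separated by blanks
        if len(token) < 2 or token[0] not in "/-":
            raise ValueError(f"not an option: {token!r}")
        name, enabled = token[1:], True
        if name.endswith("-"):                   # trailing minus switches the option off
            name, enabled = name[:-1], False
        name = name.upper()                      # arguments are not case sensitive
        if not (name.isalnum() or name == "?"):  # e.g. "/unb/high" lacks the blank
            raise ValueError(f"malformed option: {token!r}")
        parsed.append((ALIASES.get(name, name), enabled))
    return parsed


def effective_options(env_value, command_line):
    """Apply the MEMSCAN variable first, then the command line, which wins."""
    state = {}
    for source in (env_value, command_line):
        for name, enabled in parse_args(source):
            state[name] = enabled
    return {name for name, enabled in state.items() if enabled}


if __name__ == "__main__":
    # Constructed inputs taken from the examples in the text above.
    print(sorted(effective_options("/unb -high -IVT", "")))
    print(sorted(effective_options("/high", "/high-")))
    print(sorted(effective_options("/high", "-ivt")))
```
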


== False alarms of MemScan

MemScan detects approx. 98% of ALL new resident DOS or boot viruses with the
option /UNB; however, this option is only for absolute virus gurus. Hint: If you
suspect a virus on your system, execute VirScan Plus with the following
parameters:


                            Virscan -auto -HEUR -log

NOTE: If VirScan Plus finds the same virus as MemScan in several EXE/COM
      files, it is a new virus! If VirScan finds a different virus in many
      COM/EXE files, for example Crypt/FamZ, then it is a new ENCRYPTED virus!
      In these cases please send me an email with the infected files! Note: The
      option /HEUR is available only in the full version of VirScan Plus!

The following screen shot normally shows a false positive, because the "virus"
is found only:

. with the `-unb` option
. in the main screen

----

¦¦¦¦¦+-----------------------------------------------------------------+¦¦¦¦¦
¦¦¦¦¦¦   MemScan 20.x.x - (c) 03.01.1991-2025 by ROSE SWE, Ralph Roth  ¦¦¦¦¦¦
¦¦¦¦¦+-----------------------------------------------------------------+¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦+-------------------------------- Messages ----------------------------+¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦  ¦ Free memory available for MemScan: 68.000/68.000                  ¦¦¦¦
¦¦¦  ¦ Command line: -unb                                                ¦¦¦¦
¦¦¦  ¦ Signatures created: Mi 25. Feb. 2004, build 3.073, 5.165 signs    ¦¦¦¦
¦¦¦  ¦ This PC has 640/640 kb free base memory                           ¦¦¦¦
¦¦¦  ¦ HMA/A20 gate present at segment: 0xFFFF:0000                      ¦¦¦¦
¦¦¦  ¦ Checking conventional memory (640 kb)                             ¦¦¦¦
¦¦¦  - Found the Type_Exec2a.35C6-D0A0 virus!                            ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦  Warning: A virus found in your main memory!                         ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦+----------------------------------------------------------------------+¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦+---------- Scanning ---------+¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦     Please press a key!     ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦+-----------------------------+¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦

----

A normal virus infection looks like this, and MemScan won't go to the main
screen at all (in this case a 572 byte long new DOS COM infector):

----

-----[ Quick scan of the system and memory for viruses ]----------------------

  MBR - HDD 0 (512) .......(45FC:2A00)..... -- OK! --
  Interrupt 13h (DOS) .....(0D58:18C5)..... -- OK! --
  Interrupt 13h (Orig) ....(F000:E3FE)..... -- OK! --
  Interrupt 21h (DOS) .....(9F75:0119)..... Type_Exec1a.4A77-F232 Virus
  Interrupt 40h (DOS) .....(F000:EC59)..... -- OK! --
  Memory (Low-System) .....(0000:0000)..... -- OK! --
  Memory (639 KB) .........(9C00:0000)..... Type_Exec1a.4A77-F232 Virus
  Memory (HMA) ............(FFFF:0001)..... -- OK! --
  HDD-IRQ 76h .............(0CC5:0117)..... -- OK! --
  Path Companion Test ..................... -- OK! --
  Live Bait Test ..........(295 KB)........ Type: COM=572 Virus
Heuristic mode:
  Single Step .............(0070:06F4)..... -- OK! --
  Misc BIOS ...............(0D58:19A0)..... -- OK! --
  Reboot ..................(0D3B:002F*).... -- OK! --
  Multiplex ...............(14E2:1180)..... Type_Exec2b.CF14-B4E4 Virus
  VCPI ....................(F000:FF53)..... -- OK! --
  Interrupt D3h ...........(F000:FF53)..... -- OK! --
  Interrupt 0Dh ...........(F000:FF53)..... -- OK! --
  Interrupt 0Eh ...........(0CC5:00B7)..... -- OK! --

Please deactivate the virus through a cold boot from a system disc!
Press any key to continue...
----

== Program Return Values


MemScan returns an error code to DOS that can be evaluated via the variable
ERRORLEVEL. The following error codes are used:

----

        ERRORLEVEL              Short description
        -----------------------------------------------------------------
        0                       All OK, Option -?, -h etc.
        1                       Internal error
        2                       Option -exit
        3                       Overlay (MemScan.ovr) handling error
        8                       Not enough free memory available

        10                      QuickMemoryScan found a virus
        11                      NOSTEALTHTEST found a virus
        12                      NOWINTEST found a virus
        13                      Found a virus in the main scan function

----

== Hints and FAQ

Q: Can you help me fix the virus on my main memory...? Attached is the view of
MemScan and QMS...

A: I think this is a so called "false positive". Please read the attached
document (MemScan_Eng.txt). If you have a DOS or boot virus, you should be able
to trace it (as described in MemScan_Eng.txt) with QMS/MemScan and VirScan Plus.
What DOS version and Windows version do you use? Some special DOS drivers in
usage?

Q: Only the TESTBOOT routine found something. Since it was in German, I really
didn't know what it said. I went to an online translator and realized that it
said "wert ermittelt" and "wurden gesichert" which translated "worth determines"
and "became secured". After that I ran it again and it didn't

A: That's normal for the first (initial) run - I have added, where possible, an
English translation in the new version!


TIP: How you can possibly detect a file-/boot virus:

. MemScan -unb -high
. QMS -unb
. put testboot.exe into the Autoexec.bat as last command
  (DOS/Win9x based systems only)
. rhbvs -auto -log -all -high


== Integrated virus protection


The program contains an integrated check-sum tester to alert the user on a
possible virus infection.  The check-sum for the program can be found in the
file with the extension ".XXX".

This check-sum contained in the file as well as the main program must not be
changed nor modified in any case!  Otherwise, the main program regards itself
being possibly infected by a virus (a virus still unknown to the program)!

Following features of the EXE file are monitored and checked for modifications
every time the program is executed:

* Check-sum (CRC32) - If only one bit of the program is changed by a virus, the
  check-sum will no longer match (own secure routine, according to ANSI X3.66 -
  CRC-Poly is: 0xDEBB20E3).

* File size - If a program becomes one or two KB longer, it is infected!

* Overlay size - If the program uses overlays (".OVR").

I strongly recommend not making any changes to the EXE & XXX-file since the
program will not run any more!

The file with the extension ".XXX" also contains the creation date and the
standard MD5 checksum, which can be checked with other tools like md5dir or
hashall from ROSE SWE. Verifying the CRC32 checksum takes less than 1 second
(depending on computer type and hard disk drive). If the check-sum is OK, the
program is executed. Otherwise a detailed error report with indications of
possible error reasons is displayed.

This is a screen shot of MemScan's self-check envelope finding itself
infected with a 647-byte EXE infector!

----

#####   Länge der Datei MEMSCAN.EXE hat sich geändert!   #####

Hierfür gibt es mehrere Möglichkeiten für diese Fehlermeldung:

¦    Ein Virus hat das Programm befallen!
     Am besten gleich mit VirScan Plus testen ...
     WARNUNG: Programm ist um 647 Bytes größer geworden!!!
     SENDEN SIE UNS DIESE DATEI ZU ANALYSEZWECKEN ZU! TYPISCH FÜR VIREN!

¦    Sie haben die Datei MEMSCAN manipuliert, deshalb ist die
     Checksumme verändert worden.

¦    Sie haben nicht alle Dateien mit kopiert (s. o.), oder auf dem
     Datenträger sind Informationen verloren gegangen (Bits umgekippt).

¦    Verwenden Sie die Option /NOCHECKCRC um diese Überprüfung zu umgehen!

Bitte die ENTER-Taste zum Fortsetzen drücken...

----
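The checks listed in this section (file size, CRC32, MD5) can be reproduced outside the program with the sketch below. It is an added example, not MemScan's routine: the layout of the ".XXX" file is not described here, so the record is a hypothetical dictionary and the sample image is constructed. The `residue` function additionally shows that 0xDEBB20E3 is the value the standard CRC-32 register holds after processing data followed by its own little-endian checksum.

```python
"""Size/CRC32/MD5 self-check in the spirit of the section above (added example)."""
import hashlib
import struct
import zlib

CRC32_RESIDUE = 0xDEBB20E3  # register value after data + its own appended CRC-32

# Constructed stand-in for an EXE image; not a real MemScan file.
SAMPLE_IMAGE = b"MZ" + bytes(range(256)) * 4


def make_record(image):
    """Reference values stored at release time (hypothetical record layout)."""
    return {
        "size": len(image),
        "crc32": zlib.crc32(image),
        "md5": hashlib.md5(image).hexdigest(),
    }


def self_check(image, record):
    """Return a list of findings; an empty list means the image is unchanged."""
    findings = []
    delta = len(image) - record["size"]
    if delta:
        findings.append(f"size changed by {delta:+d} bytes")
    if zlib.crc32(image) != record["crc32"]:
        findings.append("CRC32 mismatch")
    if hashlib.md5(image).hexdigest() != record["md5"]:
        findings.append("MD5 mismatch")
    return findings


def residue(image, stored_crc):
    """CRC-32 over image plus stored CRC (little-endian), final XOR undone."""
    return zlib.crc32(image + struct.pack("<I", stored_crc)) ^ 0xFFFFFFFF


if __name__ == "__main__":
    record = make_record(SAMPLE_IMAGE)
    grown = SAMPLE_IMAGE + b"\x00" * 647           # file grew, as in the screen shot
    flipped = bytearray(SAMPLE_IMAGE)
    flipped[100] ^= 0x01                           # a single changed bit, same size
    print(self_check(SAMPLE_IMAGE, record))
    print(self_check(grown, record))
    print(self_check(bytes(flipped), record))
    print(hex(residue(SAMPLE_IMAGE, record["crc32"])))
```
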

== Other/Misc

If you want to obtain the full versions of my antivirus software, please
start the program REGISTER.COM, and an order form will be printed.

By the way: MemScan is compressed from 380 KB to currently 87 KB EXE + 183
KB overlay!

== Reviews/Awards

https://www.windows11downloads.com/win11-memscan/  (MemScan 23.5)

==  What's new?

----
Version             Changes
#######################################################################

    3.00            Parts of MemScan were swapped out to the overlay
                    file MEMSCAN.OVR, therefore MEMSCAN needs 50 KB less
                    working memory. Added checksum tester.
    3.10            Extended 'Am I There' Virus test.
    3.17            Program does not wait any more for key stroke
                    if NO virus was found!
    3.33            Number of detected viruses: approx. 3.000!
    3.36            The package now includes HMS.COM.
    3.50            Live Bait Test to detect
                    unknown file viruses.
    3.53            New ChkPC version (Hare & Boot-437)
    3.55            50 new viruses, i. e. CriCri & Grief.
    3.98            4180 viruses. QMS, TestBoot & HMS were
                    considerably enhanced. The Live Bait
                    Test was considerably enhanced.

    4.xx            New Viruses.

    5.0.1           Completely redesigned version. Program in English!
    5.1.0           Added Stealth Live Goat Test.
    5.6             /NOPATHCOMPANION, /NOLIVEBAIT
    5.7             /NoMem
    6.0             Win32 Live Bait Test
    6.2.7           /NoWin32Test, /NoStealthTest, DOKU revised
    6.3.1           This English documentation added
    6.5.5           /NoHMA fixes, A20-Gate/HMA fixes
    6.6.8           Tons of new viruses due to F_Mirc Linux porting
    9.5.5           adapted to run with DosEMU (Linux)
    9.5.8           30.08.2017 - Ported this documentation to ASCIIDOC
    10.1.5          22.01.2018 - new viruses
    23.5            April 2023 - new viruses
    30.0            June 2024 - new viruses, maintenance release
    40.0            December 2025 - new viruses, maintenance release
----

== BANNERWARE from ROSE SWE

This program may be freely copied and passed on.  It is considered so-called
Bannerware.  I only request that the following declarations be kept:

* (C)opyright by ROSE SWE, Ralph Roth (the so-called Banner)
* sale and/or industrial transmitting of the programs is forbidden. No
commercial transmitting without our hard-copy consent!
* the programs MUST be distributed free and/or passed on against a small
copying-charge (Shareware trader) (max. EUR 10,--).
* the program/documentation must not be changed!
* the program package must be passed on complete and unchanged!

Trademarks of other companies mentioned in this documentation and package appear
for identification purposes only and are property of their respective companies.

NOTICE TO USER: You should read the following terms and conditions carefully
before using this software. Your use of this software indicates your full
acceptance of this license agreement and warranty.  BY INSTALLING THIS SOFTWARE
YOU ACCEPT ALL THE TERMS AND CONDITIONS OF THIS AGREEMENT.

The SOFTWARE is owned and copyrighted by ROSE SWE. Your license confers no title
or ownership in the SOFTWARE and should not be construed as a sale of any right
in the SOFTWARE.

No Warranty.  The Software is being delivered to you AS IS and ROSE SWE makes no
warranty as to its use or performance.  ROSE SWE AND ITS SUPPLIERS DO NOT AND
CANNOT WARRANT THE PERFORMANCE OR RESULTS YOU MAY OBTAIN BY USING THE SOFTWARE
OR DOCUMENTATION.  ROSE SWE AND ITS SUPPLIERS MAKE NO WARRANTIES, EXPRESS OR
IMPLIED, AS TO NON INFRINGEMENT OF THIRD PARTY RIGHTS, MERCHANTABILITY, OR
FITNESS FOR ANY PARTICULAR PURPOSE.  IN NO EVENT WILL ROSE SWE OR ITS SUPPLIERS
BE LIABLE TO YOU FOR ANY CONSEQUENTIAL, INCIDENTAL OR SPECIAL DAMAGES, INCLUDING
ANY LOST PROFITS OR LOST SAVINGS, EVEN IF AN ROSE SWE REPRESENTATIVE HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR FOR ANY CLAIM BY ANY THIRD PARTY.

In short: This software is provided 'as-is', without any express or implied
warranty.  In no event will the authors be held liable for any damages arising
from the use of this software. If you do NOT agree simply do NOT install and use
this software!


== Copyright

----

(C)opyright by (ALL RIGHTS RESERVED!)


__________ ________    ____________________   ___________      _____________
\______   \\_____  \  /   _____/\_   _____/  /   _____/  \    /  \_   _____/
 |       _/ /   |   \ \_____  \  |    __)_   \_____  \\   \/\/   /|    __)_
 |    |   \/    |    \/        \ |        \  /        \\        / |        \
 |____|_  /\_______  /_______  //_______  / /_______  / \__/\  / /_______  /
        \/         \/        \/         \/          \/       \/          \/

 -------------------------------------=-----------------------------------
     ROSE SWE                           See ROSEBBS.TXT for
     Dipl.-Ing. Ralph Roth              full address, FAX and PGP keys.
     http://rose.rult.at
     rose_swe@hotmail.com               All Rights Reserved!
 -------------------------------------=-----------------------------------

----

NOTE: Initial Translation by ez-web Digital Services, ezweb@gmx.net in 03/2002

include::viruses.adoc[Virus Description]

// vim:set fenc=utf8 ff=dos ft=asciidoc ts=2 et:
