
  ----------------------------------------------------------------------

                         HMVS 3.10 user's manual

      HMVS - an advanced heuristic and neural network driven system
           for detection of known and unknown macro viruses,
                       ultimate macro dissector

           Copyright (c) Jan Valky, Lubos Vrtik, Richard Marko

    Portions copyright (c) Maros Grund (database compiler/interface)
       Portions copyright (c) Tomas Pail (Xep packing/encryption)

           Xep is copyright (c) by Tomas Pail and Jan Valky

           translation to English performed by: HMVS authors

                        last update: 20-dec-98

  ----------------------------------------------------------------------

 CONTENTS

 1. Introduction
 2. System requirements
 3. List of HMVS features
 4. Command line parameters
 5. Configuration file setting
 6. Scanning in simple mode
 7. Scanning in prompt mode
 8. What can be done from prompt mode
 9. Advanced mode (experienced users)
10. Inspecting suspected files
11. Features that are no more supported in HMVS 3.00+
12. Using language plugins
13. Known problems and solutions
    A. Problems with long file names under Windows NT 4.0 and above
    B. Problems with long file names under Windows 95/98
    C. Problems with individual Excel 5.0-7.0 modules cleaning
    D. Scanning multiple drives



LICENCE

HMVS is a SHAREWARE program. You can evaluate and test it for 30 days.

If you continue using HMVS beyond the 30-day trial period, you MUST PURCHASE
a licence for it.

See the file REGISTER.TXT for more information about the registration.


1. INTRODUCTION

HMVS is an advanced *SYSTEM* for scanning for, cleaning and inspecting known
and even unknown macro viruses.

HMVS is a 32-bit DOS application compiled with DJGPP GCC++. It also works
under Windows 3.1, Windows for Workgroups 3.11, Windows 95, Windows 98 and
Windows NT 4.0.

HMVS is not only a macro virus scanner and cleaner.

Advanced features such as the built-in Word Basic (MS Word 6.0-7.0) and VBA3
(MS Excel 5.0-7.0) discompilers and the VBA5 (MS Office '97) source unpacker,
as well as the neural network based scanner and the on-the-fly neural
network teaching system, allow advanced users to inspect suspected
documents, sheets or databases for viruses even if the scanner and
heuristics have failed.

When an unknown virus is found or a file contains suspicious macros or
modules, HMVS allows the user to inspect every macro or module by producing
its source code. If the user finds out that the file contains some viral or
unwanted macros or modules, he has the opportunity to switch to advanced
cleaning mode and remove the selected macros.

HMVS uses several methods to detect known and unknown macro viruses.

Exact virus identification using CRC32 or smart CRC32 checksumming, with
identification strings as a complementary method, is used to detect known
viruses.

Heuristic analysis, dedicated algorithms and the neural network based
scanner are used to detect unknown viruses, trojans and other malware.


2. SYSTEM REQUIREMENTS


The minimum configuration for using HMVS is:

- MS DOS  5.0, MS Windows 3.1,  MS Windows for Workgroups  3.11, MS Windows
  95, MS Windows 98 or MS Windows NT 4.0.
- system processor 80386 or higher
- math coprocessor 80387 or higher
- at least 4 MB of memory
- DPMI  server  if  running  under  MS  DOS  (for  instance 386MAX, QEMM or
  CWSDPMI.EXE).

  If you have no DPMI server installed, you can use CWSDPMI.EXE, which is
  part of the HMVS package.


3. LIST OF HMVS FEATURES

* HMVS 3.00+ is a 32-bit DOS application compiled with DJGPP GCC+ compiler.
  It  works under  MS DOS  5.0 and  above, MS  Windows 3.x,  MS Windows for
  Workgroups 3.11, MS Windows 95/98/NT 4.0.

* HMVS 3.00+ is a modular system with an object-oriented architecture

* HMVS 3.00+ supports plug-ins

* HMVS 3.10+ supports language plugins
  It allows HMVS to speak many languages

* HMVS 3.00+ has an amazing new on-the-fly neural teaching feature

  HMVS is able to detect frequently occurring macros/modules, which is
  common for virus infiltrations

* HMVS scans embedded and nested objects

* Because  HMVS uses  its own  OLE2 complex  structure parser  it does  not
  require MS Windows or MS Office to be installed

* HMVS has a user-friendly interface

  The new interface was designed to give the user full control over the
  process of inspecting and cleaning macros/modules inside files. When
  switched to advanced cleaning mode, HMVS guides the user through several
  options to let him decide which actions should be performed on the
  selected object.

  Because  of the  new modular  architecture, multiple  pass processing  on
  selected objects is possible.

* HMVS supports long file names

  HMVS  supports long  file names  (LFN) except  for MS  Windows NT 4.0 and
  above. There  are some limitations and  problems with using LFN.  See the
  Known problems chapter for more details.

* full control over HMVS via HMVS definition file

* different  colors are  used for  displaying viral,  legitimate and  clean
  macros

List of HMVS' MS Word 6.0-7.0 engine key features

+ scans and cleans macros inside password protected files
+ allows cleaning of macros selected by user (in advanced mode)
+ allows converting template back to document (in advanced mode)
+ displays names of macros and encryption information
+ token based Word Basic heuristics
+ neural network driven scanner
+ on-the-fly neural network teaching system
+ built-in Word Basic discompiler/macro dissector

  MS Word dissector/discompiler supports two different token sets
  1. MS Word 6/7 token database (2093 tokens)
  2. MS Word 8 token database (2876 tokens)
     By using the language-specific MS Word 8 token set database it is
     possible to produce source code in 12 different languages:

     Brazil, Danish, Dutch, English, Finnish, French, German, Italian,
     Norwegian, Portuguese, Spanish, Swedish

List of HMVS' MS Word 8.0 (VBA5, MS Office'97) engine key features

+ scans inside password protected files
+ cleans (cures) infected files
+ converts templates back to documents
+ displays names of modules
+ MS Word 8.0 heuristics
+ built-in MS Word 8.0 source code unpacker/module dissector

List of HMVS' MS Excel 5.0-7.0 (VBA3) engine key features

+ scans modules inside password protected files
+ cleans (cures) infected files
+ allows cleaning of modules selected by user (in advanced mode)
+ displays names of modules
+ P-Code based VBA3 heuristics
+ VBA3 parser for exact virus identification
+ neural network driven scanner
+ on-the-fly neural network teaching system
+ built-in VBA3 discompiler/module dissector

List of HMVS' MS Excel 8.0 (VBA5, MS Office'97) engine key features

+ scans inside password protected files
+ cleans (cures) infected files
+ displays names of modules
+ MS Excel 8.0 heuristics
+ built-in MS Excel 8.0 source code unpacker/module dissector

List of HMVS' MS Excel Formula engine key features

+ scans Excel Formula sheets
+ displays names of MS Excel Formula sheets

List of HMVS' MS Access 8.0 (VBA5, MS Office'97) engine key features

+ scans inside password protected and encrypted databases
+ displays names of modules
+ MS Access 8.0 heuristics
+ built-in MS Access 8.0 source code unpacker/module dissector


4. COMMAND LINE PARAMETERS


/?, -?
/h, -h
/help, -help

Displays HMVS help screen.


/plug=filename1;filename2;...;filenameX
-plug=filename1;filename2;...;filenameX

Activates one or more plug-ins specified after the 'plug' parameter.

The 'plug' command is used, for instance, to enable some extra HMVS
features. If you want to activate several plugins, the plugin file names
must be separated by semicolons.

Examples: HMVS badvir.doc -source -wblng=bra -plug=wb.pnp
          HMVS c:\4src\test\ -source -plug=scan.pnp;wb.pnp

Note: This command overrides the default HMVS setting (file HMVS.DEF).
      Regardless of the default setting (specified in the HMVS.DEF file),
      only those plugins which were specified after the 'plug' command
      will be activated.


/source, -source
/make-source, -make-source
/produce-source, -produce-source

Extracts source code of macros/modules for given file(s) or directory.

HMVS is  able to extract source  code from MS Word  6/7/8, MS Excel 5/6/7/8
and MS Access 8.

Example1: To produce source code for one file use

          HMVS filename -source

Example2: To  extract source from all  files in the C:\VIRUS  directory and
          all its subdirectories use

          HMVS C:\VIRUS -source

If you do not specify the 'wblng' command, HMVS will use the default token
set ('wb6' unless the corresponding line in the HMVS.DEF configuration file
is modified).

Example3: To produce source code for one file using French token set use

          HMVS filename -source -wblng=fre -plug=wb.pnp

or (if the 'wb.pnp' plugin is added to the HMVS.DEF file)

          HMVS filename -source -wblng=fre

If you want to extract source code from MS Word 6/7 files, it is possible
to force the built-in WordBasic discompiler to use a language-specific
token database.

This feature, for instance, allows you to convert a macro written in one
language to 11 different languages. Or, if you know that a file contains
a macro written in French Word, just use the French token database to get
the original source code in French.

For more details see the description of the 'plug' and 'wblng' commands.


-wblng={wb6|bra|dan|dut|eng|fin|fre|ger|ita|nor|por|spa|swe}
/wblng={wb6|bra|dan|dut|eng|fin|fre|ger|ita|nor|por|spa|swe}
-wb-language={wb6|bra|dan|dut|eng|fin|fre|ger|ita|nor|por|spa|swe}
/wb-language={wb6|bra|dan|dut|eng|fin|fre|ger|ita|nor|por|spa|swe}

This command is used together with the 'source' command to specify which
token set and language should be used to extract source from MS Word 6/7
files or files down-converted from MS Word 8.

The following example shows how to extract source code from an MS Word
document using the French language-specific token set database.

Example: HMVS unkfile.dot -source -wblng=fre -plug=wb.pnp

If you add the 'wb.pnp' plugin  in HMVS' configuration file (file HMVS.DEF)
you will not need to use the 'plug' command in the previous example.

You can simply use HMVS unkfile.dot -source -wblng=fre

The  list of  available shortcuts  one can  use with  'wblng' command is as
follows:

  wb6 (English)       ---> uses WordBasic 6/7 token database
  bra (Brazil)        --+
  dan (Danish)          |
  dut (Dutch)           |
  eng (English)         |
  fin (Finnish)         |
  fre (French)          +--> for these languages HMVS uses
  ger (German)          |    WordBasic 8 token database
  ita (Italian)         |
  nor (Norwegian)       |
  por (Portuguese)      |
  spa (Spanish)         |
  swe (Swedish)       --+

For  more  details  about  using  'wblng'  commands  see description of the
'source' and 'plug' commands.


/nos, -nos
/noscan, -noscan
/scan-, -scan-

Disables scanning using signatures / alg. modules.


/scan+, -scan+

Enables scanning using signatures / alg. modules.


/noh, -noh
/noheur, -noheur
/heur=no, -heur=no

Disables heuristics.

Note: Because one of the inputs of the neural network driven scanner is the
      result of heuristics, disabling heuristics disables the neural
      network too.


/hlo, -hlo
/heur-lo, -heur-lo
/heur=lo, -heur=lo

Enables low level of heuristics or switches to low heuristics.


/analyse, -analyse
/heur=std, -heur=std

Enables standard level of heuristics or switches to standard heuristics.


/hhi, -hhi
/heur-hi, -heur-hi
/heur=hi, -heur=hi

Enables high level of heuristics or switches to high heuristics.


/noneur, -noneur
/disable-neural+, -disable-neural+

Disables neural network.

This also prevents displaying of neural information in 'simple' mode.


/disable-neural-, -disable-neural-

Enables neural network.

Note: Heuristics has to be enabled too in order to run neural network.


/all, -all
/doallfiles, -doallfiles
/allfiles+, -allfiles+

Scans files with *ANY* file extensions for viruses.

Examples:  HMVS C:\ -allfiles+
           HMVS C:\VIRUS /all
           HMVS D:\WORK -doallfiles


/allfiles-, -allfiles-

Scans only files with default file extensions (*.DOC, *.DOT, *.XL?, *.WIZ,
*.MD?, *.RTF).


/log, -log
/rep, -rep
/report, -report
/report+, -report+

Creates a log file. The default name of the log file is set in the
configuration file (file HMVS.DEF).

The amount of information logged to the file is controlled by the
'report-level' command.

For more details see the description of the 'report-level' command.


/log=filename, -log=filename
/rep=filename, -rep=filename
/report=filename, -report=filename

As above, but all output selected by the 'report-level' setting will be
logged to the given filename.


/report-, -report-

Disables logging.


/report-level={ok|mac|flags|susp|neur|heur|scan|never}
-report-level={ok|mac|flags|susp|neur|heur|scan|never}

Specifies what kind of information will be logged when one of the commands
for creating a report file is active.

The meaning of the shortcuts is given in the following table:

  Shortcut   Priority   Meaning
  --------   --------   -----------------------------------------------
  ok         1          log *ALL* files
  mac        2          log all files containing macros
  flags      3          log all files containing heuristic flags
  susp       4          log all suspected files
  neur       5          log all files marked as 'suspected' by neural
                        network
  heur       6          log all files marked as 'virus' by heuristics
  scan       7          log all files containing known virus or variant
  never      8          do not log any file

The rules for logging are simple. The highest number means the highest
priority. If you specify, for instance, 'susp' (priority 4), all options
with 'susp' and higher priority will be activated. That means that all
options with priority 4, 5, 6, 7 and 8 will be activated.

Using the 'report-level'  command you can control which  scanned files have
to be reported in log file.

Example1: HMVS c:\ -report=myrep.log -report-level=scan
          (scans disk C:\ and logs all  the files infected by known viruses
          to the myrep.log file)

Example2: HMVS c:\ -report=myrep.log -report-level=mac
          (scans  disk C:\  and logs   all files  containing macros  to the
          myrep.log file)


/nob, -nob
/nobreak, -nobreak
/break-, -break-

Disables the possibility to interrupt the program by pressing the ESC key.


/yesbreak, -yesbreak
/break+, -break+

Allows user to interrupt the program by pressing the ESC key.


/defaults, -defaults

Creates  the default  HMVS.DEF configuration  file or  replaces an existing
one.

Example: HMVS -defaults
         (creates  the  default  HMVS.DEF  configuration  file with default
         setting)


/ok, -ok
/list, -list
/display_ok, -display_ok

Displays all scanned files (MS Word  6/7/8, MS Excel 5/6/7/8, MS Access 8).
It does not matter whether they contain macros or not.

These commands are used if you want to display all files, both those
containing macros and OLE2 files without macros.

Examples: HMVS C:\ -allfiles -ok
          HMVS C:\FORTEST -list

Note: The same as -report-level=ok


/nobak-, -nobak-
/dont-create-bak-, -dont-create-bak-
/dobak, -dobak

Forces HMVS to always create backup of the cleaned file.


/nobak+, -nobak+
/dont-create-bak+, -dont-create-bak+

Forces HMVS not to create backup before cleaning.


/nobeep, -nobeep
/beep-, -beep-

Prevents HMVS from making any sound.

Note: Not supported yet.


/beep+, -beep+

Forces HMVS to produce a sound signal the first time a virus is found.

Note: Not supported yet.


/virlist, -virlist

Displays the list of viruses from HMVS' signature definition file.

Note: You can redirect the output to a file using the 'report' switch.

Example: HMVS -virlist -report=viruses.lst


/simple, -simple

Switches HMVS to simple mode.
It is not possible to perform cleaning in 'simple' mode.

Note: The same as '-prompt-level=never'


/mac, -mac
/prompt, -prompt
/prompt-on-every-macro, -prompt-on-every-macro

Forces HMVS to stop on any file containing a macro/module, no matter what
kind of macro it is.

In prompt mode you can, for instance, perform global cleaning or individual
object cleaning, or find out the password of password protected files.

Note: The same as '-prompt-level=mac'


/prompt-level={ok|mac|flags|susp|neur|heur|scan|never}
-prompt-level={ok|mac|flags|susp|neur|heur|scan|never}

Specifies the behaviour of prompt-mode.

The meaning of the 'prompt-level' shortcuts is the same as that of the
'report-level' shortcuts. The difference is that the 'prompt-level' setting
controls when the user prompt will be activated.


/cv=no, -cv=no
/convert=no, -convert=no

Forces HMVS never to convert template to document during cleaning.


/cv=all, -cv=all
/convert=all, -convert=all

Forces HMVS to convert *ALL* templates to documents during cleaning.

Note: All user customizations will be lost.


/cv=auto, -cv=auto
/convert=auto, -convert=auto

Lets HMVS decide when to convert a template to a document during cleaning.

In fact, the template will be converted only if it contains no user
customizations.

Note: This prevents any loss of user customizations.


-act={skip|cure|rename}, /act={skip|cure|rename}
-action={skip|cure|rename}, /action={skip|cure|rename}

Note: Not supported yet.


PRIVATE COMMAND LINE PARAMETERS
-export-signatures       // disabled in public version
-heur-export             // disabled in public version
-export-tables           // disabled in public version
-dump-scan-buffer        // disabled in public version
.
.
.
... and more ...


5. CONFIGURATION FILE SETTING


The default HMVS' configuration setting is (file HMVS.DEF):

-plug=scan.pnp                 // plugin scan.pnp is active
-wb-language=wb6               // use WordBasic 6/7 token database (English)
-report=hmvs.log               // HMVS.LOG is the default report file name
-report-                       // do not create report file
-convert=auto                  // let HMVS decide when to convert template
                               // to document (automatic mode)
-heur=std                      // use standard heuristic level
-report-level=neur             // priority level 'neur' and higher:
                               // files suspected by the neural network,
                               // files marked as infected by heuristics
                               // and by scanner will be reported
-prompt-level=heur             // prompt if the file is marked as infected
                               // by heuristics or contains known virus or
                               // variant
-allfiles-                     // scan only files with default extensions
-beep+                         // generate a sound when a virus was found
-dobak                         // create backup of the file during cleaning
-yesbreak                      // allow user to interrupt program
                               // by the ESC key
-scan+                         // enable scanning using signatures/CRC32
-disable-neural-               // enable neural network driven scanner

You can change these default settings yourself.

For instance, you can change the default name of the report file, the level
of heuristics, specify the default language for the WordBasic discompiler,
activate other HMVS plugins and so on.

It is possible to override some of the default settings by using the proper
command line switches, or to make them default by modifying the
corresponding lines in the configuration file.

If you have deleted the configuration file, you can create it again with
the '-defaults' switch.


6. SCANNING IN SIMPLE MODE

When HMVS runs in simple mode, you get only limited information about
suspected or infected files. It is not possible to clean the infected files
in this mode.

Simple mode is usually used to scan a virus collection.

Here is an example of user's screen during scanning:

                                   -===-
d:/ACCESSIV.MDB (0.0000:0.0000[-------]) - A97M.Accessiv.A virus
d:/ACID.DOC (0.0000:0.0000[-------]) - STEALTH.MACRO virus
d:/WOOBIE.DOC (0.0000:0.0000[-------]) - W97M/Class.F virus
d:/WWCOLIN.DOC (0.9928:0.0074[VI@----]) - WM/ABC.A virus
d:/ERASER-P.DOT (0.9908:0.0094[VI@----]) - NEURAL PATTERN
d:/UGLYKID.DOT (0.0312:0.9691[----CL@]) - POLY.CRYPT.STEALTH.MACRO virus
d:/X97IMPOR.XLS (0.0000:0.0000[-------]) - X97M/Import.A virus
d:/YOHIMB~1.XLS (0.0000:0.0000[-------]) - MACRO virus
d:/BOOK1.XLS (0.0000:0.0000[-------]) - XF.Paix pattern
d:/XMDELTAB.XLS (0.9952:0.0172[VI@----]) - XM/Delta.B virus
d:/TAIWANES.XLS (0.9909:0.0108[VI@----]) - NEURAL PATTERN
                                   -===-

In simple mode the following information about scanned objects is
displayed:
- the name of scanned file
- neural network results
- the name of virus if a virus was found or result of heuristics

Note: 'pattern'  after  the  virus  name  means  that  the  virus has been
      identified using scan string instead of CRC32.

If neural network support exists for the given target, then non-zero values
as the result of the neural network scanner will be displayed immediately
after the scanned file name:

    (0.9909:0.0108[VI@----])
     |      |      |   |
     |      |      |   +--- CL@ means CLEAN
     |      |      +------- VI@ means VIRUS
     |      +-------------- 'probability' of being CLEAN
     +--------------------- 'probability' of being INFECTED

If the information collected by the neural network is not sufficient to
decide whether the file is infected or not, both the 'CL@' and 'VI@' flags
will be displayed.

Note: Because the neural network model uses a linear approach to evaluate
      total probability, the likelihood of infection can in some cases be
      greater than 1 and the likelihood of being clean can be less than
      zero (negative number). This should be interpreted as almost 1 or
      almost 0. In fact probability should be a number from the <0, 1>
      interval.

Heuristic keywords displayed by heuristic analysis

POLY        - might be polymorphic, self modifying virus
CRYPT       - contains encrypted macros
STEALTH     - uses 'stealth' methods
MACRO       - macro virus suspicion

Keyword displayed by neural network driven scanner

NEURAL PATTERN - means that the file is suspected. This suspicion is
                 a result of the neural network based scanner or the
                 on-the-fly neural network teaching system.
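
The simple-mode line format described in this chapter can be parsed for
log triage. The following Python sketch is an added example, not part of
HMVS or of the original manual; the function names, the "exact" label for
names without 'pattern', and the SAMPLE1/SAMPLE2 lines (including the
"VI@-CL@" rendering of both flags) are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Heuristic keywords listed in the manual; shown dot-joined before "virus".
HEUR_KEYWORDS = {"POLY", "CRYPT", "STEALTH", "MACRO"}

# <file> (<infected>:<clean>[<flags>]) - <verdict>
LINE_RE = re.compile(
    r"^(?P<path>.+?) \((?P<inf>-?\d+\.\d+):(?P<cln>-?\d+\.\d+)"
    r"\[(?P<flags>[^\]]*)\]\) - (?P<verdict>.+)$"
)


@dataclass(frozen=True)
class Finding:
    path: str
    p_infected: float       # clamped to [0, 1]
    p_clean: float          # clamped to [0, 1]
    neural_supported: bool  # False when both raw values are zero
    neural_flag: str        # "virus", "clean", "undecided" or "none"
    source: str             # "exact", "scan-string", "heuristic", "neural"
    name: str               # virus name for "exact"/"scan-string", else ""
    keywords: tuple         # heuristic keywords, else ()


def clamp(value):
    """The linear model can overshoot: read >1 as ~1 and <0 as ~0."""
    return min(1.0, max(0.0, value))


def neural_flag(flags):
    has_virus, has_clean = "VI@" in flags, "CL@" in flags
    if has_virus and has_clean:
        return "undecided"  # both flags: not enough information to decide
    if has_virus:
        return "virus"
    return "clean" if has_clean else "none"


def classify(verdict):
    """Split the text after ' - ' into (source, virus name, keywords)."""
    if verdict == "NEURAL PATTERN":
        return "neural", "", ()
    name, _, kind = verdict.rpartition(" ")
    if kind == "pattern":           # identified by scan string, not CRC32
        return "scan-string", name, ()
    if kind == "virus":
        parts = tuple(name.split("."))
        if all(p in HEUR_KEYWORDS for p in parts):
            return "heuristic", "", parts
        return "exact", name, ()    # assumed label for CRC32 identification
    return "unknown", verdict, ()


def parse_line(line):
    """Parse one simple-mode line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    raw_inf, raw_cln = float(m["inf"]), float(m["cln"])
    source, name, keywords = classify(m["verdict"])
    return Finding(
        path=m["path"],
        p_infected=clamp(raw_inf),
        p_clean=clamp(raw_cln),
        neural_supported=(raw_inf != 0.0 or raw_cln != 0.0),
        neural_flag=neural_flag(m["flags"]),
        source=source,
        name=name,
        keywords=keywords,
    )


def parse_report(text):
    return [f for f in map(parse_line, text.splitlines()) if f is not None]


def needs_inspection(findings):
    """Files flagged only by heuristics or the neural network."""
    return [f.path for f in findings if f.source in ("heuristic", "neural")]


# First four lines are taken from the screen example above;
# SAMPLE1 and SAMPLE2 are constructed for this example.
SAMPLE = """\
                                   -===-
d:/WWCOLIN.DOC (0.9928:0.0074[VI@----]) - WM/ABC.A virus
d:/ERASER-P.DOT (0.9908:0.0094[VI@----]) - NEURAL PATTERN
d:/UGLYKID.DOT (0.0312:0.9691[----CL@]) - POLY.CRYPT.STEALTH.MACRO virus
d:/BOOK1.XLS (0.0000:0.0000[-------]) - XF.Paix pattern
d:/SAMPLE1.XLS (1.0062:-0.0053[VI@----]) - NEURAL PATTERN
d:/SAMPLE2.DOC (0.5100:0.4900[VI@-CL@]) - MACRO virus
"""

if __name__ == "__main__":
    for finding in parse_report(SAMPLE):
        print(finding)
    print("inspect:", needs_inspection(parse_report(SAMPLE)))
```

Files returned by needs_inspection() are the ones no signature matched, so
they are the candidates for the source inspection described later in this
manual.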


7. SCANNING IN PROMPT MODE

HMVS  in prompt  mode displays  extended information  about scanned object.
Sensitivity of prompt mode is affected by the '-prompt-level' command.

Besides the name of the scanned file, the following information will be
displayed:

Scanned target
Macros
Scanner results
Heur results
Target flags
Other

Scanned target

Scanned target can be either the type of the scanned file or the type of
the scanned object (VBA3 project, VBA5 project ...)

When the scanned target is a file type, it is one of the following:

   Scanned target           Description
   ----------------------   ----------------------
   MS Word 6.0              MS Word 6.0-7.0 file
   MS Excel (BIFF 5/6/7)    MS Excel 5.0-7.0 file
   MS Excel (BIFF 8)        MS Excel 8.0 file
   VBA5 (Word)              MS Word 8.0 file
   VBA5 (Access)            MS Access 8.0 file

Because of HMVS' object oriented architecture and its capability of
scanning embedded objects, the scanned target can also contain the type of
an object (VBA3, VBA5 (Excel), VBA5 (Access), VBA5 (Word) ...)

If the file is complex and contains embedded objects, HMVS displays the
types of the scanned objects one after another as 'scanned targets'.

Macros

Displays either the real names of macros or modules, or the object type. In
other words, 'Macros' are the objects inside the 'Scanned target'.

For instance, if 'Scanned target' was 'MS Word 6.0' then 'Macros' contains
the real names of macros.

Note: Macros enclosed in [] are unencrypted, macros enclosed in <> are
      encrypted.

For better understanding see the examples below this text.

Scanner results

Contains the name of detected virus.

Heur results

Contains results of heuristics.

Target flags

Contains  information about  actions which  can be  performed on  the given
target.

   Flag            Meaning
   -------------   ---------------------------------------------------
   CONVERTABLE     target is cleanable, template can be converted
                   back to document or table.

   CLEANABLE       global cleaning is possible
                   (either all macros/modules can be removed *AT ONCE*
                   or it is possible to cure given target by removing
                   *ALL ITEMS* from that target)

   CLEAN-1         cleaning of individual macros/modules
                   is possible too

   CUSTOMIZED      target contains some user's customizations

   PASSWORD        file is password protected (password can be
                   displayed in advanced mode)

Other

Contains result of neural network.

Note: If the values are zero, the neural network is not supported for the
      given target.


 Example 1: Scanned  file is  Word 6.0-7.0,  contains 4  encrypted macros,
            conversion  from template  to document  and global  cleaning is
            possible, deletion of user selected macros is possible.

 -----------------------------------------------------------------
  c:/infected/E-1.DOC
  Scanned target: MS Word 6.0
  Macros: <Bob> <Alice> <Colin> <AutoOpen>
  Scanner results: WM/ABC.A virus
  Heur results: CRYPT.MACRO virus
  Target flags: CONVERTABLE CLEAN-1
  Other:  (0.9928:0.0074[VI@----])

  1 - skip 2 - cure 3 - rename 4 - delete 5 - advanced 6 - simple
 -----------------------------------------------------------------

 Example 2: Scanned  file  is  Word  6.0-7.0,  macros  are not encrypted,
            conversion  from template  to document  and global  cleaning is
            possible,  deletion  of  user   selected  macros  is  possible,
            template contains some user customization.

 -----------------------------------------------------------------
  c:/infected/NORMAL.DOT
  Scanned target: MS Word 6.0
  Macros: [AAAZAO] [AAAZFS] [PayLoad] [FileSaveAs]
  Scanner results: is like WM/Concept.X virus
  Heur results: MACRO virus
  Target flags: CONVERTABLE CLEAN-1 CUSTOMIZED
  Other:  (0.9928:0.0074[VI@----])

  1 - skip 2 - cure 3 - rename 4 - delete 5 - advanced 6 - simple
 -----------------------------------------------------------------

 Example 3: Scanned file is MS  Excel 5.0-7.0, it contains one VBA3 project
            with one module (laroux), global cleaning is possible, deletion
            of user selected macros is possible

 -----------------------------------------------------------------
  c:/infected/LAROUX.XLS
  Scanned target: MS Excel (BIFF 5/6/7)
  Macros: [VBA3]
  Target flags:
  Other:  (0.0000:0.0000[-------])

  c:/infected/LAROUX.XLS
  Scanned target: VBA3
  Macros: [laroux]
  Scanner results: XM/Laroux.C virus
  Heur results: MACRO virus
  Target flags: CLEANABLE CLEAN-1
  Other:  (1.0062:-0.0053[VI@----])

  1 - skip 2 - cure 3 - rename 4 - delete 5 - advanced 6 - simple
 -----------------------------------------------------------------

 Example 4: Scanned file is MS Word 8.0, contains one VBA5 project with two
            modules (ThisDocument, FuSR_1),  global cleaning and conversion
            from  template  to  document  is  possible,  deletion  of  user
            selected macros is possible

 -----------------------------------------------------------------
  c:/infected/ANSR1A-1.DOC
  Scanned target: VBA5 (Word)
  Macros: [ThisDocument] [FuSR_1]
  Scanner results: W97M/AntiSR1.A virus
  Heur results: MACRO virus
  Target flags: CONVERTABLE CLEANABLE CUSTOMIZED
  Other:  (0.0000:0.0000[-------])

  1 - skip 2 - cure 3 - rename 4 - delete 5 - advanced 6 - simple
 -----------------------------------------------------------------

 Example 5: Scanned file is MS Excel 95/97 with one VBA3 and one VBA5
            project (double stream file). Both the VBA3 and VBA5 objects
            contain two modules (NoMercy2 and Members).

            Global cleaning and deletion of user selected macros are
            possible for the VBA3 project as well as for the VBA5 project.
            There is some user customization in the VBA5 project.

 -----------------------------------------------------------------
  c:/infected/VS016095.DOC
  Scanned target: MS Excel (BIFF 5/6/7)
  Macros: [VBA3]
  Target flags:
  Other:  (0.0000:0.0000[-------])

  c:/infected/VS016095.DOC
  Scanned target: VBA3
  Macros: [NoMercy2] [Members]
  Scanner results: XM/Team.A virus
  Heur results: MACRO virus
  Target flags: CLEANABLE CLEAN-1
  Other:  (0.9883:0.0093[VI@----])

  1 - skip 2 - cure 3 - rename 4 - delete 5 - advanced 6 - simple
  1
  c:/infected/VS016095.DOC
  Scanned target: MS Excel (BIFF8)
  Macros: [VBA5 (Excel)]
  Target flags:
  Other:  (0.0000:0.0000[-------])

  c:/infected/VS016095.DOC
  Scanned target: VBA5 (Excel)
  Macros: [NoMercy2] [Members]
  Heur results: MACRO virus
  Target flags: CLEANABLE CUSTOMIZED
  Other:  (0.0000:0.0000[-------])

  1 - skip 2 - cure 3 - rename 4 - delete 5 - advanced 6 - simple
 -----------------------------------------------------------------

Did you understand? Do not worry! Inside it is more complicated than it
seems ...


8. WHAT CAN BE DONE FROM PROMPT MODE

The bottom line in prompt mode is:

   1 - skip 2 - cure 3 - rename 4 - delete 5 - advanced 6 - simple 
  

HMVS waits for a user input.

Press the '1' key if you do not want to perform any action on the file.

If you want to cure this file (or rather, the currently scanned target),
press the '2' key.

See the '-convert' command to learn what happens if there is user
customization.

*ALL* macros/modules, no matter whether they are viral or not, will be
removed from the file. We call this process 'global cleaning'.

This is the safest way to remove a virus from the file; however, it is
not suitable if the file contains a user macro. In this case it would be
better to switch to advanced mode (for experienced users) or to produce
the source of the user macro before cleaning.

Press the '3' key if you want to rename the file. The file extension will
be renamed from ??? to V?? (for instance, file MYFILE.XLS will be renamed
to MYFILE.VLS).

You can delete the file by pressing the '4' key (not recommended).

Experienced users can switch to advanced mode by pressing the '5' key.
(Actions which can be performed in advanced mode are described in another
part of the user manual.)

Press '6' if you want to switch  to 'simple' mode. You will not be prompted
anymore during the rest of scanning.


9. ADVANCED MODE (EXPERIENCED USERS)

This mode was designed for experienced  users, however, it can be used even
by beginners because HMVS navigates you through the whole process.

Only in this mode is it possible:

- to clean only selected macros/modules
- to decrypt selected encrypted macros (MS Word 6.0-7.0 only)
- to produce source code for selected macros
- to display name and description of macros
- to detect and display password if file is password protected

Note: We recommend  that you log all actions performed  in advanced mode to
      keep track  of what has been  done (and not to  forget, for instance,
      displayed password for later use)

Most of the features of HMVS' advanced mode are illustrated in the
following example.

  Example: the example of advanced mode features (logged)
   c:/infected/WMPWD-A.DOC (0.9936:0.0066[VI@----]) - WM/Pwd.A virus  
   [c:/infected/WMPWD-A.DOC] (filename) Remove file? [Y|N|S] - NO     
   [c:/infected/WMPWD-A.DOC] (filename) Rename file? [Y|N|S] - NO     
   c:/infected/WMPWD-A.DOC                                            
   Scanned target: MS Word 6.0                                        
   Macros: <Autoclose>                                                
   Scanner results: WM/Pwd.A virus                                    
   Heur results: CRYPT.MACRO virus                                    
   Target flags: CONVERTABLE CLEAN-1 PASSWORD                         
   Other:  (0.9936:0.0066[VI@----])                                   
   [MS Word 6.0] (target) Revert to document? [Y|N|S] - NO            
   [MS Word 6.0] (target) Decrypt? [Y|N|S] - YES                      
   [Autoclose] () Clean macro? [Y|N|S] - NO                           
   [Autoclose] () Decrypt? [Y|N|S] - NO                               
   [Autoclose] () Produce source? [Y|N|S] - YES                       
   Performing second pass on file c:/infected/WMPWD-A.DOC             
   Password: 'password'                                               
   c:/infected/WMPWD-A.DOC - second pass ok                           
   File c:/infected/WMPWD-A.DOC will be rescanned                     
                                                                      
   c:/infected/WMPWD-A.DOC (0.9936:0.0066[VI@----]) - WM/Pwd.A virus  
   [c:/infected/WMPWD-A.DOC] (filename) Remove file? [Y|N|S] - NO     
   [c:/infected/WMPWD-A.DOC] (filename) Rename file? [Y|N|S] - NO     
   c:/infected/WMPWD-A.DOC                                            
   Scanned target: MS Word 6.0                                        
   Macros: <Autoclose>                                                
   Scanner results: WM/Pwd.A virus                                    
   Heur results: CRYPT.MACRO virus                                    
   Target flags: CONVERTABLE CLEAN-1 PASSWORD                         
   Other:  (0.9936:0.0066[VI@----])                                   
   [MS Word 6.0] (target) Revert to document? [Y|N|S] - NO            
   [MS Word 6.0] (target) Decrypt? [Y|N|S] - NO                       
   [Autoclose] () Clean macro? [Y|N|S] - NO                           
   [Autoclose] () Decrypt? [Y|N|S] - NO                               
   [Autoclose] () Produce source? [Y|N|S] - NO                        
  

   Note: [Y|N|S] in example means 'Y' (Yes) or 'N' (No) or 'S' (Skip)

Short comments to the previous example:

HMVS detected that the file was infected by a known virus. It offered
renaming or removing, but the user declined both.

Then HMVS displayed the target flags. It was obvious that the file was
password protected, that the file could be reverted from template back to
document, and that global cleaning as well as deletion of individual (user
selected) macros was possible.

HMVS asked whether the user wanted to revert template back to document.

Note: If the user answered 'Y' (Yes), *ALL* macros would be removed from
      the file and the template would be converted to a document. All this
      would be performed in one step. So be careful what you answer !

The user did not want to revert the template back to a document.

Then the user was asked whether he wanted to decrypt the given target (in
this case the MS Word 6.0 document, not a macro !), that is, whether he
wanted to remove password protection from the file. The user answered yes.
(The password was not removed from the file because this feature was not
supported yet.)

In the next three steps the user was asked whether he wanted to clean or
decrypt the only encrypted macro in the file (Autoclose), or whether he
wanted to produce source code for this macro. The user only wanted to
produce source code.

Note: If the user had cleaned the macro first, he would not have been
      asked whether he wanted to decrypt the macro or to produce source.
      Once a macro is cleaned, it is no longer possible to do anything
      with it. Again, be careful what you answer !

Because there were no more macros, HMVS finished the first pass and
displayed the password of the password protected file.

After the first pass is completed, HMVS continues with further passes until
the user either removes all macros from all objects in the file or
interrupts the process by pressing the 'S' key.

We think this example sufficiently illustrates the advanced mode
features.

Just try it and enjoy !
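
Added example (not part of HMVS or of the original manual): because the
note above recommends logging advanced-mode sessions, this Python code
parses such a log into scanned targets and answered prompts, and masks the
displayed password before the log is archived or shared. It assumes log
lines look like those in the example above, without frame characters; the
function names are illustrative.

```python
import re

# Abridged lines from the logged session in the manual's example above.
SAMPLE_LOG = """\
[c:/infected/WMPWD-A.DOC] (filename) Remove file? [Y|N|S] - NO
c:/infected/WMPWD-A.DOC
Scanned target: MS Word 6.0
Macros: <Autoclose>
Scanner results: WM/Pwd.A virus
Heur results: CRYPT.MACRO virus
Target flags: CONVERTABLE CLEAN-1 PASSWORD
[MS Word 6.0] (target) Decrypt? [Y|N|S] - YES
[Autoclose] () Clean macro? [Y|N|S] - NO
[Autoclose] () Produce source? [Y|N|S] - YES
Performing second pass on file c:/infected/WMPWD-A.DOC
Password: 'password'
"""

FIELD = re.compile(r"^(Scanned target|Macros|Scanner results|Heur results|Target flags):\s*(.*)$")
PROMPT = re.compile(r"^\[(.+?)\] \((.*?)\) (.+?)\? \[Y\|N\|S\] - (\w+)$")
PASSWORD = re.compile(r"^(\s*Password: ').*('\s*)$")

def parse_session(text):
    """Return (targets, decisions): one dict per 'Scanned target' block and
    one (object, action, answer) tuple per answered prompt."""
    targets, decisions = [], []
    for line in map(str.strip, text.splitlines()):
        if m := FIELD.match(line):
            key, value = m.groups()
            if key == "Scanned target":
                targets.append({"Scanned target": value})  # starts a new block
            elif targets:
                if key == "Macros":      # names appear as [Name] or <Name>
                    value = re.findall(r"[\[<]([^\]>]+)[\]>]", value)
                elif key == "Target flags":
                    value = value.split()
                targets[-1][key] = value
        elif m := PROMPT.match(line):
            obj, _kind, action, answer = m.groups()
            decisions.append((obj, action, answer))
    return targets, decisions

def redact_passwords(text):
    """Mask recovered passwords so the log can be archived or shared."""
    return "\n".join(PASSWORD.sub(r"\1***\2", l) for l in text.splitlines())
```

Filtering the decisions for the answer YES gives a short audit trail of
what was actually done to each file during the session.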


10. INSPECTING SUSPECTED FILES

If HMVS finds a known or unknown virus using heuristics or neural network
technology, it will give you an opportunity to inspect suspected files by
producing source code of their macros/modules (see the list of HMVS'
features to find out which decompilers and dissectors are currently
supported and for which file types).

You can also extract the source code of your own macros before global
cleaning to prevent loss of user macros.

From the prompt mode it is possible to check whether a file contains
macros/modules or not. However, some files (for instance Word 8.0 files)
always contain at least one object (ThisDocument) which may contain viral
code.

Inspecting suspected or unknown files is an effective way to prevent virus
infection. An experienced user can check the code inside a macro/module
and, in case of viral infiltration, remove the infected macros.

However, this requires the user to be familiar with macro viruses and to
have some knowledge of or experience with Word Basic, Visual Basic for
Applications (VBA) etc.

If you are able to inspect source code and to decide what macros/modules
must be removed, you have macro viruses under your control.

HMVS gives you all you need - macro decompilers/dissectors for producing
source code and advanced mode to perform the required actions.

It depends only on you how much of the HMVS power you will utilise.

(see the '-source' command line parameter and related topics)


11. FEATURES THAT ARE NO MORE SUPPORTED IN HMVS 3.00+

Because of the new concept in HMVS 3.00+ we decided not to support the
following features which were available in HMVS 2.60:

- HMVS does not display heuristic flags anymore (the former /FLG switch is
  not supported)

- HMVS cannot be forced to decrypt encrypted MS Word 6.0-7.0 macros from
  the command line (the former /EXT switch is not supported). This can be
  done only in advanced mode.

- it is not possible to force HMVS to clean files from the command line
  anymore. Macro/module cleaning is possible *ONLY* in prompt or advanced
  mode now.

- some command line switches are no longer supported. See the list of
  command line parameters available in the current version.

If you miss these features you should keep the old HMVS 2.60 on your
hard disk.


12. USING LANGUAGE PLUGINS

HMVS ver. 3.10 supports language plugins. The default language file is
DEFAULT.LNG and by default it contains all needed strings in English.
Even if you delete this file, HMVS will use English.

However, if you want to use a different language which is on the list of
supported languages, just replace the file DEFAULT.LNG with one of the
*.LNG files from the \LANGUAGE directory.

If, for instance, you want to use Italian, replace the file DEFAULT.LNG
with the file ITALIAN.LNG from the \LANGUAGE directory. From then on HMVS
will speak Italian until you delete the file DEFAULT.LNG or replace it
with another language plugin.


13. KNOWN PROBLEMS AND SOLUTIONS


A. Problems with long file names under Windows NT 4.0 and above

   HMVS is not able to work with long file names (LFN) under MS Windows NT
   4.0 and above. The command line must not contain LFN (both directories
   and files should have short names) in order to work properly with HMVS.

   However, scanning a single file or single directory with LFN is possible
   even under Windows NT 4.0 and above. All you need to do is use their
   short name equivalents.

   For instance, if you want to scan the single directory "c:\My Documents"
   and all its subdirectories, you cannot use

                      HMVS "c:\My Documents"

   but you have to use

                      HMVS C:\MYDOCU~1
                  or
                      HMVS C:\MYDOCU~1\

   where C:\MYDOCU~1 is the short name for the "c:\My Documents" directory.

   In a similar way, use
                      HMVS C:\MYDOCU~1\VERYLO~1.DOC

   if you want to scan the single file

                      "c:\My Documents\Very Long File Name.doc"

   The easiest way to solve problems with LFN is to use a commander which
   uses short names (for instance Volkov Commander or similar) or a
   commander which can be forced to use short file names (like our
   favourite, Far Commander).

B. Problems with long file names under Windows 95/98

   HMVS fully supports long file names under Windows 95/98, but problems
   can occur if the wrong syntax is used.

   The following examples show possible problems which could occur while
   scanning files or directories with LFN, and how to solve them.

   Example 1: scanning  a single  directory, the  directory name  contains
              spaces

   HMVS c:\My Documents              (wrong syntax - will not work)
   HMVS "c:\My Documents\"           (wrong syntax - will not work)
   HMVS "c:\My Documents"            this is the right syntax

   Example 2: scanning a single  directory, the directory  name is a  long
              file name

   HMVS c:\VeryLongDirectory         this is correct
   HMVS c:\VeryLongDirectory\        this is correct
   HMVS "c:\VeryLongDirectory"       this is correct
   HMVS "c:\VeryLongDirectory\"      (wrong syntax - will not work)

   Example 3: scanning a single file, the file name is a long name or
              contains spaces

   HMVS c:\Danger\Do Not Run.doc         (wrong syntax - will not work)
   HMVS "c:\Danger\Do Not Run.doc"       this is correct

   HMVS c:\Danger\DoNotRunPlease.doc     this is correct
   HMVS "c:\Danger\DoNotRunPlease.doc"   this is correct

   Note: If scanned  directory or file contains spaces  you have to enclose
         whole pathname with quotes !

C. Problems with the individual Excel 5.0-7.0 modules cleaning

   If you choose (in advanced mode)  deletion of selected modules, the code
   from selected  modules will be  removed but references  to these deleted
   modules will remain untouched in the file.

   In other words, names of modules and names of macros they contain remain
   in the file but there is no code in them.

   So  use the  deletion of  selected modules  in case  of MS Excel 5.0-7.0
   files only if it is really necessary.

   If the file does not contain modules  you really need, it will be better
   to perform global cleaning.

D. Scanning multiple drives

   Some examples:

   - to scan drives C and D use

         HMVS C: D:
      or
         HMVS C:\ D:\

   - to scan files in three different directories use

         HMVS C:\DIR1\ C:\DIR2\ D:\DIR3\


If  you find  any bugs  or if  you have  any suggestions  for further HMVS'
improvements - feel free to send us an e-mail.

