CLEAN-UP Version 7.

6V80
Copyright (C) 1990, 1991 by McAfee Associates.
All rights reserved.
Documentation by Aryeh Goretsky.

McAfee Associates
4423 Cheeney Street
Santa Clara, CA 95054-0253
U.S.A

(408) 988-3832 office

(408) 970-9727 fax
(408) 988-4004 BBS 2400 bps
(408) 988-5138 BBS HST 9600
(408) 988-5190 BBS v32 9600
Internet: mcafee@netcom.com

TABLE OF CONTENTS:

SYNOPSIS . . . . . . . . . . . . . . . . . . . . . . . . . . .2
- What CLEAN-UP is, system requirements
AUTHENTICITY . . . . . . . . . . . . . . . . . . . . . . . . .2
- Verifying the integrity of CLEAN-UP
WHAT'S NEW . . . . . . . . . . . . . . . . . . . . . . . . . .3
- Features, new viruses added in this release
OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . .3
- Detailed description of CLEAN-UP
OPERATION. . . . . . . . . . . . . . . . . . . . . . . . . . .4
- How to use CLEAN-UP
EXAMPLES . . . . . . . . . . . . . . . . . . . . . . . . . . .6
- Samples of frequently-used options
REGISTRATION . . . . . . . . . . . . . . . . . . . . . . . . .6
- How to register CLEAN-UP
TECH SUPPORT . . . . . . . . . . . . . . . . . . . . . . . . .7
- Information you should have ready when calling

Page 1

CLEAN-UP Version 7.6V80

Page 2

SYNOPSIS
CLEAN-UP (CLEAN) is a virus disinfection program for IBM PC
and compatible computers. CLEAN-UP will search though the
partition table, boot sector, or files of a PC and remove a virus
specified by the user. In most instances CLEAN-UP is able to repair
the infected area of the system and restore it to normal usage.
CLEAN-UP works on all viruses identified by the current version of
the VIRUSCAN (SCAN) program.
CLEAN-UP runs on any PC with 256Kb and DOS 2.00 or above.
AUTHENTICITY
CLEAN-UP runs a self-test when executed. If CLEAN has been
modified in any way, a warning will be displayed. The program will
still continue to remove viruses, though. If CLEAN reports that
it has been damaged, is recommended that a new, clean copy be
obtained.
CLEAN-UP is packaged with the VALIDATE program to ensure the
integrity of the CLEAN.EXE file. The VALIDATE.DOC instructions
tell how to use the VALIDATE program. The VALIDATE program
distributed with CLEAN-UP may be used to check all further versions
of CLEAN.
The validation results for Version 80 should be:
FILE NAME:
SIZE:
DATE:
FILE AUTHENTICATION
Check Method 1:
Check Method 2:

CLEAN.EXE
119,999
06-24-1991
F8AE
05DD

If your copy of CLEAN.EXE differs, it may have been modified.

Always obtain your copy of CLEAN-UP from a known source. The
latest version of CLEAN-UP and validation data for SCAN.EXE can be
obtained off of McAfee Associates' bulletin board system at (408)
988-4004.
Beginning with Version 72, all McAfee Associates programs for
download are archived with PKWare's PKZIP Authentic File
Verification. If you do not see the "-AV" message after every file
is unzipped and receive the message "Authentic Files Verified!
# NWN405 Zip Source: McAFEE ASSOCIATES" when you unzip the files
then do not run them. If your version of PKUNZIP does not have
verification ability, then this message may not be displayed.
Please contact McAfee Associates if your .ZIP file has been
tampered with.

CLEAN-UP Version 7.6V80

Page 3

WHAT'S NEW
The Empire, Form, Loa Duong, Michaelangelo, Nomenclature,
Tequila and V-801 viruses have been added to the list of viruses
that can be successfully removed.
The /REPORT option now displays version number, options used,
date and time, and cleaning results.
The Loa Duong virus is a memory-resident floppy disk and hard
disk boot sector infector. It is named after a Laotian funeral
dirge that it plays after every 128 disk accesses.
The Michelangelo is a floppy disk boot sector and hard disk
partition table infector based on the Stoned virus. On March 6,
Michelangelo's birthdate, it formats the hard disk of infected
PC's.
The Tequila virus was sent to us from the United Kingdom but
originates in Switzerland. It is a memory-resident multipartite
virus uses stealth techniques and attaches to the boot sector of
floppies, partition table of hard disks, and .EXE files. It
contains messages saying "Welcome to T.TEQUILA's latest
production.", "Loving thoughts to L.I.N.D.A", and "BEER and TEQUILA
forever !"
The V801, Form, Empire and Nomenclature viruses are older
viruses that have been reported with increasing regularity in
Canada and England, respectively.
Please refer to the enclosed VIRLIST.TXT file for a short
description of the new viruses. For a more complete description,
please refer to Patricia Hoffman's VSUM listing.
OVERVIEW
CLEAN-UP searches the system looking for the virus you wish
to remove. When an infected file is found, CLEAN-UP isolates and
removes the virus, and in most cases, repairs the infected file and
restores it to normal operation. If the file is infected with a
less common virus, CLEAN-UP will then display a warning message and
prompt the user, asking whether to overwrite and delete the
infected file. Files erased in such a manner are non-recoverable.
Verify the suspect virus infection with the VIRUSCAN program
before running CLEAN-UP. VIRUSCAN will locate and identify the
virus and provide the I.D. code needed to remove it. The I.D. is
displayed inside the square brackets, "[" and "]." For example,
the I.D. code for the Jerusalem virus is displayed as
"[Jeru]". This I.D. must be used with CLEAN-UP to remove the
virus. The square brackets "[" and "]" MUST be included.

CLEAN-UP Version 7.6V80

Page 4

The common viruses that CLEAN-UP is able to remove

successfully and repair and restore the damaged programs are:
555
651
170x*
4096*+
Alameda
Ashar*
Black Monday+
Bloody!
Disk Killer*
EDV*
Filler
Fish+
Ghost
Invader*+
KeyPress*+
Korea*
Lisbon*
Loa Duong
Murphy*+
Music Bug
Pakistani Brain*PayDay+
Print Screen-2* RPKS
Striker
SunDay+
Taiwan 4+
Typo Boot
VACSINA*+
Vienna*
Yankee Doodle*+ ZeroBug

1260
Air Cop*
Azusa
Dark Avenger*+
Empire*
Flip*+
Jerusalem*+
Lazy
Mardi Brothers
New Jerusalem+
Ping Pong*
Slow+
Suriv03+
V800
Violator*

15xx*+
Alabama+
Beeper
DataLock+
Fellowship+
Form
Joshi
Liberty+
Michelangelo
Nomenclature
Plastique*+
Stoned*
Taiwan 3+
V-801
Whale*+

*Denotes virus with more than one strain

+Denotes virus which attaches to overlays
AN IMPORTANT NOTE ABOUT .EXE FILES: Some viruses which infect .EXE
files can not be removed successfully in all cases. This usually
occurs when the .EXE file loads internal overlays. Instead of
attaching to the end of the .EXE file, the virus may attach to the
beginning of the overlay area, and program instructions are
overwritten. CLEAN-UP will truncate files infected in this manner.
If a file no longer runs after being cleaned, replace it from the
manufacturer's original disk.
AN IMPORTANT NOTE ABOUT THE STONED VIRUS: Removing the Stoned
virus can cause loss of the partition table on systems with
non-standard formatted hard disks. As a precaution, backup all
critical data before running CLEAN-UP. Loss of the partition table
can result in the LOSS OF ALL DATA ON THE DISK.
OPERATION:
IMPORTANT NOTE: POWER DOWN YOUR SYSTEM AND BOOT FROM A CLEAN
SYSTEM DISK BEFORE BEGINNING. RUN THE CLEAN-UP PROGRAM FROM A
WRITE-PROTECTED DISK TO PREVENT INFECTION OF THE PROGRAM.
Power down the infected system and boot from a clean,
write-protected system diskette. This step will insure that the
virus is not in control of the computer and will prevent
reinfection. After cleaning, power down the system again, reboot
from the system disk, and run the VIRUSCAN program to make sure the
system has been succesfully disinfected. After cleaning the hard

disk, run the VIRUSCAN program on any floppies that may have been
inserted into the infected system to determine if they have been
infected.
CLEAN-UP will display the name of the infected file, the virus
found in it, and report a "successful" disinfection when the virus
is removed. If a file has been infected multiple times by a virus
(possible if the virus does not check to see if it has already
attached to a file) than CLEAN-UP will report that the virus has
been removed successfully for each infection.

CLEAN-UP Version 7.6V80

Page 5

To run CLEAN-UP type:

CLEAN d1: ... d10: [virus ID] /A /E .xxx /FR /MANY /M
/REPORT d:filename /NOPAUSE
Options are:
/A
/E .xxx .yyy .zzz
/FR
/MANY
/NOPAUSE
/REPORT d:filename

Examine all files for viruses

Clean overlay extensions .xxx .yyy .zzz
Display messages in French
Check and disinfect multiple floppies
Disable screen prompting
Create report of cleaned files

d1: ... d10: - indicate drives to be cleaned

[virus ID] - Virus identification code - provided by the
VIRUSCAN program when it detects a virus.
For a complete list of codes, see the
accompanying VIRLIST.TXT file
The /A option will cause CLEAN to go through all files on
diskette. This should be used if an overlay-infecting virus is
detected.
The /E option allows the user to specify an extension or set
of extensions to clean. Extensions must be separated by a space
after the /E and between each other. Up to three extensions may
be added with the /E. For more extensions, use the /A option.
The /FR option tells CLEAN-UP to display all messages in
French instead of English.
The /MANY option is used to clean multiple floppy diskettes.
If the user has more than one floppy disk to check for viruses, the
/MANY option will allows the user to check them without having to
run CLEAN multiple times.
The /NOPAUSE option disables the "More..." prompt that appears
when CLEAN fills a screen with data. This allows CLEAN-UP to run
on a machine with multiple infections without requiring operator
intervention when the screen fills up with messages from the CLEAN
program.
The /REPORT option is used to generate a listing of
disinfected files. The resulting list can be saved to disk as an
ASCII text file. To use the report option, specify /REPORT on the
command line, followed by the device and filename.

CLEAN-UP Version 7.6V80

Page 6

EXAMPLES
The following examples are shown as they would be typed in on
the command line.
CLEAN C: D: E: [JERU] /A
To disinfect drives C:, D:, and E: of the Jerusalem
virus, searching all files for the virus in the process
CLEAN A: [STONED]
To disinfect floppy in drive A: of the Stoned virus
CLEAN C:\MORGAN [DAV] /A
To disinfect subdirectory MORGAN on drive C: of the Dark
Avenger, searching all files for the virus in the process
CLEAN B: [DOODLE] /REPORT C:YNKINFCT.TXT
To disinfect floppy in drive B: of the Yankee Doodle
virus, searching all files in the process, and creating
a report of disinfected files named YNKINFCT.TXT on drive
C:
REGISTRATION
A registration fee of $35.00US is required for the use of
VIRUSCAN by individual home users. Registration is for one year
and entitles the holder to unlimited free upgrades off of McAfee
Associates BBS. When registering, a diskette containing the latest
version may be requested. Add $9.00US for diskette mailings. Only
one diskette mailing will be made.
Registration is for home users only and does not apply to
businesses, corporations, organizations, government agencies, or
schools, who must obtain a license for use. Contact McAfee
Associates for more information.
Outside of the United States, registration and support may be
obtained from the Agents listed in the accompanying AGENTS.TXT
file.

CLEAN-UP Version 7.6V80

Page 7

TECH SUPPORT
In order to facilitate speedy and accurate support, please
have the following information ready when you contact McAfee
Associates:
-

Program name and version number.

Type and brand of computer, hard disk, plus any

peripherals.

Version of DOS you are running, plus any TSRs or device

drivers in use.

Printouts of your AUTOEXEC.BAT and CONFIG.SYS files.

The exact problem you are having. Please be specific as

possible. Having a print out of the screen and/or being
at your computer will help also.

McAfee Associates can be contacted by BBS or fax twenty-four hours

a day, or call our business office at (408) 988-3832, Monday
through Friday, 8:30AM to 6:00PM Pacific Standard Time.
McAfee Associates
4423 Cheeney Street
Santa Clara, CA 95054
U.S.A

(408) 988-3832 office

(408) 970-9727 fax
(408) 988-4004 BBS 2400 bps
(408) 988-5138 BBS HST 9600
(408) 988-5190 BBS v32 9600
Internet: mcafee@netcom.com