
             Doctor Web for Windows 95/98/Me/NT/2000/XP
  (Dr.Web for Windows 95-XP, without graphical interface, or DrWebWCL)

                         Version 4.29
              Copyright (c) 1992-2002, Igor Daniloff

     Anti-virus laboratory of Igor Daniloff, DialogueScience, Inc.


This program is a member of the 32-bit family of Doctor Web antivirus
scanners (or, briefly, DrWeb). This family, DrWeb32, includes programs
for Windows 95/98/Me/NT/2000/XP, DOS/386, OS/2, Novell NetWare, Linux,
FreeBSD, and Solaris (Intel).

The program is designed for 32-bit Windows (i.e. Windows 95/98/Me,
Windows NT 4.0, Windows 2000, and Windows XP).


INSTALLATION NOTES

There is no install shield in this distribution package of DrWebWCL. To
install the program, create a folder (directory), say, DRWEB32, and unzip
DRWEBWCL.ZIP into it. Create a shortcut to DRWEBWCL.EXE and run it.

Note that all DrWeb32 programs are installed in the same directory. The
distribution packages of all family members include two common files,
DRWEB32.DLL (DrWeb32's engine) and DRWEBASE.VDB (main virus database).
All new virus base add-ons should also be placed in the same directory.

The configuration file DRWEB32.INI is also common to all family members and
can be placed in the same directory (for instance, DRWEB32). However, each
product uses its own section in the INI-file, except for DrWeb32W and
DrWebWCL that share the same section.

Log files are created in the same directory, separately for each product,
and are given, by default, the filename <program>.LOG.

Additionally, the DrWeb32 distribution kit may include language resource files
named <language>.DWL (for instance, RUSSIAN.DWL, GERMAN.DWL, etc.) that
contain program messages written in the respective language. The language
resource files are common to all programs of the DrWeb32 family.

In the program with graphical interface (DrWeb32W), language can be changed
from a special menu in the main window. Or, in any version, language can be
changed by the /LNG command line option.


DOCTOR WEB FOR WINDOWS 95-XP

This version offers two variants, graphical (DrWeb32W) and command
line (DrWebWCL). Both programs support the same command line options given
below. However, DrWeb32W can be configured via dialog panels, which is
usually more convenient. On the other hand, DrWebWCL requires less system
resources.

Both programs use the same configuration file and the same option group in
it. You can use either variant, whichever is more convenient at a given
time.

Dr.Web for Windows 95-XP can work with ADinf32 and ADinf for DOS, but
would refuse to communicate with 16-bit ADinf for Windows.

This distribution package includes only the command line variant, DrWebWCL.


REGISTRATION KEYS FOR THE DRWEB32 FAMILY

For the DrWeb32 programs, there is an important file, a registration user key.
Without a registration key, all DrWeb32 members offer a limited functionality
only, as described below:

- at each startup, the evaluation version displays a warning (saying that
  it's an evaluation version);
- archives aren't checked;
- e-mail message files aren't checked;
- packed executable files aren't checked;
- heuristic analyzer is disabled;
- infected and suspicious files cannot be cured, deleted, removed or renamed.
 
Without a registration key, the DrWeb32 family members may be redistributed
without any restriction.
 
To enable an enhanced preview of Doctor Web features, DialogueScience freely
distributes a special evaluation registration key, the DRWEVAL.KEY file,
that removes some of the restrictions mentioned above. However, this key only
works with the one version of DrWeb (that is attached to the key). With
the evaluation key, DrWeb32 will have the following restrictions:
 
- at each startup, the evaluation version displays a warning (saying that
  it's an evaluation version);
- archives aren't checked;
- e-mail message files aren't checked;
- infected files cannot be cured.

In some cases DialogueScience and its dealers can also distribute other
evaluation registration keys, with other sets of restrictions.

To use all features of DrWeb32, a user must purchase a commercial
registration key. This key, as well as an evaluation key, is a special
file generated by UserKey. When placed in the DrWeb32 home directory,
the key enables the full-featured commercial operation of DrWeb32. The key
contains a user name, duration and some other information, and is protected
against fraud with a digital signature.

If you tried an evaluation copy of DrWeb32 and have received a commercial
registration key, please copy it to the DrWeb32 directory.


COMMAND LINE OPTIONS

To start Doctor Web, use the following command line:

        <program> [disk:][path] [options]

where
program - executable module name (DrWebWCL);
disk:   - logical drive of a hard disk, floppy drive, network drive, CD-ROM,
          or * (all local logical drives);
path    - location of files to be checked; it may contain path to the
          directory on local/network drive (or network directory) and,
          optionally, filename (or filename mask).

The command line may contain several [disk:][path] parameters delimited with
blanks. In this case, the program will sequentially scan the specified objects.

Command line options (delimited with blanks)

/@[+]<file> - check objects listed in <file>.
      Each object must be identified on a separate line containing
      a full pathname (to check file) or the "?boot" keyword (to check
      boot sectors). The list file can be created with any text editor.
      When scan is completed, Doctor Web deletes the list file, unless
      "+" is included in the option.
      A list file can also be generated by ADinf. In this case, the
      integrity checker will include in the file modified objects only.
      Then, this list can be used by Doctor Web to limit the scan scope,
      which can substantially reduce overall scan time. If ADinf32 is
      configured to launch Doctor Web, the integrity checker inserts 
      the /@ option in the command line and starts the scanner
      automatically (see ADinf32 Manual for details);
/AL - scans all files on a given drive or directory;
/AR[N] - scans all files inside archives created by ARJ, CAB, GZIP, TAR, RAR,
      ZIP without curing. The N option suppresses the name of the archive
      utility after the name of the archived file;
/CU[RDM][P] - cures infected files and disk system areas. Use the optional
      parameters to specify how infected files should be treated:
      R - rename (by default, the extension's first character is changed to
      "#"), D - delete, M - move (by default, to the INFECTED.!!! directory);
      P - prompt before action;
/SP[RDM][P] - specifies how to treat suspicious files: R - rename, D - delete,
      M - move; P - prompt before action;
/IC[RDM][P] - specifies how to treat incurable files: R - rename, D - delete,
      M - move; P - prompt before action;
/DA - runs Dr.Web only once in a day. For this option, the configuration file,
      (INI-file) containing the date of the next scanning session must be
      present;
/EX - scans files that have extensions associated with executable modules
      and MS Office documents (COM, EXE, SYS, BAT, CMD, DRV, BIN, DLL, OV?,
      BOO, PRG, VXD, 386, SCR, FON, DO?, XL?, WIZ, RTF, CL*, HT*, VBS, JS*,
      INF, A??, ZIP, R??, PP?, HLP, OBJ, LIB, MD?, INI, MBR, IMG, CSC, CPL,
      MBP, SH, SHB, SHS, SHT*, MSG, CHM, XML, PRC, ASP, LSP, MSO, OBD, THE*,
      EML, NWS, TBB);
/FM - scans files (regardless of the extension) whose internal format is
      that of an executable module or MS Office document with macros (such
      as MS Word or Excel files);
/GO - goes without asking you what to do next (in such situations as not
      enough disk space for unpack operation, invalid parameters in the
      command line, DrWeb infected by unknown virus, etc.). This option
      might be useful, say, for automatic check of incoming e-mail;
/HA - enables the heuristic analyzer that can detect unknown viruses;
/INI:<path> - uses an alternative configuration file (INI-file);
/NI - ignores the settings in the configuration file (DRWEB32.INI);
/LNG[:<path>] - uses an alternative language file (DWL-file), or built-in
      (English) language;
/ML - checks files of e-mail format (UUENCODE, XXENCODE, BINHEX and MIME);
/NS - runs non-stop (no interruption by pressing ESC);
/OK - writes a full list of scanned objects and displays "OK" next to clean
      objects;
/PF - displays the "Scan another diskette?" prompt after checking a floppy
      disk;
/PR - prompts to confirm an action on an infected or suspicious file;
/RP[+]<file> - writes the scan results to a file (by default,
      <program>.LOG), <file> is the full pathname of a report file. If the
      plus sign is included, the recent report will be appended to the
      report file; otherwise the report file will be overwritten;
/NR - does not create report file;
/SD - scans subdirectories;
/SO - plays sounds;
/SS - saves current settings when the program terminates;
/TB - scans boot sectors and master boot record;
/TM - scans memory for viruses (including Windows system memory);
/UP[N] - checks executable files packed by ASPACK, COMPACK, DIET, EXEPACK,
      LZEXE, OPTLINK, PECOMPACT, PEPACK, PGMPAK, PKLITE, WWPACK, WWPACK32,
      UCEXE, UPX; files converted by BJFNT, COM2EXE, CONVERT, CRYPTCOM,
      CRYPTEXE, PECRYPT, PESHIELD, PROTECT, TINYPROG; and files immunized by
      CPAV, F-XLOCK, PGPROT, VACCINE. 
      N - suppresses the compression utility name after the name of the
      archived file;
/WA - waits after scan is finished if viruses or suspicious objects were found;
/?  - displays help.

If DRWEB32.INI is not present or not used, the default options are:
/AR /FM /HA /ML /PR /SD /TB /TM /UP

Some options can be postfixed with the "-" character. This "negation" form 
disables the respective function or mode. It might be useful if the mode is
enabled by default or via settings in the INI-file.

The negation form can be applied to the following command-line options:
/AR /CU /FN /HA /IC /ML /OK /PF /PR /SD /SO /SP /SS /TB /TM /UP /WA

Note that the negation form of /CU, /IC and /SP cancels all actions enabled
by these options. It means that information about infected and suspicious
objects will appear in the report file only.

/AL, /EX and /FM cannot be used in the negation form. However, any of these
options disables the other two.
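
The following is an added example, not part of the original DrWeb
documentation: a small Python check that applies the negation and /AL, /EX,
/FM rules above to a scanner command line and reports which default checks
it switches off. The function name lint_options and its return values are
assumptions of this example.

```python
# Added example: option names and rules come from the README text above;
# lint_options and its return shape are assumptions of this example.

# Options the README lists as accepting the "-" negation suffix (copied verbatim).
NEGATABLE = set("AR CU FN HA IC ML OK PF PR SD SO SP SS TB TM UP WA".split())
# Scan-scope selectors: no negation form, and each one disables the other two.
SCOPE = {"AL", "EX", "FM"}
# Defaults the README gives for when DRWEB32.INI is not present or not used.
DEFAULTS = set("AR FM HA ML PR SD TB TM UP".split())
# Options that carry a file or path argument; their text is not inspected here.
WITH_ARGUMENT = ("@", "INI:", "LNG", "RP")


def lint_options(cmdline):
    """Return (enabled, disabled_defaults, problems) for one command line."""
    enabled, problems, scope_seen = set(DEFAULTS), [], set()
    for token in cmdline.split():
        if not token.startswith("/"):
            continue  # a [disk:][path] parameter, not an option
        body = token[1:].upper()
        if body.startswith(WITH_ARGUMENT) or body == "?":
            continue
        name, negated = body[:2], body.endswith("-")
        if name in SCOPE:
            if negated:
                problems.append(f"/{name} has no negation form")
                continue
            scope_seen.add(name)
            enabled -= SCOPE
            enabled.add(name)
        elif negated and name not in NEGATABLE:
            problems.append(f"/{name} cannot be negated")
        elif negated:
            enabled.discard(name)
        else:
            enabled.add(name)
    if len(scope_seen) > 1:
        # The README does not say which selector wins, so flag it.
        problems.append("more than one of /AL /EX /FM given")
    return enabled, DEFAULTS - enabled, sorted(problems)
```

Running it over a scheduled-scan command line shows at a glance whether
heuristics (/HA), unpacking (/UP) or memory and boot checks have been
turned off relative to the defaults.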


RETURN CODES

The values of the return code and corresponding events are as follows:

  0 - OK, no virus found
  1 - known virus detected
  2 - modification of known virus detected
  4 - suspicious object found
  8 - known virus detected in archive
 16 - modification of known virus detected in archive
 32 - suspicious file found in archive
 64 - at least one virus successfully cured
128 - at least one infected or suspicious file deleted/renamed/moved

The actual value returned by the program is equal to the sum of codes for
the events that occurred during scanning. Obviously, the sum can be easily
decomposed into separate event codes.

For example, return code 9 = 1 + 8 means that known viruses were detected,
including viruses in archives; curing and other actions were not executed;
no other "virus" events occurred during scanning.
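
The decomposition described above, as an added Python example that is not
part of the original DrWeb documentation. The event texts are the ones in
the table; the function names and the triage labels are assumptions of this
example, chosen for a wrapper script that runs the scanner unattended.

```python
# Added example: decode a DrWebWCL return code into the events listed above.
EVENTS = {
    1: "known virus detected",
    2: "modification of known virus detected",
    4: "suspicious object found",
    8: "known virus detected in archive",
    16: "modification of known virus detected in archive",
    32: "suspicious file found in archive",
    64: "at least one virus successfully cured",
    128: "at least one infected or suspicious file deleted/renamed/moved",
}
ACTION_BITS = 64 | 128   # something was cured, deleted, renamed or moved
KNOWN_BITS = sum(EVENTS)  # 255: every bit the README documents


def decode(code):
    """Return (list of event texts, leftover undocumented bits)."""
    if code < 0:
        raise ValueError("return code must be non-negative")
    events = [text for bit, text in EVENTS.items() if code & bit]
    return events, code & ~KNOWN_BITS


def triage(code):
    """Map a return code to a label (labels are this example's own)."""
    _, unknown = decode(code)
    if unknown:
        return "unrecognised-code"      # not a sum of documented events
    if code == 0:
        return "clean"
    if code & ACTION_BITS:
        # "At least one" object was handled; others may remain untouched.
        return "action-taken-review"
    return "detected-no-action"
```

Because codes 64 and 128 only say that at least one object was handled, a
wrapper should still read the report file before treating the host as clean.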


LIMITATIONS IN THIS VERSION OF PROGRAM

- Virus check in archives is supported only for ARJ, CAB, GZIP, TAR, RAR, ZIP.


======================
Below is Igor Daniloff's PGP public key. Please use it to encode virus
specimens when you wish to e-mail them to us.

Type Bits/KeyID    Date       User ID
pub  1024/1B87196D 1994/05/12 Igor A. Daniloff <ID@DrWeb.Ru>
                              Igor A. Daniloff <id@sald.spb.su>

======================
Please send your comments to:

DialogueScience, Inc.
40 Vavilova St., office 103
Moscow, 117786, RUSSIA

Tel.:     +7 (095) 135-6253, 137-0150
Tel./fax: +7 (095) 938-2970, 938-2855

FidoNet: 2:5020/69

E-mail:   Antivir@dials.ru
WWW:      http://www.dials.ru
FTP:      ftp.dials.ru, ftp2.dials.ru, ftp3.dials.ru

The author of Doctor Web is available by
E-mail: Igor.Daniloff@dials.ru , id@drweb.ru
FidoNet: 2:5020/69.14 , 2:5030/87.57
