("`-''-/").___..--''"`-._
`6_ 6 ) `-. ( ).`-.__.`)
(_Y_.)' ._ ) `._ `. ``-..-'
_..`--'_..-_/ /--'_.' ,'
(il),-'' (li),' ((!.-'
ADMINISTRIVIA
Disclaimer
This document is primarily concerned with defending the integrity of
computing systems and preventing damage caused by viruses or other
malicious and/or other unauthorized software. It attempts to address
many of the issues which are frequently discussed on alt.comp.virus,
but does not claim to represent all shades of opinion among the users of
a.c.v. - in particular, it does not include information which, in my
estimation, is likely to be of more help to those interested in the
spreading of unauthorized and/or malicious software than to those
who wish to be protected from it.
This document is an honest attempt to help individuals with computer
virus-related problems and queries. It can *not* be regarded as being
in any sense authoritative, and has no legal standing. The authors
accept no responsibility for errors or omissions, or for any ill effects
resulting from the use of any information contained in this document.
Not all the views expressed in this document are mine, and those views
which *are* mine are not necessarily shared by my employer.
David Harley
Copyright Notice
Copyright on all contributions to this FAQ remains with the authors
and all rights are reserved. It may, however, be freely distributed
and quoted - accurately, and with due credit.
It may not be reproduced for profit or distributed in part or as
a whole with any product for which a charge is made, except with
the prior permission of the copyright holders. To obtain such permission,
please contact the maintainer of the FAQ.
Availability
The latest version of this document is available from:
(1) ftp://ftp.icnet.uk/icrf-public/acv.FAQ
(2) harley@icrf.icnet.uk
Subject: request a.c.v. FAQ
Message: Optional, but unlikely to be read!
This request format will get you the FAQ in four parts. It will
shortly also be available archived for Mac or PC, mailed in MIME
format or uuencoded. (Watch this space)
A number of individuals and sites have agreed to make it available
via anonymous FTP and/or WWW. There'll be an update on this in due
course, but these include:
FTP://ftp.gate.net/pub/users/ris1/acvfaq.zip
http://www.drsolomon.com/
http://www.innet.net/~ewillems/
http://www.agora.stm.it/N.Ferri/infos.htm
It is also available on AOL:
America Online: Virus Information Center (Keyword VIRUS)
----------------------------------------------------------------------
PREFACE
(i) What is the FAQ, and who is it for?
-----------------------------------
This FAQ is intended to make available answers to questions which
are repeatedly asked on alt.comp.virus, and tries to gather the most
useful information regarding this group and the issues discussed here
into a relatively short document. The hope is to produce (eventually)
an easily-digested document for newcomers, as a means of saving those
who regularly reply to posted questions having to re-invent the wheel
each time.
I recommend that you read this FAQ in conjunction with the comp.virus
(VIRUS-L) FAQ, which gives more detailed information regarding some
issues which are, inevitably, covered in both FAQs.
The VIRUS-L/comp.virus FAQ is regularly posted to the comp.virus
newsgroup. The latest version should be available as:
ftp://cert.org/pub/virus-l/FAQ.virus-l
You can get the Mk. 2 version at
ftp://ftp.datafellows.com/pub/misc/anti-vir/vlfaq200.zip
ftp://cs.ucr.edu/pub/virus-l/
which is very long and very thorough. This document is subject to
revision, so the file name may change.
(ii) Credits/Acknowledgements
------------------------
The following have contributed text and/or ideas and/or
proofreading/corrections and/or URLs to the a.c.v. FAQ.
Vesselin Bontchev
Bruce Burrell
Graham Cluley
Henri Delger
Edward Fenton
Nicola Ferri
David Harley
R. Wallace Hale
Norman Hirsch
Matthew Holtz
Mikko H. Hypponen
Douglas A. Kaufman
Susan Lesch
Mike Ramey
Perry Rovers
Megan Skinner
Fridrik Skulason
Alan Solomon
Ken Stieers
Hector Ugalde
George Wenzel
Caroline Wilson
Acknowledgement is also due to the work of Ken Van Wyk, former
moderator of VIRUS-L/comp.virus, and the contributors to the
comp.virus FAQ (both versions).
Thanks also to ked@intac.com, who mailed me a copy of the FAQ he
posted to a.c.v. some months before this one was begun, David J. Loundy
for assistance regarding legal issues, and to Nick FitzGerald, the
moderator of comp.virus and maintainer of the Mk. II comp.virus FAQ.
And especially to George Wenzel and Lucky the Cat.
(iii) Guide to posting etiquette
--------------------------
Messages asking for help posted to alt.comp.virus are more likely to
receive a useful response if they conform to accepted standards of
civility. The newsgroup news.announce.newusers includes information
on good newsgroup etiquette, or try
ftp://rtfm.mit.edu/pub/usenet/news.answers
http://www.fau.edu/rinaldi/netiquette.html
However, adhering to the following guidelines would be particularly
helpful:
* Keep your lines short (say 72 characters per line), so that anyone
who follows up doesn't have to reformat quoted text to keep it
readable.
* Don't quote all or most of a message you're following up unless it's
either very short, or necessary in order to address each point made.
In the latter case, please put the point you're answering close to
your answer and try to format it so that it's readable. Remember that
some people have to pay for connection/download time.
* On the other hand, a message which says something like 'I totally
agree' without including enough of the original for us to tell what
you're agreeing with is a waste of bandwidth.
* Keep it polite. It's unlikely that anyone who replies to your
posting is being paid to do so, and it wouldn't excuse bad manners if
they were. Of course, the cut and thrust of debate may be a different
matter altogether....
* Asking for a reply by direct e-mail may be reasonable if you need
an urgent solution or are using a borrowed account. It isn't
reasonable if you simply can't be bothered to check newsgroups.
At least try to think up a good excuse, and be prepared to offer a
summary to the group.
* Check that there isn't already a thread on the subject you're
asking about before posting yet another 'Has anyone heard of the GOOD
TIMES virus?' message. If there is, check it first: the answer to
your question may already be there (if it isn't in this document!).
Please remember that many people have to pay for connect time, and
don't appreciate duplicate postings or uuencoded binaries.
* If you want to follow up a message which doesn't seem particularly
relevant to alt.comp.virus, check the 'Newsgroups:' header: there
have been a lot of responses to spammings recently which have
increased the bandwidth used, often quite unnecessarily.
* Please don't post test messages here unless you really need to:
use one of the newsgroups intended for the purpose: there is probably
one local to your news server - ask your Systems Administrator,
provider or local helpdesk. If you must post to the entire Internet,
use misc.test - if you do, put the word IGNORE in your Subject: field,
or you'll get auto-responder messages in your mail for weeks
afterwards. Look through the postings in news.announce.newusers
for relevant guidelines before you post.
* If you get into an exchange of E-mail, please remember that
not everyone can handle all forms of E-mail attachment (uuencoded,
MIME format etc.) - if it's text, *send* it as text. NB also that
(uu)encoding text makes it longer as well as unreadable, so don't!
(iv) How to ask on the alt.comp.virus newsgroup for help
---------------------------------------------------
The more relevant information you give us, the more we can help you.
It helps to tell us the following:
* What you think the problem is (you might think it's a virus, but
maybe it isn't)
* What the symptoms are. If you ran some software that gave you a
message, tell us which package, version number, and the exact wording
of the message.
* Please be as accurate as possible about the order in which events
happened.
* If just one file is infected, give the filename.
* If you're running more than one anti-virus product, please list
them (including version number), and say what each one said about
the possible virus.
* Which version of which operating system you are running.
* Any other configuration information which you think may have a bearing.
Don't take action, then ask if that was the right action - if it
wasn't, it's too late.
Don't just ask "I've got xyz virus, can anyone help me".
-------------------------------------------------------------------------
Table of Contents
-----> Part 1
------
-----> (1) I have a virus - what do I do?
-----> (2) Minimal glossary
-----> (3) What is a virus (Trojan, Worm)?
-----> (4) How do viruses work?
-----> (5) How do viruses spread?
-----> (6) How can I avoid infection?
-----> (7) How does antivirus software work?
Part 2
------
(8) What's the best anti-virus software
(and where do I get it)?
(9) Where can I get further information?
(10) Does anyone know about
* Mac viruses?
* UNIX viruses?
* macro viruses?
* the AOLGold virus?
* the xyz PC virus?
(11) Is it true that...?
(12) Favourite myths
* DOS file attributes protect executable files from
infection
* I'm safe from viruses because I don't use bulletin
boards/shareware/Public Domain software
* FDISK /MBR fixes boot sector viruses
* Write-protecting suspect floppies stops infection
* The write-protect tab always stops a disk write
* I can infect my system by running DIR on an infected
disk
Part 3
------
(13) What are the legal implications of computer viruses?
Part 4
------
(14) Miscellaneous
Are there anti-virus packages which check zipped files?
What's the genb/genp virus?
Where do I get VCL and an assembler, & what's the password?
Send me a virus.
Is it viruses, virii or what?
Where is alt.comp.virus archived?
What about firewalls?
Viruses on CD-ROM.
Removing viruses.
Can't viruses sometimes be useful?
Do I have a virus, and how do I know?
What should be on a (clean) boot disk?
How do I know I have a clean boot disk?
What other tools might I need?
What are rescue disks?
Are there CMOS viruses?
How do I know I'm FTP-ing 'good' software?
What is 386SPART.PAR?
Can I get a virus to test my antivirus package with?
When I do DIR | MORE I see a couple of files with funny names...
Reasons NOT to use FDISK /MBR
Why do people write/distribute viruses?
Where can I get an anti-virus policy?
Placeholders
-------------------------------------------------------------------------
(1) I have a virus problem - what do I do?
The following guidelines will, one hopes, be of assistance. However,
you may get better use out of them if you read the rest of this
document before acting rashly...
If you think you may have a virus infection, *stay calm*. Once
detected, a virus will rarely cause (further) damage, but a
panic action might. Bear in mind that not every one who thinks s/he
has a virus actually does (and a well-documented, treatable virus
might be preferable to some problems!). Reformatting your hard disk
is almost certainly unnecessary and very probably won't kill the
virus.
If you've been told you have something exotic, consider the
possibility of a false alarm and check with a different package.
If you have a good antivirus package, use it. Better still, use more
than one. If there's a problem with the package, use the publisher's
tech support and/or try an alternative package. If you don't have a
package, get one (see section on sources below). If you're using
Microsoft's package (MSAV) get something less out-of-date.
Follow the guidelines below as far as is practicable and applicable
to your situation.
Try to get expert help *before* you do anything else. If the problem
is in your office rather than at home there may be someone whose job
includes responsibility for dealing with virus incidents.
* Do not attempt to continue to work with an infected system, or let
other people do so.
* Generally, it's considered preferable to switch an infected
system off until a competent person can deal with it: don't allow
other people to use it in the meantime. If possible, close down
applications, Windows etc. properly and allow any caches/buffers
to flush, rather than just hit the power switch.
* If you have the means of checking other office machines for
infection, you should do so and take appropriate steps if an
infection is found.
* If you are unable to check other machines, assume that all
machines are infected and take all possible steps to avoid
spreading infection any further.
* If there are still uninfected systems in the locality, don't use
floppy disks on them [except known clean write-protected DOS boot
floppies]
* Users of infected machines should not *under any circumstances*
trade disks with others until their systems and disks are cleaned.
* If the infected system is connected to a Novell network, Appleshare
etc., it should be logged off all remote machines unless someone
knowledgeable says otherwise. If you're not sure how to do this,
contact whoever is responsible for the administration of the
network. You should in any case ensure that the network administrator
or other responsible and knowledgeable individual is fully aware of
the situation.
* No files should be exchanged between machines by any other means
until it's established that this can be done safely.
* Ensure that all people in your office and anyone else at risk are
aware of the situation.
* Get *all* floppy disks together for checking and check every one.
This includes write-protected floppies and program master disks.
Check all backups too (on tape or file servers as well as on floppy).
(2) Minimal Glossary
[There is room for improvement and expansion here. Contributions
will be gratefully accepted.]
* AV - AntiVirus. Sometimes applied as a shorthand term for
anti-virus researchers/programmers/publishers - may include
those whose work is not AV research, but includes
virus-control. (See also Vx.)
* BSI - Boot Sector Infector (= BSV - Boot Sector Virus)
* BIOS - Basic Input Output System
* CMOS - Memory used to store hardware configuration information
* DBR - DOS Boot Record
* DBS - DOS Boot Sector
* False Positive - When an antivirus program incorrectly reports a
virus in memory or infecting a file. Scanners in
heuristic mode and integrity checkers are, by
definition, somewhat more prone to these.
* False Negative - Essentially, a virus undetected by an antivirus
program.
* In-the-wild - describes viruses known to be spreading
uncontrolled to real-life systems, as opposed to
those which exist only in controlled situations
such as anti-virus research labs. Virus code
which has been published but not actually found
spreading out of control is not usually regarded
as being in-the-wild.
* MBR - Master Boot Record (Partition Sector)
* TSR - A memory-resident DOS program, i.e. one which remains in
memory while other programs are running. A good TSR should
at least detect all known in-the-wild viruses and a good
percentage of other known viruses. Generally, TSRs are not
so good with polymorphic viruses, and should not be relied on
exclusively.
* vx - Those who study, exchange and write viruses, not necessarily
with malicious intentions (So I'm frequently told here...) B-)
* VxD - A Windows program which can run in the background. A scanner
implemented as a VxD has all the advantages of a DOS TSR, but
can have additional advantages: for instance, a good VxD will
scan continuously *and* for all the viruses detected by a
command-line scanner.
* Zoo - suite of viruses used for testing.
See the comp.virus FAQ for fuller definitions of some of these terms and
others which aren't addressed here.
Here are some commonly referred to anti-virus packages, including
acronyms (hence their inclusion in this section). [Suggestions for
expansion are, again, welcomed.]
* AVP - AntiViral Toolkit Pro
* AVTK - Dr. Solomon's AntiVirus ToolKit
* CPAV - Central Point AntiVirus
* The Doctor (Not Dr. Solomon!)
* Disinfectant (Mac)
* DSAVTK - Dr. Solomon's AntiVirus ToolKit
* F-Prot
* FindViru(s) - DSAVTK scanner
* Gatekeeper (Mac)
* Invircible
* MSAV - MicroSoft AntiVirus
* McAfee
* NAV - Norton AntiVirus
* SCAN - ViruScan (McAfee's scanner)
* Sweep - Scanner by Sophos
* TBAV - Thunderbyte AntiVirus
* VET
(3) What is a virus (and what are Trojans and Worms)?
A (computer) virus is a program (a block of executable code) which
attaches itself to, overwrites or otherwise replaces another program
in order to reproduce itself without the knowledge of the PC user.
Most viruses are comparatively harmless, and may be present for
years with no noticeable effect: some, however, may cause random
damage to data files (sometimes insidiously, over a long period)
or attempt to destroy files and disks. Others cause unintended
damage. Even benign viruses (apparently non-destructive viruses)
cause significant damage by occupying disk space and/or main
memory, by using up CPU processing time, and by the time and expense
wasted in detecting and removing them.
A Trojan Horse is a program intended to perform some covert
and usually malicious act which the victim did not expect or want.
It differs from a destructive virus in that it doesn't reproduce,
(though this distinction is by no means universally accepted).
A dropper is a program which installs a virus or Trojan, often
covertly.
A worm is a program which spreads (usually) over network
connections. Unlike a virus, it does not attach itself to a
host program. In practice, worms are not normally associated
with personal computer systems. There is an excellent
and considerably longer definition in the Mk. 2 version of the
Virus-L FAQ.
(The following is a slightly academic diversion)
A lot of bandwidth is spent on precise definitions of some of
the terms above. I have Fridrik Skulason's permission to include
the following definition of a virus, which I like because it
demonstrates most of the relevant issues.
#1 A virus is a program that is able to replicate - that is, create
(possibly modified) copies of itself.
#2 The replication is intentional, not just a side-effect.
#3 At least some of the replicants are also viruses, by this
definition.
#4 A virus has to attach itself to a host, in the sense that execution
of the host implies execution of the virus.
--
#1 is the main definition, which distinguishes between viruses and Trojans
and other non-replicating malware.
#2 is necessary to exclude for example a disk-copying program copying a
disk, which contains a copy of itself.
#3 is necessary to exclude "intended" not-quite-viruses.
#4 is necessary to exclude "worms", but at the same time it has to be broad
enough to include companion viruses and .DOC viruses.
(4) How do viruses work?
A file virus attaches itself to a file (but see the section below
or the comp.virus FAQ on the subject of companion viruses), usually
an executable application (e.g. a word processing program or a DOS
program). In general, file viruses don't infect data files. However,
data files can contain embedded executable code such as macros, which
may be used by virus or trojan writers. Text files such as batch files,
postscript files, and source code which contain commands that can be
compiled or interpreted by another program are potential targets for
malware (malicious software), though such malware is not at present
common.
Boot sector viruses alter the program that is in the first sector
(boot sector) of every DOS-formatted disk. Generally, a boot
sector infector executes its own code (which usually infects the boot
sector or partition sector of the hard disk), then continues the PC
bootup (start-up) process. In most cases, all write-enabled floppies
used on that PC from then on will become infected.
Multipartite viruses have some of the features of both the above
types of virus. Typically, when an infected *file* is executed, it
infects the hard disk boot sector or partition sector, and thus
infects subsequent floppies used or formatted on the target system.
The following virus types are more fully defined in the
comp.virus FAQs (see preamble):
* STEALTH VIRUSES - viruses that go to some length to
conceal their presence from programs which might notice.
* POLYMORPHIC VIRUSES - viruses that cannot be detected by
searching for a simple, single sequence of bytes in a
possibly-infected file, since they change with every
replication.
* COMPANION VIRUSES - viruses that spread via a file which
runs instead of the file the user intended to run, and
then runs the original file. For instance, the file
MYAPP.EXE might be 'infected' by creating a file called
MYAPP.COM. Because of the way DOS works, when the user
types MYAPP at the C> prompt, MYAPP.COM is run instead of
MYAPP.EXE. MYAPP.COM runs its infective routine, then
quietly executes MYAPP.EXE. N.B. this is not the *only*
type of companion (or 'spawning') virus.
* ARMOURED VIRUSES - viruses that are specifically written
to make it difficult for an antivirus researcher to find
out how they work and what they do.
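As an added example (my code, not the FAQ's), the following Python check applies the DOS search order described under COMPANION VIRUSES to a directory listing and reports every executable that a same-named file of higher precedence would run in place of; it also covers the earlier-PATH-directory variant the text alludes to. The directories and file names in the sample listing are constructed.

```python
"""Companion-virus shadow check (added example; not code from the FAQ).

DOS resolves a bare command name by searching the current directory and
then each PATH directory in order, and within each directory tries
.COM, then .EXE, then .BAT.  A companion ('spawning') virus relies on
that order: MYAPP.COM placed beside MYAPP.EXE runs first.  The check
below lists every executable that a same-named file of higher precedence
would run in place of, both the same-directory case the FAQ describes
and the earlier-PATH-directory variant.  Each hit is a candidate for
inspection, not proof of infection: legitimate pairs exist (the
constructed sample below includes one).
"""
import os
from typing import Dict, Iterable, List, Tuple

# DOS search order within one directory: lower rank runs first.
PRECEDENCE = {".com": 0, ".exe": 1, ".bat": 2}

Entry = Tuple[str, str]               # (directory, file name)
Shadow = Tuple[Entry, Entry]          # (file DOS runs, file it shadows)


def executable_rank(name: str):
    """Rank of a file name in DOS precedence, or None if not executable."""
    return PRECEDENCE.get(os.path.splitext(name)[1].lower())


def find_shadowed(search_order: Iterable[Tuple[str, Iterable[str]]]) -> List[Shadow]:
    """Report shadowed executables.

    search_order lists (directory, file names) pairs in the order DOS
    searches them: current directory first, then PATH left to right.
    Only names are inspected, so a constructed listing works as input.
    """
    winners: Dict[str, Entry] = {}    # base name -> file DOS would run
    shadows: List[Shadow] = []
    for directory, names in search_order:
        # Within one directory, .COM beats .EXE beats .BAT (stable sort).
        ranked = sorted((n for n in names if executable_rank(n) is not None),
                        key=executable_rank)
        for name in ranked:
            base = os.path.splitext(name)[0].upper()   # FAT names are case-insensitive
            entry = (directory, name)
            if base in winners:
                shadows.append((winners[base], entry))
            else:
                winners[base] = entry
    return shadows


def search_order_from_disk(cwd: str, path_dirs: Iterable[str]):
    """Build the listing for find_shadowed from real directories."""
    order = []
    for directory in [cwd, *path_dirs]:
        try:
            names = [n for n in os.listdir(directory)
                     if os.path.isfile(os.path.join(directory, n))]
        except OSError:            # unreadable or nonexistent PATH entry
            continue
        order.append((directory, names))
    return order


# Constructed directory listing (no real files): C:\APPS holds the genuine
# MYAPP.EXE plus a suspicious MYAPP.COM; C:\UTIL\EDIT.EXE is shadowed by
# the legitimate MS-DOS EDIT.COM that appears earlier on the PATH.
SAMPLE_LISTING = [
    ("C:\\", ["AUTOEXEC.BAT", "COMMAND.COM", "CONFIG.SYS"]),
    ("C:\\DOS", ["EDIT.COM", "FORMAT.COM", "XCOPY.EXE"]),
    ("C:\\APPS", ["MYAPP.EXE", "MYAPP.COM", "README.TXT"]),
    ("C:\\UTIL", ["EDIT.EXE", "PKZIP.EXE"]),
]

if __name__ == "__main__":
    for (wdir, wname), (sdir, sname) in find_shadowed(SAMPLE_LISTING):
        print(f"{sdir}\\{sname} is shadowed by {wdir}\\{wname}")
```

The EDIT.EXE hit in the sample is a legitimate pair and shows why each report needs a human look at the shadowing file (its size, date and contents) before anything is done.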
(5) How do viruses spread?
A PC is infected with a boot sector virus (or partition sector
virus) if it is (re-)booted (usually by accident) from an infected
floppy disk in drive A. Boot Sector/MBR infectors are the most
commonly found viruses, and cannot normally spread across a network.
These (normally) spread by accident via floppy disks which may come
from virtually any source: unsolicited demonstration disks,
brand-new software (even from reputable sources), disks used on
your PC by salesmen or engineers, new hardware, or repaired hardware.
A file virus infects other files when the program to which it is
attached is run, and so *can* spread across a network (often very
quickly). They may be spread from the same sources as boot sector
viruses, but also from sources such as Internet FTP sites and
bulletin boards. (This applies also to Trojan Horses.)
A multipartite virus infects boot sectors *and* files. Often,
an infected file is used to infect the boot sector: thus, this is
one case where a boot sector infector could spread across a network.
(6) How can I avoid infection?
There is no way to guarantee that you will avoid infection. However,
the potential damage can be minimized by taking the following
precautions:
* make sure you have a clean boot disk - test with whatever (up-to-date!)
antivirus software you can get hold of and make sure it is (and stays)
write-protected. Boot from it and make a couple of copies.
* use reputable, up-to-date and properly-installed anti-virus
software regularly. (See below) If you use a shareware package
for which payment and/or registration is required, do it. Not only
does it encourage the writer and make you feel virtuous, it means
you can legitimately ask for technical support in a crisis.
* do some reading (see below). If you're a home user, you may well
get an infection sooner or later. If you're a business user, it'll
be sooner. Either way you'll benefit from a little background.
If you're a business user you (or your enterprise) need a policy.
* don't rely *solely* on newsgroups like this to get you out of
trouble: it may be a while before you get a response (especially
from a moderated group like comp.virus), and the first response
you act upon may not offer the most appropriate advice for your
particular problem.
* if you use a shareware/freeware package, make sure you have hard
copy of the documentation *before* your system falls apart!
* always run a memory-resident scanner to monitor disk access and
executable files before they're run.
* if you run Windows, a reputable anti-virus package which includes
DOS *and* Windows components is likely to offer better protection
than a DOS only package. If you run Windows 95, you need a proper
Win95 32-bit package for full protection.
* make sure your home system is protected, as well as your work PC.
* check all new systems and all floppy disks when they're brought
in (from *any* source) with a good virus-scanning program.
* acquire software from reputable sources: 2nd-hand software is
frequently unchecked and sometimes infected. Bear in mind that
shrinkwrapped software isn't necessarily unused. In any case,
reputable firms have shipped viruses unknowingly.
* once formatted, keep floppies write-disabled except when you need
to write a file to them: then write-disable them again.
* make sure your data is backed up regularly and that the procedures
for restoring archived data *work* properly.
* scan pre-formatted diskettes before use.
* Get to know all the components of the package you're using and
consider which bits to use and how best to use them. Different
packages have different strengths: diversifying and mixing and
matching can, if carefully and properly done, be a good antivirus
strategy, especially in a corporate environment
* if your PC can be prevented with a CMOS setting from booting with a
disk in drive A, do it (and re-enable floppy booting temporarily when
you need to clean-boot).
CMOS settings
Some CMOSes come with special anti-virus settings. These are normally
vague about what they do but typically they write-protect your hard
disk's boot sector and partition sector (MBR). This can be some use
against boot sector viruses but may false alarm when you upgrade your
operating system.
One sensible setting to make (if your CMOS allows) is to adjust the
boot sequence of your PC. Changing the default boot-up drive order
from A: C: to C: will mean that the PC will attempt to boot from drive
C: even if a floppy disk has been left in drive A:. This way boot
sector virus infection can often be avoided. Remember, however, to set
your CMOS back temporarily if you ever *do* want to boot clean from
floppy (for example, when running a cryptographical checksummer
after a cold boot).
(7) How does antivirus software work?
* Scanner (conventional scanner, command-line scanner, on-demand
scanner) - a program that looks for known viruses by checking for
recognisable patterns ('scan strings', 'search strings',
'signatures').
* TSR scanner - a TSR (memory-resident program) that checks for
viruses while other programs are running. It may have some of
the characteristics of a monitor and/or behaviour blocker.
* VxD scanner - a scanner that works under Windows (or perhaps under
Win 95, or both), which checks for viruses continuously while
you work.
* Heuristic scanners - scanners that inspect executable files for
code using operations that might denote an unknown virus.
* Monitor/Behaviour Blocker - a TSR that monitors programs while
they are running for behaviour which might denote a virus.
* Change Detectors/Checksummers/Integrity Checkers - programs that
keep a database of the characteristics of all executable files on
a system and check for changes which might signify an attack by
an unknown virus.
* Cryptographic Checksummers use an encryption algorithm to lessen
the risk of being fooled by a virus which targets that particular
checksummer.
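An added example of the last two items (my code, not the FAQ's nor any listed product's): a change detector that records a keyed HMAC-SHA256 tag for every executable and seals its own baseline database with the same key, so that neither a file nor the database can be altered undetectably without the key. It assumes the key is kept off the checked system (e.g. on the write-protected clean boot floppy the FAQ recommends) and that the check runs after a clean boot; the file contents in the demonstration are constructed.

```python
"""Keyed integrity checker (added example, not code from the FAQ or any
product it lists).

A change detector keeps a baseline record of every executable and later
reports anything that differs.  A plain CRC or additive checksum can be
matched by a file that was altered with that checksum in mind, which is
why the FAQ singles out cryptographic checksummers.  This one stores an
HMAC-SHA256 tag per file under a secret key, and seals the baseline
database itself with the same key, so neither a file nor the database
can be altered undetectably without the key.  Assumption: the key is
kept off the checked system (e.g. on a write-protected floppy) and the
check is run after a clean boot, as the FAQ recommends.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, List, Tuple

EXECUTABLE_EXTS = {".com", ".exe", ".sys", ".ovl", ".dll", ".bat"}


def file_tag(data: bytes, key: bytes) -> str:
    """Keyed tag of a file's contents; cannot be matched without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def snapshot_dir(root: str) -> Dict[str, bytes]:
    """Read every executable under root into {relative path: bytes}."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return files


def build_baseline(files: Dict[str, bytes], key: bytes) -> dict:
    """Record length and keyed tag of each file."""
    return {p: {"len": len(b), "tag": file_tag(b, key)} for p, b in files.items()}


def verify(files: Dict[str, bytes], baseline: dict, key: bytes) -> dict:
    """Compare the current files with the baseline.

    Returns {"changed": [(path, old_len, new_len)], "added": [path],
    "missing": [path]}, each list sorted.  A file virus that appends
    itself shows up as 'changed' with a larger new_len; a dropped
    companion file shows up as 'added'.
    """
    changed: List[Tuple[str, int, int]] = []
    for path, data in files.items():
        rec = baseline.get(path)
        if rec and not hmac.compare_digest(rec["tag"], file_tag(data, key)):
            changed.append((path, rec["len"], len(data)))
    return {
        "changed": sorted(changed),
        "added": sorted(p for p in files if p not in baseline),
        "missing": sorted(p for p in baseline if p not in files),
    }


def seal_baseline(baseline: dict, key: bytes) -> bytes:
    """Serialise the baseline with a MAC over it, so the database is
    protected by the same key as the files it describes."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + mac + b"\n"


def open_baseline(blob: bytes, key: bytes) -> dict:
    """Parse a sealed baseline, refusing one whose MAC does not verify."""
    body, mac = blob.rstrip(b"\n").rsplit(b"\n", 1)
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("baseline database altered or wrong key")
    return json.loads(body)


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-off-the-checked-system"
    # Constructed file contents standing in for a clean system.
    clean = {"DOS\\COMMAND.COM": b"\xb8\x00\x00" * 20,
             "APPS\\MYAPP.EXE": b"MZ" + b"\x00" * 100}
    sealed = seal_baseline(build_baseline(clean, key), key)
    # Later: MYAPP.EXE has grown by 300 bytes and a MYAPP.COM has appeared.
    later = dict(clean)
    later["APPS\\MYAPP.EXE"] += b"\xcc" * 300
    later["APPS\\MYAPP.COM"] = b"\xe9\x10\x00"
    print(verify(later, open_baseline(sealed, key), key))
```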
---------------------------------------------------------------------
End of a.c.v. FAQ Part 1 of 4
-------------------------------------------------------------------
(8) What's the best antivirus software (and where do I get it)?
In case it's not absolutely clear from the following, I can't
possibly answer the first part of this question! There are,
however, some suggestions following for sources of software
and of information on particular packages, comparative reviews etc.
The danger of this approach is that sites, servers, and packages
come and go, and I haven't time to keep track of all these
variables. Some of these URLs have been passed on by trusted
sources, but I haven't the time to check them all out regularly.
If you run into problems, please let me know (by e-mail, please).
Most of the people who post here have their favourites: if you just
ask which is the best, you'll generally get either a subjective
"I like such and such", recommendation of a particular product by
someone who works for that company, or a request to be more specific
about your needs. Some of us who are heavily involved with virus
control favour using more than one package and keeping track of the
market. Don't trust anything you read in the non-technical press.
Don't accept uncritically reviews in the computing press, either:
even highly-regarded IT specialists often have little understanding
of virus issues, and many journalists are specialists only in
skimming and misinterpreting. Magazines like Virus Bulletin and
Secure Computing are much better informed and do frequent comparative
reviews, and are also informative about their testing criteria,
procedures and virus suites. Recently, a number of articles have been
posted here by people who've run their own tests on various packages.
These are often of interest, but should not be accepted uncritically.
(No-one's opinion should be accepted uncritically!)
Valid testing of antivirus software requires a lot of care and
thought, and not all those who undertake it have the resources,
knowledge or experience to do it properly.
You may get a more informed response if you specify what sort of system
you have - DOS, Windows, Win95? XT, AT, 386 or better? Is the system
networked, and are you asking about protecting the whole network?
(What sort of network?) Are you running NT, OS/2 or Win95, any of which
involve special considerations? Be aware that there is more than one way
of judging the effectiveness of a package - the sheer number of viruses
detected; speed; tendency to false alarms; size (can you run it from a
single floppy when necessary?); types of virus detection & prevention
(not at all the same thing) offered (command-line scanning, TSR scanning,
behaviour blocking, checksumming, access-control, integrity shell etc.);
technical support etc.
DOS packages available from SimTel etc. include
F-Prot
AVP Lite
McAfee
TBAV
Most Shareware/Freeware packages can be obtained from SimTel via
anonymous FTP or WWW, e.g.
http://www.coast.net/SimTel/msdos/virus
ftp://ftp.coast.net/SimTel/msdos/virus/
USA:-
ftp.cdrom.com
uiarchive.cso.uiuc.edu
oak.oakland.edu
wuarchive.wustl.edu
ftp.uoknor.edu
ftp.pht.com
UK:-
micros.hensa.ac.uk
src.doc.ic.ac.uk
ftp.demon.co.uk
as well as other sites in many other parts of the world.
There is some confusion at present regarding SimTel: you may find that
some mirrors are still pointing to the Coast to Coast collection while
others are pointing to SimTelnet. I've been referred to
http://www.simtelnet.com/pub/simtelnet
but haven't been able to get in to date.
Of course, such products can often be obtained direct from the
publisher's WWW or FTP sites too.
There is a shareware program for Win95 called the Doctor.
Compuserve - GO NCSAVIRUS
ftp://thomnet.com/
http://www.tucows.com/files/doc9509.zip
ftp://ftp.mindspring.com/users/rogert
TNS BBS +1 (404) 971 8886
Also, McAfee and Thunderbyte have Win95 programs.
ftp://ftp.mcafee.com/pub/antivirus/
http://thunderbyte.com/ftp/thunderbyte/
ftp://ftp.thunderbyte.com/
ChekMate is described by its author as a targeted integrity checker.
It's a potentially useful shareware supplement to a good virus scanner.
Via anonymous ftp at:
ftp.coast.net/SimTel/msdos/virus/cm200.zip
ftp.demon.co.uk/pub/simtel/msdos/virus/cm200.zip
ftp.demon.co.uk/antivirus/ibmpc/av-progs/cm200.zip
gate.net/pub/users/ris1/cm200.zip
At the World-Wide Web site:
http://www.valleynet.com/~joe/avdos.html
Commercial
----------
[vendors are invited to supply full contact details and indicate the range
of platforms their product range covers. Let's not overdo the hype, though,
guys.]
There is a pretty comprehensive list of anti-virus developers at
http://www.virusbtn.com/AVLinks/
(NB Some of the following, though not shareware, can be obtained for
evaluation via anon FTP or WWW.)
Please note, I have not tested or even seen all the packages listed
here, or all the contact data, come to that, and listing here does not
imply recommendation (though I won't list anything I *know* is
rubbish....).
DSAVTK (Dr Solomon's Anti-Virus ToolKit)
[DOS; DOS & Windows; DOS & Win95; NetWare; NT; OS/2; Unix; Mac]
UK Support: support@uk.drsolomon.com
US Support: support@us.drsolomon.com
UK Tel: +44 (0)1296 318700
USA Tel: +1 617-273-7400
CompuServe: GO DRSOLOMON
Web: http://www.drsolomon.com
FTP: ftp://ftp.drsolomon.com
Evaluation copy of Findvirus Dos scanner available via the Web.
*************
F-Prot Pro (DOS, Windows 3.x, Win95, WinNT, NetWare)
There are two flavours, though I gather that Command Software and
Data Fellows are currently doing joint development.
Command Software Systems Inc.
1+407-575 3200
ftp://ftp.commandcom.com
Data Fellows Ltd.
f-prot@DataFellows.com
ftp://ftp.DataFellows.com
http://www.DataFellows.com
http://www.Europe.DataFellows.com
UK:
Portcullis (for Data Fellows) 44-181-868-0098
Command Software UK 44-171-259-5710
command@command.co.uk
More details inc. in ORDER-2.DOC, supplied with the shareware version.
[The filename is now PRO.DOC in recent versions]
************
IBM AntiVirus:
http://www.brs.ibm.com/ibmav.html
800-551-3579 (US only)
800-465-7999
fax: 800-267-5185
************
McAfee Associates
2710 Walsh Ave
Santa Clara, CA 95051
95054-3107 USA
Voice (408) 988-3832
FAX (408) 970-9727
BBS (408) 988-4004
CompuServe ID: 76702,1714 or GO MCAFEE
mcafee@netcom.com
ftp://ftp.mcafee.com/pub/antivirus/
http://www.mcafee.com/
[DOS, Windows, Win95, NetWare]
************
NAV (Norton AntiVirus) [DOS, Windows, Win95, Mac]
http://www.symantec.com/ ftp://ftp.symantec.com
US Support: 541-465-8420 AOL: SYMANTEC
European Support: 31-71-353-111 Australian Support: 61-2-879-6577
************
AntiViral Toolkit Pro
AVP LITE
Central Command Inc.
P.O. Box 856
Brunswick, Ohio 44212
Phone: 330-273-2820
FAX: 330-220-4129
BBS: 330-220-4036
WWW: www.command-hq.com/command
ftp: ftp.command-hq.com pub/command/avp
email: sales@command-hq.com
support@command-hq.com
************
Sweep http://www.sophos.com/ ftp://ftp.sophos.com
************
Thunderbyte http://thunderbyte.com/ftp/thunderbyte/software/
ftp://ftp.thunderbyte.com (?)
************
Invircible ftp://ftp.invircible.com
ftp://ftp.datasrv.co.il/pub/usr/netz/
http://invircible.com/
************
Reflex Magnetics Ltd
31-33 Priory Park Road
London
NW6 7UP
United Kingdom
Tel: +44 (0)171 372 6666
Fax: +44 (0)171 372 2507
BBS: +44 (0)171 372 2584
Email: sales@reflex-magnetics.co.uk
http://www.reflex-magnetics.co.uk/
************
Reflex Magnetics Ireland
Unit 24 Johnstown Industrial Centre, Waterford, Ireland.
tel: +353-(0)51-841051 fax: +353-(0)51-841052
http://www.iol.ie/~ralf/
************
NH&A
577 Isham St. # 2-B
New York, NY 10034
Phone: 212-304-9660
Fax: 212-304-9759
CompuServe: 72115,661
Internet: nhirsch@nha.com
URL: http://www.nha.com
BBS: 212-304-9759,,,,,,,3
************
Microsoft (Macro Virus fixes) - http://www.microsoft.com
For updates to MSAV, contact Symantec (but better to get a more
up-to-date package). CPAV updates from the same source.
There is a paper by Yisrael Radai which documents many of the problems
with MSAV.
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/msaveval.zip
************
ViruSafe, ViruSafe-95
I believe a version of this program was at one time marketed by
Xtree.
They also maintain a Virus Hot Line via their WWW site or
E-mail (virus@eliashim.co.il).
-------------------------------------------------------------
EliaShim, LTD. Computer Security Specialists
5 Haganim st. Haifa 35022 Tel: +972-4-8516111
ISRAEL Fax: +972-4-8528613
Email: shimon@eliashim.co.il BBS: +972-4-8516113
URL: http://www.eliashim.com
-------------------------------------------------------------
----------------------------------------------------------------------------
VirusNet PC (DOS, Win3.x, Win95) - (File: VNPC.EXE)
VirusNet LAN (DOS, Win3.x, Win95, All Networks) - (File: VNLAN.EXE)
StopLight PC (DOS, Win3.x) - (File: SLELS.EXE)
StopLight for Win95 (Win95, Win3.x, DOS) - (File: Check Site)
StopLight for OS/2 (OS/2, Dual Boot to DOS and Win3.x) - (File: sltmos2.exe)
Safetynet, Inc.
140 Mountain Ave.
Springfield, NJ 07081
201-467-1024 (Sales and Support)
800-OS2-SAFE (Sales and Support in US and Canada)
201-467-1611 (Fax)
201-467-1581 (BBS 28800,n,8,1)
Web: http://www.safe.net/safety/
FTP: ftp.safe.net /pub/safetynet/
EMail: support@safe.net
CompuServe: GO CIS:SAFE
AntiVirus and security software evals and product updates are available from
the Safetynet Web, FTP, BBS and CompuServe sites.
*****************
MIMESweeper (Mail scanning 'firewall')
Integralis Ltd.
10 Brewery Court
Theale
Berkshire
RG7 5AH
+44(0) 1734 306060
Fax +44(0) 1734 302143
info@integralis.co.uk
US Office in Kirkland, WA.
Phone 206-889-4724.
--------------------------------------
NetPro Computing
7150 E Camelback Rd, Suite 100
Scottsdale, AZ 85251 USA
Products:
* PC ScanMaster for Novell/Vines
* Server ScanMaster for Banyan Vines
(Use McAfee VirusScan engine)
General Office: 602.941.3600
Sales: 800.998.5090
International Sales: 602.941.3630
DS Expert Info Line: 800.998.1550
Technical Support: 602.941.3670
FAX: 602.941.3610
On Line:
BBS: 602.941.3620
FTP: ftp.netpro.com
HTTP: www.netpro.com
e-mail: info@netpro.com or 70524,2670@compuserve.com
-----------------------------------------------------------------------------
There is a comprehensive set of product reviews at:
http://www.first.org/virus/virrevws/
and a number of reputable vendors include comparative reviews,
papers on testing etc. on their WWW/FTP servers.
Virus Bulletin comparative reviews are available from
http://www.virusbtn.com/Comparatives/
and information is also available on their testing protocols.
There are links to just about every anti-virus site you ever heard of at
http://www.innet.net/~ewillems/
In the event of a *real* tragedy, there are a number of firms which
specialize in data recovery. In the UK, there are S&S International
(see above) and Ontrack Data Recovery Europe (0800-243996). In the
US, there's Ontrack Computer Systems (parent company of Ontrack
...Europe). I believe Maxtor also offer a service of this sort,
but I have no details at present.
DataRescue:
http://www.datarescue.com/
info@datarescue.com
Ontrack Data Recovery, Inc.
6321 Bury Drive, Suites 13-21
Eden Prairie, MN 55346
Phone: 612-937-5161
FAX: 612-937-5750
BBS: 612-937-0860
Toll free:
Minnesota office: 1-800-872-2599
California office: 1-800-752-7557
Washington, DC: 1-800-650-2410
Japan: 0120-413-374 (Japan only)
International: (0429)32-6365
UK office: 0800 24 39 96 (UK only)
From Germany: 0130 815 198
From France: 05 90 72 42
International: +44(0)181 974 5522
Compuserve: GO DATARECOVERY
W3: http://www.ontrack.com
Email: sales@ontrack.com
(9) Where can I get further information?
========================================
[I haven't checked all these: please mail me if you find any errors]
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/catalog/
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/carobase/
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/
[mirror sites]
ftp://ftp.uu.net/pub/security/virus/
ftp://sunsite.unc.edu/pub/docs/security/hamburg-mirror/virus/
http://all.net:8000/cgi-bin/all-search-2
Virus Text Search
Search engine to check out documents in the following archives:
VIRUS-L Forum, 40Hex Archives, Risks Forum, Privacy Forum, CERT Advisories,
Internet RFCs, State Computer Crime Laws, The Telecom Privacy Digest,
CIAC Advisories, Firewalls Digest.
http://www-iwi.unisg.ch/~sambucci/icaro/texts
http://lipsmac.acs.unt.edu/Virus/virinfo.html
http://www.valleynet.com/~joe/avinfo.html
http://www.primenet.com/~mwest/av.htm
http://csrc.ncsl.nist.gov/virus
http://www.jumbo.com/home/dos/virus
http://www.valleynet.com/~joe/top10.html
ftp://ftp.uu.net/pub/virus/progs/virlab15.zip
http://www.infi.net/~wtnewton/vinfo/master.html
Virus-List Archive (you can also pick up the mk. II FAQ from here):
ftp://cs.ucr.edu/pub/virus-l/
Virus Bulletin Home Page - vendor contact info, comparative reviews,
review protocol info etc.
http://www.virusbtn.com
S&S International: evaluation copy of FindVirus, product info, virus
encyclopaedia on-line, papers, links to other sites etc.
http://www.drsolomon.com/
ftp://ftp.drsolomon.com/
ftp://ftp.sophos.com/
http://www.sophos.com/
Dr.Solomon's History of PC Viruses:
http://dbweb.agora.stm.it/webforum/virus/solomhis.htm
Robert Slade's Virus History:
http://dbweb.agora.stm.it/webforum/virus/sladehis.htm
http://www.innet.net/~ewillems/
http://www.thenet.ch/metro/
Nic Ferri has an expansive home page with many useful links
http://www.agora.stm.it/htbin/wwx?fi^N.Ferri
Henri Delger's home page has useful info and links
HTTP://pages.prodigy.com/virushelp/
http://www.DataFellows.com/
http://www.Europe.DataFellows.com/
http://www.datarescue.com/
VSUM (not highly-rated for its accuracy)
(Try SimTel mirrors, McAfee sites)
Tom Simondi has written a freeware virus tutorial (VTUTOR11.ZIP).
Unfortunately, I haven't been able to download it so far.
http://ourworld.compuserve.com/homepages/ck
http://www.slonet.org/~tsimondi/ck.htm
The WildList (List of viruses currently 'in the wild'
maintained by Joe Wells - doesn't include much description)
ftp://ftp.ncsa.com/pub/virus/wildlist
http://www.drsolomon.com/
http://www.symantec.com/virus/wl.html
http://www.innet.net/~ewillems/vwild.htm
AV Software Update Auto-Notification:
http://www.primenet.com/~Emwest/up-form.htm
Most anti-virus packages include some information on common
viruses, too.
Virus Descriptions
------------------
Dr Solomon's Virus Encyclopedia:
http://www.drsolomon.com/virus/enc/enc.htm
Free-form searches of the Data Fellows F-Prot virus description database:
http://www.datafellows.com/v-descs/
The AVP database:
http://www.datarescue.com/avpbase/
Virus demonstrations
--------------------
ftp://ftp.uu.net/pub/virus/progs/virsim1.zip
(I haven't checked this one out yet).
AVP also includes some virus demonstrations, and I know that other
publishers have demos available.
There are also virus simulators, which are not quite the same thing.
These are sometimes advocated as a means of testing antivirus packages,
but there are dangers to this approach: after all, a package which
identifies one of these simulators as the virus it simulates is,
technically, false-alarming.
See section F6 of the Mark 2 Virus-L FAQ, which is rather good on
types and uses of virus simulation.
Books which may be of use:
Robert Slade's Guide to Computer Viruses - Springer-Verlag
Pretty good introduction & general resource.
Computers Under Attack (ed. Denning) - Addison-Wesley
Aging, but some classic texts
Survivors' Guide to Computer Viruses (ed. Lammer) - Virus Bulletin
Uneven, but includes useful stuff from Virus Bulletin
Dr. Solomon's Virus Encyclopaedia
You may from time to time find copies of an older edition
of this in bookshops, though it's better known as part of
Dr. Solomon's AntiVirus ToolKit. It's a pretty good guide
to some of the older viruses.
A Short Course on Computer Viruses (F. Cohen) - Wiley
By the man who 'invented' the concept of computer viruses.
Some aspects are controversial, but a good introduction to
his work.
The comp.virus FAQ includes pointers to some books.
Useful (but expensive) periodicals:
Virus Bulletin
Virus Bulletin Ltd
21 The Quadrant
Abingdon
Oxfordshire
OX14 3YS
44 (0) 1234 555139
Compuserve 100070,1340
Computers and Security
Elsevier Advanced Technology
PO Box 150
Kidlington
Oxford
OX5 1AS
44 (0) 1865-843666
a.verhoeven@elsevier.co.uk
Rather cheaper (though still expensive for the non-corporate
non-specialist in security) is the magazine Secure Computing.
West Coast are launching a corporate licence scheme which may
be of interest to corporate users.
Secure Computing
West Coast Publishing Ltd.
William Knox House
Britannic Way
Llandarcy
Swansea
SA10 6EL
UK
44 (0) 1792 324000
Compuserve 70007,5406
Doubts have been expressed concerning the impartiality or otherwise
of Virus Bulletin, which is a sister company to Sophos, who market
Sweep and other antivirus/security products. VB uses an advisory board
of anti-virus experts from a wide variety of vendors and other
organisations, and its virus statistics are collated monthly from a
variety of sources, not only from Sophos.
Secure Computing, though formerly associated with S&S International, who
market Dr.Solomon's AntiVirus ToolKit and other security products, is
now an independent organization. SC also has input from experts associated
with various vendors and other organisations.
***************************************************************************
* As a regular and reasonably knowledgeable reader of both publications, *
* I'm personally satisfied that neither displays editorial bias, nor do *
* I believe that either publication intentionally weights its methodology *
* to the unfair advantage of an affiliated product [DH] *
***************************************************************************
(10) Does anyone know about...
==============================
...Mac viruses?
---------------
The best single source of information on Mac viruses is the online
help included in the freeware package Disinfectant, which can be
obtained from
ftp://ftp.acns.nwu.edu/pub/disinfectant
CompuServe
GEnie
America Online
Calvacom
Delphi
BIX
sumex-aim.stanford.edu
rascal.ics.utexas.edu
comp.binaries.mac
Information on Mac viruses is also available from the AntiVirus Catalog/
CARObase (see above).
I've also noticed some Mac info at Symantec's web site (www.symantec.com).
Disinfectant is an excellent anti-virus package: however, it doesn't catch
much in the way of HyperCard infectors or trojans, nor does it detect
Word 6 macro viruses.
For other Mac packages, try Info-Mac mirrors like:
ftp://ftp.ucs.ubc.ca/pub/mac/info-mac/vir/
The University of Texas holds the latest versions of Disinfectant and
Gatekeeper, and some documentation on Mac viruses.
http://wwwhost.ots.utexas.edu/mac/pub-mac-virus.html
Commercial packages include SAM (Symantec) and Virex. Dr. Solomon's
AntiVirus ToolKit for Macintosh is about to be released.
...UNIX viruses?
----------------
In general, there are virtually no non-experimental UNIX viruses.
There have been a few Worm incidents, most notably the Morris Worm
(a.k.a. the Internet Worm) of 1988.
There are products which scan some Unix systems for PC viruses,
though any machine used as a file server (Novell, Unix etc.) can be
scanned for PC viruses by a DOS scanner if it can be mounted as a
logical drive on a PC running appropriate network client software
such as PC-NFS.
Intel-based PCs running Unix (e.g. Linux, 386BSD, SCO Unix etc.)
can also be infected by a DOS boot-sector virus if booted from an
infected disk. The same goes for other PC-hosted operating systems
such as NetWare.
While viruses are not a major risk on Unix platforms, integrity
checkers and audit packages are frequently used by system administrators
to detect file changes made by other kinds of attack. However, Unix
security is outside the scope of this FAQ (see comp.security.unix).
[See also the comp.virus FAQ]
A possibly useful book:
Practical Unix Security (Garfinkel, Spafford) - O'Reilly
...macro viruses?
-----------------
Macro viruses spread via the documents of applications whose
macro facilities can be infected, and are limited to the
specific applications for which they were written.
The macro viruses which are receiving attention currently
are specific to Word 6/WordBasic and Excel: however, many
applications, not all of them Windows applications, have
potentially damaging and/or infective macro capabilities
too.
One, now widespread, infects macros attached to Word
6.0 for Windows, Word 6.0.1 for Macintosh, Word 6.0 for
Windows NT, and Word for Windows 95 documents.
What makes such a virus possible is that the macros
are created by WordBASIC, a programming language which links
features used in Word to macros, and even allows DOS
commands to be run.
This virus, named "Concept", has no destructive payload:
once a document containing it is opened, it merely spreads,
copying itself into other documents as they are saved,
without affecting their contents.
However, other macro viruses have been discovered, and some
of them contain destructive routines.
Microsoft suggests opening files without macros, to
prevent macro viruses from spreading, unless the user can
verify that the macros contained in the document will not
cause damage. (This does NOT work for all macro viruses.)
For further info on macro viruses, you might like to try
http://www.drsolomon.com/
http://www.datafellows.com/macrovir.htm
Richard Martin is working on an FAQ on this subject.
ftp.gate.net/pub/users/ris1/word.faq
or mail to
Bd326@TorFree.Net
Subject: PLEASE SEND FAQ
...The AOLgold virus
--------------------
This is actually a trojan. The following is extracted from the CIAC
bulletin (Number G-03).
Apparently, an e-mail message is being circulated that contains an attached
archive file named AOLGOLD.ZIP. A README file that is in the archive
describes it as a new and improved interface for the AOL online service.
Note that there is no such program as AOLGOLD. Also, simply reading an
e-mail message or even downloading an included file will not do damage to
your machine. You must execute (or run) the downloaded file to release
the Trojan and have it cause damage.
If you unzip the archive, you get two files: INSTALL.EXE and README.TXT.
The README.TXT file again describes AOLGOLD as a new and improved interface
to the AOL online service. The INSTALL.EXE program is a self-extracting ZIP
archive. When you run the install program, it extracts 18 files onto your
hard drive.
The Trojan program is started by running the INSTALL.BAT file. The
INSTALL.BAT file is a simple batch file that renames the VIDEO.DRV file to
VIRUS.BAT and then runs it. VIDEO.DRV is an amateurish DOS batch file that
starts deleting the contents of several critical directories on your C:
drive.
When the batch file completes, it prints a crude message on the screen and
attempts to run a program named DoomDay.EXE. Bugs in the batch file prevent
the DOOMDAY.EXE program from running. Other bugs in the file cause it to
delete itself if it is run from any drive but the C: drive. The programming
style and bugs in the batch file indicate that the Trojan writer appears
to have little programming experience.
You can get this and other CIAC notices from the CIAC Computer Security
Archive.
World Wide Web: http://ciac.llnl.gov/
Anonymous FTP: ciac.llnl.gov (128.115.19.53)
...the PKZip Trojan?
--------------------
There have been at least two attempts to pass off Trojans as an upgrade
to PKZip, the widely used file compression utility. A recent example was
of the files PKZ300.EXE and PKZ300B.ZIP made available for downloading
from various sources. An earlier Trojan passed itself off as version 2.0.
For this reason, PKWare have never released a version 2.0 of PKZip:
presumably, if they ever do release another DOS version (unlikely, at
this date, in my opinion), it will not be numbered version 3.0(0).
To the best of my knowledge, the latest version of PKZip is 2.04g.
...xyz PC virus?
----------------
There are several thousand known PC viruses, and the number 'in the
wild' is in the hundreds. It is not practical to include information
about all of these in this FAQ. However, information about some or
most of those which regularly get asked about may shortly (Real Soon
Now) be available in a separate document. Meanwhile, sources of
information on specific viruses are included in the preceding sections.
There are rarely enquiries about viruses on other computing platforms
raised in alt.comp.virus, but there is some information concerning
viruses on most platforms available at the Virus Test Center in Hamburg.
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/catalog/
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/carobase/
The following sites also have virus descriptions listed alphabetically:
http://www.DataFellows.com/
http://www.drsolomon.com
(11) Is it true that....?
=========================
(*or* some favourite hoaxes...)
(1) There is *no* Good Times virus that trashes your hard disk
and launches your CPU into an nth-complexity binary loop when
you read mail with "Good Times" in the Subject: field.
You can get a copy of Les Jones' FAQ on the Good Times Hoax from:
Via FTP:
ftp://usit.net/pub/lesjones/good-times-virus-hoax-faq.txt
ftp://members.aol.com/macfaq/good-times-virus-hoax-faq.txt
On the World Wide Web:
http://www.tcp.co.uk/tcp/good-times/index.html
http://www.singnet.com.sg/staff/lorna/Virus
http://www.nsm.smcm.edu/News/GTHoax.html
There's a Mini-FAQ available as:
ftp://usit.net/pub/lesjones/Good-Times-Virus-Hoax-Mini-FAQ.txt
There *is* at least one file virus christened Good Times
by the individual who posted it in an attempt to cause
confusion. It is more commonly referred to as GT-spoof.
(2) There is no modem virus that spreads via an undocumented
subcarrier - whatever that means....
(3) Any file virus can be transmitted as an E-mail attachment.
However, the virus code has to be executed before it actually
infects. Sensibly configured mailers don't usually allow this
by default and without prompting, but certainly some mailers
can support this: for instance, cc:mail can, it seems, launch
attachments straight into AmiPro.
[further information on this or other potentially dangerous
associations would be gratefully received]
There's room for a lot of discussion here. The jury is still
out on web browsers: Netscape can certainly be set up to do
things I don't approve of, such as opening a Word document in
Word without asking.
Microsoft have made available a Word viewer which reads Word
files, but doesn't run attached macros. If possible, use this
instead.
The term 'ANSI bomb' usually refers to a mail message or other
text file that takes advantage of an 'enhancement' to the MS-DOS
ANSI.SYS driver which allows keys to be redefined with an
escape sequence, in this case to echo some potentially
destructive command to the console. In fact, few systems
nowadays run programs which need ANSI terminal emulation,
and there's no guarantee that the program reading the file would
pass such an escape sequence unfiltered to the console anyway.
There are plenty of PD or shareware alternatives to ANSI.SYS that
don't support keyboard redefinition, or allow it to be turned off.
The term mail bomb is usually applied to the intentional
bombardment of an e-mail address with multiple copies of a
(frequently abusive) message, rather than to the above.
See SimTel/keyboard on sites carrying a SimTel mirror.
(4) There is no known way in which a virus could sensibly be spread
by a graphics file such as a JPEG or .GIF file, which does not
contain executable code. Macro viruses work because the files to
which they are attached are not 'pure' data files.
(5) In general, software cannot physically damage hardware - this
includes viruses. There is a possibility that specific hardware
may be damaged by specific code: however, a virus which drops
a particular payload on the offchance that it's running on a
system with a particular type of obsolete video card seems more
than usually futile.
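An added example, not part of the FAQ, for the ANSI bomb discussion under (3) above: a Python scanner that finds ANSI.SYS keyboard-redefinition sequences (ESC [ ... p) in a mail message or text file and strips them, while leaving ordinary colour and cursor sequences intact. The sample message is constructed.

```python
# Added example: detect and strip ANSI.SYS key-redefinition sequences
# ("ANSI bombs") in text.  ANSI.SYS reassigns a key with ESC [ code ; "string" p,
# so the final byte 'p' is what distinguishes these from harmless colour/cursor
# control.  Sample input below is constructed for illustration.
import re

ESC, CSI_OPEN, DQUOTE = 0x1B, 0x5B, 0x22


def iter_csi(data: bytes):
    """Yield (offset, raw_bytes, final_char) for each ESC [ ... sequence in data.

    Plain CSI parsing stops at the first byte in 0x40-0x7E, but ANSI.SYS lets
    key-redefinition parameters carry quoted strings ("text"), whose letters
    must not end the sequence, so double quotes are tracked explicitly.
    """
    i, n = 0, len(data)
    while i < n - 1:
        if not (data[i] == ESC and data[i + 1] == CSI_OPEN):
            i += 1
            continue
        j, in_quote, final = i + 2, False, None
        while j < n:
            c = data[j]
            if in_quote:
                in_quote = c != DQUOTE
            elif c == DQUOTE:
                in_quote = True
            elif 0x40 <= c <= 0x7E:
                final = chr(c)
                break
            j += 1
        if final is None:               # ran off the end: report the fragment
            yield i, data[i:], None
            return
        yield i, data[i:j + 1], final
        i = j + 1


def find_key_redefinitions(data: bytes) -> list:
    """One finding per ANSI.SYS keyboard-redefinition sequence (final byte 'p')."""
    findings = []
    for off, raw, final in iter_csi(data):
        if final != "p":
            continue                    # colour/cursor control: harmless, ignore
        params = raw[2:-1]
        strings = re.findall(rb'"([^"]*)"', params)
        numeric = re.sub(rb'"[^"]*"', b"", params)
        findings.append({
            "offset": off,
            "raw": raw,
            # numeric codes: the key being redefined and any raw character codes
            "codes": [int(x) for x in numeric.split(b";") if x.isdigit()],
            # quoted text that would be typed when the key is pressed
            "strings": strings,
        })
    return findings


def strip_key_redefinitions(data: bytes) -> bytes:
    """Copy of data with key-redefinition sequences removed; other CSI kept."""
    out, pos = bytearray(), 0
    for off, raw, final in iter_csi(data):
        out += data[pos:off]
        if final != "p":
            out += raw
        pos = off + len(raw)
    out += data[pos:]
    return bytes(out)


# Constructed sample: one harmless colour sequence, one key redefinition that
# makes key code 65 ('A') type "hello" followed by Enter (13).
SAMPLE = (b"Greetings.\r\n"
          b"\x1b[1;31mThis colour change is harmless.\x1b[0m\r\n"
          b"\x1b[65;\"hello\";13p<- redefines key code 65\r\n")

if __name__ == "__main__":
    for f in find_key_redefinitions(SAMPLE):
        print("key redefinition at offset", f["offset"], f["codes"], f["strings"])
    print(strip_key_redefinitions(SAMPLE))
```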
(12) Favourite myths
====================
* DOS file attributes protect executable files from infection
File attributes are set by software, and can therefore be
changed by software, including viruses. Many viruses reset a
ReadOnly/System/Hidden file to Read/Write, infect it, and
often reset it to the original attributes afterwards.
This also applies to other software mechanisms such as
simulating hardware write-protection on a hard disk.
However, file protection rights in NetWare *can* help to
contain virus infections, if set up properly, as can
trustee rights. [Trustee assignments govern whether an
individual user has right of access to a subdirectory: the
Inherited Rights Mask governs the protection rights of
individual files and (sub)directories.]
Basically, a file virus has the same rights of access as the
user who happens to inadvertently activate it.
Setting up these levels of security is really a function
of the network Administrator, but you might like to check
(politely) that yours is not only reassuringly paranoid but
also knowledgeable about viruses as well as networks, since a
LAN which is not, in this respect, securely configured, can
result in very rapid infection and reinfection of files
across the whole LAN. In particular, accounts with supervisor
equivalence can, potentially, be the unwitting cause of very
rapid dissemination of viruses.
[See also the comp.virus FAQ (version 2) section D]
* I'm safe from viruses because I don't use bulletin boards/shareware/
Public Domain software.
Many of the most widely-spread viruses are Boot Sector Infectors,
which can't normally infect over a serial or network connection.
Writers of shareware, freeware etc. are no more prone to accidental
infection than commercial publishers, and possibly less. The only
'safe' PC is still in its original wrapping (which doesn't mean
it isn't already infected...) And don't forget that shrinkwrapped
software may have been rewrapped.
* FDISK /MBR fixes boot sector viruses.
The mark II comp.virus FAQ is worth reading on this (see Part 1
of this FAQ).
In brief, don't use FDISK /MBR *unless* you're *very* sure of what
you're doing, as you may lose data. Note also that if you set up the
drive with a disk manager such as EZDrive, you won't be able to access
the drive until and unless you can reinstall it.
******************************************************************
(i) What does FDISK /MBR do?
------------------------
It places "clean" partition code onto the partition sector of your hard
disk. It does *not* change the partition information, however. The /MBR
command-line switch is not officially documented and was introduced in
DOS 5.0.
[It does sometimes, and when it does it is usually fatal (for the
common user, anyway). FDISK /MBR will wipe the partition table data if
the last two bytes of the MBR are not 55 AA.]
(ii) What is the partition?
----------------------
The partition sector is the first sector on a hard disk. It contains
information about the disk such as the number of sectors in each
partition, where the DOS partition starts, plus a small program. The
partition sector is also called the "Master Boot Record" (MBR).
When a PC starts up it reads the partition sector and executes the
code it finds there. Viruses that use the partition sector modify
this code.
Since the partition sector is not part of the normal data storage
part of a disk, utilities such as DEBUG will not allow access to it.
[Unless one assembles into memory]
Floppy disks do not have a partition sector.
FDISK /MBR will change the code in a hard disk partition sector.
(iii) What is a boot sector?
----------------------
The boot sector is the first sector on a floppy disk. On a hard disk
it is the first sector of a partition. It contains information about
the disk or partition, such as the number of sectors, plus a small
program.
When the PC starts up it attempts to read the boot sector of a disk in
drive A:. If this fails because there is no disk it reads the boot
sector of drive C:. A boot sector virus replaces this sector with its
own code and usually moves the original elsewhere on the disk.
Even a non-bootable floppy disk has executable code in its boot sector.
This displays the "not bootable" message when the computer attempts to
boot from the disk. Therefore, non-bootable floppies can still contain
a virus and infect a PC if it is inserted in drive A: when the PC
starts up.
FDISK /MBR will not change the code in a hard disk boot sector. Most
boot sector viruses infect the partition sector of hard disks and
floppy disk boot sectors: most do not infect the boot sector of a hard
disk - Form virus is an exception.
(iv) How can I remove a virus from my hard disk's partition sector?
--------------------------------------------------------------
There are two main alternatives: run an anti-virus product, or use
FDISK /MBR.
Most effective anti-virus products will be able to remove a virus from
a partition sector, but some have difficulties under certain
circumstances. In these cases the user may decide to use FDISK /MBR.
Unless you know precisely what you are doing this is unwise. You may
lose access to the data on your hard disk if the infection was done by
a virus such as Monkey or OneHalf.
(v) Won't formatting the hard disk help?
------------------------------------
No. Formatting the hard disk can result in everything being wiped
from the drive *apart* from the virus. Format leaves the partition
sector untouched. There is always a better way of removing a
virus infection than formatting the hard disk.
[Clarification: FORMAT alters the DOS partition, but leaves the
*partition sector*, aka MBR, alone.]
******************************************************************
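An added illustration of points (i) to (v) above; this code is not from the FAQ. It separates the boot code from the partition table in a 512-byte partition sector, checks for the 55 AA signature that FDISK /MBR depends on, compares the code against a clean copy saved earlier, and restores the code without touching the table. The sector images and partition values are constructed.

```python
# Added example: partition sector (MBR) layout, integrity check and safe
# boot-code restore.  Sample sectors are constructed; offsets are the standard
# MBR layout (446 bytes code, 4 x 16-byte table entries, 2-byte signature).
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # executable code, the part FDISK /MBR rewrites
PART_TABLE_OFF = 446         # four 16-byte entries, left alone by FDISK /MBR
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"      # last two bytes; FDISK /MBR looks for these


def parse_partition_table(sector: bytes) -> list:
    """Decode the four partition entries (CHS fields skipped, LBA decoded)."""
    entries = []
    for k in range(4):
        off = PART_TABLE_OFF + k * PART_ENTRY_LEN
        status, ptype, lba_start, lba_count = struct.unpack_from(
            "<B3xB3xII", sector, off)
        if ptype == 0 and lba_count == 0:
            continue                      # empty slot
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": lba_count})
    return entries


def inspect_mbr(sector: bytes, clean_code: bytes) -> dict:
    """Targeted integrity check of a partition sector against saved clean code."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("partition sector must be exactly 512 bytes")
    sig_ok = sector[SECTOR_SIZE - 2:] == SIGNATURE
    return {
        "boot_code_changed": sector[:BOOT_CODE_LEN] != clean_code,
        "signature_ok": sig_ok,
        # Per the FAQ: without 55 AA, FDISK /MBR wipes the partition table too
        "fdisk_mbr_would_wipe_table": not sig_ok,
        "partitions": parse_partition_table(sector),
    }


def restore_boot_code(sector: bytes, clean_code: bytes) -> bytes:
    """What FDISK /MBR does on a healthy sector: replace the code, keep the table.

    Unlike FDISK /MBR, refuse when the signature is absent instead of risking
    the partition table.
    """
    if sector[SECTOR_SIZE - 2:] != SIGNATURE:
        raise ValueError("no 55 AA signature: save the sector and recover the table first")
    if len(clean_code) != BOOT_CODE_LEN:
        raise ValueError("clean boot code must be 446 bytes")
    return clean_code + sector[BOOT_CODE_LEN:]


def build_mbr(code_fill: int, with_signature: bool = True) -> bytes:
    """Constructed sample MBR: filler 'code', one bootable FAT16 entry, signature."""
    code = bytes([code_fill]) * BOOT_CODE_LEN
    # hypothetical CHS/LBA values for a single primary partition
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xfe\x7f\x0c", 63, 204737)
    table = entry + bytes(PART_ENTRY_LEN * 3)
    sig = SIGNATURE if with_signature else b"\x00\x00"
    sector = code + table + sig
    assert len(sector) == SECTOR_SIZE
    return sector


CLEAN_MBR = build_mbr(0x90)             # copy taken while the system was known clean
CLEAN_CODE = CLEAN_MBR[:BOOT_CODE_LEN]
MODIFIED_MBR = build_mbr(0xCC)          # same table, boot code replaced (as a virus does)
NO_SIG_MBR = build_mbr(0x90, with_signature=False)

if __name__ == "__main__":
    for name, img in [("clean", CLEAN_MBR), ("modified", MODIFIED_MBR),
                      ("no-signature", NO_SIG_MBR)]:
        print(name, inspect_mbr(img, CLEAN_CODE))
    print("restored == clean:", restore_boot_code(MODIFIED_MBR, CLEAN_CODE) == CLEAN_MBR)
```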
* Write protecting suspect floppies stops infection.
This sounds so silly I hesitate to include it. I've never seen it said
on a.c.v., but I've heard it so often in other contexts, I've included
it anyway. Write-protecting a suspect floppy will only protect that
diskette from *re-infection*, if it's already infected. It won't stop
an infected floppy from infecting other (write-enabled) drives.
If you boot with a disk in drive A which is infected with a boot-sector
virus, the fact that the diskette is write-protected will make no
difference at all.
Write-protecting a *clean* floppy will indeed prevent it from being
infected (but see below!).
* The write protect tab always stops a disk write
Briefly, write protection is built into the hardware on the Mac and
on the PC (and most other systems, of course, but we can't cover
everything), and can't be circumvented in software.
However, it is possible for the hardware to fail: it's not common,
but it happens. Thus when I do a cleanup, I try to create a file on a
sacrificial floppy before risking my R/O boot disk. Sometimes, I
even remember....
Other caveats: a disk which you receive write-protected could have
been de-protected, infected, and re-protected. Even a 3.5" disk with
the write-enable tab removed can be written to by covering the hole
with (e.g.) masking tape. And, of course, shrink-wrapped software
could have been infected before the duplication process.
* I can infect my system by running DIR on an infected disk
If you have a clean PC system, you can't contract a boot sector virus
*or* a file virus just by listing the files on an infected floppy.
Of course, if your PC is infected, you may well infect a *clean* floppy
by using
DIR A:
It *is* possible to have a scanner report a virus in memory after a
DIR of a floppy with an infected boot sector. The distinction here is
that the virus is *not* actually loaded into memory, so the PC has
*not* been infected.
-----------------------------------------------------------------------
End of a.c.v. FAQ part 2
-------------------------------------------------------------------
(13) What are the Legal Implications of Computer Viruses?
=========================================================
**********************************************************************
The material in this section has no formal legal standing. It consists
of several persons' attempts to interpret and clarify the legal
issues, and cannot possibly be authoritative.
**********************************************************************
Overview
--------
It isn't possible to deal briefly with all the relevant legislation in
one country, let alone all of them. In the USA, local statutes may be
much more rigorous than federal legislation, which is, arguably, more
concerned with computers in which the government has an interest than
it is with those belonging to individuals.
In many countries, writing of viruses is not an offence in itself,
whereas in others not only is writing an offence, but distribution,
even the sharing of virus code between antivirus researchers, is
also, at least technically, an offence.
Once a virus is released 'into the wild', it is likely to cross
national boundaries, making the writer and/or distributor answerable
for his/her actions under a foreign legal system, in a country
he/she may never have visited.
Even where local criminal law does not cover virus writing or
distribution in a particular case, the individual may nevertheless be
subject to civil action: in other words, where you may be held to have
committed no offence, you may still be sued for damage.
Some of the grounds on which virus writing or distribution may be
found to be illegal (obviously I'm not stating that all these grounds
will apply at all times in all states or countries!) include:
* Unauthorized access - you may be held to have obtained unauthorised
access to a computer you've never seen, if you are responsible for
distribution of a virus which infects that machine.
* Unauthorized modification - this could be held to include an infected
file, boot sector, or partition sector.
* Loss of data - this might include liability for accidental damage as
well as intentional disk/file trashing.
* Endangering of public safety
* Incitement (e.g. making available viruses, virus code, information
on writing viruses, and virus engines)
* Denial of service
* Application of any of the above with reference to computer systems or
data in which the relevant government has an interest.
One major problem is that some residents of the United States
firmly believe that U.S. law is universal law. Worse, most of them
have limited knowledge of their own legal system, but this may apply
to the citizens of many countries. The idea that a person can be
acquitted of a criminal offence yet still lose a civil suit in
connection with that same offence strikes most laymen as preposterous,
yet it does happen in both Canada and the U.S., at least.
Since the law does vary widely from country to country (and even
within countries), it is entirely possible to break the law of another
country, state, province, or whatever, without ever leaving your own,
and since extradition treaties do exist, perhaps it's best to assume
that any act that might be construed as being or causing wilful and
malicious damage to a computer or computer system could get you a
roommate with undesirable tendencies and no social graces. :)
The best advice to give to any one contemplating a possibly illegal act
would be to contact their local Crown Prosecutor, Crown Attorney,
District Attorney, or whatever label the local government prosecutor
wears. Acting on the advice of one's own attorney doesn't render one
immune from prosecution, and the cost of defence can be high, even if
successful.
An extremely biased opinion is that very often attorneys attempt to
provide the answer they believe the client wishes to hear, or give an
opinion in areas where they have no real expertise. Prosecutors, on
the other hand, tend to look at a particular action in the light of
whether a successful prosecution can be mounted. If the local Crown
Prosecutor were to suggest that something was a Bad Thing, I should be
extremely nervous about doing it. :)
USA & Canada
------------
The following is an interpretation of the laws in the USA and
Canada, and has no legal standing as an authoritative document in
those countries or any other. Relevant legislation in other parts of
the world may be very different and in some cases far stricter.
Many thanks to David J. Loundy for his assistance with the legalities
regarding computer crime. A valuable source of information on this
topic can be found in his E-Law paper, which can be accessed
via the URL:
http://www.leepfrog.com/E-Law/E-Law/Part_VII.html
It is illegal in both the USA and Canada to damage data within
a computer system which is used or operated by the
government. This means that if you write a virus, and it
eventually infects a government system (highly probable),
you are in violation of the law. Inclusive in this category
are damages incurred due to computer stoppages (i.e.
writing a virus that causes a computer to crash or become
unusable), and viruses that destroy data.
The question of whether writing malevolent computer viruses is illegal
isn't really that hard to answer: it is illegal to write and spread a
virus that infects a government system. Federal law is unclear as to
whether this extends to private computer systems as well, but State
statutes are frequently unequivocal about defining virus-related crimes
against property.
The question has come up, however, about the distribution
of viruses and virus-related programs. A general guideline
is that it is legal to distribute viruses, for example, on a BBS,
as long as the people who are downloading the virus know
EXACTLY what they are getting. If you intentionally infect a
file and make it available for downloading, you may be
subject to prosecution. Your conscience should be your
guide in this kind of a situation. If a virus distributed by you
is used to damage or otherwise modify a major system, you can be
held accountable.
The reason that the explanations in this section are vague
is that the laws in various states, provinces, etc., are
different, and you should check with your local police before
you decide you want to distribute viruses.
If you spread a virus unknowingly, you generally cannot be
prosecuted unless it can be proven that you spread the
virus due to pure carelessness. The definition of
carelessness has not been tested in a court of law, as
far as I know at the date of writing (9/22/95)
The UK
------
In the UK, the Computer Misuse Act (1990) makes it a crime to make an
unauthorised modification to the contents of a computer. If you own a
computer, you
can authorise anything you want for that computer, so you can
spread a virus on a computer you own. A virus makes a modification,
so if someone deliberately spreads a virus on someone else's
computer, that's a crime. Giving a virus to someone else isn't a
crime if it's with his/her knowledge and permission, however. So,
sending a diskette with a virus on to an AV company, together with
a note saying "There's a virus on this disk, please investigate it
for me" is legal.
If an action is a crime, then encouraging that action can also be a
crime ("incitement").
If you spread a virus unwittingly, then it isn't a crime, as you
don't have "intent".
If someone is negligent, and so spreads a virus (even unwittingly),
then there could be a civil action for damages through negligence.
The Canadian Criminal Code
--------------------------
Please bear in mind that the following information was culled from the
Criminal Code in 1993 and those sections may have been expanded or
revised since then, or possibly some computer-specific legislation may
have been enacted of which I am unaware.
No mention is made in the Code (as of 1993) of computer viruses as such,
but it would seem that prosecution under Sec. 430 would be appropriate.
Quoting from the Code:-
Section 342.1
(1) Every one who, fraudulently and without color of right,
(a) obtains, directly or indirectly, any computer service,
(b) by means of an electro-magnetic, acoustic, mechanical or
any other device, intercepts or causes to be intercepted,
directly or indirectly, any function of a computer system, or
(c) uses or causes to be used, directly or indirectly, a
computer system with intent to commit an offence under
paragraph (a) or (b) or an offence under section 430 in
relation to data or a computer system
is guilty of an indictable offence and liable to imprisonment for a
term not exceeding ten years, or is guilty of an offence punishable
on summary conviction.
(2) In this section,
"computer program" means data representing instructions or statements
that, when executed in a computer system, causes the computer system
to perform a function;
"computer service" includes data processing and the storage or
retrieval of data;
"computer system" means a device that, or a group of interconnected
or related devices one or more of which,
(a) contains computer programs or other data, and
(b) pursuant to computer programs,
(i) performs logic and control, and
(ii) may perform other functions;
"data" means representation of information or of concepts that are
being prepared or have been prepared in a form suitable for use in a
computer system;
"electro-magnetic, acoustic, mechanical or other device" means any
device or apparatus that is used or is capable of being used to
intercept any function of a computer system, but does not include a
hearing aid used to correct subnormal hearing of the user to not
better than normal hearing;
"function" includes logic, control, arithmetic, deletion, storage
and retrieval and communication or telecommunication to, from or
within a computer system;
"intercept" includes listen to or record a function of a computer
system, or acquire the substance, meaning or purport thereof.
--------------- End of Sec. 342.1 ---------------
Apparently the laws governing trespass have not been considered as
having any application in cyberspace. Offenders under the above
section would be charged with mischief, which covers a multitude
of sins under Canadian law. The penalties stipulated in Sec. 342.1
are the same as the penalties for sabotage, just as a point of
interest.
Mischief is covered by Sec. 430:-
Section 430
(1) Every one commits mischief who wilfully
(a) destroys or damages property;
(b) renders property dangerous, useless, inoperative or
ineffective;
(c) obstructs, interrupts or interferes with the lawful use,
enjoyment or operation of property, or
(d) obstructs, interrupts or interferes with any person in
the lawful use, enjoyment or operation of property.
(1.1) Every one commits mischief who wilfully
(a) destroys or alters data;
(b) renders data meaningless, useless or ineffective;
(c) obstructs, interrupts or interferes with the lawful use
of data; or
(d) obstructs, interrupts or interferes with any person in
the lawful use of data or denies access to data to any person
who is entitled to access thereto.
(2) Every one who commits mischief that causes actual danger
to life is guilty of an indictable offence and liable to imprisonment
for life.
(3) Every one who commits mischief in relation to property
that is a testamentary instrument or the value of which exceeds one
thousand dollars
(a) is guilty of an indictable offence and liable to
imprisonment for a term not exceeding ten years; or
(b) is guilty of an offence punishable on summary conviction.
(4) Every one who commits mischief in relation to property,
other than property described in subsection (3),
(a) is guilty of an indictable offence and liable for
imprisonment for a term not exceeding two years; or
(b) is guilty of an offence punishable on summary conviction.
(5) Every one who commits mischief in relation to data
(a) is guilty of an indictable offence and liable to
imprisonment for a term not exceeding ten years; or
(b) is guilty of an offence punishable on summary conviction.
(5.1) Every one who wilfully does an act or wilfully omits
to do an act that it is his duty to do, if that act or omission is
likely to constitute mischief causing actual danger to life, or to
constitute mischief in relation to property or data,
(a) is guilty of an indictable offence and liable to
imprisonment for a term not exceeding five years; or
(b) is guilty of an offence punishable on summary conviction.
(6) No person commits mischief within the meaning of this
section by reason only that
(a) he stops work as a result of the failure of his employer
and himself to agree on any matter relating to his
employment;
(b) he stops work as a result of the failure of his employer and a
bargaining agent acting on his behalf to agree on any matter
relating to his employment; or
(c) he stops work as a result of his taking part in a
combination of workmen or employees for their own reasonable
protection as workmen or employees.
(7) No person commits mischief within the meaning of this
section by reason that he attends at or near or approaches a
dwelling-house or place for the purpose only of obtaining or
communicating information.
(8) In this section, "data" has the same meaning as in
section 342.1.
-------------- End of Sec. 430 -----------------
For the record, from Sec. 785:-
Section 785 (1)
"summary conviction court" means a person who has jurisdiction in the
territorial division where the subject-matter of the proceedings is
alleged to have arisen and who
(a) is given jurisdiction over the proceedings by the
enactment under which the proceedings are taken,
(b) is a justice or provincial court judge, where the
enactment under which the proceedings are taken does not
expressly give jurisdiction to any person or class of
persons, or
(c) is a provincial court judge, where the enactment under
which the proceedings are taken gives jurisdiction in respect
thereof to two or more justices;
To the best of my limited knowledge, the Canadian Criminal Code only
uses the term "incitement" in Sec. 319 (Public incitement of hatred)
and Sec. 53 (incitement to commit a traitorous or mutinous act).
A prosecutor would probably deal with incitement under Sec. 21
(Parties to offence), Sec. 463 (Attempts), or Sec. 465 (Conspiracy).
Section 21
(1) Every one is a party to an offence who
(a) actually commits it;
(b) does or omits to do anything for the purpose of aiding
any person to commit it; or
(c) abets any person in committing it.
(2) Where two or more persons form an intention in common to
carry out an unlawful purpose and to assist each other therein and
any one of them, in carrying out the common purpose, commits an
offence, each of them who knew or ought to have known that the
commission of the offence would be a probable consequence of carrying
out the common purpose is a party to that offence.
--------------- End of Sec. 21 ------------------
"Incite" does get mentioned in Sec. 22:-
Section 22
(1) Where a person counsels another person to be a party to
an offence and that other person is afterwards a party to that
offence, the person who counselled is a party to that offence,
notwithstanding that the offence was committed in a way different
from that which was counselled.
(2) Every one who counsels another person to be a party to
an offence is a party to every offence that the other commits in
consequence of the counselling that the person who counselled knew or
ought to have known was likely to be committed in consequence of the
counselling.
(3) For the purpose of this Act, "counsel" includes procure,
solicit or incite.
-------------- End of Sec. 22 -------------------
Section 23 deals with an accessory after the fact, and I've already
quoted too much, and more to come, but Sections 23.1 and 24 are
interesting.....
Section 23.1
For greater certainty, sections 21 to 23 apply in respect of
an accused notwithstanding the fact that the person whom the accused
aids or abets, counsels or procures or receives, comforts or assists
cannot be convicted of the offence.
Section 24
(1) Every one who, having an intent to commit an offence,
does or omits to do anything for the purpose of carrying out the
intention is guilty of an attempt to commit the offence whether or
not it was possible under the circumstances to commit the offence.
(2) The question whether an act or omission by a person who
has an intent to commit an offence is or is not mere preparation to
commit the offence, and too remote to constitute an attempt to commit
the offence, is a question of law.
-------------- End of Sec. 23.1 and 24 ----------
Under Sec. 465 (1)(c) and 465 (1)(d), conspiring to commit an offence
carries the same penalties as the actual commission of the crime.
Under certain circumstances, laws in other countries may be applicable
in cyberspace, where there are no formal territorial boundaries. For
instance, Sec. 465 (4) of the Canadian Criminal Code stipulates that every
one, "while in a place outside Canada" conspires to commit an offence in
Canada "shall be deemed to have conspired in Canada to do that thing."
Further Information
-------------------
Computer Crime (Icove, Seger, Von Storch) - O'Reilly
Computer Law & Security Report (periodical) - Elsevier Advanced Technology
Dr. Alan Solomon includes information on Hacking and Virus Laws in the
UK and elsewhere on his webpage at
http://www.ibmpcug.co.uk/~drsolly
-----------------------------------------------------------------------
End of a.c.v. FAQ Part 3 of 4
-------------------------------------------------------------------
(14) Miscellaneous
==================
Are there anti-virus packages which check zipped files?
-------------------------------------------------------
An increasing number of packages seem to support checking .ZIP and
other compression formats on the fly. DSAVTK, AVP and NAV 3.0/NAV95
support some formats. The number of formats supported may become as
big a selling point as the total number of viruses detected, but for
most of us it's only really an issue if we do a lot of scanning of
CDs, for instance. Even then, it becomes urgent only when you *unpack*
the archive and want to run programs: a virus inside an archive can't
infect anything until the file is extracted and run, at which point a
scan of the extracted files (or a resident scanner) will catch a known
virus. Compilers of CDs, however, are *not* entitled to use this as an
excuse for not scanning their collections.
What's the genb/genp virus?
---------------------------
This is McAfee-ese for "You may have an unrecognised ('generic')
boot-sector (genb) or partition-sector (genp) virus". Re-check
with a more recent version or the latest version of another
reputable package.
Where do I get VCL and an assembler, & what's the password?
-----------------------------------------------------------
Wrong FAQ. You don't learn anything about viruses, programming
or anything else from virus toolkits. You want rec.knitting. B-)
I can't believe there's anyone left on the Internet who doesn't
know the VCL password, but I'm not going to tell you anyway.
OK, maybe you want an assembler to learn assembly-language, not
just to rehash prefabricated code. Where do you get TASM?
You buy it from Borland or one of their agents, either stand-alone
or with one of their high-level languages. If you want freeware
or shareware, I guess you can still get the likes of CHASM and
A86 (SimTel mirror sites in SimTel/asm).
Send me a virus
---------------
Anti-virus researchers don't usually share viruses with people
they can't trust. Pro-virus types are often unresponsive to
freeloaders. And why would you *trust* someone who's prepared
to mail you a virus, bona-fide or otherwise? [A high percentage
of the 'viruses' available over the internet are non-replicating
junk.]
Requests for viruses by people 'writing a new anti-virus utility'
are usually not taken too seriously.
* We get rather a lot of such requests, which leads to a certain amount
of cynicism.
* Writing a utility to detect a single virus is one thing: writing a
usable, stable, reasonably fast scanner which detects all known
viruses is a considerable undertaking. There are highly experienced
and qualified people working more or less full time on adding routines
to do this to antivirus packages which are already mature, and unless
you have a distinctly novel approach, you don't have much chance of
keeping up with them.
* It may be that the research you're interested in has already been done.
Say what sort of information you're looking for, and someone may be able
to help.
* You can't afford to use junk 'viruses' for research, and the best
collections are largely in the hands of people who won't allow
access to them to anyone without cast-iron credentials.
If you want to test anti-virus software with live viruses, this
is *not* the way to get good virus samples.
Valid testing of antivirus software requires a lot of time, care
and thought and a valid virus test-set. Virus simulators are
unhelpful in this context: a scanner which reports a virus when it
finds one of these is actually false-alarming, which isn't
necessarily what you want from a scanner.
Read Vesselin Bontchev's paper on maintaining a virus library:
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/virlib.zip
It said in a review....
-----------------------
Reviews in the general computing press are rarely useful. Most
journalists don't have the resources or the knowledge to match
the quality of the reviews available in specialist periodicals like
Virus Bulletin or Secure Computing. Of course, it's possible to
produce a useful, if limited assessment of a package without
using live viruses based on good knowledge of the issues involved
(whether the package is NCSA-certified, for instance): unfortunately,
most journalists are unaware of how little they know and have a vested
interest in giving the impression that they know much more than they
do. Even more knowledgeable writers may not make clear the criteria
applied in their review.
Is it viruses, virii or what?
-----------------------------
The Latin root of virus has no plural form. Since the use of the
word virus is borrowed from biology, you might like to conform to
the usage normally favoured by biologists, doctors etc., which is
viruses. However, a number of people favour the terms virii/viri,
either to avoid confusion with the biological phenomenon (but what's
the point of distinguishing in the plural but not in the singular?),
or to avoid being mistaken for anti-virus researchers.....
Where is alt.comp.virus archived?
---------------------------------
It isn't, as far as anyone seems to know. No-one currently working on
the FAQ is likely to offer archiving, since a full archive would
include uploaded viruses. When the FAQ is established, I may do some
work on making an occasional digest available.
Tom Simondi points out that there is an archive of sorts at dejanews. You
can search for several months of messages by subject at:
http://www.dejanews.com/
What about firewalls?
---------------------
Firewalls don't generally screen for computer viruses. However, there
are currently two products which scan for viruses at a point either
before or after a "normal" firewall to the Internet (or internally,
between post offices). These products can scan incoming and outgoing
E-mail attachments for viruses. MIMESweeper, by Integralis, uses your
favourite scanner (e.g. F-PROT, Thunderbyte, Dr. Solomon's, Sophos,
etc.) to scan the attachments after it has unpacked them into a secure
area on the hard drive of the NT machine. The scanner is invoked
through a "batch" file, so any switches or commands the scanner
program(s) support can be used, and several scanners can be run in
turn, each with its own switches. If the attachments are clean, it
sends the E-mail on. Files which it cannot scan are 'quarantined' in
the secure area to be scanned 'by hand'.
MIMESweeper ver. 2.1 reads MIME attachments, UUENCODE, and recognises
ZIP and recursive .ZIP archives, OLE, but does not yet read many other
compression or binary encoding formats. (CDA, BinHex, LHA and Stuffit
are expected shortly). It runs under NT Workstation and requires, as
minimum, a 486 with 24Mb RAM, 500Mb hard disk, and a CD-ROM drive (for
installation only). It works with cc:Mail, SMTP with MIME attachments,
Microsoft Mail, or MHS, and is said to be usable as a filter for other
unwanted material (trojans, for instance) as well as for file viruses.
(MIMEsweeper will be adding FTP and HTTP later).
[The following is included because Integralis' Sales Dept. in the UK
don't seem to have caught up with vs. 2.1 yet.]
MIMESweeper vs. 1.0 reads MIME attachments and recognises ZIP archives,
but does not read other compression formats or binary encoding
formats such as uuencode.
Trend's InterScan VirusWall is similar to MIMEsweeper but uses Trend's
own scanning engine only as the scanner. Trend also scans FTP traffic.
Trend currently runs on SUN Solaris 2.4-5 and will be adding NT later.
These products do real scanning before the mail reaches the recipient's
hard drive but, at least until the holes in the above products are
filled, make sure your mail attachments, WWW downloads etc. can't be
automatically executed, and use a good TSR/VXD in combination with a
good scanner. Note that scanning FTP traffic is likely to add a heavy
network overhead and probably won't catch as many viruses as checking
*all* files from *all* sources with a desktop scanner.
For firewall-related information, see comp.security, comp.security.firewalls,
or, if you don't mind your mail by the ton, the firewalls mailing-lists.
Books:
Firewalls and Internet Security (Cheswick, Bellovin) - Addison-Wesley
Building Internet Firewalls (Chapman, Zwicky) - O'Reilly
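As an added illustration of what the archive-aware scanners mentioned
under "Are there anti-virus packages which check zipped files?" and a
gateway like MIMESweeper have to do, here is some example code written
for this FAQ. It is not Integralis' or Trend's code, and the "scanner"
is a constructed marker check standing in for a real engine. Each
attachment is decoded, ZIPs are opened recursively to a fixed depth,
every extracted file is handed to the scanner, and anything the gateway
can't open (an archive format it doesn't handle, an encrypted entry,
nesting that is too deep, more inflated data than it is prepared to
hold) is quarantined rather than passed on. The attachment names, the
marker string and the sample message are all made up.

```python
"""Gateway-style attachment scanning (added example, not MIMESweeper's or
InterScan's code): decode every attachment, open ZIPs recursively to a fixed
depth, hand each extracted file to a scanner, and quarantine whatever the
gateway cannot open.  The 'scanner' is a constructed marker check."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

TEST_SIGNATURE = b"CONSTRUCTED-INFECTED-MARKER"   # made-up stand-in for a real signature
UNSUPPORTED_ARCHIVES = (".lha", ".lzh", ".sit", ".hqx", ".arj")  # cannot open: quarantine
MAX_DEPTH = 4                     # nested ZIPs deeper than this are quarantined unopened
MAX_UNPACKED = 8 * 1024 * 1024    # total bytes we are willing to inflate per message


def scan_bytes(data):
    """Stand-in for the external scanner: True if the constructed marker is present."""
    return TEST_SIGNATURE in data


def _walk_blob(name, data, depth, budget, findings):
    """Unpack `data` (recursing into ZIPs) and append (status, path) to findings.
    `budget` is a one-element list holding the remaining inflation allowance."""
    if name.lower().endswith(UNSUPPORTED_ARCHIVES):
        findings.append(("quarantine", name))
        return
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            findings.append(("quarantine", name))
            return
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member_name = "%s/%s" % (name, info.filename)
                    if info.is_dir():
                        continue
                    if info.flag_bits & 0x1 or info.file_size > budget[0]:
                        # encrypted entry, or would blow the inflation budget
                        findings.append(("quarantine", member_name))
                        continue
                    member = zf.read(info.filename)
                    budget[0] -= len(member)
                    _walk_blob(member_name, member, depth + 1, budget, findings)
        except (zipfile.BadZipFile, RuntimeError):
            findings.append(("quarantine", name))
        return
    findings.append(("infected" if scan_bytes(data) else "clean", name))


def scan_message(raw):
    """Return (status, path) for every attachment and every archive member."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    budget = [MAX_UNPACKED]
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""
        _walk_blob(name, payload, 0, budget, findings)
    return findings


def verdict(findings):
    """Deliver only when everything scanned clean; hold anything infected or unscannable."""
    return "deliver" if all(status == "clean" for status, _ in findings) else "hold"


def build_sample_message():
    """Constructed test message: a clean text file, a ZIP holding a ZIP holding
    a marked .COM, and an LHA archive the gateway cannot open."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("PAYLOAD.COM", b"\xb8\x00\x4c\xcd\x21" + TEST_SIGNATURE)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())
        zf.writestr("README.TXT", b"nothing to see here")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "gateway@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("body text")
    msg.add_attachment(b"plain notes", maintype="application",
                       subtype="octet-stream", filename="NOTES.TXT")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="zip", filename="stuff.zip")
    msg.add_attachment(b"-lh5-not really an archive", maintype="application",
                       subtype="octet-stream", filename="old.lha")
    return msg.as_bytes()


if __name__ == "__main__":
    results = scan_message(build_sample_message())
    for status, path in results:
        print("%-10s %s" % (status, path))
    print("verdict:", verdict(results))
```

The point of the depth and size limits is that an archive can be
built to defeat the gateway rather than to smuggle a virus past it
(ZIPs nested dozens deep, or a few kilobytes that inflate to gigabytes),
and the only safe answer to anything the gateway can't fully open is to
hold it, exactly as the text says MIMESweeper does with files it cannot
scan.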
Viruses on CD-ROM
-----------------
Viruses have been distributed on CD ROM (for instance, Microsoft
shipped Concept, the first (in the wild) macro virus, on a CD ROM called
"Windows 95 Software Compatibility Test" in 1995). It is wise to scan CD
ROMs on arrival for viruses, just like floppies. If the CD ROM has
compressed or archived files it is wise to scan it with an anti-virus
package which can cope with large amounts of compressed and archived
files.
[If you scan all drives at every boot, though, you may find that this
gives you a good incentive to remove CDs from your CD drive before
you power down, especially if your scanner isn't set to allow you
to break out of a scan. B-)]
Removing viruses
----------------
It is always better from a security point of view to replace infected
files with clean, uninfected copies. However, in some circumstances this
is not convenient. For example, if an entire network were infected with
a fast-infecting file virus then it may be a lot quicker to run a quick
repair with a reliable anti-virus product than to find clean, backup copies
of the files. It should also be realised that clean backups may not be
available. If a site has been hit by Nomenklatura, for example, it may
take a long time before it is realised that you have been infected. By
that time the data in backups may have been seriously compromised.
There are virtually no circumstances under which you should need to reformat
a hard disk, however: in general, this is an attempt to treat the symptom
instead of the cause. Likewise re-partitioning with FDISK.
If you use a generic low-level format program, i.e. one which isn't
specifically for the make and model of drive you actually own, you
stand a good chance of trashing the drive more thoroughly than any
virus yet discovered.
Can't viruses sometimes be useful?
----------------------------------
Vesselin Bontchev wrote a respected paper on this subject:
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/goodvir.zip
Fred Cohen has done some heavy-duty writing in the other direction.
Start with "A Short Course on Computer Viruses", "It's Alive!"(Wiley).
In general, it's hard to imagine a situation where (e.g.) a
maintenance virus is the *only* option. I have yet to see a convincing
example of a potentially useful virus which *needs* to be a virus.
Such a program would have to be *much* better written and error-trapped
than viruses usually are.
Do I have a virus, and how do I know?
-------------------------------------
Almost anything odd a computer may do can be (and has been)
blamed on a computer "virus," especially if no other
explanation can readily be found. In most cases, when an
anti-virus program is then run, no virus is found.
A computer virus can cause unusual screen displays, or
messages - but most don't do that. A virus may slow the
operation of the computer - but many times that doesn't
happen. Even longer disk activity, or strange hardware
behavior can be caused by legitimate software, harmless
"prank" programs, or by hardware faults. A virus may cause
a drive to be accessed unexpectedly (and the drive light to
go on) - but legitimate programs can do that also.
One usually reliable indicator of a virus infection is
a change in the length of executable (*.com/*.exe) files, a
change in their content, or a change in their file date/time
in the Directory listing. But some viruses don't infect
files, and some of those which do can avoid showing changes
they've made to files, especially if they're active in RAM.
Another common indication of a virus infection is a
change to interrupt vectors or the reassignment of system
resources. Unaccounted use of memory or a reduction in the
amount normally shown for the system may be significant.
In short, observing "something funny" and blaming it on
a computer virus is less productive than scanning regularly;
and not scanning because "everything is running OK" is
equally inadvisable.
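The "change in length, content or date/time of executables" indicator
above is what an integrity checker automates. The following is an added
example written for this FAQ, not a product's code: it fingerprints
every .COM/.EXE under a directory and reports anything whose size,
date/time or content hash has changed. The scenario at the end is
constructed: one file is "infected" by appending to it, one is
overwritten in place with its date/time put back (which is why the
checker compares a content hash and not just size and date), and a new
executable is dropped. Remember the caveat in the text: a stealth virus
active in memory can serve the checker the original file contents, so
run the comparison after a clean floppy boot and keep the baseline on a
write-protected disk.

```python
"""Executable integrity check: record size, date/time and a content hash for
every .COM/.EXE file, then report what changed.  Added example for this FAQ,
not taken from any product.  Run it from a clean boot: a stealth virus that
is active in memory can hand the checker the original, uninfected bytes."""
import hashlib
import os
import shutil
import tempfile

EXEC_SUFFIXES = (".com", ".exe")
BASELINE_TIME = 800_000_000  # fixed timestamp for the constructed scenario (mid-1995)


def fingerprint(path):
    """Size, modification time (whole seconds) and SHA-256 of one file."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def build_baseline(root):
    """Fingerprint every executable under root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXEC_SUFFIXES):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(baseline, current):
    """Return sorted (relpath, reason) pairs for changed, new and missing executables."""
    changes = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            changes.append((rel, "missing"))
        elif new["sha256"] != old["sha256"]:
            # Content differs.  Report whether size and date/time give it away
            # too, or whether the infector hid them (same length, restored date).
            size_note = ("size %d->%d" % (old["size"], new["size"])
                         if new["size"] != old["size"] else "size unchanged")
            time_note = "mtime changed" if new["mtime"] != old["mtime"] else "mtime unchanged"
            changes.append((rel, "content changed (%s, %s)" % (size_note, time_note)))
        elif new["mtime"] != old["mtime"]:
            changes.append((rel, "timestamp changed, content identical"))
    for rel in current:
        if rel not in baseline:
            changes.append((rel, "new executable"))
    return sorted(changes)


def demo():
    """Constructed scenario: take a baseline, 'infect' two files, drop a third."""
    root = tempfile.mkdtemp()
    try:
        files = {
            "CMD.EXE": b"MZ" + b"\x00" * 64,           # fake EXE, 66 bytes
            "GAME.COM": b"\xb8\x00\x4c\xcd\x21",        # DOS exit stub, 5 bytes
            "READ.ME": b"not an executable",            # ignored by the checker
        }
        for name, body in files.items():
            path = os.path.join(root, name)
            with open(path, "wb") as f:
                f.write(body)
            os.utime(path, (BASELINE_TIME, BASELINE_TIME))
        before = build_baseline(root)

        # 1. Appending infector: file grows and its date/time moves to now.
        with open(os.path.join(root, "CMD.EXE"), "ab") as f:
            f.write(b"VIRUS BODY")
        # 2. Overwriting infector of the same length that puts the original
        #    date/time back: only the content hash shows the change.
        game = os.path.join(root, "GAME.COM")
        with open(game, "wb") as f:
            f.write(b"\xcd\x20\x90\x90\x90")
        os.utime(game, (BASELINE_TIME, BASELINE_TIME))
        # 3. A dropper leaves a new executable behind.
        with open(os.path.join(root, "DROP.COM"), "wb") as f:
            f.write(b"\xc3")

        after = build_baseline(root)
        return compare(before, after)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, reason in demo():
        print("%-10s %s" % (rel, reason))
```

A checker like this is only as good as the baseline: take it on a
freshly installed or freshly scanned system, store it somewhere the
infected machine can't rewrite (a write-protected floppy, in this
FAQ's terms), and treat "content changed, size and date unchanged" as
the most suspicious result of all, since legitimate updates rarely go
to the trouble of restoring a file's date/time.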
What should be on a (clean) boot disk?
--------------------------------------
A boot floppy is one which contains the basic operating system, so that
if the hard disk becomes inaccessible, you can still boot the machine
to attempt some repairs. NB All formatted floppies contain a boot sector,
but only floppies which contain the necessary system files can be used
as boot floppies (which is why a non-system floppy left in the drive
at boot time can still pass on a boot sector virus: the boot sector is
executed before the PC discovers there are no system files). A clean
boot disk is one which is known not to be virus-infected. It's best to
use a clean boot disk before routine scans of your hard disk(s). Some
antivirus packages will refuse to run if there is a virus in memory. It
is usually better and sometimes mandatory to disinfect a system without
the virus in memory, and an undetected file virus may actually spread
faster during a scan, since scanners normally open all executable files
in all directories.
To make an emergency bootable floppy disk, put a disk in drive A and type
FORMAT A: /S
Be careful to avoid 'cross-formatting', i.e. formatting a double-density
disk as high-density or vice versa, if your system allows this. (You should
avoid this all the time, not just when creating a boot disk. I'd also
recommend avoiding single-density and quad-density disks, and there may
be problems writing to double-density 5.25" disks on a different machine
from the one on which they were formatted, if one machine is an XT and the
other an AT or better.)
You can also make a pre-formatted floppy into a boot disk by typing
SYS A:
I'd suggest you also COPY these commands from C:\DOS to it: ATTRIB,
CHKDSK (or SCANDISK if you have DOS6), FDISK, FORMAT, SYS, and BACKUP and
RESTORE (or whatever backup program you use, if it will fit). They may
come in handy if you can't access the hard disk, or it won't boot up.
You may be aware that if there is a problem with your boot sequence, you
can boot from the hard disk on a DOS 6/7/Win95 system while bypassing
AUTOEXEC.BAT and CONFIG.SYS. This is not as good as a clean floppy boot:
it won't help at all if you have a boot sector/partition sector infector,
or if any or all of the basic operating system files have been infected
by a file virus.
The boot disk should have been created with the same version of DOS as
you have on your hard disk. It should also include any drivers necessary
to access your hard disk and other devices. If, for some reason, you
can't obtain a clean boot disk with the same version of DOS, you can
often get away with booting from a (clean) disk using a different
version: indeed, there are viruses which exploit a bug in recent
versions of MS-DOS to prevent a clean boot from DOS versions 4-6. If you
*do* use a different version, remember that you won't be able to use
many of the standard DOS system utilities on the hard disk, which will
simply return a message like 'Wrong DOS version' when you try to run
them, and avoid the use of FORMAT or FDISK.
If you become virus-infected it can be very helpful to have a backup of your
hard disk's boot sector and partition sector (also known as the MBR). Some
anti-virus and disk utilities can do this. Other useful tools to include are
a small DOS-based text editor (for editing AUTOEXEC.BAT, CONFIG.SYS and so
forth), a copy of the DOS commands COMP or FC (for comparing files),
FDISK and SYS (make sure they are from the same version of DOS as you are
booting). There is a school of thought that your boot disk should also
include your anti-virus software. The problem with this is that
anti-virus software should be updated frequently, and you may forget to
update (and re-write-protect) your boot disk each time. Ideally you will
have been sent a clean, write-protected copy of the latest version of your
anti-virus software by your vendor/supplier.
If you want to use the DOS program EDIT, remember that you need both
EDIT.* and QBASIC.* on the same disk.
When you have everything you need on your boot floppy and any supplementary
floppies (see below), make sure they're all *write-protected*!
How do I know I have a clean boot disk?
---------------------------------------
You can't usually make up a clean boot disk on a system which has been
booted from an infected floppy or hard disk. So how do you know you're
booting clean? Actually, you can never be 100% sure. If you buy a PC
with the system already installed, you can't be sure the supplier
didn't format it with an infected disk. If you get a set of system
disks, can you assume that Microsoft or the disk duplicator
didn't somehow release a contaminated disk image? (Yes, something rather
like this has indeed happened...) However, you can be better than 99%
sure.
* If you have (and use) a reputable, up-to-date virus scanner, it will
almost invariably detect a known virus in memory (scanners can't be
relied on to detect an unknown virus, in memory or not). If a good
scanner doesn't ring an alarm bell, you've *almost* certainly booted
clean. What constitutes a good scanner is another question....
* If you have a set of original system disks which you received
shrinkwrapped *and* which you've never used *or* which have only been
used write-protected, you can probably use Disk 1 as a boot disk and
it *probably* isn't infected - after all, Microsoft doesn't use MSAV
for jobs like this..... It has been reported, though, that DOS
systems disks have been distributed infected, and the fact that
they're often distributed write-enabled doesn't inspire confidence.
* You could always contact the supplier of your most-trusted anti-virus
utility and ask whether you can send them a boot floppy to check. Of
course, even anti-virus gurus sometimes make mistakes, but a boot
disk verified in this way would still be worth paying for,
especially for organizations with mission-critical systems.
* S&S are planning to distribute a 'Magic Bullet' disk with future versions
of their Dr. Solomon product, which will boot a PC with just enough
functionality to enable users to run their scanning software without
infringing Microsoft's copyright (as they would be doing if they
distributed a bootable DOS floppy). This strikes me as an excellent
idea.
* When the unit I work for approached Microsoft to check on the legal
position as regards distributing a clean boot disk with anti-virus
software updates within the organization, we were told that this was
OK as long as the boot floppy was made with the same version of DOS as
the version on the target machine. Any organization wishing to do
this might like to check with Microsoft that this is still their formal
position.
What other tools might I need?
------------------------------
Other suggestions have included a sector editor, and Norton Utilities
components such as Disk Doctor (NDD). These are not suitable for use by
the technically-challenged - any tool which can manipulate disks at a
low level is potentially dangerous. If you do use tools like this, make
sure they're good quality and up-to-date. If you attack a 1GB disk with
a package that thinks 32MB is the maximum for a partition and MFM disk
controllers are leading edge, you're in for trouble....
A copy of PKZIP/PKUNZIP or a similar compression/decompression utility may
be useful both for retrieving data and for cleaning (some) stealth viruses.
The MSD diagnostic tool supplied with recent versions of DOS and Windows
is a useful addition. QEMM includes a useful diagnostic tool called
Manifest. Heavy duty diagnostic packages like CheckIt! may be of use.
There are some useful shareware/freeware diagnostic packages, too.
Obviously, these are not all going to go on one bootdisk. When you
prepare a toolkit like this, make sure *all* the disks are
write-protected!
Tech support types are likely to find that an assortment of bootable
disks including various versions of DOS comes in useful on occasion.
If you have one or two non-Microsoft DOS versions (DR-DOS/Novell DOS
or PC-DOS), they can be a useful addition. DoubleSpaced or similar
drives will need DOS 6.x; Stacked drives will need appropriate
drivers loaded.
My understanding of the copyright position is that Microsoft does
not encourage you to *distribute* bootable disks (even if they contain
only enough files to minimally boot the system) *unless* the target
system is loaded with the same version of MS-DOS as the boot floppy.
Support engineers will need to ensure that they are legally entitled
to all DOS versions for which they have bootable disks.
What are rescue disks?
----------------------
Many antivirus and disk repair utilities can make up a (usually
bootable) rescue disk for a specific system. This needs a certain
amount of care and maintenance, especially if you make up more than
one of these for a single PC with more than one utility. Make sure
you update *all* your rescue disks when you make a significant
change, and that you understand what a rescue disk does and how it
does it before you try to use it. Don't try to use a rescue disk
made up on one PC on another PC, unless you're very sure of what
you're doing: you may lose data.
Are there CMOS viruses?
-----------------------
Although a virus (e.g. antiCMOS) CAN write to (and corrupt) a
PC's CMOS memory, it can NOT "hide" there. The CMOS memory
used for system information (and backed up by battery power) is
not "addressable," and requires Input/Output ("I/O") instructions
to be usable.
Data stored there are not loaded from there and executed, so virus
code written to CMOS memory would still need to infect an
executable program in order to load and execute whatever it wrote.
A virus could use CMOS memory to store part of its code,
and some tamper with the CMOS Setup's values. However,
executable code stored there must first be moved to
DOS memory in order to be executed. Therefore, a virus
can NOT spread from, or be hidden in CMOS memory.
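The paragraphs above make two points a defender can act on: CMOS is reached only through the index/data port pair, never as addressable memory, and what a virus can do there is corrupt setup values. The following is an added example, not code from the FAQ or from any product it mentions: it checks the BIOS checksum that an AT-compatible machine keeps over its setup bytes (bytes 0x10 to 0x2D, with the 16-bit sum stored at 0x2E/0x2F), which is the simplest way to notice that something has tampered with the setup. The CMOS image here is a constructed byte array so the check runs on any machine; the helper names and the sample setup values are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not from the FAQ): a tamper check over an AT-compatible
 * CMOS image. On a real PC the 64 bytes of CMOS RAM are reached only via
 * two I/O ports: write the byte index to port 0x70, then read or write the
 * value through port 0x71. No memory address maps to it, so the CPU can
 * never fetch instructions from CMOS; code stored there cannot run by itself.
 * Here the image is a constructed byte array so the check runs anywhere.
 */

#define CMOS_SIZE        64
#define CMOS_CKSUM_FIRST 0x10 /* first byte covered by the BIOS checksum */
#define CMOS_CKSUM_LAST  0x2D /* last byte covered (inclusive) */
#define CMOS_CKSUM_HI    0x2E /* stored checksum, high byte */
#define CMOS_CKSUM_LO    0x2F /* stored checksum, low byte */

/* Simulated port protocol: select the index (port 0x70), read data (0x71). */
static unsigned char cmos_read(const unsigned char *image, unsigned char index)
{
    return image[index & (CMOS_SIZE - 1)];
}

/* 16-bit sum of bytes 0x10..0x2D, as the AT BIOS computes it. */
unsigned cmos_checksum(const unsigned char *image)
{
    unsigned sum = 0;
    for (int i = CMOS_CKSUM_FIRST; i <= CMOS_CKSUM_LAST; i++)
        sum += cmos_read(image, (unsigned char)i);
    return sum & 0xFFFF;
}

/* Returns 1 when the stored checksum matches the setup bytes, else 0. */
int cmos_checksum_ok(const unsigned char *image)
{
    unsigned stored = ((unsigned)cmos_read(image, CMOS_CKSUM_HI) << 8)
                    | cmos_read(image, CMOS_CKSUM_LO);
    return cmos_checksum(image) == stored;
}

/* Build a constructed sample image with a valid checksum. The setup values
 * are arbitrary placeholders, not a real machine's configuration. */
void build_sample_cmos(unsigned char *image)
{
    memset(image, 0, CMOS_SIZE);
    for (int i = CMOS_CKSUM_FIRST; i <= CMOS_CKSUM_LAST; i++)
        image[i] = (unsigned char)(0x20 + i); /* constructed setup values */
    unsigned sum = cmos_checksum(image);
    image[CMOS_CKSUM_HI] = (unsigned char)(sum >> 8);
    image[CMOS_CKSUM_LO] = (unsigned char)(sum & 0xFF);
}

/* Returns 1 if a single-byte corruption of the sample image is detected. */
int demo_tamper_detected(void)
{
    unsigned char cmos[CMOS_SIZE];
    build_sample_cmos(cmos);
    if (!cmos_checksum_ok(cmos)) return 0;   /* pristine image must pass */
    cmos[0x12] ^= 0xFF;                      /* simulate a corrupted setup byte */
    return cmos_checksum_ok(cmos) ? 0 : 1;
}

int main(void)
{
    unsigned char cmos[CMOS_SIZE];
    build_sample_cmos(cmos);
    printf("pristine image: checksum %s\n", cmos_checksum_ok(cmos) ? "OK" : "BAD");
    cmos[0x12] ^= 0xFF;
    printf("after tamper:   checksum %s\n", cmos_checksum_ok(cmos) ? "OK" : "BAD");
    return 0;
}
```

A failed checksum is exactly what the BIOS reports as a "CMOS checksum error" at power-on; the check says that the setup values changed, not what changed them, so it is a prompt to re-enter setup and run a scanner, not a diagnosis in itself.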
[There are also reports of a trojanized AMI BIOS - this is
not a virus, but a 'joke' program which does not replicate.
If the date is 13th of November, it stops the bootup process
and plays 'Happy Birthday' through the PC speaker. In this
case, the only cure is a new BIOS - contact your dealer.]
[There are also reports of a trojanized 3rd-party keyboard
which puts the string 'Welcome to Datacomp' to the console,
if I can use such archaic terminology in a Mac context B-)
- both the Virus-L FAQ versions include information on this.]
How do I know I'm FTP-ing 'good' software?
------------------------------------------
Reputable sites like SimTel and Garbo check uploaded utilities for
viruses before making them publicly available. However, it makes
sense not to take anything for granted. I'm aware of at least one
instance of a virus-infected file being found on a SimTel mirror:
you can't scan a newly-uploaded file for a virus your scanner
doesn't know about. Good A/V packages include self-checking code,
though it's unsafe to depend even on this 100%. Be paranoid: you
know it makes sense....
In general, don't run *anything* downloaded from the Internet,
BBSs etc. until it's been checked with at least one reputable
and up-to-date antivirus scanner.
What is 386SPART.PAR?
---------------------
People are sometimes alarmed at finding they have a hidden file
with this name. It is, in fact, created by Windows 3.x when you
configure it to use a permanent swap file (a way of allowing Windows
to work as if you had more memory than you really do). On no account
should you delete it, as it will upset your configuration. If you wish
to remove it or adjust the size, do so via the 386 Enhanced
setting in Control Panel. However, a permanent swap file usually
improves performance on a machine with relatively little memory.
The file is not executable as such, and reports of virus infection
are usually false positives.
Can I get a virus to test my antivirus package with?
----------------------------------------------------
Well, I won't send you one... Most packages have some means of allowing
you to trigger a test alert. There is a standard EICAR test file which
is recognized by F-Prot and Dr. Solomon's AntiVirus ToolKit, and possibly
other antivirus packages.
Type or copy/paste the following text into a file called EICAR.COM,
or TEST.COM or whatever.
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Running the file displays the text EICAR-STANDARD-ANTIVIRUS-TEST-FILE.
Scanning the file with one of the components of these packages should
trigger an alert.
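Typing the string by hand is error-prone, and a scanner is only expected to flag the file when it follows the EICAR rules: the 68-character string at offset zero, optionally followed by whitespace only (space, tab, CR, LF or Ctrl-Z), with the whole file no longer than 128 bytes. The following is an added example, not code from the FAQ or from any of the products it names: it writes the test file and checks a buffer against those rules, so you can tell a malformed copy (which no scanner will alert on) from a genuine one before blaming the scanner. Function names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not from the FAQ): write the EICAR test file and check a
 * buffer against the EICAR rules. The file begins with the 68-character
 * string below; it may be followed only by whitespace (space, tab, CR, LF
 * or Ctrl-Z) and must not exceed 128 bytes in total. Anything else is not
 * the test file. The backslash is doubled only for the C string literal.
 */

#define EICAR_LEN      68
#define EICAR_MAX_FILE 128
static const char EICAR_STRING[] =
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";

/* Returns 1 if buf[0..len) is a valid EICAR test file, 0 otherwise. */
int is_eicar(const unsigned char *buf, size_t len)
{
    if (len < EICAR_LEN || len > EICAR_MAX_FILE) return 0;
    if (memcmp(buf, EICAR_STRING, EICAR_LEN) != 0) return 0;
    for (size_t i = EICAR_LEN; i < len; i++) {
        unsigned char c = buf[i];
        if (c != ' ' && c != '\t' && c != '\r' && c != '\n' && c != 0x1A)
            return 0; /* a non-whitespace trailer disqualifies the file */
    }
    return 1;
}

/* Write the bare 68-byte test file; returns 0 on success, -1 on error. */
int write_eicar_file(const char *path)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t n = fwrite(EICAR_STRING, 1, EICAR_LEN, f);
    int closed = fclose(f);
    return (closed == 0 && n == EICAR_LEN) ? 0 : -1;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "EICAR.COM";
    if (write_eicar_file(path) != 0) {
        perror(path);
        return 1;
    }
    printf("wrote %s (%d bytes); point your scanner at it\n", path, EICAR_LEN);
    return 0;
}
```

The file is a legitimate DOS .COM program built entirely from printable characters, which is why it can be typed in; if your copy fails `is_eicar`, fix the file before concluding that the scanner missed it.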
There has been a long thread recently on whether the Rosenthal
Simulator is useful for this sort of job. This will be considered
at length here when I have the time to look at it, but it should be
noted that many of the anti-virus researchers who have contributed
to this document have expressed considerable scepticism.
When I do DIR | MORE I see a couple of files with funny names...
----------------------------------------------------------------
Actually, this is in the Virus-L FAQ. Read that and post the question
to comp.virus or alt.comp.virus if you're still worried. Basically,
the answer is that MORE creates a couple of temporary files, being
considerably less efficient than the Unix utility it attempts to
emulate. Most versions of DOS since the Middle Ages support the
syntax DIR /P, which does the same job less messily. In fact,
if you have a version of DOS later than 5, you might consider
incorporating it into the environment variable DIRCMD, so that it
becomes your default on directory listings which exceed 1 screenful.
Of course, other utilities such as ATTRIB can also be filtered through
MORE like this, which may result in similar symptoms.
------------------------------------------------------------
Reasons NOT to use FDISK /MBR
-----------------------------
See Section 12 in part 2 of this FAQ for further information about FDISK
with the undocumented /MBR switch. However, people with virus problems
are frequently advised, out of ignorance or maliciousness, to use this
switch in circumstances where it can lead to an inability to access your
disk drive and possible loss of data (not to mention hair and sanity).
Essentially, you should avoid using FDISK /MBR unless you have it on good
authority that it's safe and necessary to do so. In most circumstances, it's
safer to clean a partition sector with a good anti-virus program.
You should avoid FDISK /MBR at all costs under the following circumstances:
1. Under an infection of viruses that don't preserve the Partition Table
e.g., Monkey, reported at 7.2% of the infections reported to _Virus
Bulletin_ for December '95, the last report for which I have data
2. Under an infection that encrypts data on the hard drive and keeps
the key in the MBR, e.g., One_half -- reported at 0.8% worldwide
3. When security software, e.g., PC-DACS is in use
4. When a driver like Disk Manager or EZDrive is installed
5. When a controller that stores data in (0,0,1) (cylinder 0, head 0,
sector 1) is in use
6. When more than one BSI virus is active, in some conditions
7. When a data diddler is active, e.g. Ripper, accountable for 3.8% of
the infections reported in the study cited above (N.B.: while this
case won't be fixed by AV utilities, at least one will know why
there are problems with the drive)
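The common thread in cases 1, 2 and 4 is that FDISK /MBR rewrites the 446 bytes of master boot code and leaves whatever partition table is already in the sector, so if a virus or driver has put something other than the real table there, the "repair" destroys the only code that knew where the real table was. The following is an added example, not from the FAQ or from any utility it names: it inspects a 512-byte MBR image and reports on the partition table and signature before anyone rewrites anything. The sector here is a constructed byte array (a single active FAT16 partition) rather than one read from a disk; the flag names and helper functions are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/*
 * Added example (not from the FAQ): sanity-check a master boot record before
 * it is rewritten. The layout is standard: 446 bytes of boot code, four
 * 16-byte partition entries at offset 0x1BE, and the signature 0x55 0xAA at
 * offset 0x1FE. The sector used here is constructed, not read from a disk.
 */

#define SECTOR_SIZE       512
#define PART_TABLE_OFFSET 0x1BE
#define PART_ENTRY_SIZE   16
#define SIG_OFFSET        0x1FE

enum mbr_flags {
    MBR_SIG_MISSING  = 1 << 0, /* no 0x55AA at the end of the sector */
    MBR_TABLE_EMPTY  = 1 << 1, /* all four entries are zero */
    MBR_NO_ACTIVE    = 1 << 2, /* no entry carries the 0x80 boot flag */
    MBR_MULTI_ACTIVE = 1 << 3, /* more than one entry flagged active */
    MBR_BAD_FLAG     = 1 << 4, /* status byte other than 0x00 or 0x80 */
    MBR_ZERO_LENGTH  = 1 << 5  /* entry has a type but zero sectors */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns a bitmask of mbr_flags; 0 means the table looks sane. */
unsigned inspect_mbr(const uint8_t *sector)
{
    unsigned flags = 0;
    int active = 0, used = 0;

    if (sector[SIG_OFFSET] != 0x55 || sector[SIG_OFFSET + 1] != 0xAA)
        flags |= MBR_SIG_MISSING;

    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sector + PART_TABLE_OFFSET + i * PART_ENTRY_SIZE;
        int empty = 1;
        for (int j = 0; j < PART_ENTRY_SIZE; j++)
            if (e[j]) { empty = 0; break; }
        if (empty) continue;
        used++;
        uint8_t status = e[0], type = e[4];
        if (status == 0x80) active++;
        else if (status != 0x00) flags |= MBR_BAD_FLAG;
        if (type != 0 && le32(e + 12) == 0) flags |= MBR_ZERO_LENGTH;
    }
    if (used == 0) flags |= MBR_TABLE_EMPTY;
    else if (active == 0) flags |= MBR_NO_ACTIVE;
    if (active > 1) flags |= MBR_MULTI_ACTIVE;
    return flags;
}

/* Constructed sample: one active FAT16 partition, LBA start 63. */
void build_sample_mbr(uint8_t *sector)
{
    memset(sector, 0, SECTOR_SIZE);
    uint8_t *e = sector + PART_TABLE_OFFSET;
    e[0] = 0x80;                             /* active (bootable) */
    e[1] = 0x01; e[2] = 0x01; e[3] = 0x00;   /* CHS start: head 1, sector 1, cyl 0 */
    e[4] = 0x06;                             /* type 06h: FAT16 */
    e[5] = 0x0F; e[6] = 0xFF; e[7] = 0xFF;   /* CHS end: constructed placeholder */
    uint32_t start = 63, count = 2097089;    /* constructed LBA values */
    for (int k = 0; k < 4; k++) {
        e[8 + k]  = (uint8_t)(start >> (8 * k));
        e[12 + k] = (uint8_t)(count >> (8 * k));
    }
    sector[SIG_OFFSET] = 0x55;
    sector[SIG_OFFSET + 1] = 0xAA;
}

int main(void)
{
    uint8_t mbr[SECTOR_SIZE];
    build_sample_mbr(mbr);
    printf("sample MBR: flags 0x%02x\n", inspect_mbr(mbr));
    memset(mbr + PART_TABLE_OFFSET, 0, 4 * PART_ENTRY_SIZE); /* table wiped */
    printf("table wiped: flags 0x%02x\n", inspect_mbr(mbr));
    return 0;
}
```

A non-zero result is the point at which to stop and reach for a clean boot floppy, a sector backup and a current scanner rather than FDISK; a table that is empty or missing its signature is one of the situations the list above tells you FDISK /MBR will not recover.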
------------------------------------------------------------
Why do people write/spread viruses?
-----------------------------------
From postings which have appeared in alt.comp.virus in the past:
* they don't understand or prefer not to think about the consequences
for other people
* they simply don't care
* they don't consider it to be their problem if someone else is
inconvenienced
* they draw a false distinction between creating/publishing viruses
and distributing them
* they consider it to be the responsibility of someone else to protect
systems from their creations
* they get a buzz, acknowledged or otherwise, from vandalism
* they consider they're fighting authority
* they like 'matching wits' with antivirus vendors
* it's a way of getting attention, getting recognition from their peers
and their names (or at least that of their virus) in the papers and
the Wild List
* they're keeping the antivirus vendors in a job
How seriously you take some of these assertions is up to you....
------------------------------------------------------------
Where can I get an anti-virus policy?
-------------------------------------
There is some relevant material in the Virus-L FAQ document, but you'll
need to do most of the work specific to your own environment. It's worth
doing some general reading on security policies and getting
the distinctions straight between policies, strategies, standards,
procedures and protocols. I'm working on this in other contexts: some of
that material may eventually seep back into here.
The NCSA have a Corporate Virus Prevention Policy disk/document which can
be ordered via their web page (www.ncsa.com) for around $20, or downloaded
from Compuserve.
In the UK, the British Standards Institution have a Code of Practice for
Information Security Management which includes virus-management (BS7799).
BSI
389 Chiswick High Road
London W4 4AL
DTI (Dept. of Trade & Industry)
IT Security Policy Unit
151 Buckingham Palace Road
London SW1W 9SS
The last time I looked at the S&S International web page (www.drsolomon.com)
they had a paper on Guidelines for an Anti-Virus Policy by David Emm which
is a reasonable starting point, though a comprehensive virus management
policy is no small undertaking.
------------------------------------------------------------
Placeholders
------------
Errrr... gone. I don't have time to polish the FAQ at present, and
leaving placeholders implied there was a likelihood of my addressing
those issues in the near future. If you have suggestions for further
items, I'd be glad to see them, especially if you care to do the
writing. I can't guarantee a quick response, though.
End of a.c.v. FAQ Part 4 of 4
Last Modified: May 7th, 1996