From csus.edu!newshub.csu.net!csulb.edu!gatech!bloom-beacon.mit.edu!senator-bedfellow.mit.edu!faqserv Thu Apr  1 15:21:21 1999
Path: csus.edu!newshub.csu.net!csulb.edu!gatech!bloom-beacon.mit.edu!senator-bedfellow.mit.edu!faqserv
From: "Nick FitzGerald" <n.fitzgerald@csc.canterbury.ac.nz>
Newsgroups: comp.virus,comp.answers,news.answers
Subject: VIRUS-L/comp.virus Frequently Asked Questions (FAQ) v2.00
Supersedes: <computer-virus/faq_919603147@rtfm.mit.edu>
Followup-To: comp.virus
Date: 23 Mar 1999 15:09:31 GMT
Organization: Virus-L/comp.virus moderator
Expires: 6 May 1999 14:47:20 GMT
Message-ID: <computer-virus/faq_922200440@rtfm.mit.edu>
Reply-To: <VIRUS-L@Lehigh.edu>
NNTP-Posting-Host: penguin-lust.mit.edu
Summary: This posting contains a list of Frequently Asked Questions,
         and their answers, about computer viruses.  It should be read
         by anyone who wishes to post to VIRUS-L/comp.virus.
X-Last-Updated: 1995/09/10
Originator: faqserv@penguin-lust.MIT.EDU
Xref: csus.edu comp.virus:28439 comp.answers:33620 news.answers:142271

Archive-name: computer-virus/faq
Last-modified:  9 October 1995, 11:00 AM NZD

-----BEGIN PGP SIGNED MESSAGE-----


            Frequently Asked Questions on Virus-L/comp.virus

                              Release 2.00

               Last Updated:  9 October 1995, 11:00 AM NZD



=========================
= Using this FAQ sheet: =
=========================


This document is intended to answer some Frequently Asked Questions
(FAQs) about computer viruses.  This FAQ sheet has been compiled by some
of the main contributors to the Virus-L mailing list and its USENET news
fan-out, comp.virus.  The Preface Section (below) explains the multi-
part nature of the FAQ sheet and how to ensure you have "the genuine
article", and gives details on version numbers and contacting the
authors with questions and suggestions.  If you are seeking help after
discovering what you suspect is a virus on your computer, read the
Preface Section, skim through Sections A and B for the essential jargon,
then concentrate on Section C.

If you feel that you may have found a new virus, or are not quite sure
if some file or boot sector is infected, please refer to Section F
Question #4 (F4) before posting a request for assistance.  The answer to
this question has been developed to ensure new readers of Virus-L/
comp.virus understand the protocol for raising such questions and to
help them avoid asking questions that can be answered in this document.
If you are looking for help in designing and implementing an antivirus
policy or system, read all of Sections B through F inclusive, paying
particular attention to Section D.

Please read the full list of questions carefully--as with most complex
topics, dozens of different virus-related questions turn out to be about
similar phenomena.  If you don't find your exact question here, look
closely at the ones that seem vaguely similar.

Above all, remember that the time to really worry about viruses is
*before* your computer gets one!


====================
= Preface Section: =
====================

The Virus-L/comp.virus FAQ sheet is normally posted to on-line services
and sent via e-mail in one of two forms:  As a single, large (>160KB)
file, or in four separate pieces.  Either or both of these forms may be
available for download from FTP sites and BBSes.

The one-piece FAQ sheet should be available in a file called
vlfaqxyy.txt, where "xyy" is the current version number (starting from
200 in mid-1995 for version 2.00).  The multi-part version is created by
splitting the main FAQ sheet into four pieces as follows:

    Filename           Contains FAQ Sections
    =======================================
    vlfxyy-1.txt       A & B
    vlfxyy-2.txt       C & D
    vlfxyy-3.txt       E & F
    vlfxyy-4.txt       G

(with "xyy" again representing the current version number).  Please do
not make your own multi-part FAQ, as each of the parts in the "official"
multi-part version include additional preface information.

Either or both versions may also be available in some form of compressed
archive--in this case the "name part" of the filename should be the same
as the original file with the extension being replaced (or appended) as
appropriate for the archiving method used.  Please *do not* repackage
the multi-part FAQ into one large archive file, as this defeats the sole
purpose for creating it--to ensure that the FAQ sheet is "officially"
available in a readable form that will pass unmolested through most
e-mail gateways.

All the files in either version of the FAQ sheet are signed with Nick
FitzGerald's PGP key.  Nick's public key can be retrieved from the main
PGP key servers.  If you do not know what PGP is, but wish to validate
your copy of the FAQ sheet, you should read the USENET newsgroup
alt.security.pgp [please do *not* e-mail me, as I am not a PGP expert--
FAQ maintainer].
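The FAQ is distributed in the PGP clear-signed framework (the -----BEGIN PGP SIGNED MESSAGE----- line above opens it).  The following is an added example, not part of the FAQ, showing how such a message is taken apart for checking and which bytes the signature actually covers: the "- " dash-escaping is undone, trailing whitespace is dropped and lines are joined with CRLF, which is why a copy that passes through a mail gateway that pads or trims line ends still verifies while a changed word does not.  The sample message is constructed and its signature block is a dummy; checking the signature itself additionally needs the maintainer's public key and a PGP implementation.

```python
import hashlib

# Constructed sample in the clear-signed framework of RFC 4880 section 7.
# The signature block is a dummy, so this sample cannot actually be verified.
SAMPLE_CLEARSIGNED = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA1\n"
    "\n"
    "Frequently Asked Questions on Virus-L/comp.virus   \n"   # trailing spaces
    "- ----------\n"                                          # dash-escaped ruler
    "Release 2.00\t\n"                                        # trailing tab
    "- From the FAQ sheet maintainer.\n"                      # escaped "From " line
    "-----BEGIN PGP SIGNATURE-----\n"
    "Version: 2.6.3i\n"
    "\n"
    "iQCVAwUBdummysignatureblock\n"
    "=abcd\n"
    "-----END PGP SIGNATURE-----\n"
)

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_clearsigned(text):
    """Split a clear-signed message into (hash_names, escaped_lines, sig_block).

    hash_names:    algorithms named in the "Hash:" armor header(s)
    escaped_lines: the signed text exactly as it appears (still dash-escaped)
    sig_block:     the armored signature, BEGIN to END lines inclusive
    """
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG, start + 1)
        sig_end = lines.index(END_SIG, sig_start + 1)
    except ValueError:
        raise ValueError("not a complete PGP clear-signed message") from None

    # Armor headers follow the BEGIN line up to the first empty line.
    hash_names = []
    i = start + 1
    while i < sig_start and lines[i] != "":
        key, _, value = lines[i].partition(":")
        if key.strip() == "Hash":
            hash_names.extend(v.strip() for v in value.split(","))
        i += 1
    body = lines[i + 1:sig_start] if i < sig_start else []
    return hash_names, body, lines[sig_start:sig_end + 1]


def canonical_signed_text(escaped_lines):
    """Return the bytes a cleartext signature covers (RFC 4880 section 7).

    - a leading "- " is dash-escaping added by the signer and is removed
    - trailing spaces and tabs are not signed, so gateways that pad or trim
      line ends do not break the signature
    - lines are joined with CRLF; the line ending before the signature
      block is not part of the signed text
    """
    unescaped = []
    for line in escaped_lines:
        if line.startswith("- "):
            line = line[2:]
        unescaped.append(line.rstrip(" \t"))
    return "\r\n".join(unescaped).encode("utf-8")


def signed_text_digest(text):
    """(algorithm, hex digest) of the canonical text under the Hash header.

    A real verifier hashes this text plus the signature packet's hashed
    trailer and checks the result against the signature using the signer's
    public key; this stops at the text digest to show what is covered.
    """
    hash_names, body, _ = split_clearsigned(text)
    # RFC 4880: with no Hash header the algorithm is MD5 (PGP 2.x style).
    algo = (hash_names[0] if hash_names else "MD5").lower()
    h = hashlib.new(algo)
    h.update(canonical_signed_text(body))
    return algo, h.hexdigest()


if __name__ == "__main__":
    algo, digest = signed_text_digest(SAMPLE_CLEARSIGNED)
    print(algo, digest)
```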

The FAQ sheet is a dynamic document, changing as people's questions
change.  The version number also changes as *any* changes are made.
Version numbers containing a "d" are drafts and should *not* be made
publicly available, nor distributed.  We ask for your cooperation in
deleting and not further distributing "d" versions of the FAQ sheet.  If
you have any questions or contributions, please e-mail them to the FAQ
sheet maintainer, Nick FitzGerald, at:

   n.fitzgerald@csc.canterbury.ac.nz

The most recent copy of the FAQ sheet will always be available on the
Virus-L/comp.virus archives, including by anonymous FTP on corsa.ucr.edu
(IP = 138.23.166.133) in the directory pub/virus-l.

A WWW version of the FAQ sheet, with cross-references and file links is
currently under development, as is a WinHelp version with cross-
references (if you would like to assist with these efforts, or to port
one of these formats to another popular hypertext help format, please
contact the FAQ sheet maintainer so we can better coordinate this work).

In various places the FAQ sheet mentions products by name.  This is
usually only for illustrative purposes.  Such references should *not* be
taken to imply that all, some, or any of the contributors to this FAQ
sheet endorse any such product for any purpose or that such products are
the *best* examples of what is being discussed.  Such references are
usually because the products named were the first to implement a
particular feature or function.  Further, that a given product is *not*
mentioned in the FAQ should not be taken as an indication of its quality
or suitability for any task.

Various brand and product names are used throughout the FAQ sheet--these
remain trademarks or registered trademarks of their respective holders.

Unless indicated otherwise, prices are given in US dollars and should be
taken as guides only.  Telephone numbers include an indication of the
time-zone relative to GMT--some of these are very approximate, but
should be close enough to save you ringing in the middle of the
receiver's night!



Nick FitzGerald, Virus-L/comp.virus FAQ sheet maintainer.


================================================
= Primary contributors (in alphabetical order) =
================================================

The following people have provided significant content and/or editorial
input to this FAQ sheet:

     Mark Aitchison <m.aitchison@phys.canterbury.ac.nz>
     Vaughan Bell <vaughan@computing-department.poly-south-west.ac.uk>
     Claude Bersano-Hayes <hayes@urvax.urich.edu>
     Matt Bishop <matt.bishop@dartmouth.edu>
     Vesselin Bontchev <bontchev@complex.is>
     Bruce Burrell <bpb@us.itd.umich.edu>
     David Chess <chess@watson.ibm.com>
     John-David Childs <con_jdc@lewis.umt.edu>
     Olivier M. J. Crepin-Leblond <o.crepin-leblond@ic.ac.uk>
     Nick FitzGerald <n.fitzgerald@csc.canterbury.ac.nz>
     Richard Ford <virusbtn@vax.ox.ac.uk>
     Alan Glover <aglover@acorn.co.uk>
     Sarah Gordon <sgordon@dockmaster.ncsc.mil>
     Yaron Y. Goland <ygoland@seas.ucla.edu>
     Mikko Hypponen <mikko.hypponen@datafellows.fi>
     John Kida <john_kida@ins.com>
     Kevin Marcus <datadec@cs.ucr.edu>
     Anthony Naggs <tony@vps.cis.co.za>
     Donald G. Peters <Peters@Dockmaster.NCSC.Mil>
     A. Padgett Peterson <padgett%tccslr.dnet@mmc.com>
     Y. Radai <radai@hujivms.huji.ac.il>
     Brian Seborg <bseborg@fdic.gov>
     Fridrik Skulason <frisk@complex.is>
     Rob Slade <roberts@decus.ca> or <rslade@sfu.ca>
     Gene Spafford <spaf@cs.purdue.edu>
     Otto Stolz <rzotto@nyx.uni-konstanz.de>
     Ken van Wyk <krvw@assist.mil>

====================

             Questions answered in this document

Section A:   Sources of Information and Antivirus Software
             (Where can I find HELP?!!)

A1)  What is Virus-L/comp.virus?
A2)  What is the difference between Virus-L and comp.virus?
A3)  How do I get onto or off Virus-L/comp.virus?
A4)  What are the guidelines for Virus-L?
A5)  How can I get back-issues of Virus-L?
A6)  What are the known viruses, their names, major symptoms and
     possible cures?
A7)  Where can I get free or shareware antivirus programs?
A8)  Where can I get more information on viruses, etc?
A9)  Why is so much of the discussion in Virus-L/comp.virus about PCs
     and DOS?  Is this forum only for the PC world?


Section B:   Definitions
             (What is ...?)

B1)  What are computer viruses (and why should I worry about them)?
B2)  What is a Worm?
B3)  What is a Trojan Horse?
B4)  What are the main types of PC viruses?
B5)  What is a stealth virus?
B6)  What is a polymorphic virus?
B7)  What are "fast" and "slow" infectors?
B8)  What is a sparse infector?
B9)  What is a companion virus?
B10) What is an armored virus?
B11) What is a cavity virus?
B12) What is a tunnelling virus?
B13) What is a dropper?
B14) What is an ANSI bomb?
B15) Miscellaneous Jargon and Abbreviations


Section C:   Virus Detection
             (Is my computer infected?  What do I do?)

C1)  What are the symptoms and indications of a virus infection?
C2)  What steps should be taken in diagnosing and identifying viruses?
C3)  What is the best way to remove a virus?
C4)  What does the <insert name here> virus do?
C5)  What are "false positives" and "false negatives"?
C6)  Can an antivirus program itself be infected?
C7)  Where can I get a virus scanner for my Unix system?
C8)  Why does my scanner report an infection only sometimes?
C9)  I think I have detected a new virus; what do I do?
C10) CHKDSK reports 639K (or less) total memory on my system; am I
     infected?
C11) I have an infinite loop of sub-directories on my hard drive; am I
     infected?
C12) Can a PC not running DOS be infected with a common DOS virus?
C13) My hard-disk's file system has been garbled:  Do I have a virus?


Section D:   Protection Plans
             (What should I do to prepare against viruses?)

D1)  What is the best antivirus program?
D2)  Is it possible to protect a computer system with only software?
D3)  Is it possible to write-protect the hard disk with software only?
D4)  What can be done with hardware protection?
D5)  Does setting a file's attributes to READ ONLY protect it from
     viruses?
D6)  Do password/access control systems protect my files from viruses?
D7)  Do the protection systems in DR DOS work against viruses?
D8)  Does a write-protect tab on a floppy disk stop viruses?
D9)  Do local area networks (LANs) help to stop viruses or do they
     facilitate their spread?
D10) What is the proper way to make backups?


Section E:   Facts and Fibs About Computer Viruses
             (Can a virus...?)

E1)  Can boot sector viruses infect non-bootable DOS floppy disks?
E2)  Can a virus hide in a PC's CMOS memory?
E3)  Can a PC virus hide in Extended or in Expanded RAM in a PC?
E4)  Can a virus hide in a PC's Upper Memory or its High Memory Area?
E5)  Can a virus infect data files?
E6)  Can viruses spread from one type of computer to another?
E7)  Are mainframe computers susceptible to computer viruses?
E8)  Some people say that disinfecting files is a bad idea.  Is that
     true?
E9)  Can I avoid viruses by avoiding shareware, free software or games?
E10) Can I contract a virus on my PC by performing a "DIR" of an
     infected floppy disk?
E11) Is there any risk in copying data files from an infected floppy
     disk to a clean PC's hard disk?
E12) Can a DOS virus survive and spread on an OS/2 system using the
     HPFS file system?
E13) Under OS/2 2.0+, could a virus infected DOS session infect another
     DOS session?
E14) Can normal DOS viruses work under MS Windows?
E15) Can I get a virus from reading e-mail, BBS message forums or
     USENET News?
E16) Can a virus "hide" in a GIF or JPEG file?


Section F:   Miscellaneous Questions
             (I have heard...  I was just wondering...)

F1)  How many viruses are there?
F2)  How do viruses spread so quickly?
F3)  What is the correct plural of "virus"?  "Viruses" or "viri" or
     "virii" or "vira" or...
F4)  When reporting a virus infection (and looking for assistance), what
     information should be included?
F5)  How often should we upgrade our antivirus tools to minimize
     software and labor costs and maximize our protection?
F6)  What are "virus simulators" and what use are they?
F7)  I've heard talk of "good viruses".  Is it really possible to use a
     computer virus for something useful?
F8)  Wouldn't adding self-checking code to your programs be a good idea?


Section G:   Specific Virus and Antivirus Software Questions...

G1)  I was infected by the Jerusalem virus and disinfected the infected
     files with my favorite antivirus program.  However, WordPerfect
     and some other programs still refuse to work.  Why?
G2)  Is my disk infected with the Stoned virus?
G3)  I was told that the Stoned virus displays the text "Your PC is now
     Stoned" at boot time.  I have been infected by this virus several
     times, but have never seen the message.  Why?
G4)  I was infected by both Stoned and Michelangelo.  Why has my
     computer become unbootable?  And why, each time I run my favorite
     scanner, does it find one of the viruses and say that it is
     removed, but when I run it again, it says that the virus is still
     there?
G5)  My scanner finds the Filler and/or Israeli Boot virus in memory,
     but after I boot from a clean floppy it reports no viruses.  Am I
     infected?
G6)  I was infected with Flip and now a large part of my hard disk
     seems to have disappeared.  What has happened?
G7)  What does the GenB and/or the GenP virus do?
G8)  How do I "boot from a clean floppy"?
G9)  My PC diagnostic utility lists "Cascade" amongst the hardware
     interrupts (IRQs).  Does this mean I have the Cascade virus?
G10) Occasionally the text "welcome datacomp" appears in my Mac
     documents without me typing it.  Is this a virus?
G11) How good are the antivirus tools included with MS-DOS 6?
G12) When I do a "DIR | MORE", I see two files with random names that
     are not there when I just use "DIR".  On my friend's system they
     cannot be seen.  Do I have a virus?
G13) What is the ChipAway virus?  (Or ChipAwayVirus?)



===============================================================
= Section A.   Sources of Information and Antivirus Software. =
===============================================================

A1)  What is Virus-L/comp.virus?

Virus-L and comp.virus are discussion forums which focus on computer
virus issues.  More specifically, Virus-L is an electronic mailing list
and comp.virus is a USENET newsgroup.  Both groups are moderated; all
submissions are sent to the moderator who decides if a submission should
be distributed to the groups.  For more information, including a copy of
the posting guidelines, see the file virus-l.README, available by
anonymous FTP on corsa.ucr.edu in the pub/virus-l directory.


A2)  What is the difference between Virus-L and comp.virus?

Virus-L is a mailing list while comp.virus is a newsgroup.  Virus-L is
distributed in "digest" format (with multiple e-mail postings in one
large digest) and comp.virus is distributed as individual news postings.
However, the content of the two groups is identical.


A3)  How do I get onto or off Virus-L/comp.virus?

To subscribe to Virus-L, send e-mail to LISTSERV@LEHIGH.EDU saying "SUB
VIRUS-L your-name".  For example:

  SUB VIRUS-L Jane Doe

To be removed from the Virus-L mailing list, send a message to
LISTSERV@LEHIGH.EDU saying "SIGNOFF VIRUS-L".

To "subscribe" to comp.virus, simply use your favorite USENET news
reader to read the group.


A4)  What are the guidelines for Virus-L?

The posting guidelines are available by anonymous FTP on corsa.ucr.edu.
Retrieve the file pub/virus-l/virus-l.README for the most recent copy.
In general, however, the moderator requires discussions to be polite and
non-commercial.  Objective postings of product availability, product
reviews, etc., are fine, but commercial advertisements are not.  Requests
for virus samples (binary or disassembly) are forbidden.  Technical
discussions are strongly encouraged, however, within reason.


A5)  How can I get back-issues of Virus-L?

Back-issues of Virus-L/comp.virus date back to the group's inception, on
21 April, 1988.  The anonymous FTP archive at cs.ucr.edu carries all of
the Virus-L back issues.  Retrieve the file pub/virus-l/README for more
information on the Virus-L/comp.virus archives.


A6)  What are the known viruses, their names, major symptoms and
     possible cures?

The reader should be aware that there is no universally accepted naming
convention for viruses, nor is there any standard means of testing.  As
a consequence nearly *all* virus information is highly subjective and
open to interpretation and dispute.

There are several major sources of information on specific viruses.
Probably the largest one is Patricia Hoffman's hypertext VSUM.  While
VSUM is quite complete it only covers PC viruses and it is regarded by
many in the antivirus field as being inaccurate, so we advise you not to
rely solely on it.  It can be downloaded from most major archive sites.

A more precise source of information is the Computer Virus Catalog,
published by the Virus Test Center in Hamburg.  It contains highly
technical descriptions of computer viruses for several platforms: DOS,
Mac, Amiga, Atari ST and Unix.  Unfortunately, the DOS section is quite
incomplete.  The CVC is available by anonymous FTP from
ftp.informatik.uni-hamburg.de (IP = 134.100.4.42), directory
pub/virus/texts/catalog.  (A copy of the CVC is also available by
anonymous FTP on corsa.ucr.edu in the directory pub/virus-l/docs/vtc.)

Another small collection of good technical descriptions of PC viruses,
called CARObase is also available from ftp.informatik.uni-hamburg.de, in
the directory /pub/virus/texts/carobase.

A fourth source of information is the monthly Virus Bulletin, published
in the UK.  Among other things, it gives detailed technical information
on viruses (see A8); a one year subscription, however, costs $395.  US
subscriptions can be ordered by calling (203) 431 8720 (GMT-5/-4) or
writing to 590 Danbury Road, Ridgefield, CT 06877; for European
subscriptions, the number is +44 1235 555139 (GMT+0/-1) and the address
is: 21 The Quadrant, Abingdon, OXON, OX14 3YS, ENGLAND.  General
enquiries can be sent to virusbtn@vax.ox.ac.uk.

Another source of information is the book "Virus Encyclopedia" which is
part of the printed documentation of Dr. Solomon's AntiVirus ToolKit (a
commercial DOS antivirus program).  It is more complete than the CVC
list and just as accurate; however it lists only DOS viruses.  This book
may be available separately.

The on-line help system of the shareware antivirus product Anti-Virus
Pro contains a large and relatively exact collection of virus
descriptions and even includes demonstrations of several of the audio
and visual effects produced by some viruses. However the text can be
difficult to read because English is not the author's native tongue.

The WWW site www.datafellows.fi has an on-line, cross-referenced
database containing descriptions of about 1500 PC viruses, with an
emphasis on viruses "in the wild".  Another network-accessible source of
information pertaining to viruses is provided by IBM AntiVirus, at
http://www.brs.ibm.com/ibmav.html or via gopher at the site
index.almaden.ibm.com (choose "IBM Computer Virus Information Center"
from the main menu).

An excellent source of information regarding Apple Macintosh viruses is
the on-line documentation in the freeware Disinfectant program by John
Norstad of Northwestern University.  This is available at most Mac
archive sites.


A7)  Where can I get free or shareware antivirus programs?

The Virus-L/comp.virus archive sites carry publicly distributable
antivirus software products. Up-to-date listings of these antivirus
archive sites are posted monthly to Virus-L/comp.virus (see A5 for
details).

Many freeware/shareware DOS antivirus programs are available from the
SimTel Software Repository.  This collection of software is available
via anonymous FTP from ftp.coast.net (IP = 141.210.10.117), with
antivirus software in the directory /SimTel/msdos/virus.  Note that the
SimTel archive is "mirrored" at many anonymous FTP sites, including
wuarchive.wustl.edu (IP = 128.252.135.4, /systems/ibmpc/simtel/virus),
and nic.funet.fi (IP = 128.214.248.6, /pub/msdos/SimTel/virus).  Most of
this software can also be obtained via e-mail in uuencoded form from
various TRICKLE sites, especially in Europe.

Likewise, Macintosh antivirus programs can be found in /pub/tools/mac at
coast.cs.purdue.edu.

A list of many antivirus programs, including commercial products and one
person's rating of them, can be obtained by anonymous ftp from
corsa.ucr.edu (IP = 138.23.166.33) in pub/virus-l/docs/reviews in the
file slade.quickref.rvw.  This directory also contains detailed product
reviews of many products.


A8)  Where can I get more information on viruses, etc?

Five very good books on computer viruses that cover most of the
introductory and technical questions you might have are:

"Computers Under Attack: Intruders, Worms and Viruses" edited by
     Peter J. Denning, ACM Press/Addison-Wesley, 1990.  This is a
     book of collected readings that discuss computer viruses,
     computer worms, break-ins, and social aspects, and many other
     items related to computer security and malicious software.  A
     very solid, readable collection that doesn't require a highly-
     technical background.  Price: $20.50.

"Rogue Programs: Viruses, Worms and Trojan Horses" edited by Lance
     J. Hoffman, Van Nostrand Reinhold, 1990.  This is a book of
     collected readings describing in detail how viruses work,
     where they come from, what they do, etc.  It also has
     material on worms, Trojan Horse programs, and other malicious
     software programs.  This book focuses more on mechanism and
     relatively less on social aspects than does the Denning book;
     however, there is an excellent piece by Anne Branscomb that
     covers legal aspects.  Price: $32.95.

"A Pathology of Computer Viruses" by David Ferbrache, Springer-
     Verlag, 1992.  This is an in-depth book on the history,
     operation, and effects of computer viruses.  It is one of the
     most complete books on the subject, with an extensive history
     section, a section on Macintosh viruses, network worms, and
     Unix viruses.  Price $49.00.

"A Short Course on Computer Viruses", 2nd edition, by Dr. Fred B.
     Cohen, Wiley, 1994.  This book is by a well-known pioneer in
     virus research, who has also written dozens of technical
     papers on the subject.  Price: $35.00 ($45.00 with
     accompanying diskette).

"Robert Slade's Guide to Computer Viruses", by Robert Slade,
     Springer-Verlag, 1994.  This book is a comprehensive
     introduction to computer viruses, written in a clear and easy
     style for non-experts.  Price $29.00.


A somewhat dated, but still useful, high-level description of viruses,
suitable for a complete novice with little computer background is
"Computer Viruses: Dealing with Electronic Vandalism and Programmed
Threats" by Eugene H. Spafford, Kathleen A. Heaphy, and David J.
Ferbrache, ITAA (Arlington, VA), 1989.  ITAA (Information Technology
Association of America) is a computer industry service organization and
not a publisher.  While many people have indicated they find this a very
understandable reference it is now out of print, but portions of it have
been reprinted in many other places, including Denning and Hoffman's
books (above).

It is also worth consulting various publications such as _Computers &
Security_ and _SECURE Computing_ (both of which, while not limited to
viruses, contain many relevant papers) and the _Virus Bulletin_
(published in the UK, it contains many technical articles).


A9)  Why is so much of the discussion in Virus-L/comp.virus about PCs
     and DOS?  Is this forum only for the PC world?

No--neither the problem nor this discussion relates only to PCs.  Viral
programs are a property of general-purpose computers, and therefore are,
and will be, a problem for any computer system.  We *are* aware of the
lopsided coverage and welcome the submission of material relevant to
other systems.

There are several reasons for the apparent imbalance.  One very general
reason is that users of DOS heavily outnumber the users of other
operating systems.  The discussion in Virus-L/comp.virus therefore tends
to have a preponderance of questions and chat about DOS specific
infections and problems.  We welcome questions, comments and reports
from users of other operating systems and platforms.  If you use a
computer of another type, please do contribute to the discussion.  Just
because the majority are talking about DOS does *not* mean that your
contribution is not welcome.  It may be important precisely because you
have a different perspective.

Therefore, let us assure you there is no deliberate attempt being made
to exclude Amiga, Atari, Macintosh, OS/2, UNIX, VMS, Windows (NT, '95 or
any other flavor) or any other platform or operating system from the
discussion or the FAQ sheet.  If you feel that there *is* too much PC
bias, please don't complain about it--tell us something about the virus
situation on *your* system.


====================================================
= Section B.   Definitions and General Information =
====================================================

B1)  What are computer viruses (and why should I worry about them)?

Fred Cohen "wrote the book" on computer viruses, through his Ph.D.
research, dissertation and various related scholarly publications.  He
developed a theoretical, mathematical model of computer virus behaviour,
and used this to test various hypotheses about virus spread.  Cohen's
formal definition (model) of a virus does not easily translate into
"human language", but his own, well-known, informal definition is "a
computer virus is a computer program that can infect other computer
programs by modifying them in such a way as to include a (possibly
evolved) copy of itself".  Note that a program does not have to perform
outright damage (such as deleting or corrupting files) in order to be
classified as a "virus" by this definition.

The problem with Cohen's human language definition is that it doesn't
capture many of the subtleties of his mathematical model--as indeed, few
informal definitions do--and questions arise that can only be answered
by checking his formal model.  Using his formal definitions, Cohen
classifies some things as viruses that most readers of Virus-L/
comp.virus (and many experts) would not consider viruses.  For example,
given certain circumstances on an IBM PC running DOS, the DISKCOPY
program is classified as a virus by Cohen's formalisms.

This has led to some tension between what Cohen considers a "virus" and
what is usually discussed on Virus-L.  Several other definitions of
"virus" have been proposed, but it is probably fair to say that most of
us are concerned about things that are viruses by the following
definition:

A computer virus is a self-replicating program containing code that
explicitly copies itself and that can "infect" other programs by
modifying them or their environment such that a call to an infected
program implies a call to a possibly evolved copy of the virus.

Probably the major distinction between Cohen's definition and "viruses"
as we tend to use the word is that we see them as deliberately designed
to replicate (although there is some debate over this too).  Cohen's
definition does *not* require this (and this would be difficult to build
into his formal model).

Note that many people use the term "virus" loosely to cover any sort of
program that tries to hide its possibly malicious function and/or tries
to spread onto as many computers as possible, though some of these
programs may more correctly be called "worms" (see B2) or "Trojan
Horses" (see B3).  Also be aware that what constitutes a "program" for a
virus to infect may include a lot more than is at first obvious--don't
assume too much about what a virus can or can't do!

These software "pranks" are very serious; they are spreading faster than
they are being stopped, and even the least harmful of viruses could be
life-threatening.  For example, in the context of a hospital life-
support system, a virus that "simply" stops a computer and displays a
message until a key is pressed, could be fatal.  Further, those who
create viruses can not halt their spread, even if they wanted to.  It
requires a concerted effort from computer users to be "virus-aware",
rather than continuing the ambivalence that has allowed computer viruses
to become such a problem.

Computer viruses are actually a special case of something known as
"malicious logic" or "malware", and other forms of malicious logic are
also discussed in Virus-L/comp.virus.  It can be important to understand
the distinctions between viruses and these other forms of malware.


B2)  What is a Worm?

A computer WORM is a self-contained program (or set of programs), that
is able to spread functional copies of itself or its segments to other
computer systems (usually via network connections).

Note that unlike viruses, worms do not need to attach themselves to a
host program.  There are two types of worms--host computer worms and
network worms.

Host computer worms are entirely contained in the computer they run on
and use network connections only to copy themselves to other computers.
Host computer worms where the original terminates itself after launching
a copy on another host (so there is only one copy of the worm running
somewhere on the network at any given moment), are sometimes called
"rabbits."

Network worms consist of multiple parts (called "segments"), each
running on different machines (and possibly performing different
actions) and using the network for several communication purposes.
Propagating a segment from one machine to another is only one of those
purposes.  Network worms that have one main segment which coordinates
the work of the other segments are sometimes called "octopuses."

The infamous Internet Worm (perhaps covered best in "The Internet Worm
Program: An Analysis," Eugene H. Spafford, Purdue Technical Report CSD-
TR-823) was a host computer worm, while the Xerox PARC worms were
network worms (a good starting point for these is "The Worm Programs--
Early Experience with a Distributed Computation," Communications of the
ACM, 25, no.3, March 1982, pp. 172-180).


B3)  What is a Trojan Horse?

A TROJAN HORSE is a program that does something undocumented that the
programmer intended, but that some users would not approve of if they
knew about it.  According to some people, a virus is a particular case
of a Trojan Horse, namely one which is able to spread to other programs
(i.e., it turns them into Trojans too).  According to others, a virus
that does not do any deliberate damage (other than merely replicating)
is not a Trojan.  Finally, despite the definitions, many people use the
term "Trojan" to refer only to *non-replicating* malware, so that the
set of Trojans and the set of viruses are disjoint.


B4)  What are the main types of PC viruses?

Generally, there are two main classes of viruses.  The first class
consists of the FILE INFECTORS which attach themselves to ordinary
program files.  These usually infect arbitrary COM and/or EXE programs,
though some can infect any program for which execution or interpretation
is requested, such as SYS, OVL, OBJ, PRG, MNU and BAT files.  There is
also at least one PC virus that "infects" source code files by inserting
code into C language source files that replicates the virus's function
in any executable that is produced from the infected source code files
(see E5 for a more detailed discussion of the issue of "executable"
code).

File infectors can be either DIRECT-ACTION or RESIDENT.  A direct-action
virus selects one or more programs to infect each time a program
infected by it is executed.  A resident virus installs itself somewhere
in memory (RAM) the first time an infected program is executed, and
thereafter infects other programs when *they* are executed (as in the
case of the Jerusalem virus) or when other conditions are fulfilled.
Direct-action viruses are also sometimes referred to as NON-RESIDENT.
The Vienna virus is an example of a direct-action virus.  Most viruses
are resident.

The second main category of viruses is SYSTEM or BOOT-RECORD INFECTORS:
these viruses infect executable code found in certain system areas on a
disk.  On PCs there are ordinary boot-sector viruses, which infect only
the DOS boot sector, and MBR viruses which infect the Master Boot Record
on fixed disks and the DOS boot sector on diskettes.  Examples include
Brain, Stoned, Empire, Azusa and Michelangelo.  All common boot sector
and MBR viruses are memory resident.

To confuse this classification somewhat, a few viruses are able to
infect both files and boot sectors (the Tequila virus is one example).
These are often called "MULTI-PARTITE" viruses, though there has been
criticism of this name; another name is "BOOT-AND-FILE" virus.

Aside from the two main classes described above, many antivirus
researchers distinguish either or both of the following as distinct
classes of virus:

FILE SYSTEM or CLUSTER viruses (e.g. Dir-II) are those that modify
directory table entries so that the virus is loaded and executed before
the desired program is.  The program itself is not physically altered,
only the directory entry of the program file is.  Some consider these to
be a third category of viruses, while others consider them to be a sub-
category of the file infectors.  LINK virus is another term occasionally
used for these viruses, though it should be avoided, as "link virus" is
commonly used in the Amiga world to mean "file infecting virus."

KERNEL viruses target specific features of the programs that contain the
"core" (or "kernel") of an operating system (3APA3A is a DOS kernel
virus and is also multipartite).  A file infecting virus that *can*
infect kernel program files is *not* a kernel virus--this term is
reserved for describing viruses that utilize some special feature of
kernel files (such as their physical location on disk or a special
loading or calling convention).


B5)  What is a stealth virus?

A STEALTH virus is one that, while "active", hides the modifications it
has made to files or boot records.  This is usually achieved by
monitoring the system functions used to read files or sectors from
storage media and forging the results of calls to such functions.  This
means programs that try to read infected files or sectors see the
original, uninfected form instead of the actual, infected form.  Thus
the virus's modifications may go undetected by antivirus programs.
However, in order to do this, the virus must be resident in memory when
the antivirus program is executed and *this* may be detected by an
antivirus program.

Example:  The very first DOS virus, Brain, a boot-sector infector,
monitors physical disk I/O and re-directs any attempt to read a Brain-
infected boot sector to the disk area where the original boot sector is
stored.  The next viruses to use this technique were the file infectors
Number of the Beast and Frodo (aka 4096, 4K).

Countermeasures:  A "clean" system is needed so that no virus is present
to distort the results of system status checks.  Thus the system should
be started from a trusted, clean, bootable diskette before any virus-
checking is attempted; this is "The Golden Rule of the Trade" (see G8
for help with making a clean boot disk and booting clean).


B6)  What is a polymorphic virus?

A POLYMORPHIC virus is one that produces varied but operational copies
of itself.  These strategies have been employed in the hope that virus
scanners (see D1) will not be able to detect all instances of the virus.

One method of evading scan string-driven virus detectors is self-
encryption with a variable key.  These viruses (e.g. Cascade) are not
termed "polymorphic", as their decryption code is always the same.
Therefore the decryptor can be used as a scan string by the simplest
scan string-driven virus scanners (unless another virus uses the
identical decryption routine *and* exact identification (see B15) is
required).

A technique for making a polymorphic virus is to choose among a variety
of different encryption schemes requiring different decryption routines:
only one of these routines would be plainly visible in any instance of
the virus (e.g. the Whale virus).  A scan string-driven virus scanner
would have to exploit several scan strings (one for each possible
decryption method) to reliably identify a virus of this kind.

More sophisticated polymorphic viruses (e.g. V2P6) vary the sequences of
instructions in their variants by interspersing the decryption
instructions with "noise" instructions (e.g. a No Operation instruction
or an instruction to load a currently unused register with an arbitrary
value), by interchanging mutually independent instructions, or even by
using various instruction sequences with identical net effects (e.g.
Subtract A from A, and Move 0 to A).  A simple-minded, scan string-based
virus scanner would not be able to reliably identify all variants of
this sort of virus; rather, a sophisticated "scanning engine" has to be
constructed after thorough research into the particular virus.

One of the most sophisticated forms of polymorphism used so far is the
"Mutation Engine" (MtE) which comes in the form of an object module.
With the Mutation Engine any virus can be made polymorphic by adding
certain calls to its assembler source code and linking to the mutation-
engine and random-number generator modules.

The advent of polymorphic viruses has rendered virus-scanning an ever
more difficult and expensive endeavor; adding more and more scan strings
to simple scanners will not adequately deal with these viruses.


B7)  What are "fast" and "slow" infectors?

A typical file infector (such as the Jerusalem) copies itself to memory
when a program infected by it is executed, and then infects other
programs when they are executed.

A FAST infector is a virus that, when it is active in memory, infects
not only programs which are executed, but even those that are merely
opened.  The result is that if such a virus is in memory, running a
scanner or integrity checker can result in all (or at least many)
programs becoming infected.  Examples are the Dark Avenger and the Frodo
viruses.

The term "SLOW infector" is sometimes used to refer to a virus that only
infects files as they are modified or as they are created.  The purpose
is to fool people who use integrity checkers into thinking that the
modifications reported by their integrity checker are due solely to
legitimate reasons.  An example is the Darth Vader virus.


B8)  What is a sparse infector?

The term "sparse infector" is sometimes used to describe a virus that
infects only occasionally (e.g. every tenth program executed), or only
files whose lengths fall within a narrow range, etc.  By infecting less
often, such viruses try to minimize the probability of being discovered.


B9)  What is a companion virus?

A COMPANION virus is one that, instead of modifying an existing file,
creates a new program which (unknown to the user) is executed instead of
the intended program.  On exit, the new program executes the original
program so that things appear normal.  On PCs this has usually been
accomplished by creating an infected .COM file with the same name as an
existing .EXE file.  Integrity checking antivirus software that only
looks for modifications in existing files will fail to detect such
viruses.
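The following is an added example, not part of the FAQ, showing why the
weak integrity check described above misses a companion and what a
better one looks like.  It compares a baseline of file hashes against a
later snapshot, reporting added and removed files as well as modified
ones (the same comparison also exposes the "slow infector" trick of B7,
since a file that changes outside a known install shows up as modified),
and it looks for NAME.COM/NAME.EXE pairs.  The file contents, names and
the use of SHA-256 are assumptions of the example; a DOS-era checker
would have used a much cheaper checksum.

```python
# Added example (not from the FAQ): an integrity check that reports added
# files as well as modified ones, plus a check for the DOS companion pattern
# (NAME.COM sitting beside NAME.EXE).  The "files" are constructed in memory;
# a real checker would walk the disk and hash each file.
import hashlib


def hash_files(files):
    """files: {filename: bytes}.  Returns {filename: sha256 hex digest}."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def modified_only(baseline, current):
    """The weak check B9 warns about: compare only files already in the baseline."""
    return sorted(n for n in baseline if n in current and baseline[n] != current[n])


def compare_baseline(baseline, current):
    """Full comparison of two {filename: digest} snapshots: (modified, added, removed)."""
    modified = modified_only(baseline, current)
    added = sorted(n for n in current if n not in baseline)
    removed = sorted(n for n in baseline if n not in current)
    return modified, added, removed


def find_companions(filenames):
    """Base names present as both .COM and .EXE.  When only the name is typed,
    DOS runs NAME.COM before NAME.EXE, which is what a companion virus relies on."""
    exts_by_stem = {}
    for fn in filenames:
        stem, dot, ext = fn.upper().rpartition(".")
        if dot:
            exts_by_stem.setdefault(stem, set()).add(ext)
    return sorted(s for s, exts in exts_by_stem.items() if {"COM", "EXE"} <= exts)


def audit(baseline_files, current_files):
    """Hash both snapshots, diff them and look for companion pairs in the current one."""
    modified, added, removed = compare_baseline(hash_files(baseline_files),
                                                hash_files(current_files))
    return {"modified": modified, "added": added, "removed": removed,
            "companions": find_companions(current_files)}


# Constructed snapshots.  CLEAN is the baseline; in LATER a WP.COM has appeared
# next to WP.EXE (the companion case) and README.TXT was legitimately edited.
CLEAN = {
    "WP.EXE": b"constructed stand-in for a program",
    "EDIT.COM": b"constructed stand-in for another program",
    "README.TXT": b"hello",
}
LATER = dict(CLEAN, **{"WP.COM": b"constructed stand-in for a companion",
                       "README.TXT": b"hello, world"})

if __name__ == "__main__":
    print(audit(CLEAN, LATER))
```

Run against the constructed snapshots, modified_only() reports just
README.TXT, while audit() additionally lists WP.COM as added and WP as a
companion pair, which is the difference between the two kinds of
integrity checker the text contrasts.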


B10) What is an armored virus?

An ARMORED virus is one that uses special tricks to make tracing,
disassembling and understanding of its code more difficult.  A good
example is the Whale virus.


B11) What is a cavity virus?

A CAVITY VIRUS is one which overwrites a part of the host file that is
filled with a constant (usually nulls), without increasing the length of
the file, but preserving its functionality.  The Lehigh virus was an
early example of a cavity virus.


B12) What is a tunnelling virus?

A TUNNELLING VIRUS is one that finds the original interrupt handlers in
DOS and the BIOS and calls them directly, thus bypassing any activity
monitoring program (see D1) which may be loaded and have intercepted the
respective interrupt vectors in its attempt to detect viral activity.
Some antivirus software also uses tunnelling techniques in an attempt to
bypass any unknown or undetected virus that may be active when it runs.


B13) What is a dropper?

A DROPPER is a program that has been designed or modified to "install" a
virus onto the target system.  The virus code is usually contained in a
dropper in such a way that it won't be detected by virus scanners that
normally detect that virus (i.e., the dropper program is not *infected*
with the virus).  While quite uncommon, a few droppers have been
discovered.  A dropper is effectively a Trojan Horse (see B3) whose
payload is installing a virus infection.  A dropper which installs a
virus only in memory (without infecting anything on the disk) is
sometimes called an "injector".


B14) What is an ANSI bomb?

An "ANSI bomb" is a sequence of characters, usually embedded in a text
file, that reprograms various keyboard functions of computers with ANSI
console (screen and keyboard) drivers.  In theory a special sequence of
characters could have been included in this FAQ sheet to reprogram your
Enter key to issue the command "format c:" with a return character
tacked on the end.

Such a possibility however, need not translate into much of a threat.
It is rare for modern software to require the computer it runs on to
have an ANSI console, so few PCs or other machines should load ANSI
drivers.  Also, few people use software that simply "types" output to
the terminal device, so such an ANSI bomb in an e-mail or News posting
would most likely not reprogram your keyboard anyway.  Further, although
FORMAT C: may be catastrophic under certain versions of DOS, it won't
hurt Macintoshes and would probably have very unexpected, or no, effects
on other systems.

If you are at all worried about the possibility of having something
untoward happen on your PC due to an ANSI bomb *and* you have to load an
ANSI driver (some communications software still requires it), look for
one of the third-party ANSI drivers which abound on BBSes and FTP sites.
Most of these have improved performance over DOS's ANSI.SYS *and* either
do not support, or let you disable, keyboard re-mapping.
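As an added example that is not part of the FAQ, here is a small filter
that finds (and can remove) ANSI.SYS keyboard reassignment sequences in
text before it is "typed" to a console with an ANSI driver loaded.  The
reassignment command is the control sequence ESC [ key ; string p, where
the parameters are key codes and/or quoted strings; colour and cursor
sequences end in other letters (m, H, etc.) and are left untouched.  The
sample text, the function names and the regular expression are
assumptions of the example; the one "bomb" in the sample is the FAQ's
own Enter-key example from above.

```python
# Added example (not from the FAQ): find and strip ANSI.SYS keyboard
# reassignment sequences (ESC [ <key> ; <string> p) in a byte string, leaving
# ordinary colour/cursor sequences alone.
import re

# A CSI sequence: ESC '[' followed by numeric/';' parameters or "quoted" strings,
# then one final byte in the range 0x40..0x7E that selects the command.
CSI_RE = re.compile(rb'\x1b\[((?:[0-9;]|"[^"]*")*)([\x40-\x7e])')
KEY_REASSIGN = b"p"   # final byte of the ANSI.SYS keyboard reassignment command


def find_key_remaps(data):
    """Return every keyboard-reassignment sequence found in data (bytes)."""
    return [m.group(0) for m in CSI_RE.finditer(data) if m.group(2) == KEY_REASSIGN]


def strip_key_remaps(data):
    """Remove keyboard-reassignment sequences, keep all other escape sequences."""
    return CSI_RE.sub(lambda m: b"" if m.group(2) == KEY_REASSIGN else m.group(0), data)


def reassignment_params(seq):
    """Split one reassignment sequence into its parameters for a log line,
    e.g. [b'13', b'"format c:"', b'13'] for ESC[13;"format c:";13p."""
    params = CSI_RE.match(seq).group(1)
    return re.findall(rb'"[^"]*"|[0-9]+', params)


# Constructed sample: a coloured greeting, then the FAQ's Enter-key bomb
# (key 13 = Enter, reassigned to the string followed by another Enter).
SAMPLE = (b"Hello \x1b[1;31mworld\x1b[0m!\r\n"
          b'\x1b[13;"format c:";13p'
          b"Have a nice day.\r\n")

if __name__ == "__main__":
    for seq in find_key_remaps(SAMPLE):
        print("key reassignment found:", reassignment_params(seq))
    print(strip_key_remaps(SAMPLE).decode("ascii", "replace"))
```

The colour sequences survive the filter, so a viewer that wants to keep
ANSI colours can still refuse the one command class that changes what
the keyboard sends.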


B15) Miscellaneous Jargon and Abbreviations

AV = antivirus.  A commonly used shorthand on Virus-L/comp.virus, as in
"av software".

BSI = Boot Sector Infector: a virus that takes control when the computer
attempts to boot.  These are found in the boot sectors of floppy disks,
and the MBRs or boot sectors of hard disks (see B4 for more details).
BSIs are also known as BSVs (Boot Sector Viruses).

CMOS = Complementary Metal Oxide Semiconductor: A memory area that is
used in AT class, and higher, PCs for storage of system information.
CMOS is battery backed RAM (see below), originally used to maintain date
and time information while the PC was turned off.  CMOS memory is not in
the normal CPU address space and cannot be executed (see E2 for further
discussion of issues concerning CMOS memory and viruses).

DBS = DOS Boot Sector: The first sector of a logical DOS partition on a
hard disk or the first absolute sector of a diskette.  This sector
contains the startup code that actually loads DOS.  This is often
confused with the MBR.  Some boot sector viruses infect the DBS rather
than the MBR when infecting hard disks.

DETECTION = The ability of an antivirus program to detect that a virus
is present, without necessarily reporting which particular virus it is
(also see IDENTIFICATION and RECOGNITION, in this section).

DOS = Disk Operating System.  We use the term "DOS" to mean any of the
MS-DOS, PC-DOS, DR DOS or Novell DOS systems for PCs and compatibles,
even though there are operating systems called "DOS" on other, unrelated
machines.

GERM = The first generation of a virus.  It normally cannot be produced
again during the replication process and is usually created by compiling
the source of the virus.

GOAT FILES = Programs which usually do nothing special (e.g., just exit,
or simply display a message), that are used by antivirus researchers to
capture samples of viruses.  This is done to make it easier to
disassemble and understand the virus, because the infected "goat"
program is (usually) simple and does not clutter the disassembly.
Alternative terms are BAIT FILES, DECOY FILES and VICTIM FILES.  In any
of these terms, the word "programs" often replaces the word "files".

IDENTIFICATION = The ability of an antivirus program (usually a scanner)
to not only detect the virus and recognize it by name, but also to
recognize it to a high degree of uniqueness.  This allows third parties
to understand which particular virus it is without seeing a sample of
the virus.  EXACT IDENTIFICATION occurs when every section of the non-
modifiable parts of the virus body are uniquely identified.  ALMOST
EXACT IDENTIFICATION occurs if the identification is only good enough to
ensure that an attempt to remove the virus will not result in damage to
the host object by the use of an inappropriate disinfection method (also
see DETECTION and RECOGNITION, in this section).

MBR = Master Boot Record: the first absolute sector (track 0, head 0,
sector 1) on a PC hard disk, that usually contains the partition table
but on some PCs may only contain a boot sector.  The MBR is also known
as the MBS (Master Boot Sector).  This is *not* the same as the DOS Boot
Sector, logical sector 0 (see above).

PARTITION TABLE = A 64-byte data structure that defines the way a PC's
hard disk is divided into logical sections known as partitions.  While
there is often more than one partition table on a PC's hard disk, the
most important is the one stored *in* the MBR.  This one contains
important extra information such as which partition (if any) should be
booted from.  The partition table is purely data, so is not executed.
Some people erroneously use the term "partition table virus" as a
synonym for "MBR virus".

RAM = Random Access Memory: the place programs are loaded into in order
to execute; the significance for viruses is that, to be active, they
must load themselves into part of the RAM.  However, some virus scanners
may declare that a virus is active when it is found in RAM, even though
it may only be left in a buffer area following a disk read operation,
rather than truly being active (see C8 for further discussion of this
issue).

RECOGNITION = The ability of an antivirus program (usually a scanner) to
detect a virus and to recognize it by name (also see DETECTION and
IDENTIFICATION, in this section).

TARGETING VIRUS = A virus that tries to bypass or hinder the operation
of one or more *specific* antivirus programs.  Also known as RETALIATOR,
RETRO and ANTI-ANTIVIRUS viruses.

SCAN STRING = A sequence of bytes (characters) that occur in a known
virus but not, one hopes, in legitimate programs.  Some scanners allow
"wildcards"--positions that are matched by any character--in their scan
strings.  Authors of virus scanners reduce the likelihood of false
positives (see C5) by carefully selecting their scan strings and often
by only searching "likely" parts of target files.
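The following added example (not the FAQ's own code) illustrates this
SCAN STRING entry together with the discussion of self-encrypting and
polymorphic viruses in B6.  It implements a scan-string matcher with
"??" wildcards and runs it over three constructed sample families: a
constant decryptor with a variable key (the Cascade case), a decryptor
with one "noise" byte always at the same position, and a decryptor with
a variable number of noise bytes between its instructions.  All byte
values are constructed stand-ins, not real virus code or real
instructions, and the function names are assumptions of the example.
It also shows the complemented in-memory form of the scan strings that
C6 recommends.

```python
# Added example (not from the FAQ): a minimal scan-string matcher with "??"
# wildcards, run over constructed samples that imitate the three cases the
# FAQ describes.  All byte values below are constructed stand-ins.
import random

DECRYPTOR = bytes([0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0xF6])   # constructed "decryptor"
BODY = b"constructed virus body text"                   # constructed "virus body"
NOISE = bytes([0x90, 0x01, 0x02])                        # constructed "noise" bytes


def parse_scan_string(text):
    """'A1 B2 ?? D4' -> [0xA1, 0xB2, None, 0xD4]; '??' matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def scan(data, pattern):
    """Return the first offset at which pattern matches data, or -1."""
    for pos in range(len(data) - len(pattern) + 1):
        if all(p is None or data[pos + i] == p for i, p in enumerate(pattern)):
            return pos
    return -1


def encode_scan_string(pattern):
    """Complement every fixed byte.  Keeping scan strings in memory in this
    form (decoding only as they are used) is what C6 recommends, so another
    scanner looking at memory does not see the raw strings.  Applying the
    function twice restores the original."""
    return [None if p is None else p ^ 0xFF for p in pattern]


def fixed_decryptor_sample(key):
    """Cascade-style: identical decryptor; only the key and encrypted body change."""
    return DECRYPTOR + bytes([key]) + bytes(b ^ key for b in BODY)


def fixed_noise_sample(key, rng):
    """One noise byte always inserted after the third decryptor byte."""
    return (DECRYPTOR[:3] + bytes([rng.choice(NOISE)]) + DECRYPTOR[3:]
            + bytes([key]) + bytes(b ^ key for b in BODY))


def variable_noise_sample(key, rng):
    """Zero to two noise bytes inserted after every decryptor byte."""
    out = bytearray()
    for b in DECRYPTOR:
        out.append(b)
        out.extend(rng.choice(NOISE) for _ in range(rng.randint(0, 2)))
    out.append(key)
    out.extend(b ^ key for b in BODY)
    return bytes(out)


def detection_rate(samples, pattern):
    """Fraction of samples in which the scan string is found."""
    return sum(1 for s in samples if scan(s, pattern) >= 0) / len(samples)


PLAIN_SCAN = parse_scan_string("A1 B2 C3 D4 E5 F6")
WILDCARD_SCAN = parse_scan_string("A1 B2 C3 ?? D4 E5 F6")


def demo(n=20, seed=1999):
    rng = random.Random(seed)
    keys = range(1, n + 1)
    fixed = [fixed_decryptor_sample(k) for k in keys]
    one_noise = [fixed_noise_sample(k, rng) for k in keys]
    var_noise = [variable_noise_sample(k, rng) for k in keys]
    return {
        # a scan string taken from the (encrypted) body misses almost everything
        "fixed/body_string": detection_rate(fixed, list(BODY[:6])),
        # the constant decryptor is a reliable scan string for the whole family
        "fixed/decryptor_string": detection_rate(fixed, PLAIN_SCAN),
        # one noise byte breaks the plain string; a wildcard copes with it
        "one_noise/plain": detection_rate(one_noise, PLAIN_SCAN),
        "one_noise/wildcard": detection_rate(one_noise, WILDCARD_SCAN),
        # variable-length noise defeats fixed-position wildcards as well
        "var_noise/wildcard": detection_rate(var_noise, WILDCARD_SCAN),
    }


if __name__ == "__main__":
    for name, rate in demo().items():
        print(f"{name:24s} {rate:.2f}")
```

The last line of the result is the point of B6: once the spacing of the
decryptor varies, neither a plain scan string nor one with a fixed
wildcard position identifies every copy, and a scanner needs an engine
that understands the variation rather than more strings.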

SEARCH STRING = A synonym for scan string.

SIGNATURE = A poor synonym for scan string.  We recommend that you avoid
using this term and use "scan string" or "search string" instead.

TOM = Top Of Memory: the end of conventional memory--an architectural
design limit--at the 640KB mark on most PCs.  Some early PCs may not
have a full 640KB, but the amount of memory is always a multiple of
64KB.  A boot-record virus on a PC typically resides just below this
mark and changes the value which will be reported for the TOM to the
location of the beginning of the virus so that it won't be overwritten.
Checking this value for changes can help detect a virus, but there are
also legitimate reasons why it may change (see C10).  A very few PCs
with unusual configurations or memory managers may report in excess of
640KB.

TSR = Terminate but Stay Resident: these are PC programs that stay in
memory while you continue to use the computer for other purposes; they
include pop-up utilities, network software, and the great majority of
common viruses.  These can often be seen using utilities such as MEM and
MSD.

VX = Virus eXchange.  A shorthand usually reserved for those BBSes and
FTP sites, and their community of users, that make their virus
collections "openly" available for downloading.  Exchange of virus
samples between bona fide members of the antivirus community is not
tagged with the VX label.



================================
= Section C.   Virus Detection =
================================

C1)  What are the symptoms and indications of a virus infection?

Many people associate destruction--file corruption, reformatted disks
and the like--with viruses.  Machines infected with viruses that do this
kind of damage often show such damage too.  This association is
unfortunate, as usually viruses can be detected or prevented from
infecting long before they can inflict any (serious) damage, though many
viruses have no "payload" at all.  Note that viruses that simply
reformat the hard disk shortly after infecting a machine tend to wipe
themselves out faster than they spread, so don't get far.

Thus, the more successful viruses typically try to spread as much as
possible before delivering their payload, if any.  As these tend to be
the viruses you are most likely to encounter, you should be aware that
there are usually symptoms of virus infection before any (or much!)
damage is done.

There are various kinds of symptoms that some virus authors have written
into their programs, such as messages, music and graphical displays.
The main indications, however, are changes in file sizes and contents,
changing of interrupt vectors, or the reassignment of other system
resources.  The unaccounted use of RAM or a reduction in the amount
reported to be in the machine are important indicators.  Examination of
program code is valuable to the trained eye, but even a novice can often
spot the gross differences between a valid boot sector and some viral
ones.  These symptoms, along with longer disk activity and strange
behavior from the hardware, may instead be caused by genuine software,
by harmless "joke" programs, or by hardware faults.

The only foolproof way to determine that a virus is present is for an
expert to analyse the assembly code contained in all programs and system
areas, but this is usually impracticable.  Virus scanners go some way
towards performing this analysis by looking in that code for known
viruses; some even use heuristic means to spot "virus-like" code, but
this is not always reliable.  It is wise to arm yourself with the latest
antivirus software and to pay close attention to your system.  In
particular, look for any unexpected change in the memory map or
configuration as soon as you start the computer.  For users of DOS 5.0+,
the MEM program with the /C switch is very handy for this.  If you have
DR DOS, use MEM with the /A switch; if you have an earlier DOS version,
use CHKDSK or the commonly-available MAPMEM utility.  You don't have to
know what all the numbers mean, only that they have changed
*unexpectedly*.  Mac users have "info" options, which give some
indication of memory use, but may need ResEdit to supply more detailed
information.

If you run Windows on your PC and you suddenly start getting messages at
Windows startup that 32-bit Disk Access cannot be used, this often
indicates your PC has been infected by a boot-sector virus.


C2)  What steps should be taken in diagnosing and identifying viruses?

Most of the time, a virus scanner program will take care of that for
you.  To help identify problems early, run a virus scanner:

1.   On new programs and diskettes (write-protect diskettes before
     scanning them).
2.   When an integrity checker reports a mismatch.
3.   When a generic monitoring program sounds an alarm.
4.   When you receive an updated version of a scanner (or you have
     a chance to run a different scanner than the one you have
     been using).

Because of the time required, it is not generally advisable to set a
scanner to check your entire hard disk on every boot.

If you run into an alarm and your scanner doesn't identify anything or
doesn't properly clean up for you, first verify that the version you are
using is the most recent.  Then get in touch with a reputable antivirus
researcher, who may ask you to send in a copy of the infected file.
(Also see C9; and F4 if you decide you need to ask for help on Virus-
L/comp.virus.)


C3)  What is the best way to remove a virus?

In order that downtime be short and losses low, do the minimum that you
must to restore the system to a normal state, starting with booting the
system from a clean diskette (see G8).  It is *never* necessary to low-
level format a hard disk to recover from a virus infection!

If backups of infected or damaged files are available and, in making
them, appropriate care was taken to ensure that infected files have not
been included in the backups (see D10), restoring from backup is the
safest solution, even though it can be a lot of work if many files are
involved.

More commonly, a disinfecting program is used, though disinfection is
somewhat controversial and problematic (see E8).  If the virus is a boot-
sector infector, you can continue using the computer with relative
safety (if the hard disk's partition table is left intact) by booting
from a clean system diskette.  However, it is wise to go through all
your diskettes removing any infections as, sooner or later, you will be
careless and leave an infected diskette in the machine when it reboots,
or give an infected diskette to someone who doesn't have appropriate
defenses to avoid infection.

Most PC boot-sector infections can be cured by the following simple
process--take particular care to make the checks in Steps 2 and 3.

Note that removing an MBR virus in the following way may not be
desirable, and may even cause valuable information to be lost.  For
instance, the One_Half virus gradually encrypts the infected hard drive
"inwards" (starting from the "end" and moving towards the beginning),
encrypting two more tracks at each boot.  The information about the size
of the encrypted area is *only* stored in the MBR.  If the virus is
removed using the method below, this information will be irrecoverably
lost and a part of the disk of unknown size will remain encrypted.

1.   Boot the PC from a clean system floppy--this must be MS-DOS
     5.0 or version 6.0 or higher of PC-DOS or DR DOS.  This
     diskette should carry copies of the DOS utilities MEM, FDISK,
     CHKDSK, UNFORMAT and SYS.  (See G8 for help on making an
     emergency boot diskette.)

2.   Check that your memory configuration is "normal" with MEM
     (see C10 for assistance here).  Check that your hard disk
     partitioning is normal--run FDISK and use the "Display
     partition information" option to check this.  MS-DOS 5.0 (or
     later) users can use UNFORMAT /L /PARTN.

3.   Try doing a DIR of your hard disk/s (C:, D:, etc).

     You should continue with Step 4 *only* if all the tests in
     Step 2 and this step pass.  Do *NOT* continue if you were
     unable to correctly access *all* your hard disks, as you will
     quite possibly damage critical information making permanent
     data damage or loss more likely.

4.   Replace the program (code) part of the MBR by using the MS-,
     or PC-DOS FDISK /MBR command.  If you use DR DOS 6.0, or
     later, select the FDISK menu option "Re-write Master Boot
     Record".

5.   Replace the DOS boot sector using the command SYS C: (or
     whatever is correct for your first hard disk partition).  For
     this step, the version of DOS on your boot diskette must be
     *exactly* the same as is installed on your hard disk (this
     may mean you have to first reboot with a clean boot diskette
     other than that used in Step 1).  If you are using a disk
     compression system, such as DoubleSpace or DriveSpace, check
     the documentation on how to locate the physical drive on
     which the compressed volume is installed, and apply the SYS
     command to that instead.  Usually this is drive H: or I:.

6.   Reboot from your hard disk and check that all is well--if not
     (which is unlikely if you made the recommended checks), seek
     expert help.

7.   As you will get re-infected by forgetting an infected
     diskette in your A: drive at boot time, you have to clean all
     your floppies as well.  This is harder, as there is no simple
     way of doing this with standard DOS tools.  You can copy the
     files from each of your floppies, re-format them and copy the
     files back, but this is a very tedious process (and prone to
     destructive errors!).  At this point you probably should
     consider obtaining some good antivirus software.

FDISK /MBR will only overwrite the boot loader code in the MBR of the
*first* hard drive in a system.  However, a few viruses will infect both
drives in a two drive system.  Although the second hard drive is never
booted from in normal PC configurations, should the second drive from
such a machine ever be used as the first drive in a system, it will
still be infected and in need of disinfecting.
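As an added example that is not part of the FAQ, the code below ties the
MBR and PARTITION TABLE entries of B15 to the checks in Steps 2 and 4
above: it decodes a 512-byte MBR image (boot loader code in the first
446 bytes, the 64-byte partition table at offset 446, the 55 AA
signature at offset 510), reports whether the partition table looks
normal, and compares the code area, which is the part FDISK /MBR
rewrites, against a known-good hash.  The MBR images, the 1 GB disk
size and the function names are constructed assumptions of the example;
on a real PC the sector would be read from track 0, head 0, sector 1.

```python
# Added example (not from the FAQ): decode a constructed 512-byte MBR image,
# sanity-check its partition table and compare its code area with a baseline.
import hashlib
import struct

SECTOR = 512
TABLE_OFFSET = 446           # partition table: 4 entries x 16 bytes = 64 bytes
SIGNATURE_OFFSET = 510       # 0x55 0xAA


def parse_partition_entry(raw):
    """Decode one 16-byte entry: boot flag, CHS start, type, CHS end, LBA start, count."""
    (boot, s_head, s_sec, s_cyl, ptype, e_head, e_sec, e_cyl,
     lba, count) = struct.unpack("<BBBBBBBBII", raw)
    return {"bootable": boot == 0x80, "boot_flag": boot, "type": ptype,
            "lba_start": lba, "sectors": count}


def parse_mbr(sector):
    """Return the SHA-256 of the code area and the four decoded partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIGNATURE_OFFSET:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = [parse_partition_entry(sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)])
               for i in range(4)]
    return {"code_sha256": hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest(),
            "partitions": entries}


def sanity_problems(mbr, disk_sectors):
    """List reasons the partition table looks wrong (empty list = looks normal)."""
    problems = []
    used = [p for p in mbr["partitions"] if p["type"] != 0]
    if sum(1 for p in used if p["bootable"]) != 1:
        problems.append("expected exactly one bootable (active) partition")
    for i, p in enumerate(mbr["partitions"]):
        if p["boot_flag"] not in (0x00, 0x80):
            problems.append(f"entry {i}: boot flag 0x{p['boot_flag']:02x} is neither 0x00 nor 0x80")
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            problems.append(f"entry {i}: unused type but non-zero extent")
        if p["type"] != 0 and p["lba_start"] + p["sectors"] > disk_sectors:
            problems.append(f"entry {i}: extends past end of disk")
    return problems


def check(sector, baseline_code_sha256, disk_sectors):
    """The two checks from C3: is the table sane, and is the code area unchanged?"""
    mbr = parse_mbr(sector)
    return {"code_matches_baseline": mbr["code_sha256"] == baseline_code_sha256,
            "partition_problems": sanity_problems(mbr, disk_sectors)}


# --- constructed test images ------------------------------------------------
def make_entry(boot_flag, ptype, lba_start, sectors):
    # CHS fields are left zero in these constructed images
    return struct.pack("<BBBBBBBBII", boot_flag, 0, 0, 0, ptype, 0, 0, 0, lba_start, sectors)


def build_mbr(code, entries):
    sector = bytearray(SECTOR)
    sector[:len(code)] = code
    for i, e in enumerate(entries):
        sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)] = e
    sector[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


DISK_SECTORS = 2_097_152     # a constructed 1 GB drive with 512-byte sectors
GOOD_TABLE = [make_entry(0x80, 0x06, 63, DISK_SECTORS - 63)]   # one active FAT16 partition
CLEAN_CODE = b"constructed stand-in for the normal boot loader".ljust(TABLE_OFFSET, b"\x00")
CLEAN_MBR = build_mbr(CLEAN_CODE, GOOD_TABLE)
# code area replaced, table intact: what an MBR infector usually leaves behind
CHANGED_MBR = build_mbr(b"constructed different code area".ljust(TABLE_OFFSET, b"\x00"), GOOD_TABLE)
# two active entries, second one past the end of the disk: a damaged table
DAMAGED_MBR = build_mbr(CLEAN_CODE, GOOD_TABLE + [make_entry(0x80, 0x05, 1000, DISK_SECTORS)])

if __name__ == "__main__":
    baseline = parse_mbr(CLEAN_MBR)["code_sha256"]
    for name, img in [("clean", CLEAN_MBR), ("changed", CHANGED_MBR), ("damaged", DAMAGED_MBR)]:
        print(name, check(img, baseline, DISK_SECTORS))
```

The CHANGED image is the case Step 4 handles (table fine, code replaced)
and the DAMAGED image is the case where the text says to stop and seek
help rather than continue.  Because of viruses like One_Half that keep
state only in the MBR, a copy of the old sector should be saved before
the code area is rewritten.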


C4)  What does the <insert name here> virus do?

If an antivirus program has detected a virus on your computer, don't
rush to post a question to this list asking what it does.  First, it
might be a false positive alert (especially if the virus is found only
in one file--see C5), and second, some viruses are extremely common, so
questions like "What does the Jerusalem virus do?" or "What does the
Stoned virus do?" are asked here repeatedly.  While this list is read by
several antivirus experts, they get tired of perpetually answering the
same questions over and over again.  In any case, if you really need to
know what a particular virus does (as opposed to knowing enough to get
rid of it), you will need a longer treatise than could be given here.

For example, the Stoned virus replaces the disk's boot record with its
own, relocating the original to a sector on the disk that may (or may
not) occur in an unused portion of the root directory of a DOS diskette;
when active, it sits in an area a few kilobytes below the top of memory.
All this description could apply to a number of common viruses; but the
important points of where the original boot sector goes--and what effect
that has on networking software, non-DOS partitions, and so on--are all
major questions in themselves.

Therefore, it is better if you first try to answer your question
yourself.  There are several sources of information about the known
computer viruses, so please consult one of them before requesting
information publicly.  Chances are that your virus is rather well known
and that it is already described in detail in at least one of these
sources (see A6 for some help in finding these.)


C5)  What are "false positives" and "false negatives"?

A FALSE POSITIVE (or Type-I) error is one in which antivirus software
claims that a given object is infected by a virus when, in reality, the
object is clean.  This is a failure of *detection* (see B15).  A FALSE
NEGATIVE (or Type-II) error is one in which the software fails to
indicate that an infected object is infected.  Clearly false negatives
are more serious than false positives, although both are undesirable.

Following from some of Fred Cohen's work, it has been proven that every
virus detector must have an infinite number of false positives, false
negatives, or both.  This is expressed by saying that detection of
viruses, either by appearance or behavior, is UNDECIDABLE.  The
interpretation and practical significance of this depends upon the
interpretation of the terms used, and as with Fred's definition of the
term "computer virus", there is some debate over this.

In the case of virus scanners, false positives are rare, but they can
arise if the scan string chosen for a given virus is also present in
some benign objects because the string was not well chosen.  In modern
scanners, most false positives probably occur because some virus
encryption engines produce very "normal looking" code and scanners that
only try to decide if a piece of code could have been generated by a
known virus encryption procedure will occasionally detect "innocent"
code as "suspicious".  False negatives are more common with virus
scanners because scanners will miss completely new or heavily modified
viruses.

One other serious problem could occur:  A positive that is misdiagnosed.
As an example, imagine a scanner faced with the Empire virus in a boot
record that reports it as the Stoned virus.  In this case, use of a
Stoned-specific "cure" to recover from an Empire infection could result
in an unreadable disk or loss of extended partitions.  Similarly,
sometimes "generic" disinfection (see D1) can result in unusable files,
unless a check is made (e.g. by comparing checksums) that the recovered
file is identical to the original file.  The better generic disinfection
products all store information about the original files to allow
verification of recovery processes.

A particular type of false positive, where (part of) an *inactive* virus
is detected, is known as a GHOST POSITIVE.  Ghost positives usually
occur in one of four situations (the first two of which are examples of
antivirus programs "upsetting" each other):

Ghost positives can be caused when the disinfection routine of an
antivirus program "unhooks" a virus from its target (be it a file or
boot sector) but it does so in such a way that part of the virus code is
left intact (though that code will never be executed).  Another
antivirus program might see this code and report it as an infection.
In this case the second antivirus program is seeing a "ghost"--part of
a virus that was there.

A scanner may "see" the unencoded scan strings of another scanner, left
in memory after the first has run or held in memory by a resident
scanner, and report these "ghosts" as active viruses (see C6 and C8).

As explained elsewhere (see E10) a copy of an infected diskette boot
sector, sitting in the disk buffers, may be detected and reported as an
active virus.

Disinfection procedures can result in virus "remnants" being left in
"slack space" (disk space allocated to files but not actually occupied).
As in the case of copies of infected diskette boot sectors being held in
disk buffers, these remnants can be detected and incorrectly reported as
being active.  Ghost positives of this nature should disappear after
running disk defragmentation or "optimization" programs with the option
to "clean" slack space.  Occasionally running a defragmenter (like MS-
DOS 6's DEFRAG) after a full data backup (see D10), is a good idea
anyway--especially before installing new software.  Unfortunately, DOS's
DEFRAG does not have a "clean slack space" option, though some third-
party defragmenters do.  There are also utilities that clean unallocated
and slack space and these should remove ghost positives caused by
"remnants".


C6)  Could an antivirus program itself be infected?

Yes, so it is important to obtain this software from good sources, and
to trust results only after running scanners from a "clean" system.  But
there are situations where a scanner appears to be infected when it
isn't.

Most antivirus programs try very hard to identify viral infections only,
but sometimes they give false alarms (see C5).  If two different
antivirus programs are both of the "scanner" type, they will contain
"scan strings" from which they identify viral infections.  If the
strings are not "encoded", then they may be identified as a virus by
another scanner type program.  Also, if the scanner does not remove the
strings from memory after it has run, then another scanner may detect a
virus string "in memory".  This often causes the second scanner to
report that your system is "infected", *but* only after you have run the
first scanner (which may be a memory resident one).  The major
contributors to this group are so tired of dealing with non-virus
reports of this sort that they *strongly* recommend users to avoid
antivirus software which doesn't keep its scan strings encoded in
memory.

Some "change detection" antivirus programs add a snippet of code or data
to a program in order to "protect" it.  (This process is sometimes
called "inoculation", but this term is also used for other antivirus
techniques.)  These file changes will likely be detected by other
"change detection" programs, and may therefore raise a warning of a
suspicious file change (see F8 for a discussion of the inadvisability of
adding self-checking code to *existing* programs).

It is good practice to use more than one antivirus program but, by their
nature, multiple antivirus programs may confuse each other!
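The "unencoded scan strings" problem described in C5 and C6 is easy to
reproduce with a toy scanner.  The following is an added example, not
code from the FAQ or from any of the products it names; the two
"signatures" are constructed placeholder byte strings, not real virus
scan strings.  A second scanner sweeping RAM finds "viruses" in the memory
of a scanner that stores its strings plain, but nothing in the memory of
one that keeps them XOR-encoded and decodes each string only while
matching it.

```python
"""Toy scanner showing why unencoded scan strings cause "ghost positives".

Added example, not part of the FAQ.  The signatures below are constructed
placeholder byte strings, not real virus scan strings.
"""

# Constructed placeholder signatures (NOT real virus code).
PLAIN_SIGNATURES = {
    "Demo-A": b"\xde\xad\xbe\xef\x13\x37\x42\x42",
    "Demo-B": b"PLACEHOLDER-SIG-B",
}

XOR_KEY = 0x5A  # hides the bytes from a naive substring match; not encryption


def encode(sig: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte so the plain scan string never sits in memory."""
    return bytes(b ^ key for b in sig)


def decode(enc: bytes, key: int = XOR_KEY) -> bytes:
    return encode(enc, key)  # XOR is its own inverse


class Scanner:
    """A scan-string scanner that can keep its database plain or encoded."""

    def __init__(self, signatures, encoded=True):
        self.encoded = encoded
        self.db = {name: (encode(sig) if encoded else sig)
                   for name, sig in signatures.items()}

    def memory_image(self) -> bytes:
        """The bytes another scanner would see when sweeping this one's RAM."""
        return b"".join(self.db.values())

    def scan(self, data: bytes) -> list:
        """Decode each string only transiently, one at a time, while matching."""
        hits = []
        for name, stored in self.db.items():
            sig = decode(stored) if self.encoded else stored
            if sig in data:
                hits.append(name)
        return sorted(hits)


# Constructed "infected" sample: a fake EXE header, filler, then one signature.
SAMPLE_FILE = b"MZ" + b"\x00" * 64 + PLAIN_SIGNATURES["Demo-A"] + b"\x00" * 32


def ghost_positive_demo() -> dict:
    """Sweep the memory of a plain and an encoded scanner with a second scanner."""
    careless = Scanner(PLAIN_SIGNATURES, encoded=False)
    careful = Scanner(PLAIN_SIGNATURES, encoded=True)
    second = Scanner(PLAIN_SIGNATURES, encoded=True)  # the "other" scanner
    return {
        # the other scanner finds "viruses" in the careless scanner's RAM ...
        "plain_scanner_memory": second.scan(careless.memory_image()),
        # ... but nothing in the careful scanner's RAM
        "encoded_scanner_memory": second.scan(careful.memory_image()),
        # both still detect the (constructed) infected sample
        "sample_file_plain": careless.scan(SAMPLE_FILE),
        "sample_file_encoded": careful.scan(SAMPLE_FILE),
    }


if __name__ == "__main__":
    for k, v in ghost_positive_demo().items():
        print(f"{k}: {v or 'clean'}")
```

A one-byte XOR is enough here because the goal is only to stop another
scanner's substring match, not to keep the strings secret; real products
can use any reversible encoding as long as the decoded form is never left
lying around in memory after the scan.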


C7)  Where can I get a virus scanner for my Unix system?

Basically, you shouldn't bother scanning for Unix viruses at this point
in time.  Although it is possible to write Unix-based viruses we have
yet to see any instance of a non-experimental virus in that environment.
Someone with sufficient knowledge and access to write an effective virus
would be more likely to conduct other activities than virus-writing.
Furthermore, the typical form of software sharing in the Unix
environment does not support virus spread as easily as some others.

This answer is not meant to imply that Unix viruses are impossible, or
that there aren't security problems in a typical Unix environment--there
are, and Fred Cohen's first experimental virus was implemented and
tested on a Unix system.  True viruses in the Unix environment are,
however, unlikely to spread well.  For more information on Unix
security, see the book "Practical Unix Security" by Garfinkel and
Spafford, O'Reilly & Associates, 1991, price $29.95 (it can be ordered
via e-mail from nuts@ora.com).

There *are* special cases in which scanning Unix systems for non-Unix
viruses does make sense.  For example, a Unix system acting as a file
server (e.g., PC-NFS) for PC systems is quite capable of containing PC
file infecting viruses that are a danger to PC clients.  Note that, in
this example, the Unix system would be scanned for PC viruses, not Unix
viruses.  Also, *any* PC is vulnerable to PC MBR infectors, so special
care should be taken to prevent booting a PC hosted Unix OS from a
floppy infected with an MBR virus (see C12).

In addition, a file integrity checker (to detect unauthorized changes in
executable files) on Unix systems is a very good idea.  (One free
program that can do this test, as well as other tests, is Tripwire,
available by anonymous FTP from its "home" site of coast.cs.purdue.edu
in /pub/COAST/Tripwire, and from several other antivirus sites.)
Unauthorized file changes on Unix systems are very common, although they
are not usually due to virus activity.


C8)  Why does my scanner report an infection only sometimes?

There are circumstances where part of a virus exists in RAM without
being active.  If your scanner occasionally reports a virus in memory,
it could be due to the operating system buffering diskette reads or
harmlessly keeping disk contents that include a virus in memory, or
after running another scanner, there may be scan strings left (again
harmlessly) in memory.  These are known as GHOST POSITIVE alerts (see C5
for more details).


C9)  I think I have detected a new virus; what do I do?

Whenever there is doubt over a virus, you should obtain the latest
versions of several (not just one) major virus scanners.  Some scanning
programs now use "heuristic" methods (F-PROT and TBSCAN are examples),
and "activity monitoring" programs can report a program as being
possibly infected when it is in fact perfectly safe (odd, perhaps, but
not infected).  If no scanner finds a virus, but a heuristic program
raises some alarms (or there are other reasons to suspect a virus--e.g.
change in size of files, change in memory allocation) then it is
possible that you have found a new virus, although the chances are
probably greater that it is an "odd but okay" disk or file.  Start by
looking in recent Virus-L/comp.virus postings for "known" false
positives, then contact the author of the antivirus software that
reports the virus-like features; the documentation for the software may
have a section explaining what to do if you think you have found a new
virus.


C10) CHKDSK reports 639K (or less) total memory on my DOS system; am I
     infected?

If CHKDSK displays 639KB (654,336 bytes) for the total memory instead of
640K (655,360 bytes)--so that you are missing only 1KB--it is possibly
due to reasons other than a virus, but there are a few common viruses
that take only 1KB from total memory (Monkey and AntiEXE).  Non-virus
reasons for a deficiency of 1KB include:

1.   A PS/2 computer.  IBM PS/2 computers reserve 1KB of
     conventional RAM for an Extended BIOS Data Area, i.e. for
     additional data storage required by its BIOS.
2.   A computer with a BIOS, which is set to use the upper 1KB of
     memory for its internal variables.  (Most BIOSes with this
     option can be instructed to use lower memory instead.)
3.   Some SCSI controllers.
4.   The DiskSecure antivirus program.
5.   Mouse buffers for older Compaqs.

If you are missing 2KB or more from the 640KB, 512KB, or whatever the
conventional memory normally is for your PC, the chances are greater
that you have a boot-record virus (e.g. Stoned, Form or Michelangelo),
although, even in this case there may be legitimate reasons for the
missing memory:

1.   Many access control programs for preventing booting from a
     floppy.
2.   H/P Vectra computers.
3.   Some special BIOSes which use memory for a built-in calendar
     and/or calculator.

However, these are only rough guides.  In order to be more certain
whether the missing memory is due to a virus, you should:

1.   run several virus detectors;
2.   look for a change in total memory every now and then;
3.   compare the total memory size with that obtained when cold
     booting from a "clean" system diskette.  The latter should
     show the normal amount of total memory for your configuration
     (although several BIOSes now steal 1KB of conventional memory
     when booted from floppy but none when booting from a hard
     drive).

Note:  In all cases, CHKDSK should be run without software such as MS-
Windows or DesqView loaded, since these operating environments seem to
be able to open DOS boxes only on 1KB boundaries (some seem to be even
coarser); thus CHKDSK run from a DOS box may report unrepresentative
values.

Note also that some machines have only 512KB or 256KB instead of 640KB
of conventional memory.


C11) I have an infinite loop of sub-directories on my hard drive; am I
     infected?

Probably not.  This happens now and then, when something sets the
"cluster number" field of a subdirectory to the same cluster as an upper-
level (usually the root) directory.  On PCs the /F parameter of CHKDSK
should be able to "fix" this (as should many other popular disk-repair
programs), usually by removing the offending directory.  *Don't* erase
any of the "replicated" files in the "odd" directory, since that will
erase the "copy" in the root as well (these are not really copies at
all; just second pointers to the same files).
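The situation C11 describes (a sub-directory entry whose starting cluster
is that of one of its own ancestors) can be detected by a simple walk that
remembers the clusters on the current path.  The following is an added
example, not part of the FAQ; the directory table is a constructed
FAT-style model in which each key is a directory's starting cluster,
cluster 0 stands for the root, and each value lists the (name, cluster)
entries of that directory's sub-directories.  The resolve() helper also
shows why deleting through the "odd" directory deletes the root copy: both
paths end at the same cluster.

```python
"""Detect "infinite" sub-directory loops in a toy FAT-style directory table.

Added example, not part of the FAQ.  The table below is constructed: each
key is a directory's starting cluster, each value lists (name, cluster)
entries for its sub-directories.  Cluster 0 stands for the root.
"""

# Constructed sample: WORK/ODD points back at the root and
# WORK/DOCS/LOOP2 points back at WORK, the kind of damage C11 describes.
SAMPLE_TABLE = {
    0: [("DOS", 2), ("WORK", 5)],
    2: [("UTILS", 7)],
    5: [("DOCS", 9), ("ODD", 0)],
    7: [],
    9: [("LOOP2", 5)],
}


def find_directory_loops(table, root=0):
    """Return [(path, cluster)] for every entry whose cluster is an ancestor."""
    loops = []

    def walk(cluster, ancestors, names):
        for name, sub in table.get(cluster, []):
            path = "/".join(names + [name])
            if sub in ancestors:
                loops.append((path, sub))   # report, but do not descend
                continue
            walk(sub, ancestors | {sub}, names + [name])

    walk(root, {root}, [])
    return loops


def resolve(table, path, root=0):
    """Follow a path through the table and return the cluster it ends at."""
    cluster = root
    for comp in (c for c in path.split("/") if c):
        for name, sub in table.get(cluster, []):
            if name == comp:
                cluster = sub
                break
        else:
            raise FileNotFoundError(path)
    return cluster


if __name__ == "__main__":
    for path, cluster in find_directory_loops(SAMPLE_TABLE):
        print(f"loop: {path} -> cluster {cluster}")
    # Both names lead to the same cluster: deleting via one deletes the other.
    print(resolve(SAMPLE_TABLE, "WORK/ODD/DOS"), resolve(SAMPLE_TABLE, "DOS"))
```

Only ancestors on the current path count as a loop; a directory legitimately
reachable by two different non-cyclic paths would not be reported, which is
the same distinction a repair tool has to make before it "fixes" anything.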


C12) Can a PC not running DOS be infected with a common DOS virus?

Yes!  There are three distinct possibilities here.

One is Novell's NetWare (and possibly other network operating systems),
which boots from a DOS disk and loads a "standard" DOS executable that
takes complete control of the system from DOS.  This executable--
SERVER.EXE--could easily be infected by a DOS file infector.  For
example, a server's NetWare boot diskette may have to be taken from the
server to a DOS PC to edit some of the configuration and startup files
that have to be on that diskette.  If the PC where the editing is done
is infected with a file infecting virus, SERVER.EXE may well be infected
when the new startup files are saved to the diskette.  Such infections
are virtually guaranteed to render SERVER.EXE inoperative and the server
would fail at its next restart.  No viruses are known to target the
NetWare kernel specifically.

Another possibility is the case of a 386 (or better) system running
NetWare or a self-loading OS, such as Unix, NeXTStep486, Windows NT or
OS/2, since this system is still vulnerable to infection by MBR
infectors (such as Stoned or Michelangelo), as these are operating
system independent.  Note that an infection on such a system may result
in the disabling of non-DOS disk partitions (possibly beyond easy
recovery) because the tricks and system conventions these viruses employ
may not apply to operating systems other than DOS.  The issue here is
that MBR infectors are not really "DOS viruses" so much as "PC-BIOS
viruses"--they can infect any machine with a PC-compatible BIOS.

Third, *any* OS that offers a "DOS box" or "DOS emulator" to run DOS
programs can, potentially, run a virus-infected DOS program.  Such
activation of a virus should allow the virus to spread to any "targets"
available to it under that DOS emulator.  For example, a DOS program
infected with a multipartite virus, when run under OS/2 would probably
be able to infect other DOS executables, but not the MBR/DBS, as OS/2
only allows programs to read these critical areas of the hard drive (see
E12 for more details on DOS viruses running under OS/2).  With the
increasing sophistication and power of computing environments, DOS
emulators running on non-PC computers are increasingly available and
able to run DOS viruses.


C13) My hard-disk's file system has been garbled:  Do I have a virus?

Many things apart from viruses cause corruption of file systems.

With DOS machines possibly the most common is Microsoft's SmartDrive
disk cache program that came with Microsoft Windows 3.1 and subsequent
versions of MS-DOS.  Most versions of this software not only cache disk-
reads but, by default, also cache disk-writes.  This means that recently
"written" files (say from saving a document in your word processor) may
not have all the information about the associated file system updates
written to disk by the time you exit the application, close Windows and
turn off your PC.  Users who simply save work then turn their PC off are
even more likely to suffer from disk caching induced problems like this.

Regardless of what caused your file-system corruption, you should
probably seek expert help *before* trying to fix anything yourself.
While there are many powerful and interesting-sounding utilities of the
"disk fix" kind available, *all* of these have the stunning ability to
render your file system all but unfixable (or at least, fixable to a
much lesser degree) when presented with unusual situations their authors
hadn't considered when designing the programs.  Unfortunately, as these
programs (by definition) do not recognize these situations, they
confidently pronounce that you have such-and-such a problem then ask
your permission to fix it.  Even when these utilities have "undo"
options, they often cannot restore your file system to its originally
"broken" state to give human experts their best shot at fixing it.
Thus, detecting whether it is safe to let one of these programs loose on
your disks is something you should normally seek expert help in
deciding.



=================================
= Section D.   Protection plans =
=================================

D1)  What is the best antivirus program?

None!  Different products are more or less appropriate in different
situations, but in general you should build a cost-effective *strategy*
based on multiple layers of defense.  There are three main kinds of
antivirus software, plus several other means of protection, such as
hardware write-protect methods (see D4).  When planning your antivirus
strategy you should also look closely at your backup policies and
procedures (see D10).

1.   ACTIVITY MONITORING programs.  These try to prevent infection
     before it happens by looking for virus-like activity, such as
     attempts to write to another executable, reformat the disk,
     etc.  An alternative term is BEHAVIOR BLOCKER.

     Examples: SECURE and FluShot+ (PC), and GateKeeper
     (Macintosh).

     These programs are considered the weakest line of defense
     against viruses on a system that does not have memory
     protection, because in such an environment it is possible for
     a tunnelling virus (see B12) to bypass or disable them.

2.   SCANNERS.  Most look for known viruses by searching your
     disks and files for "scan strings" or patterns, but a few use
     heuristic techniques to recognize viral code.  Most now also
     include some form of "algorithmic scanning" in order to
     detect known polymorphic viruses.  A scanner may be designed
     to examine specified disks or files on demand, or it may be
     resident, examining each program which is about to be
     executed.  Most scanners also include virus removers.

     Examples:  FindViru in Dr Solomon's AntiVirus ToolKit, Frisk
     Software's F-PROT, McAfee's VirusScan (all PC), Disinfectant
     (Macintosh).

     Resident scanners:  McAfee's V-Shield, and F-PROT's VIRSTOP.

     Heuristic scanners:  the Analyse option in F-PROT, TBAV's
     TbScan and ChkBoot (from Padgett Peterson's FixUtils).

     Scanners are the most convenient and the most widely used
     kind of antivirus programs. They are a relatively weak line
     of defense because even the simplest virus can bypass them if
     it is new and unknown to the scanner.  Therefore, your virus
     protection system should not rely on a scanner alone.

3.   INTEGRITY CHECKERS or MODIFICATION DETECTORS.  These compute
     a small "checksum" or "hash value" (usually CRC or
     cryptographic) for files when they are presumably uninfected,
     and later compare newly calculated values with the original
     ones to see if the files have been modified.  This catches
     unknown viruses as well as known ones and thus provides
     *generic* detection.  On the other hand, modifications can
     also be due to reasons other than viruses.  Usually, it is up
     to the user to decide which modifications are intentional and
     which might be due to viruses, although a few products give
     the user help in making this decision.  As in the case of
     scanners, integrity checkers may be called to checksum entire
     disks or specified files on demand, or they may be resident,
     checking each program which is about to be executed (the
     latter is sometimes called an INTEGRITY SHELL).  A third
     implementation is as a SELF-TEST, where the checksumming code
     is attached to each executable file so they check themselves
     just before execution.  It is generally considered a bad idea
     to add such code to existing executables (see F8).

     Examples: ASP Integrity Toolkit (commercial), and Integrity
     Master and VDS (shareware), all for the PC.

     Integrity checkers are considered to be the strongest line of
     defense against computer viruses, because they are not virus-
     specific and can detect new viruses without being constantly
     updated.  However, they should not be considered as an
     absolute protection--they have several drawbacks, cannot
     identify the particular virus that has attacked the system,
     and there are successful methods of attack against them too.

3a.  Some modification detectors provide HEURISTIC DISINFECTION.
     Sufficient information is saved for each file so that it can
     be restored to its original state in the case of the great
     majority of viral infections, even if the virus is unknown.

     Examples: V-Analyst 3 (BRM Technologies, Israel), the VGUARD
     module of V-Care and ThunderByte's TbClean.

Note that behavior blockers and scanners are virus *prevention* tools,
while integrity checkers are virus *detection* tools.
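The integrity checker idea in item 3 above (and the checksum comparison
mentioned under C5 for verifying a generic disinfection, or the Tripwire
style of check suggested for Unix in C7) comes down to two operations:
record a digest for each executable while it is presumed clean, and later
compare.  The following is an added example, not the FAQ's code and not
any product's; the directory and file contents it works on are
constructed inside a temporary directory.  It keys the digests with
HMAC-SHA256 so that a virus which knows the checker's algorithm cannot
simply recompute matching values; the key in the demo is a placeholder,
and in practice the key (and the baseline) belong on write-protected or
off-machine storage.

```python
"""Minimal integrity checker: baseline, then verify.

Added example, not part of the FAQ and not any product's code.  It keys the
digests with HMAC-SHA256 so a virus that knows the checker cannot simply
recompute matching values without the key (which should be kept off the
machine).  The demo directory and file contents are constructed.
"""
import hashlib
import hmac
import os
import tempfile

EXEC_SUFFIXES = (".exe", ".com", ".sys", ".bat")


def file_digest(path, key=None):
    """HMAC-SHA256 of the file when a key is given, plain SHA-256 otherwise."""
    h = hmac.new(key, digestmod=hashlib.sha256) if key else hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_baseline(root, key=None, suffixes=EXEC_SUFFIXES):
    """Digest + size for every executable under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(suffixes):
                full = os.path.join(dirpath, fn)
                baseline[os.path.relpath(full, root)] = {
                    "digest": file_digest(full, key),
                    "size": os.path.getsize(full),
                }
    return baseline


def verify(root, baseline, key=None, suffixes=EXEC_SUFFIXES):
    """Compare the current state with the baseline; the user decides what is legitimate."""
    current = make_baseline(root, key, suffixes)
    report = {"modified": [], "missing": [], "added": []}
    for rel, entry in baseline.items():
        now = current.get(rel)
        if now is None:
            report["missing"].append(rel)
        elif now["digest"] != entry["digest"]:
            report["modified"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    for k in report:
        report[k].sort()
    return report


def demo():
    """Constructed scenario: one file appended to, one deleted, one added."""
    key = b"constructed-demo-key"  # placeholder; a real key lives off-machine
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("HELLO.EXE", b"MZ-hello"), ("TOOL.COM", b"tool"),
                           ("OLD.SYS", b"old"), ("README.TXT", b"not tracked")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = make_baseline(root, key)
        # simulate an appending file infector, a removed file and a new file
        with open(os.path.join(root, "HELLO.EXE"), "ab") as f:
            f.write(b"<appended-bytes>")
        os.remove(os.path.join(root, "OLD.SYS"))
        with open(os.path.join(root, "NEW.EXE"), "wb") as f:
            f.write(b"MZ-new")
        return verify(root, baseline, key)


if __name__ == "__main__":
    print(demo())
```

As the FAQ says, the report only tells you *that* files changed, not which
virus (if any) did it; deciding whether "HELLO.EXE modified" was a
legitimate upgrade or an infection is still up to the user.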

Of course, only a few examples of each type have been given.  All of
these types of antivirus program have a place in protecting against
computer viruses, but you should appreciate the limitations of each
method, along with system-supplied security measures that may or may not
be helpful in defeating viruses.  Ideally, you should arrange a
combination of methods that cover each others' weaknesses.

A typical PC installation might include a protection system on the hard
disk's MBR to protect against viruses at load time (ideally this would
be hardware or in BIOS, but software methods such as DiskSecure and
Henrik Stroem's HS are pretty good).  This would be followed by resident
virus detectors loaded as part of the machine's startup (CONFIG.SYS or
AUTOEXEC.BAT), such as FluShot+ and/or VirStop and/or ChkBoot.  A
scanner such as F-PROT or McAfee's VirusScan and an integrity checker,
such as Integrity Master, could be put into AUTOEXEC.BAT, but this may
be a problem if you have a large disk to check, or don't reboot often
enough.  Most importantly, new files and diskettes should be scanned as
they arrive *regardless* of their source.  If your system has DR DOS
installed, you should use the PASSWORD command to write-protect all
system executables and utilities.  If you have Stacker or SuperStor, you
can get some improved security from these compressed drives, but also a
risk that those viruses stupid enough to directly write to the disk
could do much more damage than normal.  In this case a software write-
protect system (such as provided with Disk Manager or The Norton
Utilities) may help.  Possibly the best solution is to put all
executables on a disk of their own, with a hardware write-protect system
that sounds an alarm if a write is attempted.

If you do use a resident BSI detector or a scan-while-you-copy detector,
it is important to trace back any infected diskette to its source.  The
reason viruses survive so well is that usually you cannot do this,
because the infection is found long after the infecting diskette has
been forgotten due to most people's lax scanning policies.

Organizations should devise and implement a careful policy that may
include a system of vetting new software brought into the building and
free virus detectors for home machines of employees/students/etc who
take work home with them.

Other antivirus techniques include:

1.   Creation of a special MBR to make the hard disk inaccessible
     when booting from a diskette (the latter is useful since
     booting from a diskette will normally bypass any protection
     measures loaded in the CONFIG.SYS and/or AUTOEXEC.BAT files
     on the hard disk).

     Some of these systems won't prevent attack by some MBR virus
     infections if booting from an infected floppy.  This approach
     is less important now, as most newer PCs allow you to change
     the boot order so the first hard drive is tried *before* any
     of the floppy drives.

2.   Use of Artificial Intelligence to learn about new viruses and
     extract scan patterns for them.

     Examples: V-Care (CSA Interprint, Israel; distributed in the
     US by Sela Consultants Corp.), Victor Charlie (Bangkok
     Security Associates, Thailand; distributed in the US by
     Computer Security Associates).

3.   Encryption of files (with decryption before execution).

4.   Diskette "fences".  There are three different approaches to
     this.  One prevents executables from being accessed from
     floppy drives while another prohibits the use of unscanned
     (possibly "unclean") files or diskettes.  A third method uses
     a non-standard diskette format so diskettes can only be used
     on (and therefore shared among) machines using the
     appropriate antivirus software (usually all those within a
     site or company).  This last method is probably the most
     common diskette fence and provides better protection against
     boot sector viruses than the other "fence" types.

     The workings of the first and third are probably fairly clear
     from these brief descriptions.  The second approach works by
     writing special information to normally unused areas of the
     diskette as part of the scanning process and employing a
     driver in the users' machines that prevents access to files
     that aren't marked as scanned (or to any part of a diskette that
     contains unscanned files).  Alternatives include encrypting
     scanned files and drivers that only allow access to encrypted
     files, and so on.  One advantage of this second type of
     system is that you only need scanners for "perimeter
     checking" machines, reducing the overhead and cost of keeping
     your scanners up to date.

     Examples: D-Fence, Virus Fence, TbFence, DiskNet.


D2)  Is it possible to protect a computer system with only software?

Not perfectly; although software defenses can significantly reduce your
risk of being affected by viruses *when applied appropriately*.  All
virus defense systems are tools--each with its own capabilities and
shortcomings.  Learn how your system works and be sure to work within
its limitations.

Using a layered approach, a very high level of protection/detection can
be achieved with software only.

1.   ROM BIOS--password (access control) and selecting to boot
     from the hard drive rather than from diskette.  (Some may
     consider this hardware.)
2.   Boot sectors--integrity management and change detection.
3.   OS programs--integrity management of existing programs,
     scanning of unknown programs.  Requirement of authentication
     values for any new or transmitted software.
4.   Locks that prevent writing to a fixed or floppy disk.

As each layer is added, undetected invasion becomes more difficult.
Nevertheless, complete protection against any possible attack cannot be
provided without dedicating the computer to pre-existing or unique
tasks.  International standardization on the IBM PC architecture is both
its greatest asset and its greatest vulnerability.


D3)  Is it possible to write-protect the hard disk with software only?

The answer is no.  There are several programs that claim to do this, but
*all* of them can be bypassed with techniques already used by some
viruses.  Therefore you should never rely on such programs *alone*,
although they can be useful in combination with other antivirus
measures.


D4)  What can be done with hardware protection?

Hardware protection can accomplish various things, including: write
protection for hard disk drives, memory protection, monitoring and
trapping unauthorized system calls, etc.  Again, no single tool will be
foolproof and the "stronger" hardware-based protection is, the more
likely it will interfere with the "normal" operation of your computer.

The popular idea of write-protection (see D3) may stop viruses
*spreading* to the disk that is protected, but doesn't, in itself,
prevent a virus from *running*.

Also, some existing hardware protection schemes can be easily bypassed,
fooled, or disconnected, if the virus writer knows them well and designs
a virus that is aware of the particular defense.

The big problem with hardware protection is that there are few (if any)
operations that a general-purpose computer can perform that are used by
viruses *only*.  Therefore, making a hardware protection system for such
a computer typically involves deciding on some (small) set of operations
that are "valid but not normally performed except by viruses", and
designing the system to prevent these operations.  Unfortunately, this
means either designing limitations into the level of protection the
hardware system provides or adding limitations to the computer's
functionality by installing the hardware protection system.  Much can be
achieved, however, by making the hardware "smarter".  This is double-
edged: while it provides more security, it usually means adding a
program in an EPROM to control it.  This allows a virus to locate the
program and to call it directly after the point that allows access.  It
is still possible to implement this correctly though--if this program is
not in the address space of the main CPU, has its own CPU and is
connected directly to the hard disk and the keyboard.  As an example,
there is a PC-based product called ExVira which does this and seems
fairly secure, but it is a whole computer on an add-on board and is
quite expensive.


D5)  Does setting a file's attributes to READ ONLY protect it from
     viruses?

Generally, no.  While the Read Only attribute will protect your files
from a few viruses, most simply override it, and infect normally.  So,
while setting executable files to Read Only is a good idea (it protects
against accidental deletion), it is certainly not a thorough protection
against viruses!

In some environments the Read Only attribute does provide some
additional protection.  For instance, under Novell Netware a user can be
denied the right to modify file attributes in directories on the server.
This means that a virus that infects such a user's machine will be
unable to infect files in those server directories if the files have
their Read Only attribute set.


D6)  Do password/access control systems protect my files from viruses?

All password and other access control systems are designed to protect
the user's data from other users and/or their programs.  Remember,
however, that when you execute an infected program the virus in it will
gain your current rights/privileges.  Therefore, if the access control
system provides *you* the right to modify some files, it will provide it
to the virus too.  Note that this does not depend on the operating
system used--DOS, Unix, or whatever.  Therefore, an access control
system will protect your files from viruses no better than it protects
them from you.

Under DOS, there is no memory protection, so a virus could disable the
access control system in memory, or even patch the operating system
itself.  On more advanced operating systems (Unix, OS/2, Windows NT)
this is much harder or impossible, so there is much less risk that such
protection measures could be disabled by a virus.  Even so, viruses will
still be able to spread, for the reasons noted above.  In general,
access control systems (if implemented correctly) are only able to slow
down virus spread, not to eliminate viruses entirely.

Of course, it's better to have access control than not to have it at
all.  Just be sure to not develop a false sense of security or come to
rely *entirely* on your access control system to protect you.


D7)  Do the protection systems in DR DOS work against viruses?

Partially.  Neither the password file/directory protection available
from DR DOS version 5 onwards, nor the secure disk partitions from DR
DOS 6 were intended to combat viruses, but they do so to some extent.
If you have DR DOS, it is very wise to password-protect your files (to
stop accidental damage too), but don't depend on it as your only means
of defense.

The use of the password command (e.g. PASSWORD/W:MINE *.EXE *.COM) will
stop more viruses than the plain DOS attribute facility (see D5), but
that isn't saying much!  The combination of the password system plus a
disk compression system may be more secure, because to bypass the
password system a virus must access the disk directly, but under
SuperStor or Stacker the physical disk will be meaningless to a virus.
There may be some viruses that, rather than invisibly infecting files on
compressed disks, very visibly corrupt such disks.

The main use of the "secure disk partitions" system, introduced in
DR DOS 6, is to stop people from fiddling with your hard disk while you
are away from the PC. The way this is implemented, however, may also
help against a few viruses that look for DOS partitions on a disk.

Furthermore, DR DOS is not fully compatible with MS/PC-DOS, especially
when you get down to the low-level tricks that some viruses use.  For
instance, some internal memory structures are "read-only" in the sense
that they are constantly updated (for MS/PC-DOS compatibility) but not
really used by DR DOS, so even if a sophisticated virus modifies them,
it will not have any effect, or at least not that intended by the
virus's author.

In general, using a less compatible system diminishes the number of
existing viruses that can infect it.  For instance, the introduction of
hard disks made the Brain virus almost disappear; the introduction of
the 80286 and DOS 4.0+ made the Yale and Ping Pong viruses next to
extinct, and so on.


D8)  Does a write-protect tab on a floppy disk stop viruses?

In general, yes.  The write-protection on IBM PC (and compatible) and
Macintosh floppy disk drives is implemented in hardware, not software,
so viruses cannot infect a diskette when the write-protection mechanism
is functioning properly (though many "friend of a friend" stories abound
contesting this).

But remember:

1.   A computer may have a faulty write-protect system (this
     happens!)--you can test it by trying to copy a file to a
     diskette that is apparently write-protected.
2.   Someone may have removed the tab for a while, allowing a
     virus on.
3.   The files may have been infected before the disk was
     protected.  Even some diskettes "straight from the factory"
     have been known to be infected during the production process.

Thus, you should scan even new, write-protected disks for viruses.  You
should also scan new, pre-formatted diskettes, as there have been cases
of infected, shrink-wrapped new diskettes.


D9)  Do local area networks (LANs) help to stop viruses or do they
     facilitate their spread?

Both.  A set of computers connected in a well managed LAN, with
carefully established security settings, with minimal privileges for
each user, and without a transitive path of information flow between the
users (i.e., the objects writable by any of the users are not readable
by any of the others) is more virus-resistant than the same set of
computers if they are not interconnected.  The reason is that when all
computers have (read-only) access to a common pool of executable
programs, there is usually less need for diskette swapping and software
exchange between them, and therefore less chances for a virus to spread.

However, if the LAN has lax security and is not well managed, it could
help a virus to spread like wildfire.  It might even be impossible to
remove the infection without shutting down the entire LAN.  Stories of
LAN login programs, shared copies of which are run on every workstation,
becoming infected are, unfortunately, not uncommon.

A network that supports login scripting is inherently more resistant to
viruses than one that does not *if* this is used to validate the client
before allowing access to the network.


D10) What is the proper way to make backups?

A good backup regime is at the heart of any comprehensive virus defense
scheme.  No matter what combination of software and hardware defenses
you install, nor what "policy" you implement, there is always the
possibility that some new virus will be devised that can beat your
defenses *or* that someone will fail to follow "proper protocol" with
"foreign" media or file sources.  In corporate settings, the possibility
of the latter as a form of directed attack by disgruntled employees
cannot be overlooked.

Planning to minimize the impact of a virus infection on your computing
is much like planning to minimize the effect of an earthquake or fire.
You cannot be sure where, when or even *if* you will ever be "hit"; the
potential impact could fall anywhere in a very wide range of possible
damage; being "completely safe" can involve enormous expense; and you
cannot adequately test your preparations without exposing yourself to
serious risk of damage.  Therefore, finalizing on the defense scheme
that suits you involves deciding on the level of loss you can afford to
stand and probably settling on a system that, while not "perfectly
watertight," is "good enough".

Despite the importance of a good backup scheme, it is really beyond the
scope of this FAQ sheet to provide a definitive guide to planning your
backup procedure--that could easily take another document the size of
this!  All this said however, we provide the following advice as, we
hope, a good starting point.

Planning an effective backup scheme really starts with answering some
important questions.  Consider:

1.   Who is dependent on the files on this system?  Is it a home
     computer mostly used by the kids for games, a standalone
     workstation running a small business, a networked workstation
     in a medium-sized company or the same in a large corporate
     environment, or a server with many (hundreds) of users?
2.   How long can the most important user be without access to
     these files?  One hour, 2, 4, 8, a day, a week?  Remember to
     assume that your problems will arise at the worst possible
     moment (like 24 hours before a tax audit is due to start!).
3.   What proportion (and volume!) of files are "fixed" (in the
     sense that they seldom change) versus those that change?  Do
     all changes have to be backed-up, or is a "once-some-given-
     time-period" backup acceptable?
4.   What type of information is in the regularly changing files?

The answers to these (and other) questions help shape backup and
recovery plans and are fairly well understood issues amongst computer
systems professionals.  Highly critical systems containing crucial data
will be designed from the outset to have high redundancy (disk
mirroring, disk arrays, UPSes, maybe even redundant servers), though
such system options *alone* provide no real protection from virus
attacks.  You may opt for a backup system that records every change to
any files on your system (server-only or clients and servers) or regular
(often nightly) backup of changed data files, and so on.

When it comes to planning backup regimes with an eye to the possibility
of recovering from a virus attack, you also have to consider that
regularly backing up executables (loosely, "programs") can cause
problems.  If you do and are infected by a virus, unless you can be
*absolutely sure* of the date of first infection (despite sounding
simple, this is not something that can commonly be done!), you may have
quite a few problems finding the best backup set to restore from, as you
will probably have several sets including infected executables.

For home or small business use, it may be best to maintain two kinds of
backups.  One would contain only your data files and one your operating
system and program files (issues to consider are covered in the next two
paragraphs).  This may be facilitated by maintaining a strict separation
of the two kinds of files, perhaps by putting the operating system and
programs on one drive or partition and your data files on another.
While this is probably not practical for many existing machines,
enforcing adherence to the "rule" that data files should only be placed
in appropriate sub-directories (folders) within a prescribed data
directory may not be a bad thing.

The best way to manage backup of data files depends on the answers to
too many of the questions listed above for us to give definitive advice
here.  While planning your backup regime, bear in mind that some viruses
damage some kinds of data files, while others make small, occasional,
random modifications as files are written to disk.  While viruses with
either of these "features" are quite rare, both of these possibilities
mean that vital data files should probably be backed up to long-cycle
media sets as well as to shorter cycle sets and other steps taken to
ensure you can recreate the sequence of changes.  (For example, retain
all transaction records so they can be re-entered.)

You should probably back up executables once after installing them and
only *after* you are sure they are virus-free according to your current
antivirus screening procedures.  *Never* make a backup containing
executables over media that hold *any* of your current backups.  The
more cautious of us maintain several cycles of executable backups.
These precautions should ensure you don't face the problem outlined
several paragraphs ago, and mean that should a newly installed program
be infected with a virus your current defenses don't detect, you can
easily restore your system and installed software to how it was before
the infected software was installed, when you do become aware of its
presence.  You will probably have to manually reinstall any programs you
installed subsequent to installing the infected program.

Having referred to this second kind of backup as "executables only", we
should point out that a complete system backup is also acceptable for
this type of backup.  However, note that a sequence of full system
backups with interim "incremental" backups (when only those files that
have changed since the last complete backup are saved) is *not* what we
are advocating.  Such systems tend to be too "broad brush" to be truly
useful for recovering from an unknown, future virus attack.
Unfortunately, this tends to be the preferred/recommended backup scheme
for small-to-medium sized systems (including most personal computers),
and is typically what most popular backup software for such systems is
designed to do.  This doesn't mean that popular backup systems and
software aren't useful, just that you have to exercise some care in
using them (like excluding executable files from your incremental
backups).

Having said all this, there are still a few other problems to consider,
especially:  Which files should you count as "data" files?  This can be
problematic as most people immediately think of their word-processor and
spreadsheet files, and the like, as data, and that's about it.  What
about the files in which your programs store their configuration
information?  In a sense, these are as much "your data" as they are
program files, because they reflect your preferred screen colors and
layouts, default fonts, personalized button bars and so on.  When you
look at the time people spend finding the (often obscure) options
settings in their programs and making them work "just right", and how
upset they can be if they lose these settings, it makes sense to treat
such configuration files as you treat other "personal data files" in
your backup regimes.  Similarly, people tend to treat system
configuration files (in DOS/Windows PCs CONFIG.SYS, AUTOEXEC.BAT,
WIN.INI, SYSTEM.INI at a minimum!) as part of the system, often ignoring
the (sometimes considerable) fine-tuning these configuration files go
through *between* system and executable backups.

One last point--it cannot be stressed enough that you *MUST* have a
full, working copy of the software you need to restore your backups in a
safe place.  You must be able to guarantee that this software is not
virus infected should you ever have to use it, *AND* that it is fully
usable should you be facing a machine that has had its entire hard drive
"wiped clean".



======================================================
= Section E.   Facts and Fibs About Computer Viruses =
======================================================

E1)  Can boot sector viruses infect non-bootable DOS floppy disks?

Any DOS diskette that has been properly formatted contains some
executable code in its boot sector.  (There is some debate as to whether
this code should be called a program or not.  The important thing here
is that this code is *executed* at system startup if the diskette is in
the system's boot drive.)  If a diskette is not "bootable", all that
boot sector (normally) does is print a message (on a PC, typically
something like "Non-system disk or disk error; replace and strike any
key when ready").  However, the boot sector is still executable and
therefore vulnerable to infection.  Should you accidentally boot your
machine with a "non-bootable" diskette in the boot drive, and see that
message, it means that any boot virus that may have been on that
diskette *has* run, and had the chance to infect your hard drive, or
whatever.  So, when talking about viruses, the words "bootable" and "non-
bootable" are misleading.  All formatted diskettes are capable of
carrying boot sector viruses.

Most current computers will try to boot from their (first) floppy drive
before trying to load an operating system off their hard disks.  Because
of this and the fact that every floppy disk is possibly infected with a
boot sector virus, it is a *very* good idea to set your computer to try
to boot from its hard disk.  Many newer PCs offer the option to select
boot order in their system CMOS setup routines.  If your computer has
such an option, set it to try to boot from your hard disk first.
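
As an added illustration (not part of the FAQ), here is a small Python checker for the layout E1 describes: it parses a constructed 512-byte DOS floppy boot sector, shows that even the "non-bootable" kind starts with a jump into code, and compares a hash of that code region against a known-good set, which is the integrity check a scanner can apply to any floppy regardless of its BPB. The sector image, the NOP placeholder code and the known-good set are all constructed here.

```python
"""Added example: inspect a DOS floppy boot sector image.

A formatted-but-"non-bootable" diskette still carries a JMP, a BPB and
loader code that the CPU executes at start-up; all that makes it
"non-bootable" is that the code prints a message instead of loading DOS.
The constructed sector below has that layout; its code bytes are NOP
placeholders, not a real loader."""
import hashlib
import struct

SECTOR_SIZE = 512
SIGNATURE_OFFSET = 510          # 0x55 0xAA marks a valid boot sector
BPB_OFFSET = 11
BPB_FORMAT = "<HBHBHHBHHH"      # bytes/sector ... heads, little-endian
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "fats", "root_entries", "total_sectors", "media_descriptor",
              "sectors_per_fat", "sectors_per_track", "heads")
CODE_START = 0x3E               # where a standard DOS sector's JMP lands


def make_nonbootable_sector(message: bytes) -> bytes:
    """Constructed sample: 1.44M floppy sector with placeholder code."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xEB\x3C\x90"                      # JMP short +0x3C ; NOP
    sec[3:11] = b"MSDOS5.0"                         # OEM name
    struct.pack_into(BPB_FORMAT, sec, BPB_OFFSET,
                     512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    sec[CODE_START:CODE_START + 16] = b"\x90" * 16  # placeholder "loader"
    msg_at = CODE_START + 16
    sec[msg_at:msg_at + len(message)] = message     # text a real sector prints
    sec[SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(sec)


def jump_target(sec: bytes):
    """Offset the CPU jumps to at start-up, or None if byte 0 is not a JMP."""
    if sec[0] == 0xEB:                              # JMP short rel8
        return 2 + struct.unpack_from("<b", sec, 1)[0]
    if sec[0] == 0xE9:                              # JMP near rel16
        return 3 + struct.unpack_from("<h", sec, 1)[0]
    return None


def parse_boot_sector(sec: bytes) -> dict:
    """Fields a scanner looks at, plus a hash of the code region only."""
    if len(sec) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    info = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sec, BPB_OFFSET)))
    target = jump_target(sec)
    info["jump_target"] = target
    info["has_boot_signature"] = sec[SIGNATURE_OFFSET:] == b"\x55\xAA"
    # The BPB differs between disk sizes, but the code FORMAT writes is the
    # same for a given DOS version, so hash the code region on its own.
    start = target if target is not None else CODE_START
    info["code_sha256"] = hashlib.sha256(sec[start:SIGNATURE_OFFSET]).hexdigest()
    return info


def classify(sec: bytes, known_good: set) -> str:
    """Integrity check: compare the code hash with known-good FORMAT output."""
    info = parse_boot_sector(sec)
    if info["jump_target"] is None or not info["has_boot_signature"]:
        return "malformed"
    return "known-good" if info["code_sha256"] in known_good else "unknown-code"
```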


E2)  Can a virus hide in a PC's CMOS memory?

No.  The CMOS RAM in which PC system information is stored and backed up
by batteries is accessible through the I/O ports and not directly
addressable.  That is, in order to read its contents you have to use I/O
instructions rather than standard memory addressing techniques.
Therefore, anything stored in CMOS is not directly "in memory".  Nothing
in a normal machine loads the data from CMOS and executes it, so a virus
that "hid" in CMOS RAM would still have to infect an executable object
of some kind in order to load and execute whatever had been written to
CMOS.  A malicious virus can of course *alter* values in the CMOS as
part of its payload, but it can't spread through, or hide itself in, the
CMOS.

Further, most PCs have only 64 bytes of CMOS RAM and the use of the
first 48 bytes of this is predetermined by the IBM AT specification.
Several BIOS'es also use many of the "extra" bytes of CMOS to hold their
own, machine-specific settings.  This means that anything that a virus
stores in CMOS can't be very large.  A virus could use some of the
"surplus" CMOS RAM to hide a small part of its body (e.g. its payload,
counters, etc).  Any executable code stored there, however, must first
be extracted to ordinary memory in order to be executed.

This issue should not be confused with whether a virus can *modify* the
contents of a PC's CMOS RAM.  Of course viruses can, as this memory is
not specially protected (on normal PCs), so any program that knows how
to change CMOS contents can do so.  Some viruses do fiddle with the
contents of CMOS RAM (mostly with ill-intent) and these have often been
incorrectly reported as "infecting CMOS" or "hiding in CMOS".  An
example is the PC boot sector virus EXE_Bug, which changes CMOS settings
to indicate that no floppy drives are present (see G8 for more details).
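
An added example (not from the FAQ) of the monitoring this suggests: snapshot the 64 bytes of CMOS and compare a later snapshot with it. It uses the AT layout (floppy drive type byte at 0x10, standard checksum over 0x10-0x2D stored at 0x2E-0x2F); both snapshots are constructed in the code rather than read through the I/O ports, and the "no floppy drives" change is the kind of alteration E2 attributes to EXE_Bug.

```python
"""Added example: compare a saved CMOS snapshot with a fresh one.

Models the 64-byte AT-style CMOS the FAQ describes: bytes 0x00-0x2F are
laid out by the IBM AT specification, 0x30-0x3F are BIOS-specific
"surplus".  Both snapshots here are constructed, not read from hardware."""

CMOS_SIZE = 64
AT_DEFINED = 0x30                 # first 48 bytes: IBM AT layout
CLOCK_END = 0x0E                  # 0x00-0x0D: RTC time/date and status, always changing
FLOPPY_TYPE = 0x10                # high nibble = drive A: type, low nibble = drive B:
CKSUM_FIRST, CKSUM_LAST = 0x10, 0x2D   # bytes covered by the standard checksum
CKSUM_HI, CKSUM_LO = 0x2E, 0x2F        # where the BIOS stores that checksum
FLOPPY_NAMES = {0: "none", 1: "360K", 2: "1.2M", 3: "720K", 4: "1.44M", 5: "2.88M"}


def at_checksum(cmos: bytes) -> int:
    """16-bit sum the AT BIOS verifies at power-on."""
    return sum(cmos[CKSUM_FIRST:CKSUM_LAST + 1]) & 0xFFFF


def stored_checksum(cmos: bytes) -> int:
    return (cmos[CKSUM_HI] << 8) | cmos[CKSUM_LO]


def with_checksum(cmos: bytes) -> bytes:
    """Return a copy whose stored checksum matches its contents."""
    out = bytearray(cmos)
    cs = at_checksum(out)
    out[CKSUM_HI], out[CKSUM_LO] = cs >> 8, cs & 0xFF
    return bytes(out)


def make_snapshot(drive_a: int, drive_b: int, surplus: bytes = b"") -> bytes:
    """Constructed baseline image: given floppy types, valid checksum."""
    cmos = bytearray(CMOS_SIZE)
    cmos[FLOPPY_TYPE] = (drive_a << 4) | drive_b
    cmos[0x15], cmos[0x16] = 0x80, 0x02          # base memory 640K (0x0280)
    cmos[AT_DEFINED:AT_DEFINED + len(surplus)] = surplus
    return with_checksum(cmos)


def floppy_types(cmos: bytes):
    b = cmos[FLOPPY_TYPE]
    return FLOPPY_NAMES.get(b >> 4, "unknown"), FLOPPY_NAMES.get(b & 0xF, "unknown")


def compare(baseline: bytes, current: bytes) -> list:
    """Human-readable findings; an empty list means nothing of note changed."""
    if len(baseline) != CMOS_SIZE or len(current) != CMOS_SIZE:
        raise ValueError("snapshots must be %d bytes" % CMOS_SIZE)
    findings = []
    if at_checksum(current) != stored_checksum(current):
        findings.append("checksum mismatch: BIOS will report a CMOS error at boot")
    if baseline[FLOPPY_TYPE] != current[FLOPPY_TYPE]:
        findings.append("floppy types changed: %s/%s -> %s/%s"
                        % (floppy_types(baseline) + floppy_types(current)))
    skip = {FLOPPY_TYPE, CKSUM_HI, CKSUM_LO}
    other = [i for i in range(CLOCK_END, AT_DEFINED)    # clock bytes are ignored
             if i not in skip and baseline[i] != current[i]]
    if other:
        findings.append("AT-defined bytes changed: "
                        + ", ".join("0x%02X" % i for i in other))
    surplus = [i for i in range(AT_DEFINED, CMOS_SIZE) if baseline[i] != current[i]]
    if surplus:
        findings.append("%d byte(s) changed in BIOS-specific area 0x30-0x3F"
                        % len(surplus))
    return findings
```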


E3)  Can a PC virus hide in Extended or in Expanded RAM in a PC?

Yes.  If one does though, it has to have a small part resident in
conventional RAM; it cannot reside *entirely* in Extended or in Expanded
RAM.  Currently there are no known XMS viruses and only a few EMS
viruses (Emma is an example).


E4)  Can a virus hide in a PC's Upper Memory or in High Memory Area?

Yes, it is possible to construct a virus which will locate itself in
Upper Memory Blocks (UMBs--640K to 1024K) or in the High Memory Area
(HMA--1024K to 1088K).  Some viruses (e.g. EDV) do hide in UMBs and at
least one, Goldbug, will use the HMA if it is available.

It might be thought that there is no point in scanning in these areas
for any viruses other than those that are specifically known to inhabit
them.  However, there are cases when even ordinary viruses can be found
in Upper Memory.  Suppose that a conventional memory-resident virus
infects a TSR program and this program is loaded high by the user (for
instance, from AUTOEXEC.BAT).  Then the virus code will also reside in
Upper Memory.  Therefore, an effective scanner must be able to scan this
part of memory for viruses too.


E5)  Can a virus infect data files?

Some viruses (e.g., Frodo, Cinderella) modify non-executable files.
However, in order to spread, the virus code must be executed.  Therefore
"infected" non-executable files cannot be sources of further infection.
Such "infections" are usually mistakes, due to bugs in the virus.

Even so, note that it is not always possible to make a sharp distinction
between executable and non-executable files.  One person's data can be
another's code and vice versa.  Some files that are not directly
executable contain code or data which can, under some conditions, be
executed or interpreted.

Some examples from the PC world are OBJ files, libraries, device
drivers, source files for any compiler or interpreter (including DOS BAT
files and OS/2 CMD files), macro files for some packages like Microsoft
Word and Lotus 1-2-3, and many others.  Currently there are viruses that
infect boot sectors, master boot records, COM files, EXE files, BAT
files, OBJ files, device drivers, Microsoft Word document and template
files, and C source code files, although any of the objects mentioned
above theoretically can be used as an infection carrier.  PostScript
files can also be used to carry a virus, although no currently known
virus does this.

Aside from the above, however, there is an increasing possibility of
viruses spreading through the sharing of data files.  More and more we
see the ease with which software producers give their programs the
ability to embed "objects" of many kinds into document files, and into
fields in databases and spreadsheets.  Perhaps the best-known of these
systems are Object Linking and Embedding (OLE) in MS Windows and the
OpenDoc format.  As these embedded objects often have the ability to
"display" themselves we see that many files traditionally thought of as
data-only, will increasingly be containers carrying data and executable
code.  We are not aware of any virus that specifically targets such
executable "objects", but it is now a trivial task to embed executable
files into some kinds of document files so they will be run when the
icon representing them is clicked in the finished document.  There is
nothing to prevent infected executables being embedded in this way, and
thus for viruses to be spread through the distribution of "data files".


E6)  Can viruses spread from one type of computer to another?

The simple answer is that no currently known viruses can do this.
Although some disk formats may be the same (e.g. Atari ST and DOS), the
different machines interpret the code differently.  For example, the
Stoned virus cannot infect an Atari ST as the ST cannot execute the
virus code in the boot sector.  The Stoned virus contains instructions
for the 80x86 family of CPUs that the 680x0 CPU family (used in the
Atari ST) can't understand or execute.

The more general answer is that such viruses are possible, but unlikely.
Such a virus would be quite a bit larger than current viruses and might
well be easier to find.  Additionally, the low incidence of cross-
platform sharing of software means that any such virus would be unlikely
to spread--it would be a poor environment for virus growth.

A related, but different, issue is that of viruses running under
operating system emulators on machines other than those for which the
operating system was originally designed.  This is covered in some
detail elsewhere in the FAQ sheet (see C12).


E7)  Are mainframe computers susceptible to computer viruses?

Yes.  Numerous experiments have shown that computer viruses spread very
quickly and effectively on mainframe systems.  To our knowledge,
however, no non-research computer virus has been seen on mainframe
systems.  (Despite often being described as such, the widely reported
Internet Worm of November 1988 was not a computer virus by most
definitions, although it had some virus-like characteristics.)

Many people think that computer viruses are impossible on mainframe
computers, because their operating systems provide means of protection
(e.g., memory protection, access control, etc.) that cannot be bypassed
by a program, unlike the operating systems of most personal computers.
Unfortunately, this belief is false.  As demonstrated by Fred Cohen in
1984, access controls are unable to prevent computer viruses--they can
only slow down the speed with which viruses spread.  If there is a
transitive path of information flow from one account to another on a
mainframe computer, then a virus can spread from one account to the
other, without having to bypass any protections.

Consider the following example.  The attacker (A) has an account on a
machine and wants to attack it with a virus.  In order to do this, A
writes a virus and releases it.  Due to the protection provided by the
operating system, the virus can only infect the files writable by A.  On
a typical system, those would be only the files owned by A.

However, A is not alone on the system.  A works with B on some joint
projects.  At some time, B might want to check how far A has progressed
in her/his part of the project.  This might involve running one of the
programs that A has written--programs that are now all infected with A's
virus.

On a system with protection based on discretionary access controls (e.g.,
Unix, VMS, and most other popular OSes), the program that is being
executed usually runs with the privileges of the user who is executing
it--not with those of the program's owner.  (In the few instances where
this is not the case, it presents a different kind of security threat,
unrelated to viruses.)  That is, when B runs A's infected program, the
virus in it will run with B's privileges and will be able to infect all
programs writable by B.

At some later time, A and B's boss, C, might want to check whether they
have completed that joint project.  Even if the boss has reasons to
suspect A (e.g., as a disgruntled employee), s/he is likely to trust B
and execute one of her/his programs.  This results in the virus running
with C's privileges (which are likely to be significantly greater than
those of A and B) and infecting all programs writable by C.  Quite
possibly, these programs will include many owned by other employees,
thus creating many more distribution chains that nobody suspects.

The virus may interfere somehow with C's normal work, which causes C
(who is probably not very knowledgeable about such things as computer
security and viruses) to ask the system administrator, D, for help.  If
D executes one of C's infected programs (and s/he is much more likely to
trust a respectable person like C--who is quite probably D's boss as
well--than any of C's employees), this will cause the virus that A wrote
a long time ago to run with system administrator privileges and do
whatever it wants with the system--infect other users' files, attack
other systems, etc.

A trivial improvement of the above scenario (in terms of speeding up the
virus' spread) would be for the attacker to place the virus in some kind
of Trojan Horse--for example, in an attractive game or utility--placed
in a publicly accessible area.

Why, then, are there so many fewer viruses for mainframe computers than
for personal ones?  The answer to this question is complex.  First,
writing a well-made mainframe virus--one that does not cause problems
and is likely to remain unnoticed--is not a trivial task.  It requires a
lot of knowledge about the operating system.  This knowledge is not
commonly available and the typical youngster who is likely to hack a
quick-and-dirty PC virus is unlikely to possess it or be in a position
to learn it.  People who possess this knowledge are likely to use it in
more constructive, satisfying, and profitable ways.  Second, the culture
of software exchange in the mainframe world differs considerably from
that of the PC world--we don't see many VMS users running around with a
bootable tape of the latest game...  Third, very often it is easier to
attack a mainframe computer by using some security hole or a Trojan
Horse, instead of by using a virus.

So, computer viruses for mainframe computers are definitely possible and
several already exist (see question F1).  Also, some IBM PC viruses can
infect any IBM PC compatible machine, even if it runs a "real" OS like
Unix.  For more information, refer to questions D6 and E7.

Forms of malware other than computer viruses--notably Trojan Horses--are
far quicker, more effective, and harder to detect than computer viruses.
Nevertheless, on personal computers many more viruses are written than
Trojan Horses.  There are two reasons for this:

1.   Since a virus is self-propagating, the number of users to
     which it can spread (and cause damage) can be much greater
     than in the case of a Trojan;

2.   It's almost impossible to trace the source of a virus since
     (generally) viruses are not attached to any particular
     program.

For further information on malicious programs on multi-user systems, see
Matt Bishop's paper, "An Overview of Malicious Logic in a Research
Environment", available by anonymous FTP on Dartmouth.edu (IP =
129.170.16.4) as pub/security/mallogic.ps.
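
The A/B/C/D chain in E7, and D9's point that a LAN with no transitive path of information flow between users contains an infection, as an added model (not part of the FAQ) in Python: the users, the programs each can write and the programs each runs are constructed, and the simulation only computes reachability under discretionary access control.

```python
"""Added example: virus spread along a transitive path under DAC.

Abstract model of E7's A -> B -> C -> D story and of D9's observation that
a LAN with no transitive path of information flow between users contains
the spread.  Users, programs and trust relations are all constructed."""


def simulate(writable: dict, runs: dict, seed: set):
    """writable: user -> programs the user may write (what the user owns or
                 has write access to under DAC)
       runs:     user -> programs the user executes as part of their work
       seed:     programs the attacker has already infected
    An infected program run by U runs with U's privileges and so infects
    every program U can write.  Returns (infected programs, users whose
    privileges the virus has run with, in order of compromise)."""
    infected = set(seed)
    compromised = []
    progress = True
    while progress:
        progress = False
        for user, executed in runs.items():
            if user in compromised:
                continue
            if executed & infected:                     # ran something infected
                compromised.append(user)
                infected |= writable.get(user, set())   # writes with U's rights
                progress = True
    return infected, compromised


# Constructed office: the FAQ's A (attacker), B (colleague), C (boss),
# D (sysadmin), plus E, an unrelated employee who runs a shared utility.
OFFICE_WRITABLE = {
    "A": {"a_report", "a_tool"},
    "B": {"b_lib"},
    "C": {"c_status", "shared_util"},        # boss also maintains a shared tool
    "D": {"login", "payroll", "shared_util", "a_report", "a_tool",
          "b_lib", "c_status", "e_notes"},   # sysadmin can write everything
    "E": {"e_notes"},
}
OFFICE_RUNS = {
    "B": {"a_report"},          # B checks A's progress
    "C": {"b_lib"},             # C trusts B, not A
    "D": {"c_status"},          # D helps C with a "misbehaving" program
    "E": {"shared_util"},       # E just uses the shared utility
}

# Constructed well-managed LAN (D9): everyone runs only a read-only pool
# that nobody can write, and nobody runs anyone else's files.
LAN_WRITABLE = {"A": {"a_doc"}, "B": {"b_doc"}, "C": {"c_doc"}}
LAN_RUNS = {"B": {"pool_wp"}, "C": {"pool_wp"}}


def attacker_seed(writable: dict, attacker: str) -> set:
    """Everything the attacker can write is infected at time zero."""
    return set(writable[attacker])
```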


E8)  Some people say that disinfecting is a bad idea.  Is that true?

Disinfection is completely "safe" only if the disinfecting process
completely restores the non-infected state of the object.  That is, not
only must the virus be removed from the object, but the original length
must be restored exactly, as well as any system attributes (such as time
and date of last modification, fields in the header, etc).  Sometimes it
is necessary to be sure that the object is placed on the same sectors of
the disk that it occupied prior to infection (this is particularly
important for some system areas and some files from programs which use
certain kinds of self-checking or copy protection).

None of the currently available disinfecting programs do all this.  For
instance, because of the bugs that exist in many viruses and because
some infection processes involve overwriting (part of) the objects of
infection, some of the information about the original object may be
irrevocably destroyed.  Sometimes it is not even possible to detect that
this information has been destroyed and to warn the user.  Furthermore,
some viruses corrupt information very slightly and in a random way
(Nomenklatura, Ripper), so that it is not even possible to tell which
objects have been corrupted.

Therefore, it is usually better to replace infected objects with clean
backups, provided you are certain that your backups are uninfected (see
D10), or from the original media.  You should try to disinfect files
only if they contain some valuable data that cannot be restored from
backups or recompiled from their original source.


E9)  Can I avoid viruses by avoiding shareware, free software or games?

No.  There are many documented instances in which even commercial
"shrink wrapped" software was inadvertently distributed containing
viruses.  Avoiding shareware, freeware, games, etc, only isolates you
from a vast collection of software (some of it very good, some of it
very bad, most of it somewhere in between...).

The important thing is not to avoid a certain type of software, but to
be cautious of *any and all* newly acquired software and diskettes.
Merely scanning all new software media for known viruses would be rather
effective at preventing virus infections, especially when combined with
some other prevention/detection strategy such as integrity management of
programs.


E10) Can I contract a virus on my PC by performing a "DIR" of an
     infected floppy disk?

Assuming the PC you are using is virus free before you perform the DIR
command, then the answer is "No".

When you perform a DIR, the contents of the boot sector of the diskette
are loaded into a buffer for use in determining disk layout etc, and
certain antivirus products will scan these buffers.  If a boot sector
virus has infected your diskette, the virus code will be contained in
the buffer, which may cause some antivirus packages to produce a message
like "xyz virus found in memory...".  In fact, the virus is not a threat
at this point since control of the CPU is never passed to the virus code
residing in the buffer.  Even though the virus is really not a threat at
this point, this message should not be ignored.  If you get a message
like this, and then reboot from a clean DOS diskette (see G8) and scan
your hard-drive and find no virus, then you know that the false positive
was caused by an infected boot-sector loaded into a buffer, and the
diskette should be disinfected before use.  The use of DIR will not
infect a clean system, even if the diskette it is being performed on
does contain a virus (see C8 also).  Please note, however, that running
DIR on a diskette can result in the infection of a clean diskette if the
PC is already infected.

Despite our categorical "No" answer above, there is a small risk that a
virus infection could be transferred from a floppy through a DIR
listing.  If you use an ANSI console driver that allows key remapping,
it is possible that a specially prepared diskette could reprogram your
keyboard so that pressing a particular key caused an infected program on
the diskette to run the next time the reprogrammed key was pressed.  The
risk of such an attack is very low and can easily be negated following
the general advice for preventing ANSI bombs (see B14).

Mac users with system software prior to version 7.0 should be aware of a
greater threat in their environment.  Various system resources (which
can contain executable code) are loaded from the automatic access to a
diskette that is part of the system building its desktop view of the
diskette's contents.  When such a resource is required, the most
recently loaded one will be used.  Thus, if a diskette with a virus-
infected resource in the Desktop file is in your Mac's drive, and an
uninfected copy of that resource has not subsequently loaded from
elsewhere, the next time that resource is required the infected copy
will be executed, along with the virus.  This kind of attack was removed
with the introduction of version 7.0 (and later) of the system software,
which handles such things quite differently.  A common Mac virus, WDEF,
uses this infection path, as do a few others.

Early versions of AmigaDOS are susceptible to a threat similar to the
Mac WDEF virus--on inserting a diskette into the drive, the operating
system runs the Disk Validator from the diskette.  At least one Amiga
virus, Saddam, attaches itself to Disk Validator to help it spread.
Version 2.0 of AmigaDOS eliminated the threat of this type of attack by
removing the need for the Disk Validator.


E11) Is there any risk in copying data files from an infected floppy
     disk to a clean PC's hard disk?

Assuming that you did not boot or run any executable programs from the
infected disk, the answer generally is no.  There are two caveats:

1.   You should be somewhat concerned about checking the integrity
     of these data files as they may have been destroyed or
     altered by the virus.
2.   If any of the "data" files are interpretable as executable by
     some other program (such as a Lotus macro) then these files
     should be treated as potentially malicious until the symptoms
     of the infection are known.

The copying process itself is safe (given the above scenario) although
you should be concerned with what type of files are being copied to
avoid introducing other problems.


E12) Can a DOS virus survive and spread on an OS/2 system using the
     HPFS file system?

Yes, both file-infecting and boot sector viruses can infect HPFS
partitions.  File-infecting viruses function normally and can activate
and do their dirty deeds, and boot sector viruses can prevent OS/2 from
booting if the primary bootable partition is infected.  Viruses that try
to address disk sectors directly cannot function under OS/2 because the
operating system prevents this activity.


E13) Under OS/2 2.0+, could a virus infected DOS session infect another
     DOS session?

Each DOS program is run in a separate Virtual DOS Machine (their memory
spaces are kept separate by OS/2).  However, any DOS program has almost
complete access to the files and disks, so infection can occur if the
virus infects files; any other DOS session that executes a program
infected by a virus that makes itself memory resident would itself
become infected.

Also, bear in mind that generally all DOS sessions share the same copy
of the command interpreter.  Hence if *it* becomes infected, the virus
will be active in *all* DOS sessions.


E14) Can normal DOS viruses work under MS Windows?

Most of them cannot.  A system that runs exclusively MS Windows is, in
general, more virus-resistant than a plain DOS system.  The reason is
that most resident viruses are not compatible with the memory management
in Windows.  Furthermore, most existing viruses will damage Windows
applications if they try to infect them as normal (i.e. DOS) EXE files.
The damaged applications will stop working and this will alert the user
that something is wrong.

Virus-resistant however, is by no means virus-proof.  For instance, most
of the well-behaved resident viruses that infect only COM files (Cascade
is an excellent example), will work perfectly in a "DOS box".  All non-
resident COM infectors will be able to run and infect too.  Aside from
DOS viruses, MS Windows users can also contract several currently known
Windows-specific viruses, which are able to infect Windows applications
properly (i.e., they are compatible with the NewEXE file format).

Any low level trapping of Interrupt 13, as by resident boot sector and
MBR viruses, can also affect Windows operation, particularly if
protected disk access (32BitDiskAccess=ON in SYSTEM.INI) is used.


E15) Can I get a virus from reading e-mail, BBS message forums or
     USENET News?

In general terms, the answer is no.  E-mail messages and postings on
BBSes and News are text data and will not be executed as programs.
Computer viruses are programs, and must be executed to do anything, so
the simple act of reading online messages doesn't pose a threat of
catching a computer virus.

There are a few provisos to be made.  If your computer uses ANSI screen
and keyboard controls, you may be susceptible to an ANSI bomb (see B14).
An ANSI bomb may, merely by being placed in text read on the screen,
temporarily redefine keys on the keyboard to perform various functions.
It is, however, very unlikely that you will ever see an ANSI bomb in
e-mail, or that it could do significant damage while you are reading
mail.
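A defensive illustration of the ANSI bomb proviso, added here and not part of the original FAQ: the code below is not from any product the FAQ mentions.  It assumes the ANSI.SYS keyboard-reassignment syntax (ESC [ code ; "string" ; ... p) and a constructed sample message; it finds such sequences in incoming text so a mail or news reader can warn about them, and strips every escape sequence before the text reaches an ANSI-enabled console.

```python
import re

# Constructed sample message (not from the FAQ): an ordinary colour change,
# then an ANSI.SYS key-reassignment sequence of the form ESC [ code ; "string" ; ... p,
# which would make the 'A' key (ASCII 65) type "echo hi" followed by Enter (13).
SAMPLE_MESSAGE = (
    'Hello,\x1b[1;31m this is red text\x1b[0m\n'
    '\x1b[65;"echo hi";13p  <- hidden key redefinition\n'
)

# One CSI sequence: ESC [ , optional parameters (numbers or double-quoted
# strings separated by ';'), then a single final byte in the range 0x40-0x7E.
CSI_RE = re.compile(r'\x1b\[((?:\d+|"[^"]*")(?:;(?:\d+|"[^"]*"))*)?([@-~])')

def find_key_redefinitions(text):
    """Return the parameter string of every CSI sequence whose final byte is 'p'
    (the ANSI.SYS keyboard reassignment command)."""
    return [m.group(1) or "" for m in CSI_RE.finditer(text) if m.group(2) == "p"]

def strip_csi(text):
    """Remove every CSI sequence, harmless or not, before showing text on an
    ANSI-enabled console."""
    return CSI_RE.sub("", text)

if __name__ == "__main__":
    for params in find_key_redefinitions(SAMPLE_MESSAGE):
        print("key reassignment found:", params)
    print(strip_csi(SAMPLE_MESSAGE))
```

Stripping all sequences is the simpler policy; a reader that wants to keep colour changes can instead drop only the sequences find_key_redefinitions reports.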

Another possibility is that mail can be used to send programs.  To do
this, program files have to be encoded into a special form so the binary
(8-bit) program files are not corrupted by transfer over the text-only
(7-bit) e-mail transport medium.  Probably the commonest of these
encoding schemes is uuencoding, though there are several others.  If you
receive an encoded program, you normally have to use a decoding program
or a special option in your e-mail program to extract it and decode it
before it can be run.  Once you have extracted the program, though, you
should treat it as you would any other program whose source you do not
know, and test it before you run it.

A third possibility is with the newer, highly-automated online systems.
Some of these attempt to make online access much easier for the user by
automating such features as file transfer and program updates.  At least
one commercial online service is known to have the capability of sending
new programs to the user and to invoke those programs while the user is
still online.  While there is no reason to assume that any service that
does this *will* infect you, any time things are going on that you are
not being told about, you are at greater risk.


E16) Can a virus "hide" in a GIF or JPEG file?

The simple answer is "no".  The complete answer is more complex.

GIF and JPEG (.JPG) files contain compressed graphical information.
Every now and then, rumors arise that it is possible to infect those
files with a virus in such a way that it will spread when you display
one of these images.  This is technically impossible--no part of the GIF
or JPEG format contains code that is executed by the viewer program.

It *is* possible to use the least significant bit of the color
information for each pixel in GIF files to store additional information,
without visibly altering the quality of the picture contained in the
file.  This is called "steganography" and is sometimes used to transmit
secretly encrypted messages.  Since a virus is nothing more than
information, it is possible to "encode" it into a GIF file and transmit
it this way.  However, the recipients must be aware that the GIF file
contains such hidden information and take some deliberate steps to
extract it--it cannot happen against their will.
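The least-significant-bit hiding described above, as an added example that is not part of the original FAQ and does not parse a real GIF (the container and palette are ignored; the input is a constructed array of 8-bit colour samples).  It shows both halves of the point made in the text: embedding changes each sample by at most one level, and the hidden bytes come back only when someone deliberately runs the extraction step.

```python
# Constructed cover "image": 4096 8-bit colour samples with a simple gradient.
# Not a real GIF; the GIF container and palette are ignored and the samples are
# treated as raw pixel values.
COVER = bytes((i * 37) % 256 for i in range(4096))

def _bits(data):
    """Most-significant-bit-first bit stream of a bytes object."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def embed_lsb(samples, payload):
    """Return a copy of samples whose least significant bits carry a 16-bit
    big-endian length followed by payload.  Every sample changes by at most 1."""
    data = len(payload).to_bytes(2, "big") + payload
    bits = _bits(data)
    if len(bits) > len(samples):
        raise ValueError("cover too small for payload")
    out = bytearray(samples)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)

def _read_bytes(samples, first_sample, count):
    """Reassemble count bytes from the LSBs starting at sample first_sample."""
    result = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (samples[first_sample + b * 8 + i] & 1)
        result.append(value)
    return bytes(result)

def extract_lsb(samples):
    """The deliberate extraction step: read the length, then the payload.  A
    viewer never does this; it only draws the samples."""
    length = int.from_bytes(_read_bytes(samples, 0, 2), "big")
    return _read_bytes(samples, 16, length)

def max_sample_change(original, stego):
    """Largest per-sample difference; 1 means the picture is visually unchanged."""
    return max(abs(a - b) for a, b in zip(original, stego))
```

Whatever bytes are hidden this way are inert data until extract_lsb (or its equivalent) is run on purpose and the result is then executed; the image viewer's only job is to draw the samples.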



========================================
= Section F.   Miscellaneous Questions =
========================================

F1)  How many viruses are there?

It is not possible to give an exact number because new viruses are
literally being created every day.  Furthermore, different antivirus
researchers use different criteria to decide whether two viruses are
different or one and the same.  Some count viruses as different if they
differ by at least one bit in their non-variable code.  Others group
viruses in families and do not count the closely related variants within
a family as different viruses.

Further, some antivirus researchers have samples in their collections
that they count as viruses, but that several other experts strongly deny
are viruses.  Sometimes these are "partial viruses", where a virus has
not properly infected a host and the sample is therefore non-infective;
other times they are well-known non-viruses.  As some of these
non-viruses are known to be in some of the common test sets, some
antivirus software vendors count them amongst the viruses they detect.

As of January 1995 there were about 5,600 PC viruses, about 150 Amiga
viruses, about 100 Acorn Archimedes viruses, about 45 Macintosh viruses,
several Atari ST viruses, a few Apple II viruses, four Unix viruses,
three MS Windows viruses, at least two OS/2 viruses and two VMS DCL-
based viruses.

Fortunately, few of the existing viruses are widespread.  For instance,
only about three dozen of the known PC viruses cause most of the
reported infections and fewer than 200 PC viruses have been found in the
wild at all.


F2)  How do viruses spread so quickly?

This is a very complex issue, and some viruses don't spread quickly at
all (though talk of them often does!).

Those that do spread widely are able to do so for a variety of reasons.
A large target population--millions of compatible computers--helps. A
large virus population helps.  Vendors whose quality assurance relies
on, for example, outdated scanners, help.  Users who gratuitously
install new software on their systems without making any attempt to test
for viruses help.  All of these things are factors.


F3)  What is the correct plural of "virus"?  "Viruses" or "viri" or
     "virii" or "vira" or...

The correct English plural of "virus" is "viruses".  The Latin word is a
mass noun (like "air") and, therefore, there is no correct Latin plural.
Please use "viruses", and if people use other forms, please do *not* use
Virus-L/comp.virus to correct them.


F4)  When reporting a virus infection (and looking for assistance), what
     information should be included?

People frequently post messages to Virus-L/comp.virus requesting
assistance with a suspected virus problem.  Quite often the information
supplied is insufficient for the various experts on the list to be able
to help at all.  Also, please note that any such assistance from members
of the list is provided on a voluntary basis; be grateful for any help
received.  Try to provide the following information in your requests for
assistance:

1.   The date and location (town and country) of suspected
     infection.
2.   The name of the virus (if known)
3.   The program (or programs) and version that called the virus
     by that name.
4.   Any other antivirus software that you are running and whether
     it has been able to detect the virus or not, and if yes, what
     name it called the virus.
5.   Your software and hardware configuration (computer type,
     kinds of disk(ette) drives, amount of memory and
     configuration (extended/expanded/conventional), the exact
     version of your OS, TSR programs and device drivers used,
     control panels and INITs, etc.).
6.   Any "unusual" behavior that has occurred recently and any new
     software (including upgrades) you have recently installed.

It is helpful if you can use more than one scanning program to identify
a virus, and to say which scanner gave which identification.  However,
some scanning programs leave "scan strings" in memory which will confuse
others, so it is best to do a "cold reboot" between runs of successive
scanners, particularly if you are getting conflicting results (see C6).


F5)  How often should we upgrade our antivirus tools to minimize
     software and labor costs and maximize our protection?

This is a difficult question to answer.  Antivirus software is a kind of
insurance, and this type of calculation is difficult.

There are two things to watch out for here: the general "style" of the
software, and the scan strings that scanners use to identify viruses.
Scanners should be updated more frequently than other software, and it
is probably a good idea to update a scanner's set of scan strings at
least once every two months.  In the six or so months prior to January
1995, most of the popular PC-based virus scanners typically added
detection of about 500-600 new viruses or variants--this averages out to
between two and three new viruses per day!

Some antivirus software looks for changes to programs or specific types
of viral "activity", and these programs generally claim to be good for
"all current and future viral programs".  However, even these programs
cannot guarantee to protect against all future viruses, as new "attack"
and anti-antivirus methods are continually being developed by virus
writers.  Thus, even this type of antivirus software needs to be
upgraded occasionally.

Of course, not every antivirus product is effective against all viruses,
even if upgraded regularly.  Thus, do *not* depend on the fact that you
have upgraded your product recently as a guarantee that your system is
free of viruses!


F6)  What are "virus simulators" and what use are they?

There are three different kinds of programs that are often called "virus
simulators". None of the three generate actual viruses.  The first kind
demonstrate the audio- and video-effects of some real computer viruses.
The second kind are programs that simulate a virtual environment--a
virtual computer, with virtual disks, virtual files, and virtual viruses
on them.  The user of such programs can manipulate the simulated
objects, letting the simulated viruses infect the simulated files on the
simulated disks, watching every step of the process, without a danger of
"real infection".  The third kind are programs that generate files
containing scan strings used by some scanners to detect real viruses.
The idea is that those scanners will detect the generated files too,
thus letting the user get the feeling of what discovering a virus is
like, but without the danger of risking a real infection.

There are three ways in which virus simulators are usually used:

1) For educational purposes.  The second kind of virus simulators are
very useful and valuable for this purpose, provided the simulated
environment is realistic enough.  The first kind are also somewhat
useful--mainly teaching the users what the video- or audio-effects of
particular viruses are like.  There is the danger, however, that users
will get the incorrect impression that *every* computer virus
demonstrates itself in some visible or audible way.  The third kind of
virus simulators are not useful for this purpose--they do not show how
computer viruses work, do not show what computer viruses do, and because
their virus fragments are not reliably detected as viruses by many good
scanners, may give the wrong impression of a scanner's value.

2) As an installation check that antivirus defenses are installed and
working.  The first and second kinds of virus simulators are unsuitable
for this, because they do not trigger any antivirus defenses.  Even the
third kind of virus simulators have a rather limited value in this
regard, as the files generated by them often fail to trigger virus
defenses, which are designed to protect against *real* viruses.  Unlike
the producers of such simulators, many believe it is the job of the
producer of an antivirus product to provide the means of checking
whether their product is installed and working.  This position is based
on the authors knowing their products better than anyone else and that
updated check methods will normally be provided as the antivirus
defenses employed in any given product change.

3) As a test of the quality of the antivirus defense--usually a scanner.
Again, the first two kinds of simulators are unsuitable for this purpose
because they do not trigger antivirus defenses.  The third kind of virus
simulators often do, from which many users get the impression that they
are suitable for these testing purposes.  This is a serious
misconception.  The files that such programs generate are not real
viruses; antivirus programs, particularly virus-specific ones like
scanners, are designed to detect real viruses.  Therefore, one must not
draw a conclusion from the ability or the inability of a product to
detect "simulated viruses" of the third kind--the fact that they are
detected does not necessarily mean that a real virus will be detected,
and the fact that they are not detected does not mean that the real
virus it is supposed to represent will not be detected!

One exception to the above are simulators that do not generate files
containing scan strings, but which simulate the different kinds of
attacks that real viruses use, but without being able to replicate.
Examples of such attacks include different methods of tunnelling,
stealth, attacks against integrity checkers, and so on.  Such simulators
are useful for testing antivirus products that are not virus-specific,
especially if the simulator exercises a wide range of known attacks.


F7)  I've heard talk of "good viruses".  Is it possible to use a
     computer virus for something useful?

A very hotly debated topic that has flared up dramatically several times
in Virus-L/comp.virus.  The answer to this is not simple and largely
hinges on your definition or interpretation of the term computer virus.

By definition (see B1), viruses do not have to do something "bad"
(although many people argue that the uninvited "resource wasting" that
is almost inherent in viral activity is necessarily bad).  From this
point (and based on his somewhat esoteric definition of the term
computer virus) Fred Cohen has argued that "good" or "useful" computer
viruses are a serious possibility.  In fact, Dr. Cohen offered a reward
of $1000 for the first clearly "useful" virus--despite several potential
claimants, however, he hasn't paid up.

Although there has never been a position that was widely agreed upon as
a result of any of these discussions, many contributors to this forum
believe that there are serious problems with the idea of implementing
useful computing functionality through self-replicating programs.
Vesselin Bontchev's paper originally delivered at the 1994 EICAR
conference, titled "Are `Good' Computer Viruses Still a Bad Idea?", is
available by anonymous FTP from ftp.informatik.uni-hamburg.de (IP =
134.100.4.42), as pub/virus/texts/viruses/goodvir.zip.  *Anyone* wishing
to raise this discussion in Virus-L/comp.virus again should read and
carefully consider this paper before posting.  It contains many strong
arguments against the idea of "good computer viruses", and some
prescriptions of how good viruses would have to be implemented and
distributed to deserve the label "good".  To date no strong arguments
countering the points in this paper or otherwise arguing in favor of the
concept of good viruses have been posted to the group.


F8)  Wouldn't adding self-checking code to your programs be a good idea?

Every few months somebody suggests the idea of adding a small piece of
code to existing programs.  This code would check for virus infections
when the program is executed by comparing a previously computed CRC or
cryptographic checksum (hash value) of the file in its known clean state
with its current value.  The idea is that this will detect any virus
infection immediately, and is thus effective against unknown viruses.

A simple and intuitively attractive idea--in fact, some antivirus
programs have included options to do just this.  There are, however,
some serious flaws with this approach.

This method cannot prevent the program from getting infected in the
first place.  Further, if a program that has been protected this way
becomes infected later, whenever it is run the virus code will be
activated first.  The virus may then be able to detect or even remove
the self-checking code, or it might make it totally ineffective by using
stealth techniques, so the self-checking code only "sees" the original,
non-infected program.

Some programs contain an internal self-check--much antivirus software,
for example.  Such internal code might also be unable to detect stealth
viruses, but unless the external self-check code uses stealth techniques
too, the result will be a conflict, where the internal check will notice
the newly added code and decide that it has been "infected".

Moreover, this method is ineffective against "companion" viruses that
don't modify the applications they infect.
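The self-check idea and two of its limits, as an added example that is not code from the FAQ or from any antivirus product it mentions.  It assumes constructed stand-in program images rather than real executables.  A stored CRC plus a cryptographic hash catches bytes appended to the file; the same check, run from inside the program, passes untouched when a companion file of the same base name sits beside it, because the protected image really is unchanged.

```python
import hashlib
import zlib

# Constructed stand-ins for a program image on disk (not real executables).
CLEAN_PROGRAM = b"MZ" + bytes(range(256)) * 4
APPENDED_INFECTION = CLEAN_PROGRAM + b"<bytes appended to the file>"

def compute_checksums(image):
    """The values a self-checking stub would store while the file is known clean."""
    return {
        "crc32": zlib.crc32(image) & 0xFFFFFFFF,
        "sha256": hashlib.sha256(image).hexdigest(),
    }

def verify(image, expected):
    """True only if both the CRC and the cryptographic hash still match."""
    return compute_checksums(image) == expected

def self_check(files, name, expected):
    """The check as an embedded stub would run it: it can only examine the bytes
    of its own program image, so it sees nothing outside that file."""
    return verify(files[name], expected)

def companion_present(files, name):
    """A check an external tool can make but an embedded self-check cannot: is
    there a same-named .COM beside this .EXE that DOS would run first?"""
    stem, _, ext = name.rpartition(".")
    return ext.upper() == "EXE" and f"{stem}.COM" in files

if __name__ == "__main__":
    expected = compute_checksums(CLEAN_PROGRAM)
    print("clean image verifies:", verify(CLEAN_PROGRAM, expected))
    print("appended image verifies:", verify(APPENDED_INFECTION, expected))
```

The stealth limitation in the text is not something this code can show: a resident virus that hands the self-check the original bytes makes verify return True for the same reason the clean image does.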

It may not be possible to protect all programs this way.  For example,
under DOS it is relatively easy to add code of this type to most COM
files (unless the original program was slightly less than 64K, and the
resulting file would break that limit).  However, EXE files are more of
a problem--especially those containing internal overlays, where one
cannot append the code to the file, as the resulting file might become
too big to load.  Windows applications are also a problem, as they have
two different entry points, and special care has to be taken to handle
that correctly.

On the other hand, adding internal self-checking to programs as part of
their development is a good idea.  Although it has the same limitations
regarding stealth viruses, it does not cause the conflicts described
above, and can be put in any program at compile-time.  It is also much
more difficult for viruses to bypass.



===================================================================
= Section G.   Specific Virus and Antivirus Software Questions... =
===================================================================

G1)  I was infected by the Jerusalem virus and disinfected the infected
     files with my favorite antivirus program.  However, WordPerfect
     and some other programs still refuse to work.  Why?

The Jerusalem virus and WordPerfect 4.2 program combination is an
example of a virus and program that cannot be completely disinfected by
an antivirus tool.  In some cases such as this, the virus will destroy
code by overwriting it instead of appending itself to the file.  The
only solution is to re-install the programs from clean (non-infected)
backups or distribution media (see D10 and E8).


G2)  Is my disk infected with the Stoned virus?

Of course the answer to this, and many similar questions, is to obtain a
good virus detector.  There are many to choose from, including ones that
will scan diskettes automatically as you use them.  As Stoned is a boot
sector infector, remember to check all diskettes, even non-system or
"data" diskettes (see E1).

It is possible, if you have an urgent need to check a system when you
don't have any antivirus tools, to run CHKDSK or MEM and note down the
values reported (see C1) and then to boot from a known clean system
diskette and compare the results returned by CHKDSK or MEM.  If the
total amount of conventional memory reported is different between the
two boots then you may have a viral problem but this information alone
cannot tell us if it is Stoned.  If you cannot see the PC's hard disk
(usually the C: drive) then it is even more likely you have a virus
problem, though definitely not Stoned.  If you have a "disk editor" type
program, looking at the boot sector of a suspect floppy, or the MBR of
the suspect hard drive may be helpful.  If you have Stoned, the first
byte will indicate the characteristic far jump of the virus (hex: EA)
instead of the more common short jump (hex: EB) of the boot loader.
Even if that is the first byte, you could be looking at a perfectly good
disk that has been "inoculated" against the virus *or* is infected with
some other virus which makes similar changes, or at a diskette that
seems safe but contains a totally different type of virus.
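The manual "disk editor" check from the previous paragraph, as an added example that is not part of the original FAQ.  It assumes two constructed 512-byte sector images rather than captures of real disks, and it deliberately returns observations, not a virus name, for the reason the text gives: a far jump at offset 0 is consistent with Stoned but also with an inoculated disk or another virus.

```python
SECTOR_SIZE = 512

# Constructed 512-byte sector images (not captures of real disks): a normal DOS
# boot sector starting with a short jump, and a suspect one starting with a far jump.
CLEAN_BOOT = b"\xEB\x3C\x90" + b"MSDOS5.0" + b"\x00" * (SECTOR_SIZE - 13) + b"\x55\xAA"
SUSPECT_MBR = b"\xEA" + b"\x00" * (SECTOR_SIZE - 3) + b"\x55\xAA"

def triage_boot_sector(sector):
    """Describe what the first byte of a boot sector or MBR image suggests.
    This is the manual disk-editor check, not an identification."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector image")
    notes = []
    if sector[510:512] != b"\x55\xAA":
        notes.append("missing 55 AA boot signature; sector may not be bootable at all")
    first = sector[0]
    if first == 0xEB:
        notes.append("short jump (EB): the usual start of a DOS boot loader")
    elif first == 0xEA:
        notes.append("far jump (EA): consistent with Stoned, but also with an "
                     "inoculated disk or another virus that makes similar changes")
    else:
        notes.append(f"first byte {first:02X}: not a jump opcode; examine further")
    return notes

def has_far_jump(sector):
    """The single observation the FAQ describes; on its own it proves nothing."""
    return len(sector) == SECTOR_SIZE and sector[0] == 0xEA

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_BOOT), ("suspect", SUSPECT_MBR)):
        print(label, "->", "; ".join(triage_boot_sector(image)))
```

A proper scanner compares far more than the first byte; this triage only tells you whether a closer look is warranted.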


G3)  I was told that the Stoned virus displays the text "Your PC is now
     Stoned" at boot time.  I have been infected by this virus several
     times, but have never seen the message.  Why?

The "original" Stoned message was ".Your PC is now Stoned!", where the
"." represents the "bell" character (ASCII 7 or "PC speaker beep").  The
message is displayed with a probability of 1 in 8 *only* when a PC is
booted from an infected *diskette*.  When booting from an infected hard
disk, Stoned never displays this message.

Further, versions of Stoned with no message whatsoever or only the
leading bell character have become very common.  These versions of
Stoned are likely to go unnoticed by all but the most observant, even
when regularly booting from infected diskettes.

Contrary to some reports, the Stoned virus does *not* display the
message "LEGALISE MARIJUANA", although such a string is quite clearly
visible in the boot sectors of diskettes and MBRs of hard disks
infected with the "original" version of Stoned.


G4)  I was infected by both Stoned and Michelangelo.  Why has my
     computer become unbootable?  And why, each time I run my favorite
     scanner, does it find one of the viruses and say that it is
     removed, but when I run it again, it says that the virus is still
     there?

These two viruses store the original Master Boot Record at one and the
same place on the hard disk.  They do not recognize each other, and
therefore a computer can become infected with both of them at the same
time.

The first of these viruses that infects the computer will overwrite the
Master Boot Record with its body and store the original MBR at a certain
place on the disk.  So far, this is normal for a boot-record virus.  But
if now the other virus infects the computer too, it will replace the MBR
(which now contains the virus that has come first) with its own body,
and store what it believes is the original MBR (but in fact is the body
of the first virus) *at the same place* on the hard disk, thus
*overwriting* the original MBR.  When this happens, the contents of the
original MBR are lost.  Therefore the disk becomes non-bootable.

When a virus removal program inspects such a hard disk, it will see the
*second* virus in the MBR and will try to remove it by overwriting it
with the contents of the sector where this virus normally stores the
original MBR.  However, now this sector contains the body of the *first*
virus.  Therefore, the virus removal program will install the first
virus in trying to remove the second.  In all probability it will not
wipe out the sector where the (infected) MBR has been stored.

When the program is run again, it will find the *first* virus in the
MBR.  By trying to remove it, the program will get the contents of the
sector where this virus normally stores the original MBR, and will move
it over the current (infected) MBR.  Unfortunately, this sector still
contains the body of the *first* virus.  Therefore, the body of this
virus will be re-installed over the MBR ad infinitum.
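The sequence of sector copies described above, as an added example that is not part of the original FAQ.  The model is a constructed two-sector "disk" (the MBR and the one save sector both viruses use) holding labelled placeholder bytes, not boot code; it shows why the original MBR is unrecoverable after the second infection, why a remover that trusts the save sector loops forever, and what the "smarter" program in the next paragraph has to do instead.

```python
# Constructed sector contents (labels only, no real boot code): the model has
# just two sectors, the MBR and the single "save" sector both viruses use.
ORIGINAL_MBR = b"<original MBR: loader + partition table>"
VIRUS_A = b"<body of virus A>"
VIRUS_B = b"<body of virus B>"
GENERIC_MBR = b"<generic MBR supplied by the antivirus program>"
KNOWN_VIRUS_BODIES = {VIRUS_A, VIRUS_B}

def infect(disk, body):
    """Boot-record infection as the text describes it: stash whatever is in the
    MBR at the shared save sector, then overwrite the MBR with the body."""
    disk["save"] = disk["mbr"]
    disk["mbr"] = body

def naive_disinfect(disk):
    """A remover that trusts the save sector and copies it back over the MBR."""
    disk["mbr"] = disk["save"]

def careful_disinfect(disk):
    """Check what the save sector holds before restoring it; if it is itself a
    virus body, the original is gone and a generic MBR must be written."""
    if disk["save"] in KNOWN_VIRUS_BODIES or disk["save"] == disk["mbr"]:
        disk["mbr"] = GENERIC_MBR
        return "original MBR lost; generic MBR written"
    disk["mbr"] = disk["save"]
    return "original MBR restored"

def double_infection():
    """Disk state after the two infections described in the text."""
    disk = {"mbr": ORIGINAL_MBR, "save": b"\x00" * 16}
    infect(disk, VIRUS_A)   # save <- original, mbr <- A
    infect(disk, VIRUS_B)   # save <- A (original overwritten), mbr <- B
    return disk

def naive_history(rounds=3):
    """What the MBR holds after each run of the naive remover."""
    disk = double_infection()
    history = [disk["mbr"]]
    for _ in range(rounds):
        naive_disinfect(disk)
        history.append(disk["mbr"])
    return history

if __name__ == "__main__":
    for step, mbr in enumerate(naive_history()):
        print(f"after {step} naive removal(s): MBR = {mbr.decode()}")
    print(careful_disinfect(double_infection()))
```

After the first naive run the MBR and the save sector hold the same virus body, which is the state the careful remover recognises; the generic MBR it writes restores bootability but cannot bring back the lost partition table, so a backup of the original MBR is the only real fix.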

There is no easy solution to this problem, since the contents of the
original MBR are lost.  The only solution for the antivirus program is
to detect that there is a problem, and to overwrite the contents of the
MBR with a valid MBR program, which the antivirus program has to provide
itself.  If your favorite antivirus program is not that smart, consider
replacing it with a better one, or try using the boot sector
disinfection procedure described elsewhere (see C3).

In general, infection of the same file or area by multiple viruses is
possible and vital areas of the original may be lost.  This can make it
difficult or impossible for virus disinfection tools to be effective,
and replacement of the lost file/area will be necessary.


G5)  My scanner finds the Filler and/or Israeli Boot virus in memory,
     but after I boot from a clean floppy it reports no viruses.  Am I
     infected?

This is almost certainly a "false positive" (see C5).  One particular,
popular antivirus product (usually its TSR scanner/monitor VSAFE) leaves
its scan strings in memory in an unencoded form, and is well-known for
causing false positives on Filler and Israeli Boot.  Your other scanner
sees the first's scan strings (at least those for Filler and/or Israeli
Boot) and reports a virus in memory.  When you boot from a floppy you
(probably) are not loading the resident scanner, so it doesn't have a
chance to "booby-trap" your other scanner.  To fix this problem, try
adding "REM " to the beginning of the line in your AUTOEXEC.BAT or
CONFIG.SYS file that loads the suspect TSR, and see if the problem
disappears.


G6)  I was infected with Flip and now a large part of my hard disk
     seems to have disappeared.  What has happened?

Flip has a logic error, probably based on its author only knowing about
hard disk partitioning schemes under DOS 3.x (where partitions could not
exceed 32MB in size).

Part of Flip's infection routine decrements by six the "total number of
sectors" field in the BIOS Parameter Block (BPB--a table of critical
disk geometry data) in the DOS boot sector of the boot partition.  For
partitions of 32MB and under this field is meaningful, but in larger
partitions, this field is set to zero and a field in the "extended BPB"
contains the "big number of sectors" for that partition instead.  Not
knowing about larger partitions, Flip renders the large partitions it
meets a shade under 32MB.  The fix for this is to use a disk sector
editor to set the word at offset 13h of the affected DOS boot sector to
"00 00" (if the situation above applies, the two bytes there will
currently read "FA FF").  If you don't understand these instructions,
do *not* attempt to follow them and seek the help of a more technically
knowledgeable person.
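The Flip damage pattern and its repair as an added example, not part of the original FAQ and not a capture of a real disk: the boot sector is constructed in code with the standard DOS BPB field offsets (bytes per sector at 0Bh, 16-bit total sectors at 13h, 32-bit "big" total sectors at 20h).  Zero decremented by six wraps to FFFAh, which is the "FA FF" the text says you will find; the repair writes the word back to zero only when that pattern is present together with a non-zero big count.

```python
import struct

SECTOR_SIZE = 512
OFF_BYTES_PER_SECTOR = 0x0B   # standard DOS/FAT BPB offsets used below
OFF_TOTAL_SECTORS_16 = 0x13   # the word Flip decrements
OFF_TOTAL_SECTORS_32 = 0x20   # "big number of sectors" in the extended BPB
FLIP_DAMAGED_WORD = (0 - 6) & 0xFFFF   # zero decremented by six wraps to 0xFFFA ("FA FF")

def make_boot_sector(total_sectors_16, total_sectors_32):
    """Constructed DOS boot sector image (not a capture of a real disk)."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"
    sector[3:11] = b"MSDOS5.0"
    struct.pack_into("<H", sector, OFF_BYTES_PER_SECTOR, 512)
    struct.pack_into("<H", sector, OFF_TOTAL_SECTORS_16, total_sectors_16)
    struct.pack_into("<I", sector, OFF_TOTAL_SECTORS_32, total_sectors_32)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)

def read_sector_counts(sector):
    """Return (16-bit count, 32-bit count) as stored little-endian in the BPB."""
    small, = struct.unpack_from("<H", sector, OFF_TOTAL_SECTORS_16)
    big, = struct.unpack_from("<I", sector, OFF_TOTAL_SECTORS_32)
    return small, big

def effective_total_sectors(sector):
    """DOS uses the 16-bit count when it is non-zero, otherwise the 32-bit one."""
    small, big = read_sector_counts(sector)
    return small if small else big

def flip_damage_detected(sector):
    """The 16-bit word reads FA FF while a 32-bit count is present: a zero
    field decremented by six on a partition larger than 32MB."""
    small, big = read_sector_counts(sector)
    return small == FLIP_DAMAGED_WORD and big != 0

def repair_flip_damage(sector):
    """Return a copy with the word at offset 13h set back to 00 00."""
    if not flip_damage_detected(sector):
        raise ValueError("sector does not show the Flip damage pattern")
    fixed = bytearray(sector)
    struct.pack_into("<H", fixed, OFF_TOTAL_SECTORS_16, 0)
    return bytes(fixed)

if __name__ == "__main__":
    damaged = make_boot_sector(FLIP_DAMAGED_WORD, 204800)   # a constructed 100MB partition
    print("DOS sees", effective_total_sectors(damaged) * 512, "bytes before repair")
    print("DOS sees", effective_total_sectors(repair_flip_damage(damaged)) * 512, "bytes after repair")
```

With the damaged word in place DOS sees 0xFFFA sectors, 33,553,920 bytes, a shade under the 32MB (33,554,432 bytes) the text mentions; on a partition of 32MB or less the 16-bit field is genuinely in use, the decrement only shortens it by six sectors, and the zeroing repair does not apply, which is why flip_damage_detected also requires a non-zero big count.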


G7)  What does the GenB and/or the GenP virus do?

There is no such thing as *the* GenB or GenP virus.  It is a heuristic
used by a very popular scanner to detect boot sector viruses and means
"There is something very suspicious in the boot sector (GenB) or in the
MBR (GenP), and I am pretty sure that it is a virus, however, I have no
idea which particular virus it might be".  You should run a scanner
which has better recognition and identification capabilities (see B15),
if you want to know which particular virus you have.  One advantage of
the GenB/GenP report is that you can often use the disinfection utility
from the same producer to remove the virus, even if no other scanner can
remove it.  When told to remove the GenB/GenP "virus", the utility scans
the disk for something that looks like a saved copy of the original boot
sector or MBR and will put it back in place, thus removing the virus, or
it writes a good generic MBR if there is an apparently valid partition
table in the virus MBR.


G8)  How do I "boot from a clean floppy"?

"Put it in the A: drive and turn the power on."

The facetious answer aside, the real question here is usually more one
of "How do I ensure I have a clean boot floppy?"

As with so many issues concerning viruses, the important thing is to be
prepared *in advance*.  As with backups, a current, clean boot disk
should be a standard part of every personal computer system, as there
are other occasions than when facing a real or suspected virus infection
where being able to boot your computer to a "known good" state is
useful or desirable (e.g. you accidentally delete your disk-compression
driver from your hard disk).  As with backups, a current, clean boot
disk is one of the standard parts of a personal computer system most
commonly missing.

The important thing in preparing a clean boot diskette, especially where
it has to be used with a (suspected) virus infection, is that it must
*not* run a single byte of code from your hard disk.  This means your
boot floppy must contain all the basic operating system files, device
drivers and configuration commands necessary to make your system
minimally usable.  This diskette must be prepared on a system that is,
itself, guaranteed "clean" and it should be write-protected immediately
after it is completed.  Aside from a basic, minimal operating system,
your emergency boot diskette should contain the utilities necessary to
install your OS to a hard disk *and* basic diagnostic or "fix it"
programs and your favorite antivirus tools.  Depending upon disk space
considerations, you may need additional diskettes to hold all these
utilities.  For example, if you use DOS it is a good idea to copy the
following utility programs to your emergency boot disk (if your version
of DOS includes them): FDISK, CHKDSK and/or SCANDISK, FORMAT, SYS, MEM,
UNFORMAT, UNDELETE, MSD.

When it comes to rebooting your computer from a clean system disk, it is
most important that you perform a "cold start".  On a PC, this means
pressing the reset button or turning the power off and on again, *not*
pressing Ctrl-Alt-Del.  Regardless of the machine type, if you are
unsure, use the power off then power on method just described.  It is
even more important that your machine is correctly configured to try
booting from the floppy first.  Most contemporary BIOSes have an option
to select the boot order (A: then C: or C: then A:)--this must be set to
A: then C: for this procedure, though normally we strongly recommend
that you set this option to C: then A:.

As systems change from time to time, you may occasionally need to update
this most critical of diskettes so it will still boot your system to a
usable state.  As you may have recently contracted a new virus that
bypasses your current antivirus precautions, this update process can put
you at risk of infecting your "clean" emergency boot diskette.  Because
of this, it is prudent to have two such diskettes.  With system changes
you would update these in a "leap frog" manner.  This means your
previous emergency boot diskette might still bring your machine up to a
minimally useful state (such that you may still be able to make repairs)
should your updated emergency boot diskette be infected by a previously
unknown virus.

Unfortunately, this isn't the whole story either!  A PC virus known as
EXE_Bug can fake out the boot process by setting the PC's CMOS to look
as if there are no floppy drives in the machine.  Most BIOSes don't
even try to boot from a floppy in this case, and go straight to the hard
disk, loading the virus from the MBR.  When EXE_Bug first loads into
memory, it checks to see if there is a diskette in the first floppy
drive, and if there is, it loads the boot sector from the diskette and
lets the floppy boot as normal.  Most people don't notice the subtly
different boot time and drive access order involved in this, so they
think they have booted clean, when in fact the virus is active in
memory!  To circumvent this possibility, you have to check the PC's CMOS
settings before letting the floppy boot proceed, make sure that your PC
"knows" it has a floppy drive, *and*, with some PCs, make sure that the
boot order option is set to "A: then C:".  This presents a
chicken-and-egg situation on some machines, as you may have to boot DOS
on the machine to be able to run the utility program that lets you
change its CMOS settings.

Remember, if you changed your BIOS's boot order option, set it back to
C: then A: after disinfecting your PC.


G9)  My PC diagnostic utility lists "Cascade" amongst the hardware
     interrupts (IRQs).  Does this mean I have the Cascade virus?

No!  This is quite normal on AT-style (286 and better) PCs (and on a few
8086 (XT) class machines).  The original IBM PC design had one
Programmable Interrupt Controller (PIC) to handle hardware interrupts
generated when devices like disk controllers, serial and parallel ports,
LAN adaptors, etc. have to be serviced.  While developing the AT, IBM
decided that the eight Interrupt ReQuest (IRQ) lines the original PIC
supported were probably insufficient for likely future expansion needs,
so they added a second PIC.  The two PICs had to cooperate, so both
didn't interrupt the CPU concurrently.  This was achieved by having the
second PIC use an IRQ to signal the first PIC when it has an IRQ to
service.  IRQs 2 and 9 were used for this and are commonly called the
"cascade" IRQ, as they allow the second PIC to cascade an IRQ down to
the first PIC.


G10) Occasionally the text "welcome datacomp" appears in my Mac
     documents without me typing it.  Is this a virus?

Most likely not.  This phenomenon has been reported for a particular
make/model of third-party Macintosh-compatible keyboard.  It appears to
be a practical joke, coded into the keyboard's ROM, that causes the
keyboard to output that text (as if it was typed) after a period of
keyboard inactivity.  The only practical fix is to replace the keyboard.
This is, in effect, a hardware (technically "firmware") Trojan Horse--
the keyboard has features or functions that are not advertised and that
will be performed without the owner's or user's wish or permission.


G11) How good are the antivirus tools included with MS-DOS 6?

While this FAQ sheet avoids answering specific questions about
particular antivirus software (partly because the ground tends to move
very quickly!), the antivirus tools included with MS-DOS 6 are very
widely distributed and accessible.  We will not give a wide-ranging
answer here, but will point out that Microsoft Corporation does not use
MSAV but a competitor's product.  We suggest that anyone considering
using the antivirus tools supplied with MS-DOS 6 as a significant part
of their virus defense should read the review available by anonymous FTP
from (amongst others) ftp.informatik.uni-hamburg.de (IP = 134.100.4.42)
as /pub/virus/texts/viruses/msaveval.zip.


G12) When I do a "DIR | MORE", I see two files with random names that
     are not there when I just use "DIR".  On my friend's system they
     cannot be seen.  Do I have a virus?

No.  DOS's default commandline interpreter (COMMAND.COM) creates two
temporary files with unique names for every pipe character ("|") used on
the command line.  Starting with DOS version 5.0, these files are
created in the directory pointed to by the TEMP environment variable,
not in the current directory as they were in earlier DOS versions.  If
your TEMP setting is invalid or you have an earlier version of DOS you
will see these files in the current directory when you pipe the output
of a DIR command through MORE (or any other filter). If you don't see
these files in the current directory's listing, performing the command
"DIR | MORE" on the directory specified by the TEMP variable will reveal
them.

Generally, you would be better to use "DIR /P" instead of "DIR | MORE",
as this avoids the creation of the temporary files.  If you use an
alternative commandline interpreter, none of the above may apply.


G13) What is the ChipAway virus?  (Or ChipAwayVirus?)

The ChipAway virus is not a virus at all.  In fact, it is a poorly
chosen name for a good idea.  Many PCs have an advanced BIOS feature
that, when activated, prevents any writes to the MBR through BIOS disk
routines.  If active, this feature can cause problems if you install non-
DOS operating systems (like OS/2, Windows 95 or Windows NT), as their
installation routines typically need to write to the MBR, but for
general purpose computers, it is a good idea to turn on these options,
if they exist.

Unfortunately, one of the earliest and most widely available
implementations of this idea prints a message on screen at each system
startup to the effect "ChipAwayVirus installed".  This is supposed to
calm the owner's nerves, making them confident that their BIOS antivirus
system is working for them.  For fairly obvious reasons, it tends to
have the opposite effect!

[End of Virus-L/comp.virus FAQ sheet]


-----BEGIN PGP SIGNATURE-----
Version: 2.6.i

iQCVAgUBMHhJLo2yC8NpBpE5AQHa7gQA1Ye63ZVHxrk5rqMuTfj0468b+8tmdsfi
UpAdPblOPR44TwTFi6vU9BUYxGBjwoegO4yqufTpxEHlJDeaGBG3T3ACllROmr/4
1RqHm0oYh4APKgwZIM7vuWAevU3QFcM1cxY702w/5YD/AMnSXj5rIHfMHBtbYNo9
PFNR0XgrQ6o=
=q4G1
-----END PGP SIGNATURE-----

From csus.edu!csulb.edu!logbridge.uoregon.edu!su-news-hub1.bbnplanet.com!cam-news-feed5.bbnplanet.com!news.gtei.net!bloom-beacon.mit.edu!senator-bedfellow.mit.edu!faqserv Thu Apr  1 15:21:22 1999
Path: csus.edu!csulb.edu!logbridge.uoregon.edu!su-news-hub1.bbnplanet.com!cam-news-feed5.bbnplanet.com!news.gtei.net!bloom-beacon.mit.edu!senator-bedfellow.mit.edu!faqserv
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Newsgroups: alt.comp.virus,comp.virus,alt.answers,comp.answers,news.answers
Subject: [alt.comp.virus] FAQ Part 1/4
Supersedes: <computer-virus/alt-faq/part1_920815039@rtfm.mit.edu>
Followup-To: alt.comp.virus
Date: 23 Mar 1999 15:18:52 GMT
Organization: none
Expires: 21 Apr 1999 14:47:20 GMT
Message-ID: <computer-virus/alt-faq/part1_922200440@rtfm.mit.edu>
NNTP-Posting-Host: penguin-lust.mit.edu
X-Last-Updated: 1998/04/02
Originator: faqserv@penguin-lust.MIT.EDU
Xref: csus.edu alt.comp.virus:101379 comp.virus:28440 alt.answers:36894 comp.answers:33623 news.answers:142294

Archive-name: computer-virus/alt-faq/part1
Posting-Frequency: Fortnightly
URL: http://www.webworlds.co.uk/dharley/
Maintainer: Co-maintained by David Harley, Bruce Burrell, and George Wenzel 

               alt.comp.virus (Frequently Asked Questions)
               *******************************************

                       Version 1.05: Part 1 of 4
                      Last modified 20th Dec 1997


                      ("`-''-/").___..--''"`-._
                       `6_ 6  )   `-.  (     ).`-.__.`)
                       (_Y_.)'  ._   )  `._ `. ``-..-'
                     _..`--'_..-_/  /--'_.' ,'
                    (il),-''  (li),'  ((!.-'



++ ADMINISTRIVIA
   =============

++ New or modified entries are now flagged with two plus symbols at the
   beginning of the line or paragraph. Due to a communications 
   breakdown between co-maintainers, not all changes may have been
   flagged in this update (1.05), especially in section 2.

++ Amendments between official upgrades are flagged with two 
   "at" signs (@@) in the first two columns. As there have been no
   amendments of this sort for a good while, this may be dropped:
   however, if you see any, it probably means that a change has been
   made but not approved by all three maintainers.

Maintenance of this FAQ is now shared between the following:

	David Harley  <D.Harley@icrf.icnet.uk>
	Bruce Burrell <bpb@umich.edu>
	George Wenzel <gwenzel@gpu.srv.ualberta.ca>

++
Suggestions, corrections, new material etc. may be sent to any of us,
but will normally require the approval of all three co-maintainers
(this includes edits by any of the co-maintainers). Material which we
can use with a minimum of editing is particularly welcome. Sometimes
I'm told that something should be in here which already is. Please 
check carefully. Suggestions for material which -isn't- already in
are welcome, but we're all busy people and there's no guarantee as
to if and when we'll write new material. If you give us a draft, it
makes things much easier (and obviously you'll be credited).

++
For the present, the authoritative version of the FAQ remains the one
at http://webworlds.co.uk/dharley/. Administration of the <Guide to 
AntiVirus FAQs> remains with David Harley alone. At present it's in
abeyance, due to the need for extensive re-casting. The <Viruses and 
the Macintosh> FAQ is now co-maintained by David Harley and Susan 
Lesch, and the authoritative version is the one at 
http://www.macvirus.com/.

++
The placeholders section has been dropped, since the structure of the
FAQ is now pretty stable.

Disclaimer
----------

This document is primarily concerned with defending the integrity of
computing systems and preventing damage caused by viruses or other
malicious and/or other unauthorized software. It attempts to address
many of the issues which are frequently discussed on alt.comp.virus,
but does not claim to represent all shades of opinion among the users of
a.c.v. - in particular, it does not include information which, in my
estimation, is likely to be of more help to those interested in the
spreading of unauthorized and/or malicious software than to those
who wish to be protected from it.

This document is an honest attempt to help individuals with computer
virus-related problems and queries. It can *not* be regarded as being
in any sense authoritative, and has no legal standing. The authors
accept no responsibility for errors or omissions, or for any ill effects
resulting from the use of any information contained in this document.

Not all the views expressed in this document are mine, and those views
which *are* mine are not necessarily shared by my employer.

        David Harley
        ------------

Copyright Notice
----------------

Copyright on all contributions to this FAQ remains with the authors
and all rights are reserved. It may, however, be freely distributed
and quoted - accurately, and with due credit.

It may not be reproduced for profit or distributed in part or as
a whole with any product or service for which a charge is made, except 
with the prior permission of the copyright holders. To obtain such 
permission, please contact David Harley or one of the other 
co-maintainers of the FAQ.

Such permission will normally be forthcoming as long as 
(1) reproduced text is quoted accurately
(2) it is made clear that such text is derived from the FAQ
(3) it is made clear that the latest version of the FAQ is available
    from the newsgroup and from the official home of the FAQ on
    the world-wide web, which is currently 
	http://webworlds.co.uk/dharley
(4) the e-mail addresses of all three of the co-maintainers
    of the FAQ are included as a contact point. 

Availability
------------

The latest version of this document is available from:

(1)     http://www.webworlds.co.uk/dharley/
        (this is the primary source)
++
        My site at totalweb is no longer being maintained
        due to lack of time: I'm unlikely to renew the 
        subscription.
(2)     

Thanks to the efforts of Ed Fenton, the FAQ is now available
as a hypertext electronic document (DOS). This will be
available from ftp.gate.net (see below).

        ftp.gate.net/pub/users/ris1/acvfaqht.zip 
++
I've kind of lost touch with Ed, so this may not be the latest
version.

++ [References to foreign-language versions dropped. There are
    one or two, but I don't have details at present.]

A number of individuals and sites have agreed to make it available
via anonymous FTP and/or WWW. These include:

        ftp://ftp.gate.net/pub/users/ris1/acvfaq.zip
        http://www.drsolomon.com/
        http://www.innet.net/~ewillems/
        http://emt.doit.wisc.edu/acvfaq/acvFAQ.html

It is no longer available on AOL in the Macintosh Virus Information 
Center, which is no longer being updated. I note that it -is- being 
used, without due credit, by the PC Virus Information Center. This is
quite against the spirit -and- the letter of this copyrighted document, 
and is being checked out now. 

----------------------------------------------------------------------

PREFACE
=======

(i) What is the FAQ, and whom is it for?
    -----------------------------------

  This FAQ is intended to make available answers to questions which
  are repeatedly asked on alt.comp.virus, and tries to gather the most
  useful information regarding this group and the issues discussed here
  into a relatively short document. The hope is to produce (eventually)
  an easily-digested document for newcomers, as a means of saving those
  who regularly reply to posted questions having to re-invent the wheel
  each time.

  I recommend that you read this FAQ in conjunction with the comp.virus
  (VIRUS-L) FAQ, which gives more detailed information regarding some
  issues which are, inevitably, covered in both FAQs.

  The VIRUS-L/comp.virus FAQ is regularly posted to the comp.virus
  newsgroup. The latest version should be available at:

        http://www.faqs.org/faqs/computer-virus/faq/index.html
        ftp://ftp.datafellows.com/pub/misc/anti-vir/vlfaq200.zip
        
  A very terse mini-FAQ maintained by George Wenzel is posted more or
  less weekly to alt.comp.virus. I am now regularly posting a guide to
  virus-related FAQs (contact details and digest of contents), which I
  plan to extend to other security areas eventually, as a supplement
  to this FAQ. Both these resources will eventually be available by
  FTP/WWW.
 
  [The guide to virus-related FAQs is withdrawn for the present, 
   due to the need for extensive updating]

(ii) Credits/Acknowledgements
     ------------------------

  The following have contributed text and/or ideas and/or
  proofreading/corrections and/or URLs to the a.c.v. FAQ.

        Vesselin Bontchev
        Dennis Boon
        Bruce Burrell
        Graham Cluley
        Henri Delger
        Edward Fenton
        Nicola Ferri
        Sarah Gordon
        David Harley
        R. Wallace Hale
        Norman Hirsch
        Matthew Holtz
        Mikko H. Hypponen
        Douglas A. Kaufman
        Tom Kelchner
        Paul Kerrigan
        Chengi Jimmy Kuo
        Susan Lesch
        Gerard Mannig
        Martin Overton
        Mike Ramey
        Perry Rovers
        Megan Skinner
        Fridrik Skulason
        Robert Slade
        Alan Solomon
        Ken Stieers
        Hector Ugalde
        George Wenzel
        Caroline Wilson
        Tarkan Yetiser

  Acknowledgement is also due to the work of Ken Van Wyk, former
  moderator of VIRUS-L/comp.virus, and the contributors to the
  comp.virus FAQ (both versions).

  Thanks also to ked@intac.com (aka Phreex), who mailed me a copy of the FAQ 
  he posted to a.c.v. some months before this one was begun, David J. Loundy
  for assistance regarding legal issues, and to Nick FitzGerald, the
  moderator of comp.virus and maintainer of the Mk. II comp.virus FAQ.
  And especially to George Wenzel and Lucky the Cat.

(iii) Guide to posting etiquette
      --------------------------

  Messages asking for help posted to alt.comp.virus are more likely to
  receive a useful response if they conform to accepted standards of
  civility. The newsgroup news.announce.newusers includes information
  on good newsgroup etiquette, or try

        ftp://rtfm.mit.edu/pub/usenet/news.announce.newusers/
        http://www.fau.edu/rinaldi/netiquette.html

  However, adhering to the following guidelines would be particularly
  helpful:

* Keep your lines short (say 72 characters per line), so that anyone
  who follows up doesn't have to reformat quoted text to keep it
  readable.
* Don't quote all or most of a message you're following up unless it's
  either very short, or necessary in order to address each point made.
  In the latter case, please put the point you're answering close to
  your answer and try to format it so that it's readable. Remember that
  some people have to pay for connection/download time.
* On the other hand, a message which says something like 'I totally
  agree' without including enough of the original for us to tell what
  you're agreeing with is a waste of bandwidth.
* Keep it polite. It's unlikely that anyone who replies to your
  posting is being paid to do so, and it wouldn't excuse bad manners if
  they were. Of course, the cut and thrust of debate may be a different
  matter altogether....
* Asking for a reply by direct e-mail may be reasonable if you need
  an urgent solution or are using a borrowed account. It isn't
  reasonable if you simply can't be bothered to check newsgroups.
  At least try to think up a good excuse, and be prepared to offer a
  summary to the group.
* Check that there isn't already a thread on the subject you're
  asking about before posting yet another 'Has anyone heard of the GOOD
  TIMES virus?' message. If there is, check it first: the answer to
  your question may already be there (if it isn't in this document!).
  Please remember that many people have to pay for connect time, and
  don't appreciate duplicate postings or uuencoded binaries.
* If you want to follow up a message which doesn't seem particularly
  relevant to alt.comp.virus, check the 'Newsgroups:' header: there
  have been a lot of responses to spammings recently which have
  increased the bandwidth used, often quite unnecessarily.
* Please don't post test messages here unless you really need to:
  use one of the newsgroups intended for the purpose: there is probably
  one local to your news server - ask your Systems Administrator,
  provider or local helpdesk. If you must post to the entire Internet,
  use misc.test - if you do, put the word IGNORE in your Subject: field,
  or you'll get auto-responder messages in your mail for weeks
  afterwards. Look through the postings in news.announce.newusers
  for relevant guidelines before you post.
* If you get into an exchange of E-mail, please remember that
  not everyone can handle all forms of E-mail attachment (uuencoded,
  MIME format etc.) - if it's text, *send* it as text. NB also that
  (uu)encoding text makes it longer as well as unreadable, so don't!

(iv) How to ask on the alt.comp.virus newsgroup for help
     ---------------------------------------------------

  The more relevant information you give us, the more we can help you.
  It helps to tell us the following:

* What you think the problem is (you might think it's a virus, but
  maybe it isn't)
* What the symptoms are. If you ran some software that gave you a
  message, tell us which package, version number, and the exact wording
  of the message.
* Please be as accurate as possible about the order in which events
  happened.
* If just one file is infected, give the filename.
* If you're running more than one anti-virus product, please list
  them (including version number), and say what each one said about
  the possible virus.
* Which version of which operating system you are running.
* Any other configuration information which you think may have a bearing.

  Don't take action, then ask if that was the right action - if it
  wasn't, it's too late.

  Don't just ask "I've got xyz virus, can anyone help me".

-------------------------------------------------------------------------

Table of Contents
*****************

----->  Part 1
        ------

----->  (1)     I have a virus - what do I do?
----->  (2)     Minimal glossary
----->  (3)     What is a virus (Trojan, Worm)?
----->  (4)     How do viruses work?
----->  (5)     How do viruses spread?
----->  (6)     How can I avoid infection?
----->  (7)     How does antivirus software work?

        Part 2
        ------

        (8)     What's the best anti-virus software
                      (and where do I get it)?
        (9)     Where can I get further information?
        (10)    Does anyone know about
                * Mac viruses?
                * UNIX viruses?
                * macro viruses?
                * the AOLGold virus?
                * the PKZip300 trojan virus?
                * the xyz PC virus?
                * the Psychic Neon Buddha Jesus virus?
                * the blem wit virus
                * The Irina Virus
                * Ghost
                * General Info on Hoaxes/Erroneous Alerts
        (11)    Is it true that...?
        (12)    Favourite myths
                * DOS file attributes protect executable files from
                  infection
                * I'm safe from viruses because I don't use bulletin
                  boards/shareware/Public Domain software
                * FDISK /MBR fixes boot sector viruses
                * Write-protecting suspect floppies stops infection
                * The write-protect tab always stops a disk write
                * I can infect my system by running DIR on an infected
                  disk
        Part 3
        ------

        (13) What are the legal implications of computer viruses?

        Part 4
        ------

        (14)    Miscellaneous

        Are there anti-virus packages which check zipped files?
        What's the genb/genp virus?
        Where do I get VCL and an assembler, & what's the password?
        Send me a virus.
        It said in a review......
        Is it viruses, virii or what?
        Where is alt.comp.virus archived?
        What about firewalls?
        Viruses on CD-ROM.
        Removing viruses.
        Can't viruses sometimes be useful?
        Do I have a virus, and how do I know?
        What should be on a (clean) boot disk?
        How do I know I have a clean boot disk?
        What other tools might I need?
        What are rescue disks?
        Are there CMOS viruses?
        How do I know I'm FTP-ing 'good' software?
        What is 386SPART.PAR?
        Can I get a virus to test my antivirus package with?
        When I do DIR | MORE I see a couple of files with funny names...
        Reasons NOT to use FDISK /MBR
        Why do people write/distribute viruses?
        Where can I get an anti-virus policy?
        Are there virus damage statistics?
        What is NCSA approval?
        What language should I write a virus in?
        No, seriously, what language are they written in?
        [DRD], Doren Rosenthal, the Universe and Everything
        What are CARO and EICAR?
++      Placeholders [dropped with 1.05]

++
Supplement: Virus-related FAQs vs. 1.02b [not currently available]

* The alt.comp.virus FAQ
* The comp.virus/Virus-L FAQ
* The macro-virus FAQ
* The alt.comp.virus mini-FAQ
* The Antiviral Software Evaluation FAQ

-------------------------------------------------------------------------

(1) I have a virus problem - what do I do?
==========================================

The following guidelines will, one hopes, be of assistance. However,
you may get better use out of them if you read the rest of this
document before acting rashly...

If you think you may have a virus infection, *stay calm*. Once
detected, a virus will rarely cause (further) damage, but a
panic action might. Bear in mind that not everyone who thinks s/he
has a virus actually does (and a well-documented, treatable virus
might be preferable to some problems!). Reformatting your hard disk
is almost certainly unnecessary and very probably won't kill the
virus.

If you've been told you have something exotic, consider the
possibility of a false alarm and check with a different package.

If you have a good antivirus package, use it. Better still, use more
than one. If there's a problem with the package, use the publisher's
tech support and/or try an alternative package. If you don't have a
package, get one (see section on sources below). If you're using
Microsoft's package (MSAV) get something less out-of-date.

Try to get expert help *before* you do anything else. If the problem
is in your office rather than at home there may be someone whose job
includes responsibility for dealing with virus incidents.

Follow the guidelines below as far as is practicable and applicable.

* Do not attempt to continue to work with an infected system, or let
  other people do so.
* Generally, it's considered preferable to switch an infected
  system off until a competent person can deal with it: don't allow
  other people to use it in the meantime. If possible, close down
  applications, Windows etc. properly and allow any caches/buffers
  to flush, rather than just hit the power switch.
* If you have the means of checking other office machines for
  infection, you should do so and take appropriate steps if an
  infection is found.
* If you are unable to check other machines, assume that all
  machines are infected and take all possible steps to avoid
  spreading infection any further.
* If there are still uninfected systems in the locality, don't use
  floppy disks on them [except known clean write-protected DOS boot
  floppies].
* Users of infected machines should not, *under any circumstances*,
  trade disks with others until their systems and disks are cleaned.
* If the infected system is connected to a Novell network, Appleshare
  etc., it should be logged off all remote machines unless someone
  knowledgeable says different. If you're not sure how to do this,
  contact whoever is responsible for the administration of the
  network. You should in any case ensure that the network administrator
  or other responsible and knowledgeable individual is fully aware of
  the situation.
* No files should be exchanged between machines by any other means
  until it's established that this can be done safely.
* Ensure that all people in your office and anyone else at risk are
  aware of the situation.
* Get *all* floppy disks together for checking and check every one.
  This includes write-protected floppies and program master disks.
  Check all backups too (on tape or file servers as well as on floppy).


(2) Minimal Glossary
====================

[There is room for improvement and expansion here. Contributions
will be gratefully accepted.]

* AV   - AntiVirus. Sometimes applied as a shorthand term for
         anti-virus researchers/programmers/publishers - may include
         those whose work is not AV research, but includes
         virus-control. (See also Vx.)
* BSI  - Boot Sector Infector (= BSV - Boot Sector Virus)
* BIOS - Basic Input Output System
* CMOS - Memory used to store hardware configuration information
* DBR  - DOS Boot Record
* DBS  - DOS Boot Sector
* False Positive - When an antivirus program incorrectly reports a
                   virus in memory or infecting a file. Scanners in
                   heuristic mode and integrity checkers are, by
                   definition, somewhat more prone to these.
* False Negative - Essentially, a virus undetected by an antivirus
                   program.
* In-the-wild    - describes viruses known to be spreading
                   uncontrolled to real-life systems, as opposed to
                   those which exist only in controlled situations
                   such as anti-virus research labs. Virus code
                   which has been published but not actually found
                   spreading out of control is not usually regarded
                   as being in-the-wild.
* MBR  - Master Boot Record (Partition Sector)
* TSR  - A memory-resident DOS program, i.e. one which remains in
         memory while other programs are running. A good TSR should
         at least detect all known in-the-wild viruses and a good
         percentage of other known viruses. Generally, TSRs are not
         so good with polymorphic viruses, and should not be relied on
         exclusively.
* vx   - Those who study, exchange and write viruses, not necessarily
         with malicious intentions (So I'm frequently told here...)  B-)
* VxD  - A Windows program which can run in the background. A scanner
         implemented as a VxD has all the advantages of a DOS TSR, but
         can have additional advantages: for instance, a good VxD will
         scan continuously *and* for all the viruses detected by a
         command-line scanner.
* Zoo  - suite of viruses used for testing.

See the comp.virus FAQ for fuller definitions of some of these terms and
others which aren't addressed here.

Here are some commonly referred to anti-virus packages, including
acronyms (hence their inclusion in this section). [Suggestions for
expansion are, again, welcomed.]

* AVP - AntiViral Toolkit Pro
* AVTK - Dr. Solomon's AntiVirus ToolKit
* CPAV - Central Point AntiVirus
* The Doctor (Not Dr. Solomon!)
* Disinfectant (Mac)
* DSAVTK - Dr. Solomon's AntiVirus ToolKit
* DSAV - Dr. Solomon's Anti-Virus (North American Retail Edition)
* F-Prot
* FindViru(s) - DSAVTK scanner
* Gatekeeper (Mac)
* Invircible
* MSAV - MicroSoft AntiVirus
* McAfee Antivirus
* NAV - Norton AntiVirus
* SCAN - ViruScan (McAfee's scanner)
* Sweep - Scanner by Sophos
* TBAV - Thunderbyte AntiVirus
* VET


(3) What is a virus (and what are Trojans and Worms)?
=====================================================

A (computer) virus is a program (a block of executable code) which
attaches itself to, overwrites or otherwise replaces another program
in order to reproduce itself without the knowledge of the PC user.

Most viruses are comparatively harmless, and may be present for
years with no noticeable effect: some, however, may cause random
damage to data files (sometimes insidiously, over a long period)
or attempt to destroy files and disks. Others cause unintended
damage. Even benign viruses (apparently non-destructive viruses)
cause significant damage by occupying disk space and/or main
memory, by using up CPU processing time, and by the time and expense
wasted in detecting and removing them.

A Trojan Horse is a program intended to perform some covert
and usually malicious act which the victim did not expect or want.
It differs from a destructive virus in that it doesn't reproduce
(though this distinction is by no means universally accepted).

A dropper is a program which installs a virus or Trojan, often
covertly.

A worm is a program which spreads (usually) over network
connections. Unlike a virus, it does not attach itself to a
host program. In practice, worms are not normally associated
with personal computer systems. There is an excellent
and considerably longer definition in the Mk. 2 version of the
Virus-L FAQ.

(The following is a slightly academic diversion)

A lot of bandwidth is spent on precise definitions of some of
the terms above. I have Fridrik Skulason's permission to include
the following definition of a virus, which I like because it
demonstrates most of the relevant issues.

     #1 A virus is a program that is able to replicate - that is, create
        (possibly modified) copies of itself.

     #2 The replication is intentional, not just a side-effect.

     #3 At least some of the replicants are also viruses, by this
        definition.

     #4 A virus has to attach itself to a host, in the sense that execution
        of the host implies execution of the virus.

  --

  #1 is the main definition, which distinguishes between viruses and Trojans
  and other non-replicating malware.

  #2 is necessary to exclude for example a disk-copying program copying a
  disk, which contains a copy of itself.

  #3 is necessary to exclude "intended" not-quite-viruses.

  #4 is necessary to exclude "worms", but at the same time it has to be broad
  enough to include companion viruses and .DOC viruses.

(4) How do viruses work?
========================

++
A file virus attaches itself to a file (but see the section below
or the comp.virus FAQ on the subject of companion viruses), usually
an executable application (e.g. a word processing program or a DOS
program). In general, file viruses don't infect data files. However,
data files can contain embedded executable code such as macros, which
may be used by virus or trojan writers. Recent versions of Microsoft
Word are particularly vulnerable to this kind of threat. Text files 
such as batch files, postscript files, and source code which contain 
commands that can be compiled or interpreted by another program are 
potential targets for malware (malicious software), though such malware 
is not at present common.

Boot sector viruses alter the program that is in the first sector
(boot sector) of every DOS-formatted disk. Generally, a boot
sector infector executes its own code (which usually infects the boot
sector or partition sector of the hard disk), then continues the PC
bootup (start-up) process. In most cases, all write-enabled floppies
used on that PC from then on will become infected.
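
The following Python program is an added example and is not part of the
alt.comp.virus FAQ or any anti-virus product. It shows the kind of
integrity check that catches what the paragraph above describes: because
a boot sector infector must alter the code in the first sector, a
fingerprint of the code area taken from a known-clean sector will no
longer match afterwards, while the partition table and the 55AA
signature (which the virus normally leaves intact so the disk still
boots) are deliberately left out of the fingerprint. The 512-byte
sample sector, the partition entry in it, and all function names are
constructed for this example; the few "code" bytes are placeholders,
not a real boot loader.

```python
# Added example (not from the FAQ): parse a 512-byte PC master boot record
# and fingerprint its code area so a later copy can be compared against a
# known-clean baseline. Everything below (sample sector, names) is
# constructed for illustration.
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446   # 446 bytes of boot code, then 4 x 16-byte entries
SIGNATURE_OFFSET = 510    # bytes 0x55 0xAA mark a bootable sector


def parse_partition_table(sector):
    """Return the four partition entries as dicts (status, type, LBA start,
    sector count). CHS fields are read but not interpreted."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def has_boot_signature(sector):
    """True if the sector is 512 bytes and ends with the 55AA signature."""
    return len(sector) == SECTOR_SIZE and sector[SIGNATURE_OFFSET:] == b"\x55\xAA"


def boot_code_fingerprint(sector):
    """SHA-256 of the code area only (bytes 0..445). Excluding the partition
    table means legitimate repartitioning does not trip the check, while a
    boot sector virus, which has to change the code, does."""
    return hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest()


def check_sector(sector, baseline_fingerprint):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    if not has_boot_signature(sector):
        findings.append("missing 55AA boot signature")
    if boot_code_fingerprint(sector) != baseline_fingerprint:
        findings.append("boot code differs from baseline")
    return findings


def make_sample_mbr(code=b""):
    """Construct a synthetic MBR: the given code bytes padded to 446, one
    active FAT16 partition entry, three empty entries, and the signature."""
    code = code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    # status 0x80 = bootable, type 0x06 = FAT16, starts at LBA 63
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xfe\x3f\x7f", 63, 1048513)
    empty = b"\x00" * 16
    return code + entry + empty * 3 + b"\x55\xAA"


# Constructed "clean" sector and the baseline recorded from it.
CLEAN_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
BASELINE = boot_code_fingerprint(CLEAN_MBR)

# Constructed sector whose code area has been replaced while the partition
# table and signature are untouched, i.e. the shape of a boot sector
# infection as the FAQ describes it.
MODIFIED_MBR = make_sample_mbr(b"\xeb\x3c\x90" + b"\x90" * 40)

if __name__ == "__main__":
    print("clean   :", check_sector(CLEAN_MBR, BASELINE))
    print("modified:", check_sector(MODIFIED_MBR, BASELINE))
    for p in parse_partition_table(CLEAN_MBR):
        print(p)
```

On a real machine the baseline would be recorded from the sector while the
system is known to be clean (immediately after a clean boot from a
write-protected floppy, as the FAQ recommends) and stored off the disk
being checked; comparing against a baseline stored on the same disk lets
a virus alter both.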

Multipartite viruses have some of the features of both the above
types of virus. Typically, when an infected *file* is executed, it
infects the hard disk boot sector or partition sector, and thus
infects subsequent floppies used or formatted on the target system.

++
Macro viruses typically infect global settings files such as Word
templates so that subsequently edited documents are contaminated
with the infective macros.

The following virus types are more fully defined in the
comp.virus FAQs (see preamble):

* STEALTH VIRUSES - viruses that go to some length to
  conceal their presence from programs which might notice.
* POLYMORPHIC VIRUSES - viruses that cannot be detected by
  searching for a simple, single sequence of bytes in a
  possibly-infected file, since they change with every
  replication.
* COMPANION VIRUSES - viruses that spread via a file which
  runs instead of the file the user intended to run, and
  then runs the original file. For instance, the file
  MYAPP.EXE might be 'infected' by creating a file called
  MYAPP.COM. Because of the way DOS works, when the user
  types MYAPP at the C> prompt, MYAPP.COM is run instead of
  MYAPP.EXE. MYAPP.COM runs its infective routine, then
  quietly executes MYAPP.EXE. N.B. this is not the *only*
  type of companion (or 'spawning') virus.
* ARMOURED VIRUSES - viruses that are specifically written
  to make it difficult for an antivirus researcher to find
  out how they work and what they do.
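
The companion virus entry above rests on one rule of DOS command-name
resolution: within a directory, NAME.COM is tried before NAME.EXE, which
is tried before NAME.BAT. The Python below is an added example, not code
from the FAQ or from any anti-virus package: it implements that lookup
order and uses it to list the COM/EXE pairs in a directory listing, the
situation in which a .COM file would be run in place of the .EXE the user
expects. The sample listing and the function names are constructed for
this example; a match is only a candidate for a closer look, since
legitimate software also ships COM/EXE pairs.

```python
# Added example (not from the FAQ): DOS command-name precedence and a
# defensive check for COM/EXE pairs that a simple companion virus would
# create. Sample listing and names are constructed here.
from collections import defaultdict

# DOS tries these extensions, in this order, for a bare command name in
# each directory, so NAME.COM shadows NAME.EXE in the same directory.
DOS_EXT_ORDER = (".COM", ".EXE", ".BAT")


def dos_resolve(command, listing):
    """Return the file DOS would run for `command` given a directory listing
    (a list of filenames), or None if nothing matches. DOS filenames are
    case-insensitive, so the comparison is done in upper case."""
    names = {n.upper(): n for n in listing}
    for ext in DOS_EXT_ORDER:
        key = command.upper() + ext
        if key in names:
            return names[key]
    return None


def find_companion_candidates(listing):
    """Return the (upper-cased) base names that have both a .COM and an
    .EXE in the listing. The .COM shadows the .EXE, which is how the
    companion virus in the FAQ gets itself executed."""
    by_base = defaultdict(set)
    for n in listing:
        base, dot, ext = n.upper().rpartition(".")
        if dot:
            by_base[base].add("." + ext)
    return sorted(b for b, exts in by_base.items()
                  if {".COM", ".EXE"} <= exts)


def shadowed_pairs(listing):
    """Return (shadowing .COM, shadowed .EXE) pairs in their original case."""
    names = {n.upper(): n for n in listing}
    return [(names[b + ".COM"], names[b + ".EXE"])
            for b in find_companion_candidates(listing)]


# Constructed directory listing: MYAPP has both COM and EXE (the FAQ's
# example), RUN has BAT and EXE (not a companion pattern), EDIT is COM only.
SAMPLE_LISTING = ["MYAPP.EXE", "myapp.com", "README.TXT", "EDIT.COM",
                  "SETUP.EXE", "RUN.BAT", "RUN.EXE"]

if __name__ == "__main__":
    for cmd in ("myapp", "setup", "run", "readme"):
        print(f"{cmd:8} -> {dos_resolve(cmd, SAMPLE_LISTING)}")
    print("COM/EXE pairs:", shadowed_pairs(SAMPLE_LISTING))
```

A real check would walk every directory on the PATH as well as the current
directory, since a companion file placed anywhere earlier on the PATH
shadows the intended program in the same way; hidden-attribute or
unusually small .COM files beside an .EXE deserve particular attention.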

(5) How do viruses spread?
==========================

A PC is infected with a boot sector virus (or partition sector
virus) if it is (re-)booted (usually by accident) from an infected
floppy disk in drive A. Boot Sector/MBR infectors are the most
commonly found viruses, and cannot normally spread across a network.
These (normally) spread by accident via floppy disks which may come
from virtually any source: unsolicited demonstration disks,
brand-new software (even from reputable sources), disks used on
your PC by salesmen or engineers, new hardware, or repaired hardware.

A file virus infects other files when the program to which it is
attached is run, and so *can* spread across a network (often very
quickly). They may be spread from the same sources as boot sector
viruses, but also from sources such as Internet FTP sites and
bulletin boards. (This applies also to Trojan Horses.)

A multipartite virus infects boot sectors *and* files. Often,
an infected file is used to infect the boot sector: thus, this is
one case where a boot sector infector could spread across a network.


(6) How can I avoid infection?
==============================

There is no way to guarantee that you will avoid infection. However,
the potential damage can be minimized by taking the following
precautions:

* make sure you have a clean boot disk - test it with whatever (up-to-date!)
  antivirus software you can get hold of, and make sure it is (and stays)
  write-protected. Boot from it and make a couple of copies.
* use reputable, up-to-date and properly-installed anti-virus
  software regularly (see below). If you use a shareware package
  for which payment and/or registration is required, do it. Not only
  does it encourage the writer and make you feel virtuous, it means
  you can legitimately ask for technical support in a crisis.
* do some reading (see below). If you're a home user, you may well
  get an infection sooner or later. If you're a business user, it'll
  be sooner. Either way you'll benefit from a little background.
  If you're a business user you (or your enterprise) need a policy.
* don't rely *solely* on newsgroups like this to get you out of
  trouble: it may be a while before you get a response (especially
  from a moderated group like comp.virus), and the first response
  you act upon may not offer the most appropriate advice for your
  particular problem.
* if you use a shareware/freeware package, make sure you have hard
  copy of the documentation *before* your system falls apart!
* always run a memory-resident scanner to monitor disk access and
  executable files before they're run.
* if you run Windows, a reputable anti-virus package which includes
  DOS *and* Windows components is likely to offer better protection
  than a DOS only package. If you run Windows 95, you need a proper
  Win95 32-bit package for full protection.
* make sure your home system is protected, as well as your work PC.
* check all new systems and all floppy disks when they're brought
  in (from *any* source) with a good virus-scanning program.
* acquire software from reputable sources: 2nd-hand software is
  frequently unchecked and sometimes infected. Bear in mind that
  shrinkwrapped software isn't necessarily unused. In any case,
  reputable firms have shipped viruses unknowingly.
* once formatted, keep floppies write-disabled except when you need
  to write a file to them: then write-disable them again.
* make sure your data is backed up regularly and that the procedures
  for restoring archived data *work* properly.
* scan pre-formatted diskettes before use.
* get to know all the components of the package you're using and
  consider which bits to use and how best to use them. Different
  packages have different strengths: diversifying and mixing and
  matching can, if carefully and properly done, be a good antivirus
  strategy, especially in a corporate environment.
* if a CMOS setting can stop your PC from booting from a disk left in
  drive A, use it (and re-enable floppy booting temporarily when you
  need to clean-boot).

CMOS settings
-------------

  Some CMOSes come with special anti-virus settings.  These are normally
  vague about what they do but typically they write-protect your hard
  disk's boot sector and partition sector (MBR).  This can be some use
  against boot sector viruses but may false alarm when you upgrade your
  operating system.

  One sensible setting to make (if your CMOS allows) is to adjust the
  boot sequence of your PC.  Changing the default boot-up drive order
  from  A: C: to C: will mean that the PC will attempt to boot from drive
  C: even if a floppy disk has been left in drive A:.  This way boot
  sector virus infection can often be avoided.  Remember, however, to set
  your CMOS back temporarily if you ever *do* want to boot clean from
  floppy (for example, when running a cryptographical checksummer
  after a cold boot).

  SCSI controllers have their own BIOS. On some systems, this will 
  override the boot sequence set in CMOS. It's always a good idea
  to check with a (known clean) bootable floppy after you've
  disabled floppy booting that it really is disabled. I don't think
  it's necessary to use the Rosenthal Simulator to do this, thank
  you, Doren.

(7) How does antivirus software work?
=====================================

* Scanner (conventional scanner, command-line scanner, on-demand
  scanner) - a program that looks for known viruses by checking for
  recognisable patterns ('scan strings', 'search strings',
  'signatures').
* TSR scanner - a TSR (memory-resident program) that checks for
  viruses while other programs are running. It may have some of
  the characteristics of a monitor and/or behaviour blocker.
* VxD scanner - a scanner that works under Windows (or perhaps under
  Win 95, or both), which checks for viruses continuously while
  you work.
* Heuristic scanners - scanners that inspect executable files for
  code using operations that might denote an unknown virus.
* Monitor/Behaviour Blocker - a TSR that monitors programs while
  they are running for behaviour which might denote a virus.
* Change Detectors/Checksummers/Integrity Checkers - programs that
  keep a database of the characteristics of all executable files on
  a system and check for changes which might signify an attack by
  an unknown virus.
* Cryptographic Checksummers use an encryption algorithm to lessen
  the risk of being fooled by a virus which targets that particular
  checksummer.
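As an added illustration of the change detector and cryptographic checksummer entries above (not code from the FAQ or from any product it lists), the following builds a baseline of keyed HMAC-SHA256 checksums over a tree of executables and later reports modified, new and missing files. The key, the database file name, the function names and the sample tree are constructed for the example, and Python stands in for the DOS-era tools the FAQ has in mind.

```python
"""Minimal change detector in the style the FAQ describes (section 7).

Added example for this FAQ, not taken from the FAQ or from any product it
names. Step one records a database of every executable's size and a keyed
cryptographic checksum (HMAC-SHA256); step two, ideally run after a cold
boot from the write-protected clean boot disk, recomputes and reports
modified, new and missing executables. Because the checksum is keyed, a
virus that knows the algorithm but not the key cannot adjust an infected
file to match the stored value; the key and the database belong on the
clean boot disk, not on the hard disk being checked. Names such as
EXECUTABLE_EXTS, build_baseline and check are this example's own.
"""
import hashlib
import hmac
import json
import os
import tempfile

# Extensions a DOS-era checksummer would treat as executable.
EXECUTABLE_EXTS = (".COM", ".EXE", ".SYS", ".OVL", ".DLL")


def keyed_digest(data, key):
    """HMAC-SHA256 of data under key, as hex. Unlike a CRC or an unkeyed
    hash, it cannot be recomputed to match without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_baseline(root, key):
    """Walk root and return {relative path: {size, digest}} for every
    executable. Paths use '/' so the database is portable."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.upper().endswith(EXECUTABLE_EXTS):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            db[rel] = {"size": len(data), "digest": keyed_digest(data, key)}
    return db


def save_baseline(db, path):
    """Write the database as JSON (to the clean boot disk in real use)."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(db, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def check(root, baseline, key):
    """Recompute fingerprints and classify differences. A size match with
    a digest mismatch is still 'modified': overwriting infectors keep the
    size, so size alone is never enough."""
    current = build_baseline(root, key)
    report = {"modified": [], "new": [], "missing": []}
    for rel, fp in current.items():
        if rel not in baseline:
            report["new"].append(rel)
        elif not hmac.compare_digest(fp["digest"], baseline[rel]["digest"]):
            report["modified"].append(rel)
    report["missing"] = [rel for rel in baseline if rel not in current]
    for bucket in report.values():
        bucket.sort()
    return report


def demo():
    """Constructed scenario: baseline a tree, then alter it in the ways
    the FAQ's virus types would, and see what the checker reports."""
    key = b"constructed demo key - the real one lives on the clean boot disk"
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "APPS"))
        sample = {  # placeholder bytes, not real programs
            "COMMAND.COM": b"\x00" * 2000,
            "UTIL.EXE": b"MZ" + b"\x00" * 3000,
            "APPS/MYAPP.EXE": b"MZ" + b"\x00" * 8000,
            "NOTES.TXT": b"not executable, not baselined",
        }
        for rel, data in sample.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        db_path = os.path.join(root, "BASELINE.JSN")  # constructed name
        save_baseline(build_baseline(root, key), db_path)
        # An appending file infector grows MYAPP.EXE.
        with open(os.path.join(root, "APPS", "MYAPP.EXE"), "ab") as fh:
            fh.write(b"\x00" * 1200)
        # An overwriting change to COMMAND.COM keeps the size identical.
        with open(os.path.join(root, "COMMAND.COM"), "r+b") as fh:
            fh.seek(100)
            fh.write(b"\x01")
        # A companion .COM appears beside MYAPP.EXE; UTIL.EXE disappears.
        with open(os.path.join(root, "APPS", "MYAPP.COM"), "wb") as fh:
            fh.write(b"\x00" * 600)
        os.remove(os.path.join(root, "UTIL.EXE"))
        return check(root, load_baseline(db_path), key)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {', '.join(paths) or '-'}")
```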

---------------------------------------------------------------------

End of a.c.v. FAQ Part 1 of 4
-- 
 ("`-''-/").___..--''"`-._        George Wenzel
  `6_ 6  )   `-.  (    ).`-.__.`) <gwenzel@gpu.srv.ualberta.ca>
  (_Y_.)'  ._   )  `._ `.``-..-'  Club Secretary & Webmaster,
 _..`--'_..-_/  /--'_.' ,'        University of Alberta Karate Club
(il),-''  (li),'  ((!.-'          http://www.ualberta.ca/~gwenzel/

From csus.edu!newshub.csu.net!news.sdsc.edu!news.tc.cornell.edu!news3.cac.psu.edu!newsserver.jvnc.net!198.138.0.5!newshub.northeast.verio.net!iad-peer.news.verio.net!peer.news.verio.net!newsfeed.cwix.com!18.181.0.26!bloom-beacon.mit.edu!senator-bedfellow.mit.edu!faqserv Thu Apr  1 15:21:23 1999
Path: csus.edu!newshub.csu.net!news.sdsc.edu!news.tc.cornell.edu!news3.cac.psu.edu!newsserver.jvnc.net!198.138.0.5!newshub.northeast.verio.net!iad-peer.news.verio.net!peer.news.verio.net!newsfeed.cwix.com!18.181.0.26!bloom-beacon.mit.edu!senator-bedfellow.mit.edu!faqserv
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Newsgroups: alt.comp.virus,comp.virus,alt.answers,comp.answers,news.answers
Subject: [alt.comp.virus] FAQ Part 2/4
Supersedes: <computer-virus/alt-faq/part2_920815039@rtfm.mit.edu>
Followup-To: alt.comp.virus
Date: 23 Mar 1999 15:19:17 GMT
Organization: none
Expires: 21 Apr 1999 14:47:20 GMT
Message-ID: <computer-virus/alt-faq/part2_922200440@rtfm.mit.edu>
NNTP-Posting-Host: penguin-lust.mit.edu
X-Last-Updated: 1998/04/02
Originator: faqserv@penguin-lust.MIT.EDU
Xref: csus.edu alt.comp.virus:101380 comp.virus:28441 alt.answers:36895 comp.answers:33625 news.answers:142297

Archive-name: computer-virus/alt-faq/part2
Posting-Frequency: Fortnightly
URL: http://www.webworlds.co.uk/dharley/
Maintainer: Co-maintained by David Harley, Bruce Burrell, and George Wenzel 

               alt.comp.virus (Frequently Asked Questions)
               *******************************************

                       Version 1.05: Part 2 of 4
                      Last modified 20th Dec 1997



                    ("`-''-/").___..--''"`-._
                     `6_ 6  )   `-.  (     ).`-.__.`)
                     (_Y_.)'  ._   )  `._ `. ``-..-'
                   _..`--'_..-_/  /--'_.' ,'
                  (il),-''  (li),'  ((!.-'



ADMINISTRIVIA
=============

Disclaimer
----------

This document is an honest attempt to help individuals with computer
virus-related problems and queries. It can *not* be regarded as being
in any sense authoritative, and has no legal standing. The authors
accept no responsibility for errors or omissions, or for any ill effects
resulting from the use of any information contained in this document.

Not all the views expressed in this document are mine, and those views
which *are* mine are not necessarily shared by my employer.

Copyright Notice
----------------

Copyright on all contributions to this FAQ remains with the authors
and all rights are reserved. It may, however, be freely distributed
and quoted - accurately, and with due credit. B-)

++
It may not be reproduced for profit or distributed in part or as
a whole with any product or service for which a charge is made, except 
with the prior permission of the copyright holders. To obtain such 
permission, please contact one of the co-maintainers of the FAQ.

        David Harley  <D.Harley@icrf.icnet.uk>
        Bruce Burrell <bpb@umich.edu>
        George Wenzel <gwenzel@gpu.srv.ualberta.ca>

[Please check out the more detailed copyright notice at the beginning
of Part 1 of the FAQ]

--------------------------------------------------------------------

TABLE OF CONTENTS
=================

        Part 1
        ------

        (1)     I have a virus - what do I do?
        (2)     Minimal glossary
        (3)     What is a virus (Trojan, Worm)?
        (4)     How do viruses work?
        (5)     How do viruses spread?
        (6)     How can I avoid infection?
        (7)     How does antivirus software work?

----->  Part 2
        ------

----->  (8)     What's the best anti-virus software
                      (and where do I get it)?
----->  (9)     Where can I get further information?
----->  (10)    Does anyone know about
                * Mac viruses?
                * UNIX viruses?
                * macro viruses?
                * the AOLGold virus?
                * the PKZip300 trojan virus?
                * the xyz PC virus?
                * the Psychic Neon Buddha Jesus virus?
                * the blem wit virus
                * the Irina virus
                * Ghost
                * General Info on Hoaxes/Erroneous Alerts
----->  (11)    Is it true that...?
----->  (12)    Favourite myths
                * DOS file attributes protect executable files from
                  infection
                * I'm safe from viruses because I don't use bulletin
                  boards/shareware/Public Domain software
                * FDISK /MBR fixes boot sector viruses
                * Write-protecting suspect floppies stops infection
                * The write-protect tab always stops a disk write
                * I can infect my system by running DIR on an infected
                  disk

        Part 3
        ------

        (13) What are the legal implications of computer viruses?

        Part 4
        ------

        (14)    Miscellaneous

        Are there anti-virus packages which check zipped files?
        What's the genb/genp virus?
        Where do I get VCL and an assembler, & what's the password?
        Send me a virus.
        It said in a review.....
        Is it viruses, virii or what?
        Where is alt.comp.virus archived?
        What about firewalls?
        Viruses on CD-ROM.
        Removing viruses.
        Can't viruses sometimes be useful?
        Do I have a virus, and how do I know?
        What should be on a (clean) boot disk?
        How do I know I have a clean boot disk?
        What other tools might I need?
        What are rescue disks?
        Are there CMOS viruses?
        How do I know I'm FTP-ing 'good' software?
        What is 386SPART.PAR?
        Can I get a virus to test my antivirus package with?
        When I do DIR | MORE I see a couple of files with funny names...
        Reasons NOT to use FDISK /MBR
        Why do people write/distribute viruses?
        Where can I get an anti-virus policy?
        Are there virus damage statistics?
        What is NCSA approval?
        What language should I write a virus in?
        No, seriously, what language are they written in?
        [DRD], Doren Rosenthal, the Universe and Everything
        What are CARO and EICAR?
        "Am I idle?" - Yellow Smiley in Win95 System Tray
++      Placeholders [dropped from 1.05 onwards]

++
Supplement: Virus-related FAQs vs. 1.02b [Not currently available]

* The alt.comp.virus FAQ
* The comp.virus/Virus-L FAQ
* The macro-virus FAQ
* The alt.comp.virus mini-FAQ
* The Antiviral Software Evaluation FAQ

-------------------------------------------------------------------

(8) What's the best antivirus software (and where do I get it)?
===============================================================

In case it's not absolutely clear from the following, I can't
possibly answer the first part of this question! There are,
however, some suggestions following for sources of software
and of information on particular packages, comparative reviews etc.
The danger of this approach is that sites, servers, and packages
come and go, and I haven't time to keep track of all these
variables. Some of these URLs have been passed on by trusted
sources, but I haven't the time to check them all out regularly.
If you run into problems, please let me know (by e-mail, please).

Most of the people who post here have their favourites: if you just
ask which is the best, you'll generally get either a subjective
"I like such and such", recommendation of a particular product by
someone who works for that company, or a request to be more specific
about your needs. Some of us who are heavily involved with virus
control favour using more than one package and keeping track of the
market. Don't trust anything you read in the non-technical press.
Don't accept uncritically reviews in the computing press, either:
even highly-regarded IT specialists often have little understanding
of virus issues, and many journalists are specialists only in
skimming and misinterpreting. Magazines like Virus Bulletin and
Secure Computing are much better informed and do frequent comparative
reviews, and are also informative about their testing criteria,
procedures and virus suites. Recently, a number of articles have been
posted here by people who've run their own tests on various packages.
These are often of interest, but should not be accepted uncritically.
(No-one's opinion should be accepted uncritically!)

Valid testing of antivirus software requires a lot of care and
thought, and not all those who undertake it have the resources,
knowledge or experience to do it properly.

You may get a more informed response if you specify what sort of system
you have - DOS, Windows, Win95? XT, AT, 386 or better? Is the system
networked, and are you asking about protecting the whole network?
(What sort of network?) Are you running NT, OS/2 or Win95, any of which
involve special considerations?  Be aware that there is more than one way
of judging the effectiveness of a package - the sheer number of viruses
detected; speed; tendency to false alarms; size (can you run it from a
single floppy when necessary?); types of virus detection & prevention
(not at all the same thing) offered (command-line scanning, TSR scanning,
behaviour blocking, checksumming, access-control, integrity shell etc.);
technical support etc.

++
One possible (but imperfect) measure of a package's efficiency in terms 
of virus detection is NCSA approval. Under the current testing protocol, 
a scanner must detect all viruses on the Wild List plus 90% of NCSA's
full test suite. 

DOS packages available from SimTel etc. include

        F-Prot
        AVP Lite
        McAfee
        TBAV

Most Shareware/Freeware packages can be obtained from SimTel or SimTelNet
via anonymous FTP or WWW, e.g.

  http://www.simtel.net/simtel.net/msdos/virus.html
  ftp://ftp.simtel.net/pub/simtelnet/msdos/virus/
  
For information on mirror sites, a regularly-updated listing can
be found at

  http://www.simtel.net/simtel.net/mirrors.html

Of course, such products can often be obtained direct from the
publisher's WWW or FTP sites too:

F-Prot
http://www.complex.is
ftp://ftp.complex.is

McAfee
http://www.nai.com
ftp://ftp.mcafee.com/

TBAV
http://www.thunderbyte.com/
ftp://ftp.thunderbyte.com/

ChekMate is described by its author as a targeted integrity checker.
It's a potentially useful shareware supplement to a good virus scanner.

  Via anonymous ftp at:
        ftp://ftp.simtel.net/pub/simtelnet/msdos/virus/cm211.zip
  Via HTTP at:
        http://chekware.simplenet.com/cmindex.htm

Commercial
----------

[vendors are invited to supply full contact details and indicate the range
of platforms their product range covers. Let's not overdo the hype, though,
guys.]

There is a pretty comprehensive list of anti-virus developers at

        http://www.virusbtn.com/AVLinks/

(NB Some of the following, though not shareware, can be obtained for
evaluation via anon FTP or WWW.)

Please note, I have not tested or even seen all the packages listed
here, or all the contact data, come to that, and listing here does not
imply recommendation (though I won't list anything I *know* is
rubbish....).

*************

++
Dr. Solomon's Software International

DSAVTK (Dr Solomon's Anti-Virus ToolKit)
[DOS; DOS & Windows; DOS & Win95; NetWare; NT; OS/2; Unix; Mac]
Virus handling workshops.
Access-control, software audit, helpdesk packages.

UK Support: support@uk.drsolomon.com
US Support: support@us.drsolomon.com
UK Tel: +44 (0)1296 318700
USA Tel: +1 617-273-7400
CompuServe: GO DRSOLOMON
Web: http://www.drsolomon.com
FTP: ftp://ftp.drsolomon.com

Evaluation copy of Findvirus scanner available via the Web.

*************

++
F-Prot Pro (DOS, Windows 3.x, Win95, WinNT, NetWare)

There are two flavours of F-Prot Professional, but both use the
same detection engine. Data Fellows' F-Secure uses the F-Prot
-and- AVP scanning engines.

Command Software Systems Inc.
+1 407-575-3200
ftp://ftp.commandcom.com
http://www.commandcom.com/

Data Fellows Ltd.
f-prot@DataFellows.com
ftp://ftp.DataFellows.com
http://www.DataFellows.com

UK:

Portcullis (for Data Fellows) 44-181-868-0098

Command Software UK 44-171-259-5710
command@command.co.uk

More details inc. in PRO.DOC, supplied with the shareware version.


************

IBM AntiVirus:
http://www.av.ibm.com/
800-551-3579 (US only)
800-465-7999
fax: 800-267-5185

************

++ 
Network Associates (Formerly McAfee)
2805 Bowers Ave.
Santa Clara, CA  95051
95054-3107  USA
Voice (408) 988-3832
FAX   (408) 970-9727
BBS   (408) 988-4004
CompuServe ID: 76702,1714 or GO MCAFEE
ftp://ftp.mcafee.com/
http://www.nai.com/
[DOS, Windows, Win95, NetWare, Unix, Mac, NT]

************

NAV (Norton AntiVirus)  [DOS, Windows, Win95, Mac (SAM), NT, NetWare]
http://www.symantec.com/ 
ftp://ftp.symantec.com/
US Support:  541-465-8420
European Support:  31-71-353-111
Australian Support:  61-2-879-6577
AOL:  SYMANTEC

************

AntiViral Toolkit Pro
AVP LITE

(1) USA

   Central Command Inc.
   P.O. Box 856
   Brunswick, Ohio 44212

Phone: 330-273-2820
FAX:   330-220-4129
BBS:   330-220-4036

WWW:   http://www.command-hq.com/

email:  sales@command-hq.com
        support@command-hq.com

(2) Switzerland

E-Mail: info@avp.ch

WWW:    http://www.avp.ch/
BBS:    +41 (0)31 348 1331
FAX:    +41 (0)31 348 1335

************

Sweep   http://www.sophos.com/ 
        ftp://ftp.sophos.com

************

Thunderbyte http://www.thunderbyte.com
            ftp://ftp.thunderbyte.com 

************

Invircible   http://www.invircible-av.com/
            
There is a growing tendency in the UK press to push InVircible as
a one-fits-all solution which renders known-virus scanning obsolete,
while Zvi Netiv and those who support his product have a tendency to 
promote it by attacking the better-known scanners as being a
security risk. While my personal view is that there is a place for
both known-virus scanning and generic solutions, I would suggest 
reading a couple of papers which take an opposing view before putting
all your eggs in the InVircible basket.

	http://www.primenet.com/~mwest/iv-toc.htm
	http://www.primenet.com/~mwest/iv-bill.txt

Discussion on these issues has generated a great deal of heat and 
personal abuse. I have to advise caution when considering using a 
product whose proponents are apt to descend to mudslinging and
unethical advertising practices. 

************

Reflex Magnetics Ltd
31-33 Priory Park Road
London
NW6 7UP
United Kingdom

Tel: +44 (0)171 372 6666
Fax: +44 (0)171 372 2507
BBS: +44 (0)171 372 2584
Email: sales@reflex-magnetics.co.uk

http://www.reflex-magnetics.co.uk/

Disknet access-control/virus control
Diskette duplication.
Security/Virus-control training.

************

Reflex Magnetics Ireland

Unit 24 Johnstown Industrial Centre, Waterford, Ireland.
tel: +353-(0)51-841051   fax: +353-(0)51-841052

        http://www.reflex.ie/

************

NH&A
577 Isham St. # 2-B
New York, NY 10034
Phone:  212-304-9660
Fax:  212-304-9759
CompuServe: 72115,661
Internet: nhirsch@nha.com
URL: http://www.nha.com
BBS:  212-304-9759,,,,,,,3


************

++
Microsoft (Macro Virus fixes) - http://www.microsoft.com
Be advised that Microsoft's command of the macro virus issue is by
no means perfect, and their statements and free software are not
to be trusted uncritically.

++
Microsoft AntiVirus (MSAV), the anti-virus program included with DOS 6.x,
is no longer supported and virus definitions updates are no longer 
available.

++
No system which relies for antivirus protection on MSAV or Central Point
AntiVirus, the package on which it is based, can be considered to be
adequately protected. If you have such a system, change your antivirus
software to something current.

++
There is a paper by Yisrael Radai which documents many of the other
problems with MSAV and CPAV.

   ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/msaveval.zip

************

ViruSafe, ViruSafe-95

The publishers, EliaShim, also maintain a Virus Hot Line via their WWW
site or E-mail (virus@eliashim.co.il).

-------------------------------------------------------------
EliaShim, LTD.                  Computer Security Specialists
5 Haganim st. Haifa 35022                 Tel: +972-4-8516111
ISRAEL                                    Fax: +972-4-8528613
Email: shimon@eliashim.co.il              BBS: +972-4-8516113
URL: http://www.eliashim.com
-------------------------------------------------------------


---------------------------------------------------------------------

VirusNet PC (DOS, Win3.x, Win95) - (File: VNPC.EXE)
VirusNet LAN (DOS, Win3.x, Win95, All Networks) - (File: VNLAN.EXE)
StopLight PC (DOS, Win3.x) - (File: SLELS.EXE)
StopLight for Win95 (Win95, Win3.x, DOS) - (File: Check Site)
StopLight for OS/2 (OS/2, Dual Boot to DOS and Win3.x) 
	- (File: sltmos2.exe)

Safetynet, Inc.
140 Mountain Ave.
Springfield, NJ 07081
201-467-1024 (Sales and Support)
800-OS2-SAFE (Sales and Support in US and Canada)
201-467-1611 (Fax)
201-467-1581 (BBS 28800,n,8,1)
Web: http://www.safetynet.com/
EMail: safety@safetynet.com
CompuServe: GO CIS:SAFE

AntiVirus and security software evals and product updates are available from
the Safetynet Web, FTP, BBS and CompuServe sites.

*****************

MIMESweeper (Mail scanning 'firewall')

Integralis Ltd.
10 Brewery Court
Theale
Berkshire
RG7 5AH
+44(0) 1734 306060
Fax +44(0) 1734 302143
info@integralis.co.uk

US Office in Kirkland, WA.
Phone 206-889-4724.

--------------------------------------

Cybersoft have antivirus products for a variety of Unix
platforms including detection for DOS, Mac and Amiga
malware.

CyberSoft, Inc.
1508 Butler Pike
Conshohoken, Pennsylvania 19428-1322 USA
Voice: +1 (610) 825-4748
Fax +1 (610) 825-6785
Info@cyber.com
http://www.cyber.com (?)


--------------------------------------

NetPro Computing
7150 E Camelback Rd, Suite 100
Scottsdale, AZ 85251 USA

Products:
* PC ScanMaster for Novell/Vines
* Server ScanMaster for Banyan Vines
(Use McAfee VirusScan engine)

General Office: 602.941.3600
Sales: 800.998.5090
International Sales: 602.941.3630
DS Expert Info Line: 800.998.1550
Technical Support: 602.941.3670
FAX: 602.941.3610

On Line:
BBS: 602.941.3620
FTP: ftp://ftp.netpro.com
HTTP: http://www.netpro.com
e-mail: info@netpro.com or 70524,2670@compuserve.com

----------------------------------------------------------------------

++
F/Win is a scanner which is intended as a supplement to your main
scanner: it detects Windows/macro viruses. There is a shareware version
available. More information at:

	http://www.psnw.com/~joe/downfwin.html

F/Win is no longer available in English; the current version is 
only available in German.  

------------------------------------------------------------------------

++
Comprehensive product reviews can sometimes be found at the following
sites, but are not necessarily the latest available.
   
   http://www.virusbtn.com/                        _Virus Bulletin_
   http://www.westcoast.com/                       _Secure Computing_
   http://www.uta.fi/laitokset/virus/              University of Tampere
   ftp://ftp.informatik.uni-hamburg.de/pub/virus/  Virus Test Center
    and  http://agn-www.informatik.uni-hamburg.de/vtc/naveng.htm

and a number of reputable vendors include comparative reviews,
papers on testing etc. on their WWW/FTP servers.

Product reviews and other kewl stuff from Robert Slade:

        telnet://freenet.victoria.bc.ca
        login as guest, give the command "go virus"

	http://www.freenet.victoria.bc.ca/techrev/mnvr.html

For a list of scanners that have received the "NCSA Approved" rating
of the National Computer Security Association in the U.S.A. see

  http://www.ncsa.com/avpdcert.html

The page also explains the certification procedure.

In the event of a *real* tragedy, there are a number of firms which
specialise in data recovery. In the UK, there is

Ontrack Data Recovery Europe (0800-243996) - see below
Authentec (formerly Dr. Solomon's) - 0800-581263/fax 01296-318813
Vogon International - 0118-989-0042/fax 0118-989-0042

In the US, there's Ontrack Computer Systems (parent company of Ontrack
Data Recovery Europe).

Ontrack Data Recovery, Inc.
6321 Bury Drive, Suites 13-21
Eden Prairie, MN  55346
Phone: 612-937-5161
FAX: 612-937-5750
BBS: 612-937-0860
Toll free: 1-800-872-2599

UK
The Pavilions
1 Weston Road, Kiln Lane
Epsom
Surrey KT17 1JG
Toll Free:  0800 24 39 96 (UK only)
From France: 05 90 72 42
International: +44(0)181 974 5522
Fax:  011-441-372-741-441
Tech Support: 011-441-372-747-414

Japan:
Ontrack Data Recovery Japan
182 Shinkoh, Iruma,
Saitama, 358 Japan
Phone: 81 429 32-6365
Fax: 81 429 32-6370
Toll-Free From Japan: 0120-413-374

Germany:
Ontrack Data Recovery GmbH
Hanns-Klemm-Strasse 5
71034 Boeblingen
Germany
Toll free: 0130.815.198
International: 011-49-7031-644-00
Fax: 011-49-7031-644-100

Compuserve: GO DATARECOVERY
W3: http://www.ontrack.com
Email: sales@ontrack.com


DataRescue:
        http://www.datarescue.com/
        info@datarescue.com

Anti-virus/security training/workshops in the UK:

        Dr. Solomon's Software International - live virus workshops
		http://www.drsolomon.com (see above)
        Sophos - 01235-544028 http://www.sophos.com
        Precise Publishing Ltd. 01384-560527
        Reflex Magnetics (see above) - live virus workshops,
          Internet security/hacking, DTI codes of practice.

        Information on similar resources in the US or elsewhere
        would be gratefully received.


(9) Where can I get further information?
========================================

++
The following sites are not regularly checked. Please advise of
any changes which aren't reflected in this document.

ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/

[mirror sites]

ftp://ftp.uu.net/pub/security/virus/
ftp://sunsite.unc.edu/pub/docs/security/hamburg-mirror/virus/

http://www.SevenLocks.com/
Lots of virus descriptions and other security information. Well
worth a look.

 http://www.hitchhikers.net/av.shtml
 http://csrc.ncsl.nist.gov/virus
 http://www.nc5.infi.net/~wtnewton/vinfo/master.html

Virus Bulletin Home Page - vendor contact info, comparative reviews,
review protocol info etc.

        http://www.virusbtn.com

Henri Delger's home page has much useful info and useful links

        HTTP://pages.prodigy.com/virushelp/

VSUM (not highly-rated for its accuracy)
(Try SimTel mirrors, McAfee sites)

Tom Simondi has written a freeware virus tutorial (VTUTOR11.ZIP).

	http://www.cknow.com/

The Scanner is an AV newsletter also available online at 

	http://diversicomm.com/scanner

Try antivirus online at

	http://www.av.ibm.com/

Doug Muth has not only AV links but geek code as well....

	http://www.ot.com/~dmuth/

Bob Rosenberger's Computer Virus Myths Page 

	http://www.kumite.com/myths/

A few Amiga links:

	http://www.cybercity.dk/users/ccc2452/antivirus.html
	http://ftp.uni-paderborn.de/aminet/dirs/util_virus.html
[Antivirus info and programs]
	ftp://ftp.uni-paderborn.de/aminet/util/virus/
According to Dennis Boon, trsivw65.lha has info about 100 or so viruses;
VT_docfiles.lha has info on nearly all Amiga viruses (in German); and
the VIB9508.lha file contains info on all viruses up to August 1995
(in English).


The WildList (List of viruses currently 'in the wild'
maintained by Joe Wells - doesn't include much description)

ftp://ftp.ncsa.com/pub/virus/wildlist
http://www.drsolomon.com/

Most anti-virus packages include some information on common
viruses, too.

Virus Descriptions
------------------

 Dr Solomon's Virus Encyclopedia:
        http://www.drsolomon.com/
 free-form searches from the datafellows F-Prot virus description database:
        http://www.datafellows.com/v-descs/
 The AVP database:
        http://www.datarescue.com/avpbase/
        http://www.avp.ch/avpve/

http://www.datafellows.com/vir-info/              Data Fellows Virus Database
http://www.symantec.com/avcenter/vinfodb.html     Symantec Virus Database
http://www.nai.com/support/techdocs/vinfo/#top    McAfee Virus Database

Virus demonstrations
--------------------

 AVP includes some virus demonstrations, and other
 publishers have demos available.  

 There are also virus simulators, which are not quite the same thing.
 These are sometimes advocated as a means of testing antivirus packages,
 but there are dangers to this approach: after all, a package which
 detects one of these simulators as the virus it simulates is,
 technically, false-alarming.

See section F6 of the Mark 2 Virus-L FAQ, which is rather good on
types and uses of virus simulation.

Books which may be of use:

        Robert Slade's Guide to Computer Viruses - Springer-Verlag
                Pretty good introduction & general resource. Currently
                in its second edition.
        Computers Under Attack (ed. Denning) - Addison-Wesley
                Aging, but some classic texts
        Survivors' Guide to Computer Viruses (ed. Lammer) - Virus Bulletin
                Uneven, but includes useful stuff from Virus Bulletin
        Dr. Solomon's Virus Encyclopedia
                You may from time to time find copies of an older edition
                of this in bookshops, though it's better known as part of
                Dr. Solomon's AntiVirus ToolKit. It's a pretty good guide
                to some of the older viruses.
        A Short Course on Computer Viruses (F. Cohen) - Wiley
                By the man who 'invented' the concept of computer viruses.
                Some aspects are controversial, but a good introduction to
                his work.

The comp.virus FAQ includes pointers to some books.

Useful (but expensive) periodicals:

        Virus Bulletin

                Virus Bulletin Ltd
                21 The Quadrant
                Abingdon
                Oxfordshire
                OX14 3YS

                44 (0) 1234 555139
                Compuserve 100070,1340


        Computers and Security

                Elsevier Advanced Technology
                PO Box 150
                Kidlington
                Oxford
                OX5 1AS

                44 (0) 1865-843666
                a.verhoeven@elsevier.co.uk


Rather cheaper (though still expensive for the non-corporate
non-specialist in security) is the magazine Secure Computing.

        Secure Computing

                West Coast Publishing Ltd.
                William Knox House
                Britannic Way
                Llandarcy
                Swansea
                SA10 6EL
                UK

                44 (0) 1792 324000
                Compuserve 70007,5406


Doubts have been expressed concerning the impartiality or otherwise
of Virus Bulletin, which is a sister company to Sophos, who market
Sweep and other antivirus/security products. VB uses an advisory board
of anti-virus experts from a wide variety of vendors and other
organisations, and its virus statistics are collated monthly from a
variety of sources, not only from Sophos.

Secure Computing, though formerly associated with S&S International, who
market Dr.Solomon's AntiVirus ToolKit and other security products, is
now an independent organization. SC also has input from experts associated
with various vendors and other organisations.


***************************************************************************
* As a regular and reasonably knowledgeable reader of both publications,  *
* I'm personally satisfied that neither displays editorial bias, nor do   *
* I believe that either publication intentionally weights its methodology *
* to the unfair advantage of an affiliated product [DH]                   *
***************************************************************************

The Disaster Recovery Journal (more info & on-line articles)

        http://www.drj.com


(10) Does anyone know about...
==============================

...Mac viruses?
---------------

I have put together an FAQ on Mac/virus issues, now co-maintained
with Susan Lesch, which can be found at:

	http://www.macvirus.com/
	http://www.webworlds.co.uk/dharley/

It's much more up-to-date than this section. 

++
You might also consider checking out my paper for the 1997 Virus
Bulletin Conference "The State of the Macintosh Nation", which is
the most recent and comprehensive document on the subject I know of.

++
There are around 35 Mac-specific viruses that I know of.
There are few macro viruses which have a Mac-specific payload, but 
every one I know of can infect on Macs (and any other platform which 
runs Word 6.x or later).

The best single source of information on Mac system viruses is the 
online help included in the freeware package Disinfectant, which can be
obtained from

        ftp://ftp.acns.nwu.edu/pub/disinfectant
        CompuServe
        GEnie
        America Online
        Calvacom
        Delphi
        BIX
     
Information on Mac viruses is also available from the AntiVirus Catalog/
CARObase (see above).

Mac-specific virus information:

	http://www.datawatch.com
	http://www.symantec.com
	http://www.nai.com
	http://www.webworlds.co.uk/dharley/
	http://www.hyperactivesw.com
	http://ciac.llnl.gov/ciac/CIACVirusDatabase.html/

Disinfectant is an excellent anti-virus package: however, it doesn't catch
much in the way of hypercard infectors or trojans, nor does it detect
Word 6 macro viruses. McAfee have a scanner for the Mac which is based on
Disinfectant: version 2, however, includes detection of trojans, macro
viruses etc. You can get a 30-day evaluation copy from 

	http://www.nai.com/

For other mac packages, try Info-Mac mirrors like:

        ftp://ftp.ucs.ubc.ca/pub/mac/info-mac/vir/

The University of Texas holds the latest versions of Disinfectant and
Gatekeeper, and some documentation on Mac viruses.

        http://wwwhost.ots.utexas.edu/mac/pub-mac-virus.html


Commercial packages include SAM (Symantec AntiVirus for Mac), Virex, and 
Dr. Solomon's AntiVirus ToolKit for Macintosh. Dr. Solomon's for Mac has 
the unusual capacity for detecting PC boot-sector viruses on DOS floppies, 
which could be useful in a mixed environment.

++
Note that Virex has now been purchased by Dr. Solomon's Software.  Info
at http://www.drsolomon.com.


...UNIX viruses? 
----------------

In general, there are virtually no non-experimental UNIX viruses.
There have been a few Worm incidents, most notably the Morris Worm
(a.k.a. the Internet Worm) of 1988.

There are products which scan some Unix systems for PC viruses,
though any machine used as a file server (Novell, Unix etc.) can be
scanned for PC viruses by a DOS scanner if it can be mounted as a
logical drive on a PC running appropriate network client software
such as PC-NFS.

Intel-based PCs running Unix (e.g. Linux, 386BSD, SCO Unix etc.)
can also be infected by a DOS boot-sector virus if booted from an
infected disk. The same goes for other PC-hosted operating systems
such as NetWare.

While viruses are not a major risk on Unix platforms, integrity
checkers and audit packages are frequently used by system administrators
to detect file changes made by other kinds of attack. However, Unix
security is outside the scope of this FAQ (see comp.security.unix).

In fact, such packages generally target PC viruses more than the 
handful of Unix viruses.

CyberSoft sell products for a number of Unix platforms which include
scanning (VFInd) and cryptographic integrity checking. Scanning 
includes PC, Mac and Amiga viruses.

	http://www.cyber.com/

Dr. Solomon's Software Ltd. (formerly S&S) have a scanner
which detects (primarily) DOS viruses on SCO Unix. 

	http://www.drsolomon.com/

McAfee have a scanner for SunOS, Solaris, FreeBSD and Linux, and
offer downloadable evaluation copies.

	http://www.nai.com/

Sophos' Intercheck client-server technology requires a Unix 
which is capable of running DOS emulation. 

	http://www.sophos.com/

Some other out-and-out DOS scanners may work to some extent on a PC 
running emulation, but this is not recommended unless the package is 
specifically configurable to run under these circumstances.

[See also the Unix section in the Virus-L/comp.virus FAQ]

A useful book:

        Practical Unix Security (Garfinkel, Spafford) - O'Reilly

Make sure you get the 2nd edition (retitled "Practical Unix and 
Internet Security")

...macro viruses?
-----------------

Macro viruses spread from files in applications which use
macros capable of being infected, and are limited to the
specific applications for which they were written. This
class of virus is now predominant in computing generally,
and the only significant virus threat on some platforms.

Most current macro viruses and trojans are specific to 
Microsoft Word and Excel: however, many applications, 
not all of them Windows applications, have potentially 
damaging and/or infective macro capabilities too.

Macro languages such as WordBasic and Visual Basic for 
Applications (VBA) are powerful programming languages in
their own right. Word and Excel are particularly vulnerable
to this threat, due to the way in which the macro language
is bound to the command/menu structure in vulnerable versions
of Word, the way in which macros and data can exist in the
same file, and the eccentricities of OLE-2.

++
For further info on macro viruses, you might like to try
the main antivirus vendor sites.

++        
There is an FAQ on the subject by Richard Martin, but it's well
out-of-date.

Try:
        ftp.gate.net/pub/users/ris1/word.faq
++      http://webworlds.co.uk/dharley/

or mail to

        Bd326@TorFree.Net
        Subject: PLEASE SEND FAQ

++[This may not work any longer]

...The AOLgold virus
--------------------

This is actually a trojan. The following is extracted from the CIAC
bulletin (Number G-03).

Apparently, an e-mail message is being circulated that contains an attached
archive file named AOLGOLD.ZIP.  A README file that is in the archive
describes it as a new and improved interface for the AOL online service.
Note that there is no such program as AOLGOLD.  Also, simply reading an
e-mail message or even downloading an included file will not do damage to
your machine.  You must execute (or run) the downloaded file to release
the Trojan and have it cause damage.

If you unzip the archive, you get two files: INSTALL.EXE and README.TXT.
The README.TXT file again describes AOLGOLD as a new and improved interface
to the AOL online service.  The INSTALL.EXE program is a self-extracting ZIP
archive.  When you run the install program, it extracts 18 files onto your
hard drive.

The Trojan program is started by running the INSTALL.BAT file.  The
INSTALL.BAT file is a simple batch file that renames the VIDEO.DRV file to
VIRUS.BAT and then runs it.  VIDEO.DRV is an amateurish DOS batch file that
starts deleting the contents of several critical directories on your C:
drive.

When the batch file completes, it prints a crude message on the screen and
attempts to run a program named DoomDay.EXE.  Bugs in the batch file prevent
the DOOMDAY.EXE program from running.  Other bugs in the file cause it to
delete itself if it is run from any drive but the C: drive.  The programming
style and bugs in the batch file indicate that the Trojan writer appears
to have little programming experience.

You can get this and other CIAC notices from the CIAC Computer Security
Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (128.115.19.53)

...the PKZip trojan virus? 
--------------------------

Most of us prefer to distinguish between trojans and viruses (see Part
1). The threat described in recent warnings is definitely not a virus,
since it doesn't replicate by infection.

There have been at least two attempts to pass off Trojans as an upgrade
to PKZip, the widely used file compression utility. A recent example was
of the files PKZ300.EXE and PKZ300B.ZIP made available for downloading
on the Internet.  An earlier Trojan passed itself off as version 2.0.
For this reason, PKWare have never released a version 2.0 of PKZip:
presumably, if they ever do release another DOS version (unlikely, at
this date, in my opinion), it will not be numbered version 3.0(0).
In fact, there are hardly any known cases of someone downloading and
being hit by this Trojan, which few people have seen (though most
reputable virus scanners will detect it). As far as I know, this Trojan
was only ever seen on warez servers (specialising in pirated software).

There are recorded instances of a fake PKZIP vs. 3 found infected with
a real live in-the-wild file virus, but this too is very rare.
To the best of my knowledge, the latest version of PKZip is 2.04g,
or 2.50 for Windows.

++
There was a version 2.06 put together specifically for IBM internal
use only (confirmed by PKWare). If you find it in circulation, avoid
it. It's either illicit or a potentially damaging fake.

The recent rash of resuscitated warnings about this is at least in part
a hoax. It's not a virus, it's a trojan. It doesn't (and couldn't)
damage modems, V32 or otherwise, though I suppose a virus or trojan might
alter the settings of a modem - if it happened to be on and connected....
I don't want to get into hypothetical arguments about programmable 
modems right now. It appears to delete files, not destroy disks irrevocably.

It's certainly a good idea to avoid files claiming to be PKZip vs. 3,
but the real risk hardly justifies the bandwidth this alert has
occupied over the last year or so.

...xyz PC virus?
----------------

There are several thousand known PC viruses, and the number 'in the
wild' is in the hundreds. It is not practical to include information
about all of these in this FAQ. However, information about some or
most of those which regularly get asked about may shortly (Real Soon
Now) be available in a separate document. Meanwhile, sources of
information on specific viruses are included in the preceding sections.

There are rarely enquiries about viruses on other computing platforms
raised in alt.comp.virus, but there is some information concerning
viruses on most platforms available at the Virus Test Center in Hamburg.

ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/catalog/
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/carobase/

The following sites also have virus descriptions listed alphabetically:

http://www.DataFellows.com/
http://www.drsolomon.com

...the Psychic Neon Buddha Jesus virus?
---------------------------------------

This is an allegedly humorous bit of javascript programming that found
its way onto a website. On clicking on a particular button, you may be
told that this virus has been detected. Javascript has many interesting
properties, but virus detection is not one of them. It's a joke.

...the blem wit virus?
----------------------

See the Virus-L FAQ. Basically, it's a mangled message that may come
up with older Novell drivers "[pro]blem wit[h]....."

The Irina Virus?
----------------

Publicity stunt generated by Penguin Books to promote their 
'interactive novel'. More info in the 'Viruses and the Mac'
FAQ, a CIAC bulletin on hoax and semi-hoax viruses, the
Computer Virus Myths website, www.drsolomon.com and many other
sources.

++ GHOST
   -----

Just a screensaver...... More info in the CIAC bulletin 
mentioned above. 

++
General Info on Hoaxes/Erroneous Alerts
---------------------------------------

The CIAC updated bulletin mentioned several times above is
at:

        http://ciac.llnl.gov/ciac/bulletins/h-05.shtml

It includes info on the alerts mentioned below, some historical
background, and suggestions on validating hoaxes rather than
passing them on uncritically.

CIAC have now set up a hoaxes web page at:

	http://ciac.llnl.gov/ciac/CIACHoaxes.html

-----------------extract-------------------------------

                                           INFORMATION BULLETIN

H-05 Internet Hoaxes: PKZ300, Irina,
Good Times, Deeyenda, Ghost

November 20, 1996 16:00 GMT


PROBLEM:       This bulletin addresses the following hoaxes and erroneous
               warnings: PKZ300 Warning, Irina, Good Times, Deeyenda, and
               Ghost.exe
PLATFORM:      All, via e-mail
DAMAGE:        Time lost reading and responding to the messages
SOLUTION:      Pass unvalidated warnings only to your computer security
               department or incident response team. See below on how to
               recognize validated and unvalidated warnings and hoaxes.

VULNERABILITY   New hoaxes and warnings have appeared on the Internet and old
ASSESSMENT:     hoaxes are still being circulated.

---------------------end extract--------------------------------

Mini-paper on "Dealing with Internet hoaxes":

	http://webworlds.co.uk/dharley/

The Computer Virus Myths page has lots of information on various hoaxes:

	http://www.kumite.com/myths/

(11) Is it true that....?
=========================

  (*or* some favourite hoaxes...)

(1) There is *no* Good Times virus that trashes your hard disk
    and launches your CPU into an nth-complexity binary loop when
    you read mail with "Good Times" in the Subject: field.

 You can get a copy of Les Jones' FAQ on the Good Times Hoax from:

  On the World Wide Web:

  http://www.nsm.smcm.edu/News/GTHoax.html

    There *is* at least one file virus christened Good Times
    by the individual who posted it in an attempt to cause
    confusion. It is more commonly referred to as GT-spoof.

(2) There is no modem virus that spreads via an undocumented
    subcarrier - whatever that means....

(3) Any file virus can be transmitted as an E-mail attachment.
    However, the virus code has to be executed before it actually
    infects. Sensibly configured mailers don't usually allow this
    by default and without prompting, but certainly some mailers
    can support this: for instance, cc:mail can, it seems, launch
    attachments straight into AmiPro.

[further information on this or other potentially dangerous
associations would be gratefully received]

    There's room for a lot of discussion here. The jury is still
    out on web browsers: Netscape can certainly be set up to do
    things I don't approve of, such as opening a Word document in
    Word without asking.

    Microsoft have made available a Word viewer which reads Word
    files, but doesn't run attached macros. If possible, use this
    instead.

    The term 'ANSI bomb' usually refers to a mail message or other
    text file that takes advantage of an 'enhancement' to the MS-DOS
    ANSI.SYS driver which allows keys to be redefined with an
    escape sequence, in this case to echo some potentially
    destructive command to the console. In fact, few systems
    nowadays run programs which need ANSI terminal emulation to run,
    and there's no guarantee that the program reading the file would
    pass such an escape sequence unfiltered to the console anyway.
    There are plenty of PD or shareware alternatives to ANSI.SYS that
    don't support keyboard redefinition, or allow it to be turned off.

    The term mail bomb is usually applied to the intentional
    bombardment of an e-mail address with multiple copies of a
    (frequently abusive) message, rather than to the above.

    See SimTel/keyboard on sites carrying a SimTel mirror.

(4) There is no known way in which a virus could sensibly be spread
    by a graphics file such as a JPEG or .GIF file, which does not
    contain executable code. Macro viruses work because the files to
    which they are attached are not 'pure' data files.

(5) In general, software cannot physically damage hardware - this
    includes viruses. There is a possibility that specific hardware
    may be damaged by specific code: however, a virus which drops
    a particular payload on the offchance that it's running on a
    system with a particular type of obsolete video card seems more
    than usually futile.
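The 'ANSI bomb' described under item (3) above relies on the ANSI.SYS key-redefinition sequence, which has the form ESC [ code ; string ; ... p (the trailing 'p' is what distinguishes it from ordinary colour or cursor sequences). The following added example, written for this edit and not part of the original FAQ, shows the kind of filter a viewer or mail gateway could apply: it lists any key redefinitions a text contains and strips them while leaving harmless sequences alone. The sample message is constructed, and the key rebinding in it only types a harmless echo.

```python
import re

ESC = "\x1b"
# One ANSI control sequence: ESC [ parameters final-byte. ANSI.SYS lets the
# parameters of a key-redefinition sequence contain quoted strings, so the
# parameter class here is wider than the plain digits-and-semicolons of ECMA-48.
CSI = re.compile(r'\x1b\[((?:"[^"]*"|\'[^\']*\'|[0-9;])*)([\x40-\x7e])')
# Parameter tokens: a quoted string or a decimal number (ASCII code or scancode)
TOKEN = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\d+)')


def decode_params(params):
    """Turn the parameter text into a list of ("num", n) / ("str", s) tokens."""
    tokens = []
    for m in TOKEN.finditer(params):
        if m.group(3) is not None:
            tokens.append(("num", int(m.group(3))))
        else:
            tokens.append(("str", m.group(1) if m.group(1) is not None else m.group(2)))
    return tokens


def find_key_redefinitions(text):
    """Return (key, replacement) pairs for each ESC[...p sequence in text.

    ANSI.SYS syntax is ESC[code;string;...p: the first parameter names the
    key (0;nn for an extended scancode, otherwise an ASCII code or a quoted
    character); the rest is what the key will type once redefined.
    """
    found = []
    for m in CSI.finditer(text):
        if m.group(2) != "p":
            continue
        tokens = decode_params(m.group(1))
        if not tokens:
            continue
        if tokens[0] == ("num", 0) and len(tokens) > 1 and tokens[1][0] == "num":
            key, rest = "scancode:%d" % tokens[1][1], tokens[2:]
        elif tokens[0][0] == "num":
            key, rest = "ascii:%d" % tokens[0][1], tokens[1:]
        else:
            key, rest = "char:" + tokens[0][1], tokens[1:]
        replacement = "".join(t[1] if t[0] == "str" else chr(t[1]) for t in rest)
        found.append((key, replacement))
    return found


def strip_key_redefinitions(text):
    """Remove ESC[...p sequences and leave every other sequence (colours,
    cursor movement) untouched, so the filter can sit in front of a viewer."""
    return CSI.sub(lambda m: "" if m.group(2) == "p" else m.group(0), text)


# Constructed sample message: harmless colour codes plus one sequence that
# would rebind F1 (extended scancode 59) to type a string and press Enter.
SAMPLE = ("Hello,\r\n" + ESC + "[31mcoloured but harmless" + ESC + "[0m\r\n"
          + ESC + '[0;59;"ECHO redefined";13p' + "Bye.\r\n")

if __name__ == "__main__":
    for key, what in find_key_redefinitions(SAMPLE):
        print("key %s would type %r" % (key, what))
    print(repr(strip_key_redefinitions(SAMPLE)))
```

As the FAQ notes, the sequence only does anything if the program displaying the text passes it through to a console driver that honours key redefinition; the filter above is cheap insurance for the cases where that is not known.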


(12) Favourite myths
====================

* DOS file attributes protect executable files from infection

  File attributes are set by software, and can therefore be
  changed by software, including viruses. Many viruses reset a
  ReadOnly/System/Hidden file to Read/Write, infect it, and
  often reset it to the original attributes afterwards.

  This also applies to other software mechanisms such as
  simulating hardware write-protection on a hard disk.

  However, file protection rights in NetWare *can* help to
  contain virus infections, if set up properly, as can
  trustee rights. [Trustee assignments govern whether an
  individual user has right of access to a subdirectory: the
  Inherited Rights Mask governs the protection rights of
  individual files and (sub)directories.]

  Basically, a file virus has the same rights of access as the
  user who happens to inadvertently activate it.

  Setting up these levels of security is really a function
  of the network Administrator, but you might like to check
  (politely) that yours is not only reassuringly paranoid but
  also knowledgeable about viruses as well as networks, since a
  LAN which is not, in this respect, securely configured, can
  result in very rapid infection and reinfection of files
  across the whole LAN. In particular, accounts with supervisor
  equivalence can, potentially, be the unwitting cause of very
  rapid dissemination of viruses.

  [See also the comp.virus FAQ (version 2) section D]

* I'm safe from viruses because I don't use bulletin boards/shareware/
  Public Domain software.

  Many of the most widely-spread viruses are Boot Sector Infectors,
  which can't normally infect over a serial or network connection.
  Writers of shareware, freeware etc. are no more prone to accidental
  infection than commercial publishers, and possibly less. The only
  'safe' PC is still in its original wrapping (which doesn't mean
  it isn't already infected...) And don't forget that shrinkwrapped
  software may have been rewrapped.

* FDISK /MBR fixes boot sector viruses.

  The mark II comp.virus FAQ is worth reading on this (see Part 1
  of this FAQ).

  In brief, don't use FDISK /MBR *unless* you're *very* sure of what
  you're doing, as you may lose data. Note also that if you set up the
  drive with a disk manager such as EZDrive, you won't be able to access
  the drive until and unless you can reinstall it.

******************************************************************

(i) What does FDISK /MBR do?
    ------------------------

  It places "clean" partition code onto the partition of your hard disk.
  It does not necessarily change the partition information, however.  
  [It does sometimes, and when it does it is usually fatal (for the
  common user, anyway). FDISK /MBR will wipe the partition table data if
  the last two bytes of the MBR are not 55 AA.]
  
  The /MBR command-line switch is not officially documented and was 
  introduced in DOS 5.0

(ii) What is the partition?
     ----------------------

  The partition sector is the first sector on a hard disk.  It contains
  information about the disk such as the number of sectors in each
  partition, where the DOS partition starts, plus a small program. The
  partition sector is also called the "Master Boot Record" (MBR).

  When a PC starts up it reads the partition sector and executes the
  code it finds there.  Viruses that use the partition sector modify
  this code.

  Since the partition sector is not part of the normal data storage
  part of a disk, utilities such as DEBUG will not allow access to it.

[Unless one assembles into memory]

  Floppy disks do not have a partition sector.

  FDISK /MBR will change the code in a hard disk partition sector.


(iii) What is a boot sector?
      ----------------------

  The boot sector is the first sector on a floppy disk.  On a hard disk
  it is the first sector of a partition. It contains information about
  the disk or partition, such as the number of sectors, plus a small
  program.

  When the PC starts up it attempts to read the boot sector of a disk in
  drive A:.  If this fails because there is no disk it reads the boot
  sector of drive C:.  A boot sector virus replaces this sector with its
  own code and usually moves the original elsewhere on the disk.

  Even a non-bootable floppy disk has executable code in its boot sector.
  This displays the "not bootable" message when the computer attempts to
  boot from the disk.  Therefore, non-bootable floppies can still contain
  a virus and infect a PC if it is inserted in drive A: when the PC
  starts up.

  FDISK /MBR will not change the code in a hard disk boot sector.  Most
  boot sector viruses infect the partition sector of hard disks and
  floppy disk boot sectors: most do not infect the boot sector of a hard
  disk - Form virus is an exception.

(iv) How can I remove a virus from my hard disk's partition sector?
     --------------------------------------------------------------

  There are two main alternatives: run an anti-virus product, or use
  FDISK /MBR.

  Most effective anti-virus products will be able to remove a virus from
  a partition sector, but some have difficulties under certain
  circumstances.  In these cases the user may decide to use FDISK /MBR.

  Unless you know precisely what you are doing this is unwise.  You may
  lose access to the data on your hard disk if the infection was done by
  a virus such as Monkey or OneHalf.

(v) Won't formatting the hard disk help?
    ------------------------------------

  Not necessarily.  Formatting the hard disk can result in everything 
  being wiped from the drive *apart* from the virus.  Format leaves 
  the partition sector untouched.  There is always a better way of 
  removing a virus infection than formatting the hard disk.

[Clarification: FORMAT alters the DOS partition, but leaves the
*partition sector*, aka MBR, alone.]

******************************************************************
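The layout the boxed section (i)-(v) describes can be checked directly: the partition sector is 446 bytes of code, four 16-byte partition entries, and the two signature bytes 55 AA. The following is an added example written for this edit, not code from the FAQ or from FDISK; it parses such a sector, keeps a digest of the code area so a later change (the kind a partition-sector virus makes) can be spotted, and models the FDISK /MBR rule stated in (i): the partition table survives only if the signature is intact. The 512-byte sector is constructed in the script and is not from a real disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_LEN = 446          # bytes 0..445: boot code (what FDISK /MBR replaces)
TABLE_OFF = 446         # bytes 446..509: four 16-byte partition entries
SIG_OFF = 510           # bytes 510..511: the 55 AA signature
SIGNATURE = b"\x55\xAA"


def parse_mbr(sector):
    """Split a 512-byte sector into a signature check and its partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        entry = sector[TABLE_OFF + 16 * i: TABLE_OFF + 16 * (i + 1)]
        # boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, length
        boot, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:                      # type 0 marks an unused slot
            partitions.append({"slot": i, "bootable": boot == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": count})
    return {"signature_ok": sector[SIG_OFF:] == SIGNATURE,
            "partitions": partitions}


def boot_code_digest(sector):
    """SHA-256 of the code area only. Record it while the disk is known clean;
    a later mismatch means the partition code was rewritten, whether or not a
    scanner knows the particular virus responsible."""
    return hashlib.sha256(sector[:CODE_LEN]).hexdigest()


def rewrite_boot_code(sector, clean_code):
    """Model of FDISK /MBR as section (i) describes it: the code area is
    replaced; the partition table is kept only when the 55 AA signature is
    present, otherwise the table is lost too (modelled here as zeroing it)."""
    if len(clean_code) != CODE_LEN:
        raise ValueError("boot code must be %d bytes" % CODE_LEN)
    if sector[SIG_OFF:] == SIGNATURE:
        return clean_code + sector[TABLE_OFF:SIG_OFF] + SIGNATURE
    return clean_code + bytes(SIG_OFF - TABLE_OFF) + SIGNATURE


def build_sample_mbr(code_fill=0x90, signature=SIGNATURE):
    """Constructed sample sector: NOP-filled code, one bootable FAT16 partition
    starting at LBA 63 and 65536 sectors long, the other three slots empty."""
    code = bytes([code_fill]) * CODE_LEN
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xfe\x3f\x7f", 63, 65536)
    return code + entry + bytes(48) + signature


if __name__ == "__main__":
    mbr = build_sample_mbr()
    print(parse_mbr(mbr))
    print("clean code digest:", boot_code_digest(mbr))
    damaged = build_sample_mbr(signature=b"\x00\x00")
    print("after /MBR on a sector without 55 AA:",
          parse_mbr(rewrite_boot_code(damaged, bytes(CODE_LEN))))
```

Two caveats follow from the text itself: a virus such as Form, which lives in the partition's boot sector rather than the partition sector, never touches the bytes this parser looks at; and a virus that keeps the table elsewhere or encrypts it (the FAQ names Monkey and OneHalf) can leave the 64-byte table looking valid while the disk is unreadable once the original code is replaced.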

* Write protecting suspect floppies stops infection.

This sounds so silly I hesitate to include it. I've never seen it said
on a.c.v., but I've heard it so often in other contexts, I've included
it anyway. Write-protecting a suspect floppy will only protect that
diskette from *re-infection*, if it's already infected. It won't stop
an infected floppy from infecting other (write-enabled) drives.

If you boot with a disk in drive A which is infected with a boot-sector
virus, the fact that the diskette is write-protected will make no
difference at all.

Write-protecting a *clean* floppy will indeed prevent it from being
infected (but see below!).

* The write protect tab always stops a disk write

Briefly, write protection is built into the hardware on the Mac and
on the PC (and most other systems, of course, but we can't cover
everything), and can't be circumvented in software.

However, it is possible for the hardware to fail: it's not common,
but it happens. Thus when I do a cleanup, I try to create a file on a
sacrificial floppy before risking my R/O boot disk. Sometimes, I
even remember....

Other caveats: a disk which you receive write-protected could have
been de-protected, infected, and re-protected. Even a 3.5" disk with
the write-enable tab removed can be written to by covering the hole
with (e.g.) masking tape. And, of course, shrink-wrapped software
could have been infected before the duplication process.

* I can infect my system by running DIR on an infected disk

If you have a clean PC system, you can't contract a boot sector virus
*or* a file virus just by listing the files on an infected floppy.
Of course, if your PC is infected, you may well infect a *clean* floppy
by using

        DIR A:

It *is* possible to have a scanner report a virus in memory after a
DIR of a floppy with an infected boot sector. The distinction here is
that the virus is not actually loaded into memory, so the PC has
*not* been infected.

-----------------------------------------------------------------------

End of a.c.v. FAQ part 2
-- 
 ("`-''-/").___..--''"`-._        George Wenzel
  `6_ 6  )   `-.  (    ).`-.__.`) <gwenzel@gpu.srv.ualberta.ca>
  (_Y_.)'  ._   )  `._ `.``-..-'  Club Secretary & Webmaster,
 _..`--'_..-_/  /--'_.' ,'        University of Alberta Karate Club
(il),-''  (li),'  ((!.-'          http://www.ualberta.ca/~gwenzel/

From csus.edu!newshub.csu.net!nntp.csuchico.edu!xmission!newsfeed.berkeley.edu!su-news-hub1.bbnplanet.com!cam-news-feed5.bbnplanet.com!news.gtei.net!bloom-beacon.mit.edu!senator-bedfellow.mit.edu!faqserv Thu Apr  1 15:21:24 1999
Path: csus.edu!newshub.csu.net!nntp.csuchico.edu!xmission!newsfeed.berkeley.edu!su-news-hub1.bbnplanet.com!cam-news-feed5.bbnplanet.com!news.gtei.net!bloom-beacon.mit.edu!senator-bedfellow.mit.edu!faqserv
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Newsgroups: alt.comp.virus,comp.virus,alt.answers,comp.answers,news.answers
Subject: [alt.comp.virus] FAQ Part 3/4
Supersedes: <computer-virus/alt-faq/part3_920815039@rtfm.mit.edu>
Followup-To: alt.comp.virus
Date: 23 Mar 1999 15:19:38 GMT
Organization: none
Expires: 21 Apr 1999 14:47:20 GMT
Message-ID: <computer-virus/alt-faq/part3_922200440@rtfm.mit.edu>
NNTP-Posting-Host: penguin-lust.mit.edu
X-Last-Updated: 1998/04/02
Originator: faqserv@penguin-lust.MIT.EDU
Xref: csus.edu alt.comp.virus:101382 comp.virus:28443 alt.answers:36897 comp.answers:33627 news.answers:142300

Archive-name: computer-virus/alt-faq/part3
Posting-Frequency: Fortnightly
URL: http://www.webworlds.co.uk/dharley/
Maintainer: Co-maintained by David Harley, Bruce Burrell, and George Wenzel 


               alt.comp.virus (Frequently Asked Questions) 
               *******************************************
 
                       Version 1.05: Part 3 of 4
                      Last modified 20th Dec 1997
 


                    ("`-''-/").___..--''"`-._
                     `6_ 6  )   `-.  (     ).`-.__.`)
                     (_Y_.)'  ._   )  `._ `. ``-..-'
                   _..`--'_..-_/  /--'_.' ,'
                  (il),-''  (li),'  ((!.-'




ADMINISTRIVIA
=============
	
Disclaimer
----------

This document is an honest attempt to help individuals with computer
virus-related problems and queries. It can *not* be regarded as being
in any sense authoritative, and has no legal standing. The authors
accept no responsibility for errors or omissions, or for any ill effects
resulting from the use of any information contained in this document.

Not all the views expressed in this document are mine, and those views
which *are* mine are not necessarily shared by my employer.

Copyright Notice
----------------

Copyright on all contributions to this FAQ remains with the authors
and all rights are reserved. It may, however, be freely distributed
and quoted - accurately, and with due credit. B-)

++
It may not be reproduced for profit or distributed in part or as a whole
with any product or service for which a charge is made, except with
the prior permission of the copyright holders. To obtain such permission,
please contact one of the co-maintainers of the FAQ.

        David Harley  <D.Harley@icrf.icnet.uk>
        Bruce Burrell <bpb@umich.edu>
        George Wenzel <gwenzel@gpu.srv.ualberta.ca>

[Please check out the more detailed copyright notice at the beginning
of part 1 of the FAQ]

------------------------------------------------------------------------

TABLE OF CONTENTS
*****************

	Part 1
        ------

	(1)	I have a virus - what do I do?
	(2)	Minimal glossary
	(3)	What is a virus (Trojan, Worm)? 
	(4)	How do viruses work?
	(5)	How do viruses spread?
	(6)	How can I avoid infection?
	(7)	How does antivirus software work? 

	Part 2
	------

	(8)  	What's the best anti-virus software 
	  		(and where do I get it)?
	(9)	Where can I get further information?
	(10) 	Does anyone know about 
		* Mac viruses?
		* UNIX viruses?
		* macro viruses?
		* the AOLGold virus?
		* the PKZip trojan virus?
		* the xyz PC virus?
		* the Psychic Neon Buddha Jesus virus?
		* the blem wit virus?
		* the Irina virus
		* Ghost
		* General Info on Hoaxes/Erroneous Alerts
	(11)	Is it true that...?
	(12)	Favourite myths
		* DOS file attributes protect executable files from
		  infection
		* I'm safe from viruses because I don't use bulletin
		  boards/shareware/Public Domain software
		* FDISK /MBR fixes boot sector viruses
		* Write-protecting suspect floppies stops infection
		* The write-protect tab always stops a disk write
		* I can infect my system by running DIR on an infected
		  disk

----->	Part 3
	------

----->	(13) What are the legal implications of computer viruses?

	Part 4
	------

	(14)	Miscellaneous

        Are there anti-virus packages which check zipped files?
        What's the genb/genp virus?
        Where do I get VCL and an assembler, & what's the password?
        Send me a virus.
        It said in a review......
        Is it viruses, virii or what?
        Where is alt.comp.virus archived?
        What about firewalls?
        Viruses on CD-ROM.
        Removing viruses.
        Can't viruses sometimes be useful?
        Do I have a virus, and how do I know?
        What should be on a (clean) boot disk?
	How do I know I have a clean boot disk?
        What other tools might I need?
        What are rescue disks?
        Are there CMOS viruses?
        How do I know I'm FTP-ing 'good' software?
        What is 386SPART.PAR?
        Can I get a virus to test my antivirus package with?
        When I do DIR | MORE I see a couple of files with funny names...
	Reasons NOT to use FDISK /MBR
	Why do people write/distribute viruses?
	Where can I get an anti-virus policy?
        Are there virus damage statistics?
	What is NCSA approval
        What language should I write a virus in?
        No, seriously, what language are they written in?
        [DRD], Doren Rosenthal, the Universe and Everything
        What are CARO and EICAR?
        "Am I idle?" - Yellow Smiley in Win95 System Tray
	Placeholders [section now dropped]

++
Supplement: Virus-related FAQs vs. 1.02b [not currently available]

* The alt.comp.virus FAQ
* The comp.virus/Virus-L FAQ
* The macro-virus FAQ       
* The alt.comp.virus mini-FAQ
* The Antiviral Software Evaluation FAQ
               
-------------------------------------------------------------------

(13) What are the Legal Implications of Computer Viruses? 
=========================================================

**********************************************************************
The material in this section has no formal legal standing. It consists
of several persons' attempts to interpret and clarify the legal
issues, and cannot possibly be authoritative.  If you want bona-fide
legal advice, seek a qualified lawyer.
**********************************************************************

Overview
--------

It isn't possible to deal briefly with all the relevant legislation in 
one country, let alone all of them. In the USA, local statutes may be
much more rigorous than federal legislation, which is, arguably, more
concerned with computers in which the government has an interest than 
it is with those belonging to individuals.

In many countries, writing of viruses is not an offence in itself, 
whereas in others, not only is this not the case, but distribution, 
even the sharing of virus code between antivirus researchers is, 
at least technically, also an offence. 

Once a virus is released 'into the wild', it is likely to cross 
national boundaries, making the writer and/or distributor answerable 
for his/her actions under a foreign legal system, in a country 
he/she may never have visited.

Where virus writing and distribution may not apply locally in a
particular case, the individual may nevertheless be subject to
civil action: in other words, where you may be held to have
committed no offence, you may still be sued for damage.

Some of the grounds on which virus writing or distribution may be 
found to be illegal (obviously I'm not stating that all these grounds
will apply at all times in all states or countries!) include:

* Unauthorized access - you may be held to have obtained unauthorised
  access to a computer you've never seen, if you are responsible for
  distribution of a virus which infects that machine.
* Unauthorized modification - this could be held to include an infected
  file, boot sector, or partition sector.
* Loss of data - this might include liability for accidental damage as
  well as intentional disk/file trashing. 
* Endangering of public safety
* Incitement (e.g. making available viruses, virus code, information
  on writing viruses, and virus engines) 
* Denial of service 
* Application of any of the above with reference to computer systems or 
  data in which the relevant government has an interest.

One major problem is that some residents of the United States
firmly believe that U.S. law is universal law.  Worse, most of them
have limited knowledge of their own legal system, though the same may
be said of the citizens of many countries.  The idea that a person can be
acquitted of a criminal offence yet still lose a civil suit in 
connection with that same offence strikes most laymen as preposterous, 
yet it does happen in both Canada and the U.S., at least.

Since the law does vary widely from country to country (and even
within countries), it is entirely possible to break the law of another
country, state, province, or whatever, without ever leaving your own;
and since extradition treaties do exist, it's perhaps best to assume
that any act that might be construed as being or causing wilful and
malicious damage to a computer or computer system could get you a
roommate with undesirable tendencies and no social graces. :)

The best advice to give to anyone contemplating a possibly illegal act
would be to contact their local Crown Prosecutor, Crown Attorney, 
District Attorney, or whatever label the local government prosecutor 
wears.  Acting on the advice of one's own attorney doesn't render one 
immune from prosecution, and the cost of defence can be high, even if 
successful.

An extremely biased opinion is that very often attorneys attempt to
provide the answer they believe the client wishes to hear, or give an
opinion in areas where they have no real expertise.  Prosecutors, on
the other hand, tend to look at a particular action in the light of
whether a successful prosecution can be mounted.  If the local Crown
Prosecutor were to suggest that something was a Bad Thing, I should be
extremely nervous about doing it. :)

USA & Canada
------------

The following is an interpretation of the laws in the USA and 
Canada, and has no legal standing as an authoritative document in 
those countries or any other. Relevant legislation in other parts of 
the world may be very different and in some cases far stricter.

Many thanks to David J. Loundy for his assistance with the legalities
regarding computer crime.  A valuable source of information on this
topic can be found in his E-Law paper, which can be accessed
via the URL: 

	http://www.leepfrog.com/E-Law/E-Law/Part_VII.html

It is illegal in both the USA and Canada to damage data within
a computer system which is used or operated by the
government. This means that if you write a virus, and it
eventually infects a government system (highly probable),
you are in violation of the law. Inclusive in this category
are damages incurred due to computer stoppages (i.e.
writing a virus that causes a computer to crash or become
unusable), and viruses that destroy data.

The question of whether writing malevolent computer viruses is
illegal isn't really that hard to answer: it is illegal to write and
spread a virus that infects a government system.  Federal law is
unclear as to whether this extends to private computer systems as
well, but State statutes are frequently unequivocal about defining
virus-related crimes against property.

The question has come up, however, about the distribution
of viruses and virus-related programs.  A general guideline
is that it is legal to distribute viruses, for example, on a BBS,
as long as the people who are downloading the virus know
EXACTLY what they are getting.  If you intentionally infect a
file and make it available for downloading, you may be
subject to prosecution.  Your conscience should be your
guide in this kind of a situation.  If a virus distributed by you
is used to damage or otherwise modify a major system, you can be 
held accountable.

The reason that the explanations in this section are vague
is that the laws in various states, provinces, etc., are
different, and you should check with your local police before
you decide you want to distribute viruses. 

If you spread a virus unknowingly, you generally cannot be
prosecuted unless it can be proven that you spread the
virus due to pure carelessness.  The definition of
carelessness has not been tested in a court of law, as
far as I know at the date of writing (9/22/95).

The UK
------

In the UK, the Computer Misuse Act makes it a crime to make an
unauthorised modification on a computer. If you own a computer, you
can authorise anything you want for that computer, so you can
spread a virus on a computer you own. A virus makes a modification,
so if someone deliberately spreads a virus on someone else's
computer, that's a crime. Giving a virus to someone else isn't a
crime if it's with his/her knowledge and permission, however. So,
sending a diskette with a virus on to an AV company, together with
a note saying "There's a virus on this disk, please investigate it
for me" is legal.

If an action is a crime, then encouraging that action can also be a
crime ("incitement").

If you spread a virus unwittingly, then it isn't a crime, as you
don't have "intent".

If someone is negligent, and so spreads a virus (even unwittingly),
then there could be a civil action for damages through negligence.

The Canadian Criminal Code
--------------------------

Please bear in mind that the following information was culled from the
Criminal Code in 1993 and those sections may have been expanded or 
revised since then, or possibly some computer-specific legislation may
have been enacted of which I am unaware.

No mention is made in the Code (as of 1993) of computer viruses as such, 
but it would seem that prosecution under Sec. 430 would be appropriate.

Quoting from the Code:-

Section 342.1

    (1)  Every one who, fraudulently and without color of right,

      (a) obtains, directly or indirectly, any computer service,

      (b) by means of an electro-magnetic, acoustic, mechanical or
      any other device, intercepts or causes to be intercepted, 
      directly or indirectly, any function of a computer system, or

      (c) uses or causes to be used, directly or indirectly, a
      computer system with intent to commit an offence under 
      paragraph (a) or (b) or an offence under section 430 in
      relation to data or a computer system

is guilty of an indictable offence and liable to imprisonment for a
term not exceeding ten years, or is guilty of an offence punishable
on summary conviction.

    (2)  In this section,

"computer program" means data representing instructions or statements
that, when executed in a computer system, causes the computer system
to perform a function;

"computer service" includes data processing and the storage or
retrieval of data;

"computer system" means a device that, or a group of interconnected
or related devices one or more of which,

      (a) contains computer programs or other data, and

      (b) pursuant to computer programs,

          (i) performs logic and control, and

          (ii) may perform other functions;

"data" means representation of information or of concepts that are
being prepared or have been prepared in a form suitable for use in a
computer system;

"electro-magnetic, acoustic, mechanical or other device" means any
device or apparatus that is used or is capable of being used to
intercept any function of a computer system, but does not include a
hearing aid used to correct subnormal hearing of the user to not
better than normal hearing;

"function" includes logic, control, arithmetic, deletion, storage
and retrieval and communication or telecommunication to, from or
within a computer system;

"intercept" includes listen to or record a function of a computer
system, or acquire the substance, meaning or purport thereof.


---------------  End of Sec. 342.1 ---------------


Apparently the laws governing trespass have not been considered as
having any application in cyberspace.  Offenders under the above 
section would be charged with mischief, which covers a multitude 
of sins under Canadian law.  The penalties stipulated in Sec. 342.1 
are the same as the penalties for sabotage, just as a point of 
interest.

Mischief is covered by Sec. 430:-


Section 430

    (1)  Every one commits mischief who wilfully

      (a) destroys or damages property;

      (b) renders property dangerous, useless, inoperative or
      ineffective;

      (c) obstructs, interrupts or interferes with the lawful use,
      enjoyment or operation of property, or

      (d) obstructs, interrupts or interferes with any person in
      the lawful use, enjoyment or operation of property.


    (1.1)  Every one commits mischief who wilfully

      (a) destroys or alters data;

      (b) renders data meaningless, useless or ineffective;

      (c) obstructs, interrupts or interferes with the lawful use
      of data; or

      (d) obstructs, interrupts or interferes with any person in
      the lawful use of data or denies access to data to any person
      who is entitled to access thereto.


    (2)  Every one who commits mischief that causes actual danger
to life is guilty of an indictable offence and liable to imprisonment
for life.


    (3)  Every one who commits mischief in relation to property
that is a testamentary instrument or the value of which exceeds one
thousand dollars

      (a) is guilty of an indictable offence and liable to
      imprisonment for a term not exceeding ten years; or

      (b) is guilty of an offence punishable on summary conviction.


    (4)  Every one who commits mischief in relation to property,
other than property described in subsection (3),

      (a) is guilty of an indictable offence and liable for
      imprisonment for a term not exceeding two years; or

      (b) is guilty of an offence punishable on summary conviction.


    (5)  Every one who commits mischief in relation to data

      (a) is guilty of an indictable offence and liable to
      imprisonment for a term not exceeding ten years; or

      (b) is guilty of an offence punishable on summary conviction.


    (5.1)  Every one who wilfully does an act or wilfully omits
to do an act that it is his duty to do, if that act or omission is
likely to constitute mischief causing actual danger to life, or to
constitute mischief in relation to property or data,

      (a) is guilty of an indictable offence and liable to
      imprisonment for a term not exceeding five years; or

      (b) is guilty of an offence punishable on summary conviction.


    (6)  No person commits mischief within the meaning of this
section by reason only that

      (a) he stops work as a result of the failure of his employer
      and himself to agree on any matter relating to his
      employment;

      (b) he stops work as a result of his employer and a
      bargaining agent acting on his behalf to agree on any matter
      relating to his employment; or

      (c) he stops work as a result of his taking part in a
      combination of workmen or employees for their own reasonable
      protection as workmen or employees.


    (7)  No person commits mischief within the meaning of this
section by reason that he attends at or near or approaches a
dwelling-house or place for the purpose only of obtaining or
communicating information.


    (8)  In this section, "data" has the same meaning as in
section 342.1.


--------------  End of Sec. 430 -----------------


For the record, from Sec. 785:-

Section 785 (1)

"summary conviction court" means a person who has jurisdiction in the 
territorial division where the subject-matter of the proceedings is 
alleged to have arisen and who

      (a) is given jurisdiction over the proceedings by the
      enactment under which the proceedings are taken,

      (b) is a justice or provincial court judge, where the
      enactment under which the proceedings are taken does not
      expressly give jurisdiction to any person or class of
      persons, or

      (c) is a provincial court judge, where the enactment under
      which the proceedings are taken gives jurisdiction in respect
      thereof to two or more justices;


To the best of my limited knowledge, the Canadian Criminal Code only 
uses the term "incitement" in Sec. 319 (Public incitement of hatred) 
and Sec. 53 (incitement to commit a traitorous or mutinous act).

A prosecutor would probably deal with incitement under Sec. 21
(Parties to offence), Sec. 463 (Attempts), or Sec. 465 (Conspiracy).


Section 21

    (1)  Every one is a party to an offence who

      (a) actually commits it;

      (b) does or omits to do anything for the purpose of aiding
      any person to commit it; or

      (c) abets any person in committing it.


    (2)  Where two or more persons form an intention in common to
carry out an unlawful purpose and to assist each other therein and
any one of them, in carrying out the common purpose, commits an
offence, each of them who knew or ought to have known that the
commission of the offence would be a probable consequence of carrying
out the common purpose is a party to that offence.


--------------- End of Sec. 21 ------------------



"Incite" does get mentioned in Sec. 22:-


Section 22

    (1)  Where a person counsels another person to be a party to
an offence and that other person is afterwards a party to that
offence, the person who counselled is a party to that offence,
notwithstanding that the offence was committed in a way different
from that which was counselled.


    (2)  Every one who counsels another person to be a party to
an offence is a party to every offence that the other commits in
consequence of the counselling that the person who counselled knew or
ought to have known was likely to be committed in consequence of the
counselling.


    (3)  For the purpose of this Act, "counsel" includes procure,
solicit or incite.


-------------- End of Sec. 22 -------------------


Section 23 deals with an accessory after the fact, and I've already
quoted too much, and more to come, but Sections 23.1 and 24 are
interesting.....


Section 23.1

    For greater certainty, sections 21 to 23 apply in respect of
an accused notwithstanding the fact that the person whom the accused
aids or abets, counsels or procures or receives, comforts or assists
cannot be convicted of the offence.


Section 24

    (1)  Every one who, having an intent to commit an offence,
does or omits to do anything for the purpose of carrying out the
intention is guilty of an attempt to commit the offence whether or
not it was possible under the circumstances to commit the offence.


    (2)  The question whether an act or omission by a person who
has an intent to commit an offence is or is not mere preparation to
commit the offence, and too remote to constitute an attempt to commit
the offence, is a question of law.


-------------- End of Sec. 23.1 and 24 ----------


Under Sec. 465 (1)(c) and 465 (1)(d), conspiring to commit an offence
carries the same penalties as the actual commission of the crime.


Under certain circumstances, laws in other countries may be applicable
in cyberspace, where there are no formal territorial boundaries.  For 
instance, Sec. 465 (4) of the Canadian Criminal Code stipulates that every 
one, "while in a place outside Canada" conspires to commit an offence in 
Canada "shall be deemed to have conspired in Canada to do that thing."

Further Information
-------------------

Computer Crime (Icove, Seger, Von Storch) - O'Reilly
Computer Law & Security Report (periodical) - Elsevier Advanced Technology

Dr. Alan Solomon includes information on Hacking and Virus Laws in the
UK and elsewhere on his webpage at:

	http://www.ibmpcug.co.uk/~drsolly

The NCSA have info on individual state legislation at:

	http://www.ncsa.com/ncsalaws/

Try also:

	http://www.law.cornell.edu/


-----------------------------------------------------------------------

End of a.c.v. FAQ Part 3 of 4
-- 
 ("`-''-/").___..--''"`-._        George Wenzel
  `6_ 6  )   `-.  (    ).`-.__.`) <gwenzel@gpu.srv.ualberta.ca>
  (_Y_.)'  ._   )  `._ `.``-..-'  Club Secretary & Webmaster,
 _..`--'_..-_/  /--'_.' ,'        University of Alberta Karate Club
(il),-''  (li),'  ((!.-'          http://www.ualberta.ca/~gwenzel/

From csus.edu!csulb.edu!gatech!cpk-news-hub1.bbnplanet.com!cam-news-feed5.bbnplanet.com!news.gtei.net!bloom-beacon.mit.edu!senator-bedfellow.mit.edu!faqserv Thu Apr  1 15:21:25 1999
Path: csus.edu!csulb.edu!gatech!cpk-news-hub1.bbnplanet.com!cam-news-feed5.bbnplanet.com!news.gtei.net!bloom-beacon.mit.edu!senator-bedfellow.mit.edu!faqserv
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Newsgroups: alt.comp.virus,comp.virus,alt.answers,comp.answers,news.answers
Subject: [alt.comp.virus] FAQ Part 4/4
Supersedes: <computer-virus/alt-faq/part4_920815039@rtfm.mit.edu>
Followup-To: alt.comp.virus
Date: 23 Mar 1999 15:19:45 GMT
Organization: none
Expires: 21 Apr 1999 14:47:20 GMT
Message-ID: <computer-virus/alt-faq/part4_922200440@rtfm.mit.edu>
NNTP-Posting-Host: penguin-lust.mit.edu
X-Last-Updated: 1998/04/02
Originator: faqserv@penguin-lust.MIT.EDU
Xref: csus.edu alt.comp.virus:101381 comp.virus:28442 alt.answers:36896 comp.answers:33626 news.answers:142298

Archive-name: computer-virus/alt-faq/part4
Posting-Frequency: Fortnightly
URL: http://www.webworlds.co.uk/dharley/
Maintainer: Co-maintained by David Harley, Bruce Burrell, and George Wenzel 

               alt.comp.virus (Frequently Asked Questions)
               *******************************************

                       Version 1.05: Part 4 of 4
                      Last modified 20th Dec 1997


                    ("`-''-/").___..--''"`-._
                     `6_ 6  )   `-.  (     ).`-.__.`)
                     (_Y_.)'  ._   )  `._ `. ``-..-'
                   _..`--'_..-_/  /--'_.' ,'
                  (il),-''  (li),'  ((!.-'




ADMINISTRIVIA
=============

Disclaimer
----------

This document is an honest attempt to help individuals with computer
virus-related problems and queries. It can *not* be regarded as being
in any sense authoritative, and has no legal standing. The authors
accept no responsibility for errors or omissions, or for any ill effects
resulting from the use of any information contained in this document.

Not all the views expressed in this document are mine, and those views
which *are* mine are not necessarily shared by my employer.

Copyright Notice
----------------

Copyright on all contributions to this FAQ remains with the authors
and all rights are reserved. It may, however, be freely distributed
and quoted - accurately, and with due credit. 

It may not be reproduced for profit or distributed in part or as a whole
with any product or service for which a charge is made, except with
the prior permission of the copyright holders. To obtain such permission,
please contact one of the co-maintainers of the FAQ.

        David Harley  <D.Harley@icrf.icnet.uk>
        Bruce Burrell <bpb@umich.edu>
        George Wenzel <gwenzel@gpu.srv.ualberta.ca>

[Please check out the more detailed copyright notice at the beginning
of part 1 of the FAQ]

--------------------------------------------------------------------------

TABLE OF CONTENTS
*****************

        Part 1
        ------

        (1)     I have a virus - what do I do?
        (2)     Minimal glossary
        (3)     What is a virus (Trojan, Worm)?
        (4)     How do viruses work?
        (5)     How do viruses spread?
        (6)     How can I avoid infection?
        (7)     How does antivirus software work?

        Part 2
        ------

        (8)     What's the best anti-virus software
                        (and where do I get it)?
        (9)     Where can I get further information?
        (10)    Does anyone know about
                * Mac viruses?
                * UNIX viruses?
                * macro viruses?
                * the AOLgold virus?
                * the PKZip300 trojan virus?
                * the xyz PC virus?
                * the Psychic Neon Buddha Jesus virus?
                * the blem wit virus?
		* the Irina virus
		* Ghost
		* General Info on Hoaxes/Erroneous Alerts
        (11)    Is it true that...?
        (12)    Favourite myths
                * DOS file attributes protect executable files from
                  infection
                * I'm safe from viruses because I don't use bulletin
                  boards/shareware/Public Domain software
                * FDISK /MBR fixes boot sector viruses
                * Write-protecting suspect floppies stops infection
                * The write-protect tab always stops a disk write
                * I can infect my system by running DIR on an infected
                  disk

        Part 3
        ------

        (13) What are the legal implications of computer viruses?

----->  Part 4
        ------

----->  (14)    Miscellaneous

----->  Are there anti-virus packages which check zipped files?
----->  What's the genb/genp virus?
----->  Where do I get VCL and an assembler, & what's the password?
----->  Send me a virus.
----->	It said in a review.....
----->  Is it viruses, virii or what?
----->  Where is alt.comp.virus archived?
----->  What about firewalls?
----->  Viruses on CD-ROM.
----->  Removing viruses.
----->  Can't viruses sometimes be useful?
----->  Do I have a virus, and how do I know?
----->  What should be on a (clean) boot disk?
----->  How do I know I have a clean boot disk?
----->  What other tools might I need?
----->  What are rescue disks?
----->  Are there CMOS viruses?
----->  How do I know I'm FTP-ing 'good' software?
----->  What is 386SPART.PAR?
----->  Can I get a virus to test my antivirus package with?
----->  When I do DIR | MORE I see a couple of files with funny names...
----->  Reasons NOT to use FDISK /MBR
----->  Why do people write/distribute viruses?
----->  Where can I get an Anti-Virus policy?
----->  Are there virus damage statistics?
----->  What is NCSA approval?
----->  What language should I write a virus in?
----->  No, seriously, what language are they written in?	
----->	[DRD], Doren Rosenthal, the Universe and Everything
----->	What are CARO and EICAR?
----->	"Am I idle?" Yellow Smiley in Win95 System Tray
++ ----->  Placeholders [Removed from 1.05]

++
Supplement: Guide to Virus-related FAQs vs. 1.02a [not currently 
available]

* The alt.comp.virus FAQ
* The comp.virus/Virus-L FAQ
* The macro-virus FAQ
* The alt.comp.virus mini-FAQ
* The Antiviral Software Evaluation FAQ

-------------------------------------------------------------------


(14) Miscellaneous
==================

Are there anti-virus packages which check zipped files?
-------------------------------------------------------

An increasing number of packages seem to support checking .ZIP and
other compression formats on the fly. DSAVTK, AVP and NAV/NAV95
support some formats. The number of formats supported may become as
big a selling point as the total number of viruses detected, but for
most of us it's only really an issue if we do a lot of scanning of
CDs, for instance. Even then, it becomes urgent only if you *unpack*
the archive and want to run programs. Compilers of CDs, however,
are *not* entitled to use this as an excuse for not scanning their
collections.

What's the genb/genp virus?
---------------------------

This is McAfee-ese for "You may have an unrecognised ('generic')
boot-sector (genb) or partition-sector (genp) virus". Re-check
with a more recent version or the latest version of another
reputable package.

Where do I get VCL and an assembler, & what's the password?
-----------------------------------------------------------

Wrong FAQ. You don't learn anything about viruses, programming
or anything else from virus toolkits. You want rec.knitting. B-)

I can't believe there's anyone left on the Internet who doesn't
know the VCL password, but I'm not going to tell you anyway.

OK, maybe you want an assembler to learn assembly-language, not
just to rehash prefabricated code. Where do you get TASM?
You buy it from Borland or one of their agents, either stand-alone
or with one of their high-level languages. If you want freeware
or shareware, I guess you can still get the likes of CHASM and
A86 (SimTel mirror sites in SimTel/asm).

Send me a virus
---------------

Anti-virus researchers don't usually share viruses with people
they can't trust. Pro-virus types are often unresponsive to
freeloaders. And why would you *trust* someone who's prepared
to mail you a virus, bona-fide or otherwise? [A high percentage
of the 'viruses' available over the internet are non-replicating
junk.]

Requests for viruses by people 'writing a new anti-virus utility'
are usually not taken too seriously.

* We get rather a lot of such requests, which leads to a certain amount
  of cynicism.
* Writing a utility to detect a single virus is one thing: writing a
  usable, stable, reasonably fast scanner which detects all known
  viruses is a considerable undertaking. There are highly experienced
  and qualified people working more or less full time on adding routines
  to do this to antivirus packages which are already mature, and unless
  you have a distinctly novel approach, you don't have much chance of
  keeping up with them.
* It may be that the research you're interested in has already been done.
  Say what sort of information you're looking for, and someone may be able
  to help.
* You can't afford to use junk 'viruses' for research, and the best
  collections are largely in the hands of people who won't allow
  access to them to anyone without cast-iron credentials.

If you want to test anti-virus software with live viruses, this
is *not* the way to get good virus samples.

Valid testing of antivirus software requires a lot of time, care
and thought and a valid virus test-set. Virus simulators are
unhelpful in this context: a scanner which reports a virus when it
finds one of these is actually false-alarming, which isn't
necessarily what you want from a scanner.

Read Vesselin Bontchev's paper on maintaining a virus library:

  ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/virlib.zip

There have been one or two requests for source code. Assuming you have
the necessary knowledge of programming (especially x86 assembler) and the
PC, this is probably the wrong approach, unless you're a serious
antivirus researcher (in which case you need to sell yourself to the
antivirus research community, and asking for viruses here isn't the
way to earn their trust).

* How can you trust any source code you're sent? Antivirus researchers won't
  send it to you, so you have to rely on the goodwill of a virus writer
  or distributor: not always a good idea. Many so-called viruses picked up
  from CDs, VX websites etc. aren't viruses at all.
* Are you going to examine all 8-9000(-ish) known viruses? Or all the 180-ish
  listed in the WildList? If not, what are your selection criteria going to
  be? How will you tell an insignificant variant from a completely different
  virus type?

Your first task is to understand the general principles, and you won't get
those from snippets of code. If you still need low-level analysis afterwards,
you might like to try
        http://www.virusbtn.com/VirusInformation/
where you can find analyses (without source code) of a number of common
viruses, analysed by experts.

It said in a review....
-----------------------

Reviews in the general computing press are rarely useful. Most
journalists don't have the resources or the knowledge to match
the quality of the reviews available in specialist periodicals like
Virus Bulletin or Secure Computing. Of course, it's possible to
produce a useful, if limited, assessment of a package without
using live viruses, based on good knowledge of the issues involved
(whether the package is NCSA-certified, for instance): unfortunately,
most journalists are unaware of how little they know and have a vested
interest in giving the impression that they know much more than they
do. Even more knowledgeable writers may not make clear the criteria
applied in their review. 


Is it viruses, virii or what?
-----------------------------

The Latin root of virus has no plural form. Since the use of the
word virus is borrowed from biology, you might like to conform to
the usage normally favoured by biologists, doctors etc., which is
viruses. However, a number of people favour the terms virii/viri,
either to avoid confusion with the biological phenomenon (but what's
the point of distinguishing in the plural but not in the singular?),
or to avoid being mistaken for anti-virus researchers.....

Where is alt.comp.virus archived?
---------------------------------

It isn't, as far as anyone seems to know. No-one currently working on
the FAQ is likely to offer archiving, since a full archive would
include uploaded viruses. 

Tom Simondi points out that there is an archive of sorts at DejaNews. You
can search several months of messages by subject at:

     http://www.dejanews.com/

Kevin Marcus has announced that he is archiving alt.comp.virus at:

	ftp://ftp.infospace.com/pub/alt.comp.virus-archives

However, these archives may not be as current as DejaNews.

[Since postings are being archived manually, binaries, source code etc.
will not be available from this site.]

What about firewalls?
---------------------

Firewalls don't generally screen for computer viruses, though version 3
of Checkpoint's Firewall-1 can use a plug-in scanning module based
on Computer Associates/Cheyenne's InocuLAN engine. However, there are
a number of products that scan for viruses at a point either before
or after a "normal" firewall to the Internet (or internally between post
offices). These products can scan incoming and outgoing E-mail
attachments for viruses. MIMESweeper, by Integralis, uses your
favourite scanner (e.g. F-PROT, Thunderbyte, Dr. Solomon's, Sophos,
etc.) to scan for viruses after it has opened up the E-mail
attachments in a secure area on the hard drive of the NT machine.
Obviously, the on-demand scanner is an additional cost.

The scanner is invoked via a "batch" file, so any switches or commands
available to the scanner program(s) can be used, and several scanners
can be run in turn with different switches. If the attachments are
clean, the E-mail is sent on. Files which it cannot scan (unknown
archive or encoding formats, for instance) can be 'quarantined' in the
secure area to be scanned 'by hand' or otherwise disposed of.

MIMESweeper v1.0 reads MIME attachments and recognises ZIP archives,
but does not read other compression formats or binary encoding
formats such as uuencode.

MIMESweeper v2.1 reads MIME attachments and UUENCODE, and recognises
ZIP archives (including ZIPs nested within ZIPs) and OLE, but does not
yet read many other compression or binary encoding formats (CDA, BinHex,
LHA and StuffIt are expected in due course). It runs under NT Workstation
and requires, at minimum, a 486 with 24Mb RAM, 500Mb hard disk, and a
CD-ROM drive (for installation only). It works with cc:Mail, SMTP with
MIME attachments, Microsoft Mail, or MHS.

MIMESweeper 3.0 adds FTP/HTTP but not NNTP. Minimum requirement is
still a 486 with 24Mb, but medium to high volumes will require a
Pentium with 32Mb RAM. WEBSweeper requires NT version 4.0 (apply
Service Pack 4 if accessed via NetWare). MIMESweeper requires TCP/IP
for remote management.

MIMESweeper also has content-filtering abilities which go beyond the
detection of file viruses and trojans that it performs with the help
of other vendors' scanners.

Trend's InterScan VirusWall is similar to MIMESweeper but uses only
Trend's own scanning engine. Trend also scans FTP traffic. It
currently runs on Sun Solaris 2.4-2.5, with an NT version to be
added later.

These products do real scanning before the mail reaches the user's
workstation but, at least until the holes in the above products are
filled, make sure your mail attachments, WWW downloads etc. can't be
automatically executed, and use a good TSR/VxD (on-access scanner) in
combination with a good on-demand scanner. Note that scanning FTP
traffic is likely to add a heavy network overhead and probably won't
catch as many viruses as checking *all* files from *all* sources with a
desktop scanner.
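The flow the gateway products above follow (open the attachments in a
holding area, unpack archives, hand every file to a scanner, pass clean
mail on, quarantine whatever cannot be opened) is shown below in Python,
as an added example rather than anything from Integralis, Trend or the
FAQ's authors. Python is used instead of a DOS batch file so it runs on
any machine; the scanner is a pluggable function, here a toy signature
match on a constructed marker string standing in for a real engine, and
the message, the ZIP-inside-a-ZIP and the corrupt archive are all
constructed inline.

```python
"""Toy mail-gateway attachment check: unpack MIME attachments and nested
ZIPs, run a scanner over every file, quarantine anything that cannot be
opened.  Added example, not MIMESweeper or InterScan code."""
import email
import io
import zipfile
from email.message import EmailMessage
from typing import Callable, Iterator, Tuple

# A scanner returns "" for clean data, else a detection name.  Real gateways
# call a vendor engine here; this demo matches a constructed marker string.
Scanner = Callable[[bytes], str]
DEMO_MARKER = b"CONSTRUCTED-INFECTED-SAMPLE"

def demo_scanner(data: bytes) -> str:
    return "Demo.Infector" if DEMO_MARKER in data else ""

MAX_DEPTH = 4  # stop recursing into archives nested deeper than this

def unpack(name: str, data: bytes, depth: int = 0) -> Iterator[Tuple[str, bytes, str]]:
    """Yield (path, content, status).  status is "file" for scannable
    content, otherwise the reason it could not be scanned."""
    if depth > MAX_DEPTH:
        yield name, b"", "too-deeply-nested"
        return
    if not data.startswith(b"PK\x03\x04"):          # not a ZIP: scan as-is
        yield name, data, "file"
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                inner = f"{name}/{info.filename}"
                if info.flag_bits & 0x1:                # encrypted entry: can't open it
                    yield inner, b"", "encrypted"
                    continue
                yield from unpack(inner, zf.read(info), depth + 1)
    except zipfile.BadZipFile:
        yield name, b"", "corrupt-archive"

def check_message(raw: bytes, scanner: Scanner = demo_scanner) -> dict:
    """Return the gateway's verdict on one RFC 822 message."""
    verdict = {"action": "deliver", "infected": [], "quarantined": []}
    for part in email.message_from_bytes(raw).walk():
        filename = part.get_filename()
        if part.is_multipart() or not filename:
            continue                                    # container or body text
        payload = part.get_payload(decode=True) or b""
        for path, content, status in unpack(filename, payload):
            if status != "file":
                verdict["quarantined"].append((path, status))
                continue
            hit = scanner(content)
            if hit:
                verdict["infected"].append((path, hit))
    if verdict["infected"]:
        verdict["action"] = "block"
    elif verdict["quarantined"]:
        verdict["action"] = "quarantine"
    return verdict

# --- constructed sample input ------------------------------------------
def _zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    return buf.getvalue()

def build_sample_message(infected: bool = True) -> bytes:
    """A message with a clean text attachment; optionally also a ZIP inside a
    ZIP hiding a marked .COM file, and a ZIP header followed by garbage."""
    msg = EmailMessage()
    msg["From"] = "a@example.test"
    msg["To"] = "b@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("Please see the attached.")
    msg.add_attachment("quarterly figures", filename="report.txt")
    if infected:
        inner = _zip({"GAME.COM": b"\xb4\x09" + DEMO_MARKER})
        msg.add_attachment(_zip({"inner.zip": inner}),
                           maintype="application", subtype="zip", filename="outer.zip")
        msg.add_attachment(b"PK\x03\x04" + b"\x00" * 60,
                           maintype="application", subtype="zip", filename="broken.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(check_message(build_sample_message()))
    print(check_message(build_sample_message(infected=False)))
```

The verdict is the gateway's policy decision, not the scanner's: a
message is blocked if anything in it is detected, held if anything in it
could not be examined, and delivered only when every attachment was both
opened and found clean. The depth limit is the kind of boundary condition
the next paragraph has in mind.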

Current informed thinking tends to be that detection of viruses at
the firewall is acceptable (1) if you can afford the additional
hardware, software and latency (processing overhead), not to mention
the hidden administrative overheads of configuration and policy for
dealing with boundary conditions such as unusual 7-bit encoding formats,
encrypted files etc.; (2) as long as you appreciate that it can only be
supplementary to checking at the desktop, not a replacement. Mail
attachments, FTP and HTTP are more significant vectors for virus
transmission than formerly, especially with the near-exponential
boom in macro viruses, but other vectors (especially floppy disks)
are still of vital concern. System administrators are attracted by
the fact that it's easier to update server software than control
the use of scanning on individual workstations, but the fact remains
that in most environments, until the desktop is adequately protected
with good, up-to-date realtime (on-access) scanning and/or scheduled
on-demand scanning, virus scanning at the perimeter is a 
semi-irrelevance.

McAfee's WebScan also addresses this market, but has detection only,
not disinfection: you need their on-demand scanner too. Dr. Solomon's 
MailGuard is based on MIMESweeper. Norton AntiVirus for Firewalls is
due for release in June 1997.

For firewall-related information see the newsgroups

	comp.security
	comp.security.firewalls

or, if you don't mind your mail by the ton, the firewalls mailing-lists.

mailto: majordomo@greatcircle.com
subject: 
message: subscribe firewalls

mailto: majordomo@greatcircle.com
subject: 
message: subscribe firewalls-digest

GreatCircle Associates website with links to the GreatCircle mailing
list and archives and other security/firewall resources.

	http://www.greatcircle.com/firewalls/

Marcus Ranum's FAQ:

	http://www.clark.net/pub/mjr/pubs/fwfaq

Books:

   Firewalls and Internet Security - Repelling the Wily Hacker
   (Cheswick, Bellovin) - Addison-Wesley

   Building Internet Firewalls (Chapman, Zwicky) - O'Reilly

Vendors:

http://www.integralis.com/
http://www.checkpoint.com/
http://www.trendmicro.com/
http://www.nai.com/
http://www.drsolomon.com/


Viruses on CD-ROM
-----------------

Viruses have been distributed on CD-ROM (for instance, Microsoft
shipped Concept, the first in-the-wild macro virus, on a CD-ROM called
"Windows 95 Software Compatibility Test" in 1995). It is wise to scan
CD-ROMs on arrival for viruses, just like floppies. If the CD-ROM has
compressed or archived files it is wise to scan it with an anti-virus
package which can cope with large numbers of compressed and archived
files.

[If you scan all drives at every boot, though, you may find that this
gives you a good incentive to remove CDs from your CD drive before
you power down, especially if your scanner isn't set to allow you
to break out of a scan. B-)]

Removing viruses
----------------

It is always better from a security point of view to replace infected
files with clean, uninfected copies. However, in some circumstances this
is not convenient. For example, if an entire network were infected with
a fast-infecting file virus then it may be a lot quicker to run a
repair with a reliable anti-virus product than to find clean backup
copies of the files. It should also be realised that clean backups may
not be available. If a site has been hit by Nomenklatura, for example, it
may take a long time before it is realised that you have been infected.
By that time the data in the backups has been seriously compromised.

There are virtually no circumstances under which you should need to reformat
a hard disk, however: in general, this is an attempt to treat the symptom
instead of the cause. Likewise re-partitioning with FDISK.

If you use a generic low-level format program, i.e. one which isn't
specifically for the make and model of drive you actually own, you
stand a good chance of trashing the drive more thoroughly than any
virus yet discovered.

Can't viruses sometimes be useful?
----------------------------------

Vesselin Bontchev wrote a respected paper on this subject:
  ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/goodvir.zip
Fred Cohen has done some heavy-duty writing in the other direction.
Start with "A Short Course on Computer Viruses" and "It's Alive!" (both
Wiley).

In general, it's hard to imagine a situation where (e.g.) a
maintenance virus is the *only* option. I have yet to see a convincing
example of a potentially useful virus which *needs* to be a virus.
Such a program would have to be *much* better written and error-trapped
than viruses usually are.

Do I have a virus, and how do I know?
-------------------------------------

Almost anything odd a computer may do can be (and has been)
blamed on a computer "virus," especially if no other
explanation can readily be found. In most cases, when an
anti-virus program is then run, no virus is found.

A computer virus can cause unusual screen displays, or
messages - but most don't do that.  A virus may slow the
operation of the computer - but many times that doesn't
happen.   Even longer disk activity, or strange hardware
behaviour can be caused by legitimate software, harmless
"prank" programs, or by hardware faults.  A virus may cause
a drive to be accessed unexpectedly (and the drive light to
go on) - but legitimate programs can do that also.

One usually reliable indicator of a virus infection is
a change in the length of executable (*.com/*.exe) files, a
change in their content, or a change in their file date/time
in the Directory listing.  But some viruses don't infect
files, and some of those which do can avoid showing changes
they've made to files, especially if they're active in RAM.

Another common indication of a virus infection is a
change to interrupt vectors or the reassignment of system
resources.  Unaccounted use of memory or a reduction in the
amount normally shown for the system may be significant.

In short, observing "something funny" and blaming it on
a computer virus is less productive than scanning regularly
for viruses; equally, not scanning because "everything
is running OK" is inadvisable.
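The indicator described above (executables changing in length, content
or date stamp) is what an integrity checker automates: record each
executable's size, date stamp and a content hash while the system is
known clean, then compare against a later snapshot. The Python below is
an added example of that logic, not a tool from the FAQ; the "files" are
constructed in memory so it runs offline. The hash is what catches a
virus that restores the original date stamp or leaves the length alone.
The caveat in the text still applies: run the comparison after a clean
boot, because a resident stealth virus can hand the checker the original
bytes.

```python
"""Integrity baseline for executables: size, date stamp and SHA-256,
compared against a later snapshot.  Added example, not from the FAQ."""
import hashlib
from typing import Dict, List, NamedTuple, Tuple

EXEC_EXTS = (".com", ".exe", ".sys", ".ovl", ".dll")

class Record(NamedTuple):
    size: int
    mtime: int     # date/time stamp as shown in a directory listing
    digest: str    # SHA-256 of the content

def build_baseline(files: Dict[str, Tuple[bytes, int]]) -> Dict[str, Record]:
    """files maps filename -> (content, mtime); only executables are recorded."""
    baseline = {}
    for name, (content, mtime) in files.items():
        if name.lower().endswith(EXEC_EXTS):
            baseline[name] = Record(len(content), mtime,
                                    hashlib.sha256(content).hexdigest())
    return baseline

def compare(baseline: Dict[str, Record],
            current: Dict[str, Record]) -> Dict[str, List[str]]:
    """Return filename -> list of changed attributes for every file that differs."""
    findings: Dict[str, List[str]] = {}
    for name, then in baseline.items():
        now = current.get(name)
        if now is None:
            findings[name] = ["missing"]
            continue
        changed = []
        if now.size != then.size:
            changed.append(f"length {then.size} -> {now.size}")
        if now.mtime != then.mtime:
            changed.append("date/time stamp")
        if now.digest != then.digest:
            changed.append("content")
        if changed:
            findings[name] = changed
    for name in current.keys() - baseline.keys():
        findings[name] = ["new executable"]
    return findings

# --- constructed snapshots: a 'clean' disk and the same disk later -----
def sample_snapshots() -> Tuple[Dict[str, Record], Dict[str, Record]]:
    clean = {
        "COMMAND.COM": (b"\xe9\x00\x01" + b"\x90" * 200, 19950101),
        "GAME.EXE":    (b"MZ" + b"\x00" * 500, 19950301),
        "EDIT.COM":    (b"\xeb\x10" + b"\xcc" * 100, 19950201),
        "README.TXT":  (b"not an executable", 19950401),
    }
    later = dict(clean)
    # appending infector: 1,024 bytes added, original date stamp restored
    later["GAME.EXE"] = (clean["GAME.EXE"][0] + b"\xaa" * 1024, 19950301)
    # overwriting/cavity infector: same length, same date, different bytes
    later["EDIT.COM"] = (b"\xeb\x10" + b"\x41" * 100, 19950201)
    # a data file edited by the user: not an executable, so not tracked
    later["README.TXT"] = (b"not an executable, revised", 19950501)
    return build_baseline(clean), build_baseline(later)

if __name__ == "__main__":
    before, after = sample_snapshots()
    for name, what in sorted(compare(before, after).items()):
        print(f"{name}: {', '.join(what)}")
```

Only GAME.EXE and EDIT.COM are reported: the first by length and
content, the second by content alone, which is the case size and date
checks miss entirely.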

What should be on a (clean) boot disk?
--------------------------------------

A boot floppy is one which contains the basic operating system, so that
if the hard disk becomes inaccessible, you can still boot the machine
to attempt some repairs. NB All formatted floppies contain a boot sector,
but only floppies which contain the necessary system files can be used
as boot floppies. A clean boot disk is one which is known not to be
virus-infected. It's best to use a clean boot disk before routine
scans of your hard disk(s). Some antivirus packages will refuse to run
if there is a virus in memory. It is usually better and sometimes
mandatory to disinfect a system without the virus in memory, and an
undetected file virus may actually spread faster during a scan, since
scanners normally open all executable files in all directories.


To make an emergency bootable floppy disk, put a disk in drive A and type
        FORMAT A: /S
Be careful to avoid 'cross-formatting', i.e. formatting a double-density
disk as high-density or vice versa, if your system allows this. (You should
avoid this all the time, not just when creating a boot disk. I'd also
recommend avoiding single-density and quad-density disks, and there may
be problems writing to double-density 5.25" disks on a different machine
from the one on which they were formatted, if one machine is an XT and the
other an AT or better.)

You can also make a pre-formatted floppy into a boot disk by typing
        SYS A:
I'd suggest you also COPY these commands from C:\DOS to it: ATTRIB,
CHKDSK (or SCANDISK if you have DOS6), FDISK, FORMAT, SYS, and BACKUP and
RESTORE (or whatever backup program you use, if it will fit).  They may
come in handy if you can't access the hard disk, or it won't boot up.

You may be aware that if there is a problem with your boot sequence, you
can boot from the hard disk on a DOS 6/7/Win95 system while bypassing
AUTOEXEC.BAT and CONFIG.SYS. This is not as good as a clean floppy boot:
it won't help at all if you have a boot sector/partition sector infector,
or if any or all of the basic operating system files have been infected
by a file virus.

The boot disk should have been created with the same version of DOS as
you have on your hard disk. It should also include any drivers necessary
to access your hard disk and other devices. If, for some reason, you
can't obtain a clean boot disk with the same version of DOS, you can
often get away with booting from a (clean) disk using a different
version: indeed, there are viruses which exploit a bug in
recent versions of MS-DOS which will prevent a clean boot from DOS
versions 4-6. If you *do* use a different version, remember that you
won't be able to use many of the standard DOS system utilities on the
hard disk, which will simply return a message like 'Wrong DOS version'
when you try to run them, and avoid the use of FORMAT or FDISK.

If you become virus-infected it can be very helpful to have a backup of your
hard disk's boot sector and partition sector (also known as the MBR). Some
anti-virus and disk utilities can do this. Other useful tools to include are
a small DOS-based text editor (for editing AUTOEXEC.BAT, CONFIG.SYS and so
forth), a copy of the DOS commands COMP or FC (for comparing files),
FDISK and SYS (make sure they are from the same version of DOS as you are
booting).  There is a school of thought that your boot disk should also
include your anti-virus software.  The problem with this is that
anti-virus software should be updated frequently, and you may forget to
update (and re-write-protect) your boot disk each time.  Ideally you will
have been sent a clean, write-protected copy of the latest version of your
anti-virus software by your vendor/supplier.

If you want to use the DOS program EDIT, remember that you need both
EDIT.* and QBASIC.* on the same disk.

When you have everything you need on your boot floppy and any supplementary
floppies (see below), make sure they're all *write-protected*!

How do I know I have a clean boot disk?
---------------------------------------

You can't usually make up a clean boot disk on a system which has been
booted from an infected floppy or hard disk. So how do you know you're
booting clean? Actually, you can never be 100% sure. If you buy a PC
with the system already installed, you can't be sure the supplier
didn't format it with an infected disk. If you get a set of system
disks, can you assume that Microsoft or the disk duplicator
didn't somehow release a contaminated disk image? (Yes, something rather
like this has indeed happened...) However, you can be better than 99%
sure.
* If you have (and use) a reputable, up-to-date virus scanner, it will
  almost invariably detect a known virus in memory (scanners can't be
  relied on to detect an unknown virus, in memory or not). If a good
  scanner doesn't ring an alarm bell, you've *almost* certainly booted
  clean. What constitutes a good scanner is another question....
* If you have a set of original system disks which you received
  shrinkwrapped *and* which you've never used *or* which have only been
  used write-protected, you can probably use Disk 1 as a boot disk and
  it *probably* isn't infected - after all, Microsoft doesn't use MSAV
  for jobs like this..... It has been reported, though, that DOS
  systems disks have been distributed infected, and the fact that
  they're often distributed write-enabled doesn't inspire confidence.
* You could always contact the supplier of your most-trusted anti-virus
  utility and ask whether you can send them a boot floppy to check. Of
  course, even anti-virus gurus sometimes make mistakes, but a boot
  disk verified in this way would still be worth paying for,
  especially for organizations with mission-critical systems.
* Dr. Solomon's are now distributing a 'Magic Bullet' (AKA S.O.S.) disk 
  with their Dr. Solomon product, which will boot a PC with just enough
  functionality to enable users to run their scanning software without
  infringing Microsoft's copyright (as they would be doing if they
  distributed a boot-able DOS floppy). This strikes me as an excellent
  idea, though it won't work on every system.
* When the unit I work for approached Microsoft to check on the legal
  position as regards distributing a clean boot disk with anti-virus
  software updates within the organization, we were told that this was
  OK as long as the boot floppy was made with the same version of DOS as
  the version on the target machine. Any organization wishing to do
  this might like to check with Microsoft that this is still their formal
  position.

What other tools might I need?
------------------------------

Other suggestions have included a sector editor, and Norton Utilities
components such as Disk Doctor (NDD). These are not suitable for use by
the technically-challenged - any tool which can manipulate disks at a
low-level is potentially dangerous. If you do use tools like this, make
sure they're good quality and up-to-date. If you attack a 1Gb disk with
a package that thinks 32Mb is the maximum for a partition and MFM disk
controllers are leading edge, you're in for trouble....

A copy of PKZIP/PKUNZIP or similar compression/decompression utility may
be useful both for retrieving data and for cleaning (some) stealth viruses.
The MSD diagnostic tool supplied with recent versions of DOS and Windows
is a useful addition. QEMM includes a useful diagnostic tool called
Manifest. Heavy duty diagnostic packages like CheckIt! may be of use.
There are some useful shareware/freeware diagnostic packages, too.

Obviously, these are not all going to go on one bootdisk. When you
prepare a toolkit like this, make sure *all* the disks are
write-protected!

Tech support types are likely to find that an assortment of bootable
disks including various versions of DOS comes in useful on occasion.
If you have one or two non-Microsoft DOS versions (DR-DOS/Novell DOS
or PC-DOS), they can be a useful addition. DoubleSpaced or similar
drives will need DOS 6.x; Stacked drives will need appropriate
drivers loaded.

My understanding of the copyright position is that Microsoft does
not encourage you to *distribute* bootable disks (even if they contain
only enough files to minimally boot the system) *unless* the target
system is loaded with the same version of MS-DOS as the boot floppy.
Support engineers will need to ensure that they are legally entitled
to all DOS versions for which they have bootable disks.

What are rescue disks?
----------------------

Many antivirus and disk repair utilities can make up a (usually
bootable) rescue disk for a specific system. This needs a certain
amount of care and maintenance, especially if you make up more than
one of these for a single PC with more than one utility. Make sure
you update *all* your rescue disks when you make a significant
change, and that you understand what a rescue disk does and how it
does it before you try to use it. Don't try to use a rescue disk
made up on one PC on another PC, unless you're very sure of what
you're doing: you may lose data.

Are there CMOS viruses?
-----------------------

Although a virus CAN write to (and corrupt) a PC's CMOS memory,
it can NOT "hide" there. The CMOS memory used for system
information (and backed up by battery power) is not memory-addressable:
it is reached only through Input/Output ("I/O") port instructions
(ports 70h and 71h on AT-class machines).

Data stored there is not loaded from there and executed, so virus
code written to CMOS memory would still need to infect an
executable program in order to load and execute whatever it wrote.

A virus could use CMOS memory to store part of its code,
and some tamper with the CMOS Setup's values. However,
executable code stored there must first be moved into
DOS memory in order to be executed. Therefore, a virus
can NOT spread from, or be hidden in, CMOS memory. No known
viruses store code in CMOS memory.

There are also reports of a trojanized AMI BIOS - this is
not a virus, but a 'joke' program which does not replicate.
The malicious program is not on the disk, nor in CMOS, but
was coded directly into the BIOS ROM chip on the system board
by a rogue programmer at American Megatrends Inc., the
manufacturers.

If the date is 13th of November, it stops the bootup process
and plays 'Happy Birthday' through the PC speaker. In this
case, the only cure is a new BIOS (or motherboard) - contact
your dealer. The trojanized chip run was BIOS version M82C498
Evaluation BIOS v1.55 of 04-04-93, according to Jimmy
Kuo's "What is NOT a virus" paper.

From time to time there are reports from Mac users that the
message 'welcome datacomp' appears in their documents without
having been typed. This appears to be the result of using a
trojanised 3rd-party Mac-compatible keyboard with this 'joke'
hard-coded into the keyboard ROM. It's not a virus - it can't
infect anything - and the only cure is to replace the keyboard.

How do I know I'm FTP-ing 'good' software?
------------------------------------------

Reputable sites like SimTel and Garbo check uploaded utilities for
viruses before making them publicly available. However, it makes
sense not to take anything for granted. I'm aware of at least one
instance of a virus-infected file being found on a SimTel mirror:
you can't scan a newly-uploaded file for a virus your scanner
doesn't know about. Good A/V packages include self-checking code,
though it's unsafe to depend even on this 100%. Be paranoid: you
know it makes sense....

In general, don't run *anything* downloaded from the Internet,
BBSs etc. until it's been checked with at least one reputable
and up-to-date antivirus scanner.

What is 386SPART.PAR?
---------------------

People are sometimes alarmed at finding they have a hidden file
with this name. It is, in fact, created by Windows 3.x when you
configure it to use a permanent swap file (a way of allowing Windows
to work as if you had more memory than you really do). On no account
should you delete it directly, as it will upset your configuration. If
you wish to remove it or adjust its size, do so via the 386 Enhanced
setting in Control Panel; bear in mind that a permanent swap file usually
improves performance on a machine with relatively little memory.
The file is not executable as such, and reports of virus infection
are usually false positives.

Can I get a virus to test my antivirus package with?
----------------------------------------------------

Well, I won't send you one... Most packages have some means of allowing
you to trigger a test alert. There is a standard EICAR test file which
is recognized by some packages.

George Wenzel recently reported that recent versions of the following 
should recognise it. Well done George for promoting the EICAR file among
vendors who hadn't been taking notice!

 AVAST!
 AVP
 AVScan
 Dr. Solomon's
 Dr. Web
 F-Prot
 McAfee
 Norton
 Norman 
 Sophos Sweep
 ThunderByte
 Virus ALERT!
 VET 
 ViruSafe 
 
To make use of the EICAR test string, type or copy/paste the 
following text into a file called EICAR.COM, or TEST.COM or whatever.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Running the file displays the text "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".

Scanning the file with one of the components of these packages should
trigger an alert.

The EICAR file isn't an indication of a scanner's -efficiency- at 
detecting viruses, since  (1) it isn't a virus and (2) detecting 
a single virus or non-virus isn't a useful test of the number of
viruses detected. It's a (limited) check on whether the program 
is installed, but I'm not sure it's a measure of whether it's installed 
correctly. For instance, the fact that a scanner reports correctly that a 
file called EICAR.COM contains the EICAR string, doesn't tell you 
whether it will detect macro viruses, for example. In fact, if I wanted 
to be really picky, I'd have to say that it doesn't actually tell you 
anything except that the scanner detects the EICAR string in files with 
a particular extension. 

The string is supposed to trigger an alarm only when detected at
the beginning of the file. Some products are known to 'false alarm'
by triggering on files which contain the string elsewhere.
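The procedure above (put the 68-character string in a file) and the
point just made (a product should fire on it only at the start of a
file) are shown in code below. The EICAR specification additionally
allows only trailing whitespace (space, tab, CR, LF and Ctrl-Z) after
the string and a total file length of at most 128 bytes, so those are
the rules the conforming check applies. This is an added Python example,
not part of the FAQ or of any vendor's product; the "embedded in a
document" and "one byte off" inputs are constructed.

```python
"""Write the EICAR test file and check it as the EICAR specification says a
scanner should.  Added example; not a virus and not a scanner."""
import os
import tempfile

# The 68-byte test string, split across two literals only for line length.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Per the EICAR spec: optional trailing whitespace, whole file <= 128 bytes.
ALLOWED_PADDING = b" \t\r\n\x1a"
MAX_FILE_LEN = 128

def write_test_file(path: str) -> int:
    """Create EICAR.COM (or any name you like); returns bytes written."""
    with open(path, "wb") as f:
        return f.write(EICAR)

def is_eicar_test_file(data: bytes) -> bool:
    """Spec-conforming detection: string at offset 0, only whitespace after
    it, and no more than 128 bytes in total."""
    if len(data) > MAX_FILE_LEN or not data.startswith(EICAR):
        return False
    return all(byte in ALLOWED_PADDING for byte in data[len(EICAR):])

def naive_contains_eicar(data: bytes) -> bool:
    """What a 'false alarming' product does: match the string anywhere."""
    return EICAR in data

def classify(data: bytes) -> str:
    """Compare the two behaviours on one input."""
    if is_eicar_test_file(data):
        return "EICAR test file"
    if naive_contains_eicar(data):
        return "contains the string but is not a conforming test file: should not alert"
    return "not EICAR"

# Constructed inputs covering the cases the text describes.
SAMPLES = {
    "exact":        EICAR,
    "padded":       EICAR + b"\r\n\x1a",                      # allowed padding
    "too long":     EICAR + b" " * 61,                        # 129 bytes
    "embedded":     b"Dear all, the test string is " + EICAR + b"\r\n",
    "one byte off": EICAR[:-1] + b"+",
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:13s} -> {classify(data)}")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "EICAR.COM")
        written = write_test_file(path)
        with open(path, "rb") as f:
            print(path, written, "bytes; detected:", is_eicar_test_file(f.read()))
```

Note that the string is typed into the file exactly as printed above; the
double backslash is only Python's way of writing the single backslash
the string contains. A scanner that reports the "embedded" sample is
exhibiting the false alarm described above.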

[I have Chengi Jimmy Kuo's permission to reproduce the following,
apropos of the last-but-one paragraph]:

"The purpose of the EICAR test file is for the user to test all the
bells and whistles associated with detecting a virus.  And, if given
that one platform detects it, is everything else working?  It is to
enable such things as:

Is the alert system working correctly?
        Does the beeper work?
        Does the network alert work?

Does it log correctly?
What does it say?

Is the NLM working?  For inbound?  For outbound?
Is compressed file scanning working?

Surprise MIS testing of AV security placements.

The file serves no purpose in testing whether one product is better
than another.  Previously, every product had to supply its own test
methods.  This allows for an independent standard."

There have been long threads recently on whether the Rosenthal
Simulator is useful for this sort of job. This will be considered
at length here when I have the time to look at it in more detail, 
but it should be noted that many anti-virus researchers have 
expressed considerable scepticism. Certainly, having looked at
an earlier incarnation, I see no urgent need to research this
further.

When I do DIR | MORE I see a couple of files with funny names...
----------------------------------------------------------------

Actually, this is in the Virus-L FAQ. Read that and post the question
to comp.virus or alt.comp.virus if you're still worried. Basically,
the answer is that MORE creates a couple of temporary files, being
considerably less efficient than the Unix utility it attempts to
emulate. Most versions of DOS since the Middle Ages support the
syntax DIR /P, which does the same job less messily. In fact,
if you have DOS 5 or later, you might consider putting /P into the
environment variable DIRCMD (SET DIRCMD=/P in AUTOEXEC.BAT), so that
it becomes your default on directory listings which exceed 1 screenful.

Of course, other utilities such as ATTRIB can also be filtered through
MORE like this, which may result in similar symptoms.

------------------------------------------------------------

Reasons NOT to use FDISK /MBR
-----------------------------

See Section 12 in part 2 of this FAQ for further information about FDISK
with the undocumented /MBR switch. However, people with virus problems
are frequently advised, out of ignorance or maliciousness, to use this
switch in circumstances where it can lead to an inability to access your
disk drive and possible loss of data (not to mention hair and sanity).

Essentially, you should avoid using FDISK /MBR unless you have it on good
authority that it's safe and necessary to do so. In most circumstances, it's
safer to clean a partition sector with a good anti-virus program.

You should avoid FDISK /MBR at all costs under the following circumstances:

1. When infected by a virus that doesn't preserve the partition table
   in the MBR, e.g. Monkey, reported at 7.2% of the infections reported
   to _Virus Bulletin_ for December '95, the last report for which I
   have data
2. When infected by a virus that encrypts data on the hard drive and
   keeps the key in the MBR code, e.g. One_Half -- reported at 0.8%
   worldwide
3. When security software, e.g. PC-DACS, is in use
4. When a driver like Disk Manager or EZDrive is installed (these keep
   their own code in the MBR)
5. When a controller that stores its own data in the MBR sector
   (cylinder 0, head 0, sector 1) is in use
6. When more than one boot sector infector (BSI) is active, in some
   conditions
7. When a data diddler is active, e.g. Ripper, accountable for 3.8% of
   the infections reported in the study cited above (N.B.: while this
   case won't be fixed by AV utilities, at least one will know why
   there are problems with the drive)
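To see why reasons 1 and 2 bite, look at what the sector holds: 446
bytes of boot code, a 64-byte partition table at offset 446 and the
55h AAh signature at offset 510. A code-only rewrite replaces the first
446 bytes and leaves the table alone, so if a virus such as Monkey has
left something other than a valid table at offset 446 the disk stays
inaccessible afterwards, and if the code held the only copy of a
One_Half-style encryption key, that key is gone. The Python below is an
added example, not anything from the FAQ or from Microsoft: the MBR
sectors it parses are constructed, the "Monkey-like" one simply has its
code and table area XORed with a constant, and the modelling of
FDISK /MBR as "replace code, keep table and signature" is an assumption
stated in the code.

```python
"""Parse a 512-byte MBR and model a code-only rewrite (FDISK /MBR-style).
Added example; sample sectors are constructed, not captured from a disk."""
import struct
from typing import List, NamedTuple

SECTOR_LEN = 512
CODE_LEN = 446            # boot code: bytes 0..445
TABLE_OFF = 446           # four 16-byte partition entries
SIG_OFF = 510             # 55h AAh
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"

class Partition(NamedTuple):
    status: int
    ptype: int
    lba_start: int
    sectors: int

def parse_table(sector: bytes) -> List[Partition]:
    return [Partition(*struct.unpack_from(ENTRY_FMT, sector, TABLE_OFF + 16 * i))
            for i in range(4)]

def has_signature(sector: bytes) -> bool:
    return sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa"

def table_plausible(sector: bytes, disk_sectors: int) -> bool:
    """Sanity rules a boot loader or DOS would trip over if violated:
    signature present, status bytes 00h or 80h, at most one active entry,
    used entries inside the disk and not overlapping."""
    if len(sector) != SECTOR_LEN or not has_signature(sector):
        return False
    ranges = []
    active = 0
    for p in parse_table(sector):
        if p.status not in (0x00, 0x80):
            return False
        active += p.status == 0x80
        if p.ptype == 0:
            continue                                   # unused entry
        if p.lba_start == 0 or p.sectors == 0 or p.lba_start + p.sectors > disk_sectors:
            return False
        ranges.append((p.lba_start, p.lba_start + p.sectors))
    if active > 1:
        return False
    ranges.sort()
    return all(end <= next_start for (_, end), (next_start, _) in zip(ranges, ranges[1:]))

def rewrite_boot_code(sector: bytes, new_code: bytes) -> bytes:
    """ASSUMPTION: FDISK /MBR modelled as replacing bytes 0..445 only and
    keeping the partition table and signature exactly as found."""
    assert len(new_code) <= CODE_LEN
    return new_code.ljust(CODE_LEN, b"\x00") + sector[TABLE_OFF:]

# --- constructed sectors -----------------------------------------------
DISK_SECTORS = 2_097_152                 # a 1Gb disk of 512-byte sectors
GENERIC_CODE = b"\xfa\x33\xc0\x8e\xd0"   # cli / xor ax,ax / mov ss,ax as stand-in code

def clean_mbr() -> bytes:
    # one active FAT16 partition starting at sector 63, filling the disk
    entry = struct.pack(ENTRY_FMT, 0x80, 0x06, 63, DISK_SECTORS - 63)
    return GENERIC_CODE.ljust(CODE_LEN, b"\x00") + entry + b"\x00" * 48 + b"\x55\xaa"

def monkey_like_mbr() -> bytes:
    """Constructed stand-in for a virus that does not keep a valid table in
    place: code and table area obscured (XOR 2Eh), signature still present."""
    return bytes(b ^ 0x2E for b in clean_mbr()[:SIG_OFF]) + b"\x55\xaa"

def fdisk_mbr_outcome(sector: bytes, disk_sectors: int = DISK_SECTORS) -> str:
    """Would a code-only rewrite leave DOS able to find its partition?"""
    repaired = rewrite_boot_code(sector, GENERIC_CODE)
    if table_plausible(repaired, disk_sectors):
        return "disk accessible"
    return "partition table unusable"

if __name__ == "__main__":
    for label, mbr in (("clean", clean_mbr()), ("Monkey-like", monkey_like_mbr())):
        print(f"{label}: table ok={table_plausible(mbr, DISK_SECTORS)}, "
              f"after FDISK /MBR -> {fdisk_mbr_outcome(mbr)}")
```

On the clean sector the rewrite is harmless; on the Monkey-like one the
new code boots but finds no usable table, which is the "can't see drive
C:" outcome the warnings above describe. A virus-specific repair puts
the original table back first, which is why the text prefers it.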

------------------------------------------------------------

Why do people write/spread viruses?
-----------------------------------

From postings which have appeared in alt.comp.virus in the past:


* they don't understand or prefer not to think about the consequences
  for other people
* they simply don't care
* they don't consider it to be their problem if someone else is
  inconvenienced
* they draw a false distinction between creating/publishing viruses
  and distributing them
* they consider it to be the responsibility of someone else to protect
  systems from their creations
* they get a buzz, acknowledged or otherwise, from vandalism
* they consider they're fighting authority
* they like 'matching wits' with antivirus vendors
* it's a way of getting attention, getting recognition from their peers
  and their names (or at least that of their virus) in the papers and
  the Wild List
* they're keeping the antivirus vendors in a job

How seriously you take some of these assertions is up to you....

------------------------------------------------------------

Where can I get an anti-virus policy?
-------------------------------------

There is some relevant material in the Virus-L FAQ document, but you'll
need to do most of the work specific to your own environment. It's worth
doing some general reading on security policies generally and getting
the distinctions straight between policies, strategies, standards,
procedures and protocols. I'm working on this in other contexts: some of
that material may eventually seep back into here.

The NCSA have a Corporate Virus Prevention Policy disk/document which can
be ordered via their web page (www.ncsa.com) for around $20, or downloaded
from Compuserve.

In the UK, the British Standards Institution have a Code of Practice for
Information Security Management which includes virus-management (BS7799).
[It's not necessarily well-regarded by practitioners, though.]

        BSI
        389 Chiswick High Road
        London W4 4AL

        DTI (Dept. of Trade & Industry)
        IT Security Policy Unit
        151 Buckingham Palace Road
        London SW1W 9SS

The last time I looked at the S&S International web page (www.drsolomon.com)
they had a paper on Guidelines for an Anti-Virus Policy by David Emm which
is a reasonable starting point, though a comprehensive virus management
policy is no small undertaking.

------------------------------------------------------------

Are there virus damage statistics?
----------------------------------

Some, possibly even less reliable than the average survey on general
security breaches. Why?

* Many reported virus incidents aren't, in fact, virus incidents, as
  many a PC support specialist will confirm. There is a tendency to
  attribute any PC anomaly to a virus, among those who are not well
  acquainted with the virus arena. Unfortunately, this includes
  virtually the entire press corps and many security consultants. Also,
  some widely-used packages are noticeably prone to false alarms.
* Many actual virus incidents and other security breaches are not
  reported, due to the intervention of top management or Public
  Relations, out of fear of losing competitive advantage because of
  being perceived as badly-managed and insecure.
* Many other virus incidents and security breaches aren't reported
  because they're simply not recognised as such, or at all.
* There are no standards for reporting and assessing damage from
  viruses and other security breaches. Take the case of Christopher
  Pile (the Black Baron), who was convicted in the UK under the
  Computer Misuse Act: I have seen estimates in the UK press of
  the damage sustained by the company most affected by the viruses
  Pile spread ranging from £40,000 to £500,000, and this is an
  unusually well-documented incident. How can the average survey
  respondent be expected to make an accurate assessment?

The trouble is, there's a lot more to 'damage' than the figures
estimated for a particular outbreak.

    Cost of maintaining virus protection
        Training and maintaining a response team
        Management costs
        Cost of software licences
        Cost in time/productivity/money of maintaining upgrades etc.
        Formulating and enforcing policy
        Educating users in the issues and good hygienic practice
        Cost in time of routine anti-virus measures
        Cost in money and time of servicing false alarms
        Cost of sheepdip systems
        Cost of having part-time A/V people taking time off
        from their 'real' jobs
        Alternatively, the cost of having full-time A/V personnel
        Cost of tracking the product market, technological changes
        Formulating and enforcing a backup policy
        Development of protective systems
        Resource utilisation by undetected viruses

    Cost of specific outbreaks
        Loss of productivity
        Workstation/Server downtime
        Damage to reputation of the organization
        Damage to involved personnel
        Psychological damage - witch hunts
        Damage limitation
        Time spent cleaning up, examining floppies etc.
        Restoration of backups/reinstallation
        Replacing unrecoverable data
        Time and money spent increasing virus protection.....

However, the Poor Bloody Infantry often have to spend time and effort
persuading the Generals of the need to expend money on ammunition.
You might care to check out:

* The Information Security Breaches Survey 1996 [UK]

  [National Computing Centre, ICL, ITSEC, Dept. of Trade & Industry]

  NCC
  Oxford House
  Oxford Road
  Manchester
  M1 7ED

  (voice) +44(0) 161 228 6333
  (fax)   +44(0) 161 242 2171
  enquiries@ncc.co.uk
  http://www.ncc.co.uk/

This came up with the highly suspect but much quoted average of about
£4000 per virus incident.

* Computer Virus & Security Survey 1995 [Ireland]

  [Price Waterhouse, Priority Data Systems]

  Price Waterhouse
  Wilton Place
  Dublin 2
  (353 1) 6606700

* You might also care to check out the NCSA virus survey
  (ftp://isrecon.ncsa.com/ncsavsrv.zip), which is free, and the
  different but related virus study, which costs $95.

  http://www.ncsa.com/

------------------------------------------------------------

What is NCSA Approval?
----------------------

  [NCSA has a certification program for PC virus scanners which offers
  a measure of the detection capabilities of specific version numbers.
  In the past, NCSA's modus operandi was the subject of much
  scepticism within the antivirus community, but the current
  procedures are much improved. The text that follows is a very
  lightly edited version of mail I received from an analyst at NCSA,
  so it's not altogether impartial, but is nevertheless a fair summary
  of their activities [but not quite accurate]. By the way, NCSA has a 
  somewhat similar program for firewalls, too (which is also somewhat
  controversial). I'm leaving this in pending an opportunity to 
  edit it more thoroughly, but I must advise against giving NCSA
  certification quite as much weight as some vendors would like.
  - DH]

For a list of scanners that have received the "NCSA Approved" rating
of the National Computer Security Association in the U.S.A. see

  http://www.ncsa.com/avpdcert.html

The page also explains the certification procedure.

The National Computer Security Association in Carlisle, Pennsylvania,
U.S.A., sponsors an Anti-Virus Product Developers consortium. The NCSA
and consortium members have created standards for anti-virus products
and the NCSA Anti-virus lab in Carlisle tests new versions of scanners
that are submitted to it and issues an "NCSA Approved" seal for those
products which pass the test.

++
To pass, a scanner must detect all
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
viruses (more than 400) on the "Wild List" kept by Joe Wells of IBM
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Actually, this isn't the case: detection of all viruses on -both-
parts of the Wild List isn't required for certification, as the
information on NCSA's website makes clear. In fact, it looks as
if the implementation of NCSA certification has somewhat slipped
from its promising inception. I'll be returning to this issue and
other schemes (VSUM, Secure Computing) when time allows. - DH]

and 90 percent of the viruses in a suite of about 11,000 kept by NCSA
(these represent not only viruses, but variations created by polymorphic
viruses as well.)

[The exact make-up of that test suite is one of the things I'd like
to check - DH]

For more information about the NCSA or for links to the members of the
AVPD consortium:

  http://www.ncsa.com/

NCSA also maintains an Anti-Virus Vendor's Forum on CompuServe (GO NCSA)
with message sections and libraries devoted to anti-virus products and
issues.

NCSA is a provider of security, reliability, and ethics information
and services. NCSA provides information security: training, testing,
research, product certification, underground reconnaissance,
help-desk and consulting services. NCSA delivers information through
publications, conferences, forums, and seminars -- in both traditional
and electronic formats. NCSA also hosts private on-line training and
seminars on CompuServe in addition to public forums and libraries,
which address hundreds of information and communications security
issues.  NCSA's InfoSecurity Resource Catalog provides one-stop-shopping
for books, guides, training and tools.

[I should observe here that I've received material from NCSA in the
past which advertises a book I would personally avoid recommending
on grounds of ethics -and- accuracy. As there was some fuss about
this, I don't suppose it's in their catalogue any longer, but this
is another point I'd quite like to check. - DH]

NCSA AVPD Members (July, 1996)

Members of the NCSA Anti-Virus Product Developers consortium.

-- Best, S.A., Miami, FL (call 305-470-9051)
-- Cheyenne Software, Roslyn Heights, NY, U.S.A.
-- Command Software Systems Inc, Jupiter, FL, U.S.A.
-- Cybec, New South Wales, Australia
-- EliaShim, Pembroke Pines, FL, U.S.A.
-- IBM, Sterling Forest, NY, U.S.A.
-- INTEL, American Fork, UT, U.S.A.
-- IRIS Software & Computers, River Edge, NJ, U.S.A.
-- Jade Corp Ltd, Shizuoka City, Japan
-- Network Associates, Santa Clara, CA, U.S.A.
-- Norman Data Defense Systems Inc, Fairfax, VA, U.S.A.
-- ON Technology, Morrisville, NC, U.S.A.
-- Pioneer Micro Systems, India
-- Quantum Leap Innovations, Briarcliff Manor, NY, U.S.A.
-- Stiller Research Inc., Colorado Springs, CO, U.S.A.
-- S&S International, Burlington, MA, U.S.A.
-- Symantec, Santa Monica, CA, U.S.A.
-- ThunderByte, Massena, NY, U.S.A.
-- Trend Micro Inc, Los Alamitos, CA, U.S.A.

------------------------------------------------------------

What language should I write a virus in?
----------------------------------------

Choose your own squelch:

	* ANSI COBOL
	* LOGO
	* Karel the Robot
	* PL/I
	* dBase II
	* Get a life
	* Or my personal favourite (thanks, Bruce!)
	     "Hey, man; where can I get a copy of
	     Visual English to write some hot new virii?!?"

If you need to ask this question, you'd be better off collecting
tazos than trying to write viruses. 

No, seriously, what language are they written in?
-------------------------------------------------

The simple answer is "Assembler, mostly (on the PC)". High-level
languages such as C and Pascal are sometimes used, as are various
flavours of command shells on various systems (Unix shell scripts,
DCL scripts etc.). Macro viruses are written in macro languages, 
surprisingly....... B-)

[DRD], Doren Rosenthal, the Universe and Everything
---------------------------------------------------

Doren Rosenthal offers a shareware utilities suite including a
virus simulator. Many of the AV pros in this group have a low
opinion of the Rosenthal utilities, and regard their author as
more of a virus writer than an anti-virus researcher, and are
annoyed by his habit of offering his utilities as a solution
for problems to which their relevance is not always obvious. As
discussions on Rosenthal-related topics sometimes generate 
much heat and bandwidth, some people have taken to adding [DRD]
to the subject header when posting to these threads, to make it
easier to avoid them.

What are CARO and EICAR?
------------------------

CARO - Computer Anti-Virus Researchers Organisation. Invitation-only
group of techie researchers, mostly representing AV vendors. CARO
approves 'standard' names for viruses. Some people tend to mistrust
the fact that CARO members often share virus samples: however, CARO
membership is a convenient yardstick by which other members can
judge whether an individual can be trusted with samples. In general,
users at large benefit: this way, AV vendors with CARO members can
include most known viruses in their definitions databases.

EICAR - European Institute for Computer AntiVirus Research. Membership
comprises academic, commercial, media, governmental organisations etc, 
with experts in security, law etc., combining in the pursuit of the 
control of the spread of malicious software and computer misuse. 
Membership is more open, but members are expected to subscribe to a
code of conduct. And yes, this is the origin of the EICAR test file.

EICAR has a web page at http://www.eicar.com

------------------------------------------------------------------

End of a.c.v. FAQ Part 4 of 4


-- 
 ("`-''-/").___..--''"`-._        George Wenzel
  `6_ 6  )   `-.  (    ).`-.__.`) <gwenzel@gpu.srv.ualberta.ca>
  (_Y_.)'  ._   )  `._ `.``-..-'  Club Secretary & Webmaster,
 _..`--'_..-_/  /--'_.' ,'        University of Alberta Karate Club
(il),-''  (li),'  ((!.-'          http://www.ualberta.ca/~gwenzel/

From csus.edu!csulb.edu!logbridge.uoregon.edu!newsfeed.cwix.com!18.181.0.26!bloom-beacon.mit.edu!senator-bedfellow.mit.edu!faqserv Thu Apr  1 15:21:25 1999
Path: csus.edu!csulb.edu!logbridge.uoregon.edu!newsfeed.cwix.com!18.181.0.26!bloom-beacon.mit.edu!senator-bedfellow.mit.edu!faqserv
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Newsgroups: alt.comp.virus,comp.virus,alt.answers,comp.answers,news.answers
Subject: ALT.COMP.VIRUS MINI-FAQ - READ BEFORE POSTING
Supersedes: <computer-virus/mini-faq_920815039@rtfm.mit.edu>
Followup-To: alt.comp.virus
Date: 15 Mar 1999 13:21:08 GMT
Organization: none
Expires: 5 Apr 1999 13:19:00 GMT
Message-ID: <computer-virus/mini-faq_921503940@rtfm.mit.edu>
NNTP-Posting-Host: penguin-lust.mit.edu
Summary: The most important things to know before posting to a.c.v.
X-Last-Updated: 1998/07/15
X-no-archive: yes
Originator: faqserv@penguin-lust.MIT.EDU
Xref: csus.edu alt.comp.virus:99948 comp.virus:28245 alt.answers:36652 comp.answers:33513 news.answers:141429

Archive-name: computer-virus/mini-faq
Posting-Frequency: Every 7 days

-----BEGIN PGP SIGNED MESSAGE-----

          ALT.COMP.VIRUS Mini-FAQ (version 1.17)
              Last updated July 15, 1998 
 Maintained by George Wenzel <gwenzel@gpu.srv.ualberta.ca>

Messages asking for help posted to alt.comp.virus are more likely to
receive a useful response if they conform to accepted standards of
civility. The news group news.announce.newusers includes information on
good news group etiquette.

Don't reformat, low-level format, or use FDISK before posting: using DOS
utilities to remove viruses is not necessary.  Especially do not use FDISK
unless you know EXACTLY what you're doing - you could lose access to your
hard drive.

Please, don't just ask "I've got a virus, can anyone help me?" When asking
for help, the more relevant information you give, the more help can be
returned.  It helps to:

* Run more than one anti-virus program.  Some do make mistakes.
* When reporting the output of anti-virus programs, please list them (name
and version number), and say what each one said about the possible virus. 
Posting the exact output can be helpful.
* Please consider the possibility that whatever you are seeing might not be
a virus. Many system problems are not virus related.
* Note that you cannot catch a virus simply by reading certain e-mail or
newsgroup messages.   For a virus to spread, infected code must be run.

Basic answers to common questions:

1) The following "viruses" are in fact hoaxes:  "Good Times", "Deeyenda",
"Irina", "Penpal Greetings", "Join the Crew", "Returned or Unable to
Deliver", and "NaughtyRobot".  Information about these hoaxes and more can
be found at 

  http://www.kumite.com/myths/

2) Many people have asked why alt.comp.virus is decidedly anti-virus in
nature.  Because of the large proportion of anti-virus producers and end
users in the group, viruses are considered to be poor use of computer
resources, and the open distribution of them to be irresponsible.

Binaries are not welcome in UseNet discussion newsgroups.  Alt.comp.virus
is a discussion newsgroup, so the posting of binaries is often met with
opposition and complaints to ISPs.

In addition, the majority of a.c.v. readers do not want virus source code
or binaries to be posted in this newsgroup.  Should you post such material,
you should be aware that some of those readers will complain to your ISP
about it.  For your own sake, check your ISP's policies regarding posting
such material to newsgroups before risking your account.  

3) We can't tell you definitively which is the best anti-virus software.
Everybody has different criteria for quality, and different products excel
in different areas.  It is more important to get a reasonably good
anti-virus product and to use it often than it is to worry about having
the absolute best anti-virus product.  For maximum protection, it is
generally recommended that more than one kind of anti-virus program be
used.  Scanners are generally used as a front line defense, but they must
be updated regularly.  Generic anti-virus programs can be of use since
they do not need updating as often, and they can catch new viruses that a
scanner might miss.

There are independent comparative reviews at:

  _Virus Bulletin_      http://www.virusbtn.com/
  _Secure Computing_    http://www.westcoast.com/
  University of Tampere http://www.uta.fi/laitokset/virus/
  University of Hamburg ftp://ftp.informatik.uni-hamburg.de/pub/virus/
                    and http://agn-www.informatik.uni-hamburg.de/vtc/naveng.htm

4) Before claiming that a "good" virus exists or could exist, it would be
wise to read Vesselin Bontchev's paper "Are 'Good' Computer Viruses Still A
Bad Idea", available at: 
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/goodvir.zip

5) There are no viruses which damage hardware by modifying how the
mechanical parts run or their electro-magnetic characteristics.  There
*are* reported instances of specific hardware being damaged by the misuse
of specific software. 

That said, there is a virus (CIH) which corrupts a system BIOS, which is
not hardware damage, but is as difficult to fix.  With a corrupt BIOS, it
is not possible for the system to start; the BIOS chip would need to be
returned to the factory to get re-programmed.  Hardware write-protection of
the BIOS should be used whenever possible, as should current anti-virus
software.

6) Testing your anti-virus program with a real virus is not generally a
good idea.  Most reputable PC anti-virus packages will now trigger an alert
if they scan a file beginning with the following text:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

To make this file, copy the above text string into a text file using the
DOS edit program or Windows Notepad, and save it with a .com extension
(note that this does not work with most Macintosh anti-virus programs).
Running the file displays the text "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".
Most people in the anti-virus community consider a "virus simulator"
unnecessary and unsuitable for this task.
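The test-file procedure in item 6, as an added example that is not part of the Mini-FAQ: it writes the string byte-for-byte and checks a candidate file the way the FAQ says scanners do (string at the very start), and shows, on constructed inputs, why a file that an editor has padded with a byte-order mark or that merely contains the string somewhere in the middle will not be recognised. The function and file names are my own.

```python
"""Added example, not part of the FAQ: build the EICAR test file the way item 6
describes and check whether a candidate file would be recognised, i.e. whether
it begins with the 68-character test string with no stray leading bytes."""
import os
import tempfile

# The test string exactly as quoted in the FAQ (68 printable ASCII characters).
# The backslash is doubled for the Python literal; the file holds a single '\'.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def classify_eicar_bytes(data):
    """Return (recognised, reason) for the leading bytes of a file.

    Scanners key on the string at offset 0, so a file that starts with it is
    recognised even with trailing bytes, while an editor that prepends a
    byte-order mark or other junk produces a file that will NOT trigger."""
    if data.startswith(EICAR):
        extra = len(data) - len(EICAR)
        if extra == 0:
            return True, "exact 68-byte test file"
        return True, "test string at offset 0 with %d trailing byte(s)" % extra
    pos = data.find(EICAR)
    if pos > 0:
        return False, "test string at offset %d, preceded by %r" % (pos, data[:pos])
    return False, "test string not present"


def write_eicar_file(path):
    """Write the test string with no BOM, newline or other extra bytes.

    Name it with a .com extension as the FAQ says, and check afterwards that
    the editor or file manager has not silently appended .txt."""
    with open(path, "wb") as f:
        f.write(EICAR)
    return path


def check_eicar_file(path):
    """Classify an existing file by its first 256 bytes."""
    with open(path, "rb") as f:
        return classify_eicar_bytes(f.read(256))


def demo():
    """Write a test file to a temporary directory, check it, then run the
    constructed failure cases a user typically hits. Returns a dict of results."""
    results = {}
    tmp = tempfile.mkdtemp()
    path = write_eicar_file(os.path.join(tmp, "eicar.com"))
    results["written file"] = check_eicar_file(path)
    os.remove(path)
    os.rmdir(tmp)
    # Constructed inputs: what text editors commonly produce by accident.
    results["trailing CRLF"] = classify_eicar_bytes(EICAR + b"\r\n")
    results["UTF-8 BOM prepended"] = classify_eicar_bytes(b"\xef\xbb\xbf" + EICAR)
    results["string in the middle of a text file"] = classify_eicar_bytes(
        b"Here is the test string: " + EICAR)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-38s %s (%s)" % (name, "RECOGNISED" if ok else "not recognised", why))
```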

7) There are answers to other frequently asked questions and more details
in the other virus FAQ's.  They are available at various sites, but most of
them are available at:
  
  http://www.webworlds.co.uk/dharley/
  and
  http://www.faqs.org/faqs/computer-virus/

8) Before you ask about what a specific virus does, try:
      
  http://www.drsolomon.com/vircen/enc/
  http://www.datafellows.com/v-descs/
  http://www.datarescue.com/avpbase/
  http://www.avpve.com/ 
  http://www.nai.com/support/techdocs/vinfo/default.asp

  all of which carry virus databases and links to other sites.

Disclaimer:

The authors accept no responsibility for errors or omissions, or for any
ill effects resulting from the use of any information contained in this
document. 

Copyright Notice

We made this information freely available, and maintain it.  Please don't
abuse our work by using it for profit without getting permission from the
FAQ maintainer. 

Copyright (c) 1998 

Contributors:

  Bruce Burrell        <bpb@umich.edu>
  Graham Cluley        <gcluley@uk.drsolomon.com>
  David Harley         <harley@icrf.icnet.uk>
  Gerard Mannig        <mannig@world-net.sct.fr>
  A. Padgett Peterson  <padgett@goat.orl.mmc.com>
  Robert Slade         <roberts@decus.ca or rslade@vcn.bc.ca>
  Dr. Alan Solomon     <drsolly@ibmpcug.co.uk>
  Pierre Vandevenne    <pierre@datarescue.com>

Special thanks to those out there that thought this work was worth
something, and decided to send the maintainer a thank-you.  





From csus.edu!csulb.edu!awabi.library.ucla.edu!208.134.241.18!newsfeed.cwix.com!18.181.0.26!bloom-beacon.mit.edu!senator-bedfellow.mit.edu!faqserv Thu Apr  1 15:21:27 1999
Path: csus.edu!csulb.edu!awabi.library.ucla.edu!208.134.241.18!newsfeed.cwix.com!18.181.0.26!bloom-beacon.mit.edu!senator-bedfellow.mit.edu!faqserv
From: lesch@macvirus.com (Susan Lesch)
Newsgroups: alt.comp.virus,comp.virus,comp.sys.mac.apps,comp.sys.mac.misc,comp.sys.mac.system,alt.answers,comp.answers,news.answers
Subject: Viruses and the Mac FAQ
Supersedes: <computer-virus/macintosh-faq_920209464@rtfm.mit.edu>
Followup-To: alt.comp.virus,comp.virus
Date: 15 Mar 1999 13:22:11 GMT
Organization: none
Expires: 12 Apr 1999 13:19:00 GMT
Message-ID: <computer-virus/macintosh-faq_921503940@rtfm.mit.edu>
NNTP-Posting-Host: penguin-lust.mit.edu
Summary: Why viruses are a Mac problem, too....
X-Last-Updated: 1999/02/27
Originator: faqserv@penguin-lust.MIT.EDU
Xref: csus.edu alt.comp.virus:99949 comp.virus:28246 comp.sys.mac.apps:259041 comp.sys.mac.misc:235404 comp.sys.mac.system:334694 alt.answers:36655 comp.answers:33515 news.answers:141453

Archive-name: computer-virus/macintosh-faq
Posting-Frequency: Fortnightly
Last-modified: Fri, 26 Feb 1999 23:48 PST
URL: http://www.macvirus.com/reference/
     http://www.webworlds.co.uk/dharley/
Copyright: Copyright 1996-1999 by David Harley and contributors
Maintainer: David Harley <D.Harley@icrf.icnet.uk> and Susan Lesch <lesch@macvirus.com>

  
Viruses and the Macintosh
=========================
by David Harley
Version 1.5k: 26th February 1999

  Significant changes from the previous version are flagged with +
  symbols in the first two columns at the start of the relevant line
  or section. Amendments of minor grammatical or syntactical errors
  are not flagged unless they affect factual accuracy or clarity.

  Sections tagged with [DH] or [SL] usually denote personal opinions
  or other data which the originator doesn't feel the other
  maintainer should be held responsible for. Untagged sections using
  the first person are usually hangovers from when DH was sole
  maintainer of the FAQ.

  David Harley

  
Table of Contents
=================

  1.0  Copyright Notice
  2.0  Preface
  3.0  Availability of this FAQ
  4.0  Mission Statement
  5.0  Where to get further information
     5.1  Computer Virus FAQs
     5.2  EICAR
     5.3  "Robert Slade's Guide to Computer Viruses"
     5.4  Web sites
     5.5  Virus Bulletin
     5.6  Macro virus information resources
     5.7  Other resources
  6.0  How many viruses affect the Macintosh?
  7.0  What viruses can affect Mac users?
     7.1  Mac-specific system and file infectors
     7.2  HyperCard Infectors
     7.3  Mac Trojan Horses
     7.4  Macro viruses, trojans, variants
     7.5  Other Operating Systems, emulation on a Mac
     7.6  AutoStart 9805 Worms
     7.7  Esperanto.4733
  8.0  What's the best antivirus package for the Macintosh?
     8.1  Microsoft's Protection Tools
     8.2  Disinfectant Retired
     8.3  Demo Software
     8.4  Other freeware/shareware packages
     8.5  Commercial Packages
     8.6  Contact Details
  9.0  Welcome Datacomp
  10.0  Hoaxes and myths
     10.1  Good Times virus
     10.2  Modems and Hardware viruses
     10.3  Email viruses
     10.4  JPEG/GIF viruses
     10.5  Hoaxes Help
  11.0  Glossary
  12.0  General Reference Section
     12.1  Mac Newsgroups
     12.2  References and Publications
  13.0  Mac Troubleshooting

  
1.0  Copyright Notice
=====================

  Copyright on this document remains with the author(s), and all
  rights are reserved. However, it may be freely distributed and
  quoted - accurately, and with due credit.

  It may not be reproduced for profit or distributed in part or as a
  whole with any product for which a charge is made, except with the
  prior permission of the copyright holder(s). To obtain such
  permission, please contact the maintainers of the FAQ.

  Primary author of this document is David Harley, who at present
  co-maintains it with contributor Susan Lesch. Comments and
  additional material have been received with gratitude from Ronnie
  Sutherland, Henri Delger, Mike Groh and Eugene Spafford. Thanks to
  Bruce Burrell, Michael Wright, Peter Gersmann, David Miller,
  Ladd Van Tol, Eric Hildum, Jeremy Goldman, Kevin White, Bill
  Jackson, Robert Slade, Robin Dover, and John Norstad for their
  comments and suggestions.

  
2.0  Preface
============

  This document is intended to help individuals with computer
  virus-related problems and queries, and clarify the issue
  of computer viruses on Macintosh platforms. It should *not* be
  regarded as being in any sense authoritative, and has no legal
  standing. The authors accept no responsibility for errors or
  omissions, or for any ill effects resulting from the use of any
  information contained in this document.

  Corrections and additional material are welcome, especially if
  kept polite.... Contributions will, if incorporated, remain the
  copyright of the contributor, and credited accordingly within
  the FAQ.

  David Harley <D.Harley@icrf.icnet.uk>

  
3.0  Availability of this FAQ
=============================

  The latest version of this document will be available from:
  *  <http://www.macvirus.com/reference/> (the primary source)
  *  <http://webworlds.co.uk/dharley/>

  It's also available from Henri Delger's Prodigy Anti-Virus Center
  file library, as is the alt.comp.virus FAQ.

  There are HTML versions at:
  [J&A link removed. There are some very good links there, but also
  some ethical conflicts which I prefer at present to sidestep - DH]
  <http://www.cis.ohio-state.edu/hypertext/faq/usenet/computer-virus/macintosh-faq/faq.html>
  <http://www.faqs.org/faqs/computer-virus/macintosh-faq/>
  <http://emt.doit.wisc.edu/macvir/macvir.html>

  
4.0  Mission Statement
======================

  This document is a little different to the alt.comp.virus FAQ,
  which David Harley also co-maintains (at time of writing). It is
  concerned with one platform only, and though it deals with the
  Macintosh platform at more length than the alt.comp.virus FAQ can
  be expected to, it is a great deal shorter. Nor is there the same
  degree of urgency about the Mac virus field, though the risk
  element may be somewhat underestimated in general, at present. This
  FAQ originated from a concern over the spread of macro viruses, a
  theme that is taken up below. Since questions about Macs and
  viruses tend to appear more often in the Mac groups than
  alt.comp.virus or Virus-L, distribution of this FAQ is wider.

  
5.0  Where to get further information
=====================================

5.1  Computer Virus FAQs
------------------------
  Computer Virus FAQ for New Users
  A mainly non-Mac virus FAQ posted to news.newusers.questions,
  alt.newbie, alt.newbies, alt.answers, and news.answers.
  <http://www.faqs.org/faqs/computer-virus/new-users/>

  alt.comp.virus FAQ
  This is posted to alt.comp.virus approximately fortnightly. It
  includes a document that summarizes and gives contact information
  for a number of other virus-related FAQs; (not much Mac-specific
  material). The latest version is available from:
  <http://www.webworlds.co.uk/dharley/>

  VIRUS-L/comp.virus FAQ
  The Virus-L/comp.virus FAQ (also fairly low on Mac-specific
  information) is regularly posted to the comp.virus newsgroup
  (version 2.0 at time of writing). This FAQ is very long and very
  thorough. The document is subject to revision, so the file name may
  change. The latest version may be found at:
  <ftp://ftp.infospace.com/pub/virus-l/comp.virus-FAQ.09-Oct-95>
  <ftp://ftp.datafellows.com/pub/misc/anti-vir/vlfaq200.zip>

5.2  EICAR
----------
  The European Institute for Computer Anti-Virus Research (EICAR)
  recently moved to a new domain:
  <http://www.eicar.org/>

5.3  "Robert Slade's Guide to Computer Viruses"
-----------------------------------------------
  The disk included with the 2nd Edition of this excellent general
  resource includes most of the information available at the
  University of Hamburg (see 5.5). The book also contains a
  reasonable quantity of Mac-friendly information. The disk includes
  a copy of Disinfectant 3.6, which is now out-of-date -- 3.7.1 is
  the latest and final release. For more information about this book:
  <http://www.amazon.com/exec/obidos/ISBN=0387946632/> [Springer]

  Very few books primarily about computer viruses deal at any length
  with Mac viruses (I can't think of one, at present). Some general
  books on the Mac touch on the subject, but none I can think of add
  anything useful. Some of the "Totally Witless User's Guide
  to......." books dealing with security in general include
  information on PC -and- Mac viruses. Unfortunately, the quality of
  virus-related information in such publications is generally low.

5.4  Web sites
--------------
  Many major vendors have a virus information database online on
  their Web sites. Symantec (www.symantec.com), Network Associates
  (www.nai.com) and Dr. Solomon's (www.drsolomon.com) include
  Macintosh virus information.

  Precise URLs tend to come and go, but you might like to try the
  following:

  Symantec Antivirus Research Center
  Virus Encyclopedia based on Project VGrep: huge, quite slow and
  could use a Web search engine, but it is the most complete [SL].
  <http://www.symantec.com/avcenter/vinfodb.html>

  Network Associates, formerly McAfee Associates:
  Virus Information Library
  <http://www.nai.com/vinfo/>
  Macintosh Viruses
  <http://www.nai.com/vinfo/f_13707.asp>

  The Mining Co. "Macintosh Virus Descriptions"
  Part of work in progress by Ken Dunham
  <http://antivirus.miningco.com/library/blenmac.htm>

  Mac Virus
  Updated and detailed but somewhat unstructured
  <http://www.macvirus.com/reference/viruses.html>

  Dr Solomon's "Mac Viral Zoo"
  Starting to go out of date
  <http://www.drsolomon.com/products/virex/zoo/maczoopg.html>

5.5  Virus Bulletin
-------------------
  The expensive (but, for the professional, essential) periodical
  Virus Bulletin includes Mac-specific information from time to time.
  However, if you have no interest in PC issues, you probably won't
  consider it worth the expense.

  Virus Bulletin Ltd
  21 The Quadrant
  Abingdon
  Oxfordshire
  OX14 3YS

  44 (0) 1234 555139
  Compuserve 100070,1340
  www.virusbtn.com
  virusbtn@vax.ox.ac.uk

  The proceedings of the 1997 Virus Bulletin conference contained a
  paper by David Harley which significantly expands on many of the
  issues addressed in this FAQ. Contact Virus Bulletin for further
  information on the annual conference and on obtaining the
  proceedings. The paper can also be found (by permission of Virus
  Bulletin) at the author's website:
  <http://webworlds.co.uk/dharley/>

5.6  Macro virus information resources
--------------------------------------
  University of Hamburg Virus Test Center Macro Virus List is the
  definitive listing. All known macro viruses, some only found in
  research labs, some in the wild. Doesn't include information on
  individual viruses apart from name and platform.
  <ftp://agn-www.informatik.uni-hamburg.de/pub/texts/macro/>
  <http://agn-www.informatik.uni-hamburg.de/vtc/eng.htm>

  Other Sources:
  <http://www.drsolomon.com/>
  <http://www.datafellows.com/vir-info/>
  <http://www.symantec.com/avcenter/>
  <http://www.nai.com/>
  <http://www.avpve.com/>
  <http://www.sophos.com/> (under Virus Information)

  [The following absolute URLs may change: such is the way of Web
  administrators..... If you get an error message, try the first part
  of the URL, e.g. <http://www.nai.com/> and drill down from there.]

  Dr Solomon's Software Ltd.
  <http://www.drsolomon.com/vircen/enc/>

  Central Command
  <http://www.avpve.com/viruses/macro/>

  Network Associates
  <http://www.nai.com/vinfo/f_3057.asp>

  Data Fellows
  <http://www.datafellows.com/macro/word.htm>

  Richard Martin put together an FAQ on the subject of Word viruses.
  It's well out-of-date in many respects, though.
  <ftp.gate.net/pub/users/ris1/word.faq>

5.7  Other resources
--------------------
  There are excellent pages on HyperCard viruses at HyperActive
  Software. There is information on HyperCard infectors, a link to
  Bill Swagerty's free Vaccine utility for detecting and cleaning
  them, a note on false positives reported by commercial software,
  inoculation, and a free HyperCard virus detection service.
  <http://www.hyperactivesw.com/Virus1.html>

  The CIAC virus database includes entries for PC, Macintosh, and a
  number of other platforms. The Macintosh section also includes a
  number of joke programs and one or two apparent hoaxes.
  <http://ciac.llnl.gov/ciac/CIACVirusDatabase.html>

  Virus Test Center, Hamburg: AntiVirus Catalog/CARObase early work
  <ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/catalog/>
  <ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/carobase/>
  <ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/>
  These links may be out-of-date: if they don't work, try
  <ftp://agn-www.informatik.uni-hamburg.de>

  Last we checked [03-Sep-97], these sites probably need updating,
  though some older files do have historical value. Info-Mac mirrors
  have Macintosh information, but include some outdated virus
  information and software at this writing; still, always worth a
  visit.
  <ftp://ftp.ucs.ubc.ca/pub/mac/info-mac/vir/>
  <http://hyperarchive.lcs.mit.edu/HyperArchive/Abstracts/vir
        /HyperArchive.html>

  Also of interest, again sometimes outdated:
  <http://wwwhost.ots.utexas.edu/mac/pub-mac-virus.html>
  <http://www.unt.edu/virus/macgeneral.html>

  Kevin Harris's Virus Reference was last updated 31-Aug-95. This
  HyperCard stack requires HyperCard 2.1 or later.
  <ftp://mirrors.aol.com/pub/info-mac/vir/virus-reference-216-hc.hqx>

  A list of Mac viruses is available at:
  <http://webworlds.co.uk/dharley/macvir.html>
  At present, this mirrors information in this FAQ, and updating it
  is considered a low priority.

  
6.0  How many viruses affect the Macintosh?
===========================================

  There are around 40 Mac-specific viruses and related threats.

  Mac users with Word 6 or versions of Excel supporting Visual Basic
  for Applications, however, are vulnerable to infection by macro
  viruses which are specific to these applications. Indeed, these
  viruses can, potentially, infect other files on any hardware
  platform supporting these versions of these applications. I don't
  know of a macro virus with a Mac-specific payload that actually
  works at present, but such a payload is entirely possible.

  Word Mac version 5.1 and below do not support WordBasic, and are
  not, therefore, vulnerable to direct infection. Not only do these
  versions not understand embedded macros, but they can't read the
  Word 6 file format unaided. There is, however, at least one
  freeware utility which allows Word 5.x users to read Word 6 files.
  This will not support execution of Word 6 (or WinWord 2) macros in
  Word 5.x, so I would not expect either an infection routine or a
  payload routine to be able to execute within this application.

  However, Word 5.x users may contribute indirectly to the spread of
  infected files across platforms and systems, since it is perfectly
  possible for a user whose own system is uninfectable to act as a
  conduit for the transmission of infected documents, whether or not
  s/he reads it personally.

  Files infected with a PC-specific file virus (this excludes macro
  viruses) can only execute on a Macintosh running DOS or DOS/Windows
  emulation, if then. They can, of course, spread across platforms
  simply by copying infected files from one system to another.

  DOS diskettes infected with a boot sector virus can be read on a
  Mac with Apple File Exchange, PC Exchange, DOS Mounter etc. without
  (normally) risk to the Mac. However, leaving such an infected disk
  in the drive while booting an emulator such as SoftPC can mean that
  the virus attempts to infect the logical PC drive with
  unpredictable results.

  I am aware of at least one instance of a Mac diskette which, when
  read on a PC running a utility for reading Mac-formatted disks
  after being infected with a boot-sector infector, became unreadable
  as a consequence of the boot track infection.

  Some Mac viruses may damage files on Sun systems running MAE or
  AUFS.

  
7.0  What viruses can affect Mac users?
=======================================

  Not all variants are listed here. It was originally intended to
  reference all the major variants at least by name eventually, but
  since the information is of academic interest at best to most users
  (and available elsewhere anyway), it's no longer considered a
  priority. The main problem affecting Mac users nowadays is the
  spread of macro viruses, and I can't possibly find time to
  catalogue them individually, so they are only considered generally.
  Native Mac viruses are rather rarely seen nowadays, and most people
  don't need to know about them in detail -- in fact, what they need
  most is to know that their favoured antivirus software will deal
  with them. Note that neither of the co-maintainers is primarily in
  the business of hands-on virus analysis, and neither can accept
  responsibility for descriptive errors based on third-party
  information. [DH]

  The following varieties are listed below:
  7.1  Mac-specific system and file infectors
  7.2  HyperCard Infectors
  7.3  Mac Trojans
  7.4  Macro viruses, trojans, variants
  7.5  Other Operating Systems, emulation on a Mac
  7.6  AutoStart 9805 Worms
  7.7  Esperanto 4733

7.1  Mac-specific system and file infectors
-------------------------------------------
  AIDS - infects application and system files. No intentional damage.
  (nVIR B strain)

  Aladin - close relative of Frankie

  Anti (Anti-A/Anti-Ange, Anti-B, Anti Variant) - can't spread under
  system 7.x, or System 6 under MultiFinder. Can damage applications
  so that they can't be 100% repaired.

  CDEF - infects desktop files. No intentional damage, and doesn't
  spread under system 7.x.

  CLAP: nVIR variant that spoofs Disinfectant to avoid detection
  (Disinfectant 3.6 recognizes it).

  Code 1: file infector. Renames the hard drive to "Trent Saburo".
  Accidental system crashes possible.

  Code 252: infects application and system files. Triggers when run
  between June 6th and December 31st. Runs a gotcha message ("You
  have a virus. Ha Ha Ha Ha Ha Ha Ha Now erasing all disks...
  [etc.]"), then self-deletes. Despite the message, no intentional
  damage is done, though shutting down the Mac instead of clicking to
  continue could cause damage. Can crash System 7 or damage files,
  but doesn't spread beyond the System file. Doesn't spread under
  System 6 with MultiFinder beyond System and MultiFinder. Can cause
  various forms of accidental damage.

  Code 9811: hides applications, replacing them with garbage files
  named "something like 'FIDVCXWGJKJWLOI'." According to Ken Dunham
  who reported this virus in November, "The most obvious symptom of
  the virus is a desktop that looks like electronic worms and a
  message that reads 'You have been hacked by the Pretorians.'"

  Code 32767: once a month tries to delete documents. This virus is
  not known to be in circulation.

  Flag: unrelated to WDEF A and B, but was given the name WDEF-C in
  some anti-virus software. Not intentionally damaging but when
  spreading it overwrites any existing 'WDEF' resource of ID '0', an
  action which might damage some files. This virus is not known to be
  in circulation.

  Frankie: only affects the Aladdin emulator on the Atari or Amiga.
  Doesn't infect or trigger on real Macs or the Spectre emulator.
  Infects application files and the Finder. Draws a bomb icon and
  displays 'Frankie says: No more piracy!"

  Fuck: infects application and System files. No intentional damage.
  (nVIR B strain)

  Init 17: infects System file and applications. Displays message
  "From the depths of Cyberspace" the first time it triggers.
  Accidental damage, especially on 68K machines.

  Init 29 (Init 29 A, B): Spreads rapidly. Infects system files,
  applications, and document files (document files can't infect other
  files, though). May display a message if a locked floppy is
  accessed on an infected system 'The disk "xxxxx" needs minor
  repairs. Do you want to repair it?'. No intentional damage, but can
  cause several problems - Multiple infections, memory errors, system
  crashes, printing problems, MultiFinder problems, startup document
  incompatibilities.

  Init 1984: Infects system extensions (INITs). Works under Systems 6
  and 7. Triggers on Friday 13th. Damages files by renaming them,
  changing file TYPE and file CREATOR, creation and modification
  dates, and sometimes by deleting them.

  Init-9403 (SysX): Infects applications and Finder under systems 6
  and 7. Attempts to overwrite whole startup volume and disk
  information on all connected hard drives. Only found on Macs
  running the Italian version of MacOS.

  Init-M: Replicates under System 7 only. Infects INITs and
  application files. Triggers on Friday 13th. Similar damage
  mechanisms to INIT-1984. May rename a file or folder to "Virus
  MindCrime". Rarely, may delete files.

  MacMag (Aldus, Brandow, Drew, Peace): first distributed as a
  HyperCard stack Trojan, but only infected System files. Triggered
  (displayed a peace message and self-deleted) on March 2nd 1988, so
  very rarely found.

  MBDF (A,B): originated from the Tetracycle, Tetricycle or
  "tetris-rotating" Trojan. The A strain was also distributed in
  Obnoxious Tetris and Ten Tile Puzzle. Infect applications and
  system files including System and Finder. Can cause accidental
  damage to the System file and menu problems. A minor variant of
  MBDF B appeared in summer 1997: Disinfectant and Virex have been
  updated accordingly.

  MDEF (MDEF A/Garfield, MDEF B/Top Cat, C, D): infect System file
  and application files (D doesn't infect System). No intentional
  damage, but can cause crashes and damaged files.

  MDEF-E and MDEF-F: described as simple and benign. They infect
  applications and system files with an 'MDEF' resource ID '0', not
  otherwise causing file damage. These viruses are not known to be in
  circulation.

  nCAM: nVIR variant

  nVIR (nVIR A, B, C - AIDS, Fuck, Hpat, Jude, MEV#, nFlu): infect
  System and any opened applications. Extant versions don't cause
  intentional damage. Payload is either beeping or (nVIR A) saying
  "Don't panic" if MacInTalk is installed.

  nVIR-f: nVIR variant.

  prod: nVIR variant

  Scores (Eric, Vult, NASA, San Jose Flu): aimed to attack two
  applications that were never generally released. Can cause
  accidental damage, though - system crashes, problems printing or
  with MacDraw and Excel. Infects applications, Finder, DA Handler.

  SevenDust-A through G (MDEF 9806-A through D, also known as 666; E
  was at first called "Graphics Accelerator"): a family of viruses
  which spread both through 'MDEF' resources and a System extension
  created by that resource. The first four variants are not known to
  be in circulation. Two of these viruses cause no other
  damage. On the sixth day of the month, MDEF 9806-B may erase all
  non-application files on the current volume. The SARC encyclopedia
  calls MDEF 9806-C, "polymorphic and encrypted, no payload," and
  MDEF 9806-D, "encrypting, polymorphic, symbiotic," and says the
  symbiotic part, "alters a 'WIND' resource from the host
  application." SevenDust E, not to be confused with the legitimate
  ATI driver "Graphics Accelerator", began as a trojan horse released
  to Info-Mac and deleted there on or about September 26, 1998. Takes
  two forms, 'INIT' resource ID '33' in an extension named
  "\001Graphics Accelerator" and an 'MDEF' resource ID '1' to '255'.
  Between 6:00 a.m. and 7:00 a.m. on the sixth and twelfth day of any
  month, the virus will try to delete all non-application files on
  the startup disk. John Dalgliesh describes "Graphics Accelerator"
  on his Web page for AntiGax, a free anti-SevenDust E utility; any
  errors here in translation are not his. SevenDust F uses a trojan
  "ExtensionConflict", common extension names, and creator 'ACCE'.[SL]

  T4 (A, B, C, D): infects applications, Finder, and tries to modify
  System so that startup code is altered. Under System 6 and 7.0,
  INITs and system extensions don't load. Under 7.0.1, the Mac may be
  unbootable. Damage to infected files and altered System is not
  repairable by Disinfectant. The virus masquerades as Disinfectant,
  so as to spoof behaviour blockers such as Gatekeeper. Originally
  included in versions 2.0/2.1 of the public domain game GoMoku.

  T4-D spreads from application to application on launch by appending
  itself to the 'CODE' resource. Deletes files other than the System
  file from the System Folder, and documents, and is termed dangerous.
  The D strain is not known to be in circulation [SL].

  WDEF (A,B): infects desktop file only. Doesn't spread under System
  7. No intentional damage, but causes beeping, crashes, font
  corruption and other problems.

  zero: nVIR variant.

  Zuc (A, B, C): infects applications. The cursor moves diagonally
  and uncontrollably across the screen when the mouse button is held
  down when an infected application is run. No other intentional
  damage is done.
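  Most of the entries above identify a virus by the resource type and
  ID it plants or overwrites ('WDEF' ID 0 for Flag, 'MDEF' ID 0 for
  MDEF-E/F, 'INIT' ID 33 in an extension named "\001Graphics
  Accelerator" for SevenDust E). The following is an added example,
  not code from this FAQ or from any scanner it mentions: a parser
  for the classic Macintosh resource fork layout (header, resource
  data, resource map with type list, reference lists and name list)
  plus a triage routine that reports those type/ID pairs. The sample
  resources are constructed and their bytes are not real virus or
  application code. A hit means "look closer", not "infected":
  legitimate software ships WDEF, MDEF and INIT resources too, and
  the commercial scanners match code bytes rather than IDs.

```python
import struct
from typing import List, NamedTuple


class Resource(NamedTuple):
    rtype: bytes   # four-character resource type, e.g. b"MDEF"
    rid: int       # signed 16-bit resource ID
    name: str      # resource name, "" if unnamed
    attrs: int     # resource attribute byte
    data: bytes


# (type, id, name or None, attribute byte, data): constructed sample
# resources only; the byte strings are not real virus or application code.
SAMPLE_RESOURCES = [
    (b"CODE", 0, None,   0x00, b"\x00\x00\x00\x28\x00\x00\x00\x01"),
    (b"CODE", 1, "Main", 0x20, b"\x4e\x56\x00\x00\x4e\x5e\x4e\x75"),
    (b"MDEF", 0, None,   0x00, b"\x60\x00\x00\x10" + b"\x00" * 16),
    (b"INIT", 33, None,  0x00, b"\x4e\x75"),
]


def build_resource_fork(resources) -> bytes:
    """Assemble a classic resource fork: 256-byte header area, resource
    data (4-byte length + bytes), then the map (header copy, handle,
    refnum, attrs, type-list offset, name-list offset, type list,
    reference lists, name list). Used here only to fabricate input."""
    data_blob, names, entries = bytearray(), bytearray(), []
    for rtype, rid, name, attrs, data in resources:
        data_off = len(data_blob)
        data_blob += struct.pack(">I", len(data)) + data
        if name is None:
            name_off = 0xFFFF                     # -1: resource has no name
        else:
            name_off = len(names)
            nb = name.encode("mac_roman")
            names += bytes([len(nb)]) + nb        # Pascal string in name list
        entries.append((rtype, rid, name_off, attrs, data_off))
    types = list(dict.fromkeys(e[0] for e in entries))   # first-seen order
    type_list_size = 2 + 8 * len(types)
    type_list = struct.pack(">H", (len(types) - 1) & 0xFFFF)   # count minus 1
    ref_lists = bytearray()
    for t in types:
        refs = [e for e in entries if e[0] == t]
        type_list += t + struct.pack(">HH", len(refs) - 1, type_list_size + len(ref_lists))
        for _, rid, name_off, attrs, data_off in refs:
            ref_lists += struct.pack(">hH", rid, name_off)
            ref_lists += bytes([attrs]) + data_off.to_bytes(3, "big") + b"\0\0\0\0"
    map_body = type_list + ref_lists + names
    header = struct.pack(">IIII", 256, 256 + len(data_blob), len(data_blob), 28 + len(map_body))
    rmap = header + b"\0" * 8 + struct.pack(">HH", 28, 28 + type_list_size + len(ref_lists)) + map_body
    return header + b"\0" * 240 + bytes(data_blob) + rmap


def parse_resource_fork(fork: bytes) -> List[Resource]:
    """Walk the resource map and return every resource with its data."""
    data_off, map_off, _data_len, _map_len = struct.unpack_from(">IIII", fork, 0)
    type_list_off, name_list_off = struct.unpack_from(">HH", fork, map_off + 24)
    type_list, name_list = map_off + type_list_off, map_off + name_list_off
    count = struct.unpack_from(">H", fork, type_list)[0]
    ntypes = 0 if count == 0xFFFF else count + 1
    found = []
    for i in range(ntypes):
        rtype, last, ref_off = struct.unpack_from(">4sHH", fork, type_list + 2 + 8 * i)
        for j in range(last + 1):
            ref = type_list + ref_off + 12 * j
            rid, name_off = struct.unpack_from(">hH", fork, ref)
            attrs = fork[ref + 4]
            doff = int.from_bytes(fork[ref + 5:ref + 8], "big")   # 3-byte data offset
            (rlen,) = struct.unpack_from(">I", fork, data_off + doff)
            rdata = bytes(fork[data_off + doff + 4:data_off + doff + 4 + rlen])
            name = ""
            if name_off != 0xFFFF:
                nlen = fork[name_list + name_off]
                name = fork[name_list + name_off + 1:name_list + name_off + 1 + nlen].decode("mac_roman")
            found.append(Resource(rtype, rid, name, attrs, rdata))
    return found


def triage(file_name: str, resources: List[Resource]) -> List[str]:
    """Report type/ID pairs the FAQ ties to Mac infectors. A hit is a
    reason to examine the file, not proof of infection."""
    hits = []
    for r in resources:
        if r.rtype == b"WDEF" and r.rid == 0:
            hits.append("WDEF ID 0: the resource Flag overwrites when it spreads")
        if r.rtype == b"MDEF" and r.rid == 0:
            hits.append("MDEF ID 0: used by MDEF-E/F and the SevenDust/MDEF 9806 family")
        if r.rtype == b"INIT" and r.rid == 33 and file_name == "\x01Graphics Accelerator":
            hits.append("INIT ID 33 in '\\001Graphics Accelerator': SevenDust E extension form")
    return hits


if __name__ == "__main__":
    fork = build_resource_fork(SAMPLE_RESOURCES)
    for r in parse_resource_fork(fork):
        print(r.rtype.decode("mac_roman"), r.rid, repr(r.name), len(r.data), "bytes")
    for hit in triage("\x01Graphics Accelerator", parse_resource_fork(fork)):
        print("triage:", hit)
```

  The builder and parser are inverses, so the same code can be pointed
  at a real fork once it has been read from disk (on pre-OS X systems
  the fork is only reachable through the resource manager; on later
  systems as the "..namedfork/rsrc" path). Compressed resources and
  map attributes are ignored here.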

7.2  HyperCard infectors
------------------------
  These are a somewhat esoteric breed, but a couple have been seen
  since Disinfectant was last upgraded in 1995, and most of the
  commercial scanners detect them.

  Dukakis - infects the Home stack, then other stacks used
  subsequently. Displays the message "Dukakis for President", then
  deletes itself, so not often seen.

  HC 9507 - infects the Home stack, then other running stacks and
  randomly chosen stacks on the startup disk. On triggering, displays
  visual effects or hangs the system. Overwrites stack resources, so
  a repaired stack may not run properly.

  HC 9603 - infects the Home stack, then other running stacks. No
  intended effects, but may damage the Home stack.

  HC "Two Tunes" (referred to by some sources as "Three Tunes") -
  infects stack scripts. Visual/Audio effects: 'Hey, what are you
  doing?' message; plays the tune "Muss I denn"; plays the tune
  "Behind the Blue Mountains"; displays HyperCard toolbox and pattern
  menus; displays 'Don't panic!' fifteen minutes after activation.
  Even sources which describe this virus as "Three Tunes" seem to
  describe the symptoms consistently with the description here, but
  we will, for completeness, attempt to resolve any possible
  confusion when time allows. This virus has no known connection with
  the PC file infector sometimes known as Three Tunes.

  MerryXmas - appends to stack script. On execution, attempts to
  infect the Home stack, which then infects other stacks on access.
  There are several strains, most of which cause system crashes and
  other anomalies. At least one strain replaces the Home stack script
  and deletes stacks run subsequently. Variants include Merry2Xmas,
  Lopez, and the rather destructive Crudshot. [Ken Dunham discovered
  the merryXmas virus. His program merryxmasWatcher 2.0 was very
  popular and still can eradicate the most common two strains,
  merryXmas and merry2Xmas. merryxmasWatcher 2.0 is outdated for the
  rest this family.]

  Antibody is a recent virus-hunting virus which propagates between
  stacks checking for and removing MerryXmas, and inserting an
  inoculation script.

  Independance (sic) Day - reported in July, 1997. It attempts to be
  destructive, but fortunately is not well enough written to be more
  than a nuisance. More information at:
  <http://www.hyperactivesw.com/Virus1.html#IDay>

  Blink - reported in August, 1998. Nondestructive but spreads;
  infected stacks blink once per second starting in January, 1999.

7.3  Mac Trojan Horses
----------------------
  These are often unsubtle and immediate in their effects: while
  these effects may be devastating, Trojans are usually very
  traceable to their point of entry. The few Mac-specific Trojans are
  rarely seen, but of course the commercial scanners generally detect
  them.

  ChinaTalk - system extension - supposed to be sound driver, but
  actually deletes folders.

  CPro - supposed to be an update to Compact Pro, but attempts to
  format currently mounted disks.

  FontFinder - supposed to list fonts used in a document, but
  actually deletes folders.

  MacMag - HyperCard stack (New Apple Products) that was the origin
  of the MacMag virus. When run, infected the System file, which then
  infected System files on floppies. Set to trigger and self-destruct
  on March 2nd, 1988, so rarely found.

  Mosaic - supposed to display graphics, but actually mangles
  directory structures.

  NVP - modifies the System file so that no vowels can be typed.
  Originally found masquerading as 'New Look', which redesigns the
  display.

  Steroid - Control Panel - claims to improve QuickDraw speed, but
  actually mangles the directory structure.

  Tetracycle - implicated in the original spread of MBDF

  Virus Info - purported to contain virus information but actually
  trashed disks. Not to be confused with Virus Reference.

  Virus Reference 2.1.6 mentions an 'Unnamed PostScript hack' which
  disables PostScript printers and requires replacement of a chip on
  the printer logic board to repair. A Mac virus guru says:

  "The PostScript 'Trojan' was basically a PostScript job that
  toggled the printer password to some random string a number of
  times.  Some Apple laser printers have a firmware counter that
  allows the password to only be changed a set number of times
  (because of PRAM behavior or licensing -- I don't remember which),
  so eventually the password would get "stuck" at some random string
  that the user would not know.  I have not heard any reports of
  anyone suffering from this in many years."

  AppleScript Trojans - A demonstration destructive compiled
  AppleScript was posted to the newsgroups alt.comp.virus,
  comp.sys.mac.misc, comp.sys.mac.system, it.comp.macintosh,
  microsoft.public.word.mac, nl.comp.sys.mac, no.mac, and
  symantec.support.mac.sam.general on 16-Aug-97, apparently in
  response to a call for help originally posted to alt.comp.virus on
  14-Aug-97 and followup on 15-Aug-97. On 03-Sep-97, MacInTouch
  published Xavier Bury's finding of a second AppleScript trojan
  horse, which, like the call for help followup, mentioned Hotline
  servers. It reportedly sends out private information while running
  in the background. A note to users from Hotline Communications CEO
  Adam Hinkley is posted at
  <http://www.macvirus.com/news/press/970903a.html>.
  AppleScripts should be downloaded only from known trusted sources.
  It is nigh impossible for an average person to know what any given
  compiled script will do.

7.4  Macro viruses, trojans, variants
-------------------------------------
  At the time of the longstanding second-to-last upgrade of
  Disinfectant (version 3.6 in early 1995), there were no known macro
  viruses in the wild, apart from HyperCard infectors. In any case,
  Disinfectant was always intended to deal with system viruses, not
  trojans or macro/script viruses. However, many users are unaware of
  these distinctions and still assume that Disinfectant is a complete
  solution, even after its effective demise (in fact, there were
  people still relying on Gatekeeper long after its author disowned
  it....).

  Unfortunately, the number of known macro viruses is at the time
  of writing [as of 8-Jan-1999] in excess of 3000, though the number
  in the wild is far fewer.

  Most macro viruses (if they have a warhead at all) target Intel
  platforms and assume FAT-based directory structures, so they
  usually have no discernible effect on Macs when they trigger.
  Viruses that manipulate text strings within a document may work
  just as well on a Macintosh as on a PC.

  In any case, the main costs of virus control are not recovery from
  virus payloads, but the costs of establishing detection and
  protection (or of not establishing them). The costs of not
  establishing these measures can be considerable, irrespective of
  damage caused on infected machines, especially in corporate
  environments. Secondary distribution of infected documents may
  result in:

  * civil action - for instance, inadvertent distribution of an
    infected document to external organisations may be in breach of
    contractual obligations

  * legal action in terms of breach of data-protection legislation
    such as the UK Data Protection Act or the European Data Protection
    directive. The eighth principle of the Data Protection Act, for
    instance, requires that security measures are taken to protect
    against unauthorised access to, and alteration, disclosure and
    destruction of personal data, or its accidental loss.

  * damage to reputation - no legitimate organisation wants to be
    seen as being riddled with viruses.

  Since Word 6.x for Macintosh supports WordBasic macros, it is as
  vulnerable as Word 6.x and 7.x on Intel platforms to being infected
  by macro viruses, and therefore to generating other infected
  documents (or, strictly speaking, templates). Working Excel viruses
  are now beginning to appear also, and any future Macintosh
  application that supports Visual Basic for Applications will also
  be vulnerable. Note also the possibility of virus-infected files
  being embedded as objects in files associated with other
  applications: this possibility exists on any platform that supports
  OLE.

  Macro viruses are therefore highly transmissible via
  Macintoshes, even if they don't have a destructive effect on
  Motorola platforms, if there is an equivalent application
  available on the Macintosh. For instance, although Word for
  Windows versions before version 6 support WordBasic, Word
  versions for the Mac up to and including version 5.1 do not.
  [Thus Word 5.1 users can not be directly infected, but may,
  like anyone, pass on infected documents to vulnerable systems.]

  Unless running DOS/Windows emulation, the Green Stripe macro virus
  is not normally a danger on Macs, since there is no AmiPro/WordPro
  for Macintosh. [This paragraph may well be removed in the near
  future, since (1) Green Stripe is old news and not exactly common
  (2) I'd rather drop this than list (for consistency) a number of
  other viruses, trojans, intendeds, jokes and generators which will
  only ever run on a Mac which is pretending to be a PC.....]

  Network Associates, Symantec, and Intego all make known-virus
  scanners that detect a range of macro viruses. Microsoft make
  available a free 'protection tool' whose effectiveness is often
  overestimated. (See below.)

  For further information on specific macro viruses, try one of the
  information resources given earlier.

7.5  Other Operating Systems, emulation on a Mac
------------------------------------------------
  Any Mac running any sort of DOS or Windows emulation such as
  Virtual PC, SoftPC, SoftWindows, RealPC, or a DOS compatibility
  card is a potential target for any PC virus, including Boot Sector
  Infectors/Multipartites; (effects will vary). It is highly
  recommended that anyone with such a system should run a reputable,
  up-to-date PC antivirus program under emulation, as well as a good
  Mac antivirus program. [Dr. Solomon's for the Mac detects PC boot
  sector infectors as well as Mac viruses, but doesn't detect PC file
  viruses (apart from macro viruses), and so is not sufficient
  protection for a Mac with DOS emulation.]

  Recommendations for defending PC systems or PC emulation on Macs
  are slightly out-of-scope for this FAQ. In fact, I don't know of
  any formal testing for PC antivirus software in the context of PC
  emulation on Macs. I've done some informal testing (referred to in
  another paper), but am not prepared to make vendor-specific
  recommendations on the basis of such testing. F-Prot, AVP, and Dr
  Solomon's are particularly well-regarded PC antivirus packages, of
  which some components on some platforms are available as freeware
  or for evaluation, but their efficacy in the context of PC
  emulation is not well tested or documented.

  To find a commercial or shareware package relevant to PCs, check
  through the independent comparative reviews sites:
  University of Hamburg Virus Test Center
  <http://agn-www.informatik.uni-hamburg.de/vtc/naveng.htm>
  University of Tampere Virus Research Unit
  <http://www.uta.fi/laitokset/virus/>
  Secure Computing
  <http://www.westcoast.com/>
  Virus Bulletin
  <http://www.virusbtn.com/>
  Robert Michael Slade's lists may also be helpful.
  <http://www.freenet.victoria.bc.ca/techrev/quickref.html>
  <http://www.freenet.victoria.bc.ca/techrev/rms.html>

7.6  AutoStart 9805 Worms
-------------------------
  AutoStart 9805 is not a virus, but a worm: that is, it replicates
  by copying itself, but doesn't attach itself parasitically to a
  host program. The original took hold rapidly in Hong Kong and
  Taiwan in April 1998, and has been reported on at least four
  continents. In addition to the original worm, there are five
  variants. Virus Bulletin, July, 1998, includes a comprehensive
  analysis of AutoStart and some of its variants.

  CIAC Bulletin I-067 is based on Eugene Spafford's information
  release on the original AutoStart worm. Unfortunately, this is now
  a little out-of-date, particularly as regards the update status of
  the antivirus software it mentions. Nor does it mention any of the
  subsequently discovered variants.
  <http://www.ciac.org/>

  Symptoms: Perhaps the most noticeable symptom of the worms is that
  an infected system will _lock up and churn with unexplained disk
  activity_ every 6, 10, or 30 minutes.[SL]

  Affected platforms: any PowerMac. Macintoshes and clones driven by
  Motorola 680x0 series CPUs can't run the replicative code. It works
  under any version of Mac OS, if QuickTime 2.0 or later is installed
  and CD-ROM AutoPlay is enabled in the "QuickTime Settings" Control
  Panel.

  Transmission media: HFS or HFS+ volumes (hard disks, diskettes,
  most types of removable media, even disk images). Audio CDs can't
  transmit the worm, and it isn't necessary to disable "Audio CD
  AutoPlay".

  Transmission method: infected media contain an invisible
  application file named "DB" or "BD" or "DELDB" in the root
  directory (type APPL, creator ????). This is an AutoStart file:
  i.e. it will run automatically if CD-ROM autoplay is enabled. If
  the host Mac isn't already infected, it copies itself to the
  Extensions folder. The new copy is renamed "Desktop Print Spooler"
  or "Desktop Printr Spooler", or "DELDesktop Print Spooler"
  respectively (type appe, creator ????). Unlike the legitimate
  Desktop Printer Spooler extension, the worm file has the invisible
  attribute set, and isn't listed as a running process by the system
  software, though it can be seen with Process Watcher or Macsbug.
  After copying itself, it reboots the system and is now launched
  every time the system restarts. At approximately 6, 10, or 30
  minute intervals, it examines mounted volumes to see if they're
  infected: if not, it writes itself to the root directory and sets
  up AutoStart (however, AutoStart won't work on a server volume).

  Damage: files whose names end in "data", "cod" or "csa" are targeted
  if the data fork is larger than 100 bytes. Files whose names end in
  "dat" are targeted if the whole file is about 2 MB or larger.
  Targeted files are attacked by overwriting the data fork (up to the
  first megabyte) with garbage.

  Besides the original, there are five variants: AutoStart 9805-B,
  which is less noticeable but can cause irreparable damage to files
  of type 'JPEG', 'TIFF', and 'EPSF'; AutoStart 9805-C and AutoStart
  9805-D which do not intentionally damage data; AutoStart 9805-E
  which spreads like B and is most similar to the original; and
  AutoStart 9805-F which is most similar to A and E.
  Dr Solomon's, Sophos, and Symantec had descriptions on the Web:
  <http://www.drsolomon.com/vircen/valerts/mac/>
  <http://www.sophos.com/virusinfo/analyses/autostart9805.html>
  <http://www.symantec.com/avcenter/data/autostart.9805.html>
  and Mac Virus had short descriptions.
  <http://www.macvirus.com/reference/autostart.html> [SL]

  Detection: updates to deal with the worms are available for Virex
  (http://www.drsolomon.com/products/virex/), for NAV and SAM
  (http://www.symantec.com/avcenter/download.html), and for Rival
  (http://www.intego.com/). [SL] Version 7.84 of Dr. Solomon's for
  Mac deals only with the original worm, not the variants and there
  is no interim extra driver. The current version of Dr. Solomon's is
  7.88 at time of writing: how many variants it detects is unknown at
  time of writing. VirusScan for Mac continues to be updated for
  macro viruses but does not have AutoStart worm definitions.
  Development on Disinfectant was discontinued, and the final version
  3.7.1 does not detect the worms.

  Prevention: uninfected systems can be protected by disabling the
  AutoStart option in QuickTime settings (QuickTime 2.5 or later only
  - earlier versions don't have a disable option). This should also
  prevent infection by future malware exploiting the same loophole,
  but will fail if a setup is booted from a volume with an infected
  Extensions Folder [SL].

  Removal: the easiest and safest method for most people will be to
  use the updated version of their favoured anti-virus software, as
  it becomes available.

  The worms can also be removed manually.
  * Reboot with extensions disabled (hold down the shift key till an
    alert box tells you that extensions are off).
  * Use Find File to search all volumes for all instances of a file
    called "DB" or "BD" or "DELDB" with the invisibility attribute set
    (hold down Option key when clicking on "Name" pop-up menu to select
    for visibility). Trash 'em.
  * Use Find File to find and trash an invisible "Desktop Print
    Spooler", "Desktop Printr Spooler", or "DELDesktop Print Spooler"
    file (-not- Desktop Printer Spooler, which is a legitimate and
    usually necessary system file).
  * Empty the trash.
  * Disable AutoStart in QuickTime Settings Control Panel.
  * Restart.
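  The indicators above (the dropper and extension names, the
  type/creator codes, the invisible attribute, the name that differs
  from the legitimate "Desktop Printer Spooler" by a few letters, and
  the payload's file-selection rules) can be turned into a triage
  check. The following is an added example written for this FAQ, not
  code from any vendor or from the worm's analysts. Classic Mac OS file
  metadata is modelled as plain Python records, since a real checker
  would read it from each file's Finder info; the sample volume, and
  every creator code in it other than "????", is constructed.

```python
"""AutoStart 9805 triage helper (added example, not from the FAQ).

Finder type/creator codes, the "invisible" flag and fork sizes are
modelled as plain records; a real checker would read them from the
Finder info of each file. All sample records are constructed.
"""
from dataclasses import dataclass

# Names used on infected media (volume root) and in the Extensions
# folder, as listed in the FAQ. The legitimate extension is
# "Desktop Printer Spooler" and is not in either set.
DROPPER_NAMES = {"DB", "BD", "DELDB"}
EXTENSION_NAMES = {"Desktop Print Spooler", "Desktop Printr Spooler",
                   "DELDesktop Print Spooler"}
UNKNOWN_CREATOR = "????"


@dataclass(frozen=True)
class MacFile:
    folder: str        # e.g. "/" or "/System Folder/Extensions"
    name: str
    ftype: str         # four-character Finder type code
    creator: str       # four-character Finder creator code
    invisible: bool    # Finder "invisible" attribute
    data_fork: int     # data-fork length in bytes
    resource_fork: int = 0


def worm_indicators(f):
    """Return the AutoStart 9805 indicators a file matches; [] means none.

    A name-only hit is still reported so a person can look at it; name,
    type/creator and the invisible flag together are the pattern the
    FAQ describes for the worm's own files.
    """
    if f.name in DROPPER_NAMES:
        role, expected_type = "dropper", "APPL"
    elif f.name in EXTENSION_NAMES:
        role, expected_type = "installed copy", "appe"
    else:
        return []                      # "Desktop Printer Spooler" ends here
    reasons = ["name matches AutoStart 9805 %s" % role]
    if f.ftype == expected_type and f.creator == UNKNOWN_CREATOR:
        reasons.append("type %s, creator %s" % (expected_type, UNKNOWN_CREATOR))
    if f.invisible:
        reasons.append("invisible attribute set")
    return reasons


def find_worm_files(files):
    """List (full path, reasons) for every file with at least one indicator."""
    hits = []
    for f in files:
        reasons = worm_indicators(f)
        if reasons:
            hits.append((f.folder.rstrip("/") + "/" + f.name, reasons))
    return hits


def is_damage_target(f):
    """Would the payload described in the FAQ overwrite this file's data fork?

    Assumptions: name matching is case-insensitive (the FAQ does not say),
    and "c. 2Mb" is taken as exactly 2 * 1024 * 1024 bytes.
    """
    name = f.name.lower()
    if name.endswith(("data", "cod", "csa")):
        return f.data_fork > 100
    if name.endswith("dat"):
        return f.data_fork + f.resource_fork >= 2 * 1024 * 1024
    return False


# Constructed sample volume: one dropper, one installed copy, the
# legitimate spooler, and some documents. Creator "dtps" is made up.
SAMPLE_VOLUME = [
    MacFile("/", "DB", "APPL", "????", True, 12000),
    MacFile("/System Folder/Extensions", "Desktop Print Spooler", "appe", "????", True, 12000),
    MacFile("/System Folder/Extensions", "Desktop Printer Spooler", "appe", "dtps", False, 40000),
    MacFile("/Documents", "report.dat", "TEXT", "ttxt", False, 3 * 1024 * 1024),
    MacFile("/Documents", "survey.data", "TEXT", "ttxt", False, 50),
    MacFile("/Documents", "readme.txt", "TEXT", "ttxt", False, 900),
]


if __name__ == "__main__":
    for path, reasons in find_worm_files(SAMPLE_VOLUME):
        print(path, "->", "; ".join(reasons))
    for f in SAMPLE_VOLUME:
        if is_damage_target(f):
            print("payload target:", f.name)
```

  Run against the sample volume, the two worm files are reported with
  all three indicators and the legitimate spooler is not reported at
  all; "report.dat" is the only payload target, since "survey.data"
  has too small a data fork. A file that matches on name alone is
  worth a look but is not a conviction.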

7.7  Esperanto.4733
-------------------
  This probably doesn't belong here. It's a PC file infector which
  works with a number of PC executable file formats. When it was
  first seen, it was reported to be a multiplatform virus capable of
  executing under some circumstances on Macintoshes. Subsequent
  reports indicate that this belief results from misinformation on
  the part of the author. However, at least two reputable PC
  anti-virus vendors still list it as capable of activating on a
  Macintosh, and we will attempt to get authoritative confirmation
  either way in due course. It may be significant, though, that no
  Mac scanner appears to try to detect it.

  
8.0  What's the best antivirus package for the Macintosh?
=========================================================

  As ever, we can't give a definitive answer to this. The best choice
  depends on subjective criteria and individual needs. Nonetheless,
  here are some thoughts on the main contenders.

8.1  Microsoft's Protection Tools
---------------------------------
  Microsoft's Macro Virus Protection Tools originally detected
  Concept (Nuclear and DMV were also mentioned in the documentation,
  but were not identified specifically by the tools). Principally,
  they merely warned users that the document they are about to open
  contained macros and offered the choice of opening the file without
  macros, opening it with macros, or cancelling the File Open. Later
  implementations built into the application are better on
  identifying a few specific viruses and on integration into Word
  itself, but should not be relied on for 100% effective detection,
  blocking and disinfection of macro viruses. More information from
  Microsoft may be available at the addresses below.
  <http://www.microsoft.com/office/antivirus/> (no longer accessible)
  MSN: GO MACROVIRUSTOOL
  AOL: the Word forum
  CompuServe: the Word forum
  Microsoft Product Support Services
  206-462-9673 (WinWord)
  206-635-7200 (Word Mac)
  email: wordinfo@microsoft.com

  NB The Protection Tool traps some File Open operations, but not
  all. There are a number of ways of opening a document which bypass
  it, some of which are rather commonly used (e.g. double-clicking or
  using the Recent Documents list).

  The Protection Tool can be used to scan for Concept-infected files,
  but there are a number of possible problems with it.

  * Earlier versions could only handle a limited size of directory
    tree, and ran very slowly if a large number of files required
    scanning. Speed is certainly still a problem: I can't say about the
    overflow problem.
  * Files created in Word for Windows won't be scanned until they've
    been opened in Word 6 for Mac (this is a system issue, not a bug in
    the code). However, Microsoft suggest that you open the file in
    Word for the Macintosh and save it before scanning. This will do
    the job, but will also infect your system, if the file is infected.
    If it's infected with a virus -other- than Concept, this could
    create problems if the Protection Tool is bypassed on a subsequent
    file open.
  * Infected files embedded in OLE2 files or e-mail files will not be
    detected.
  * The Microsoft tools are not useful on non-English Windows systems
    (which may be run under Virtual PC or Real PC). SCANPROT cannot
    handle non-English documents, and will hang during the scanning
    process if it encounters a document created with a non-English
    version of Word. Microsoft's Excel add-in for the Laroux macro
    virus causes multiple file open buttons to appear in non-English
    versions of Excel, and so it has worse effects than the macro virus
    itself. Again this applies to Windows emulation; however, most
    virus protection and detection products are only tested in an
    English language environment, and may cause problems on non-English
    systems. [Thanks to Eric Hildum for this information.]

  Windows 95 users should be aware that SCANPROT is not recommended
  for use with MS Word 7.0a for Windows with internal detection
  enabled, as these two tools will cancel each other out.

  The Excel add-in for Macs removes only Laroux A and B.
  <http://www.microsoft.com/macoffice/laroux.htm>

  Office 98 moves the goalposts again. This issue will probably be
  addressed again here in more depth. In brief, Office 98 does a
  better job of implementing a primarily generic approach [i.e. "If
  it contains macros, it's suspicious: sort it out yourself...."],
  but whether this is enough is a question demanding more space and
  time than I have to spare right now [DH].

  Microsoft's home page has recommended using an ICSA-certified
  antivirus utility and sidesteps any hint of responsibility for any
  macro virus or SCANPROT related problems. Two caveats:
  (1) not everyone is happy with the current implementation of ICSA
      (NCSA) certification;
  (2) ICSA certification is not at present Mac-aware.


8.2  Disinfectant
-----------------
  [On May 6th 1998, John Norstad, author of this widely-used freeware
  package announced that it was to be retired. 3.7.1 is the latest
  and last version, and it won't be updated to detect AutoStart 9805
  or any subsequent Macintosh malware. The main reason for this is
  that he doesn't have the resources to extend its capabilities to
  detect macro viruses, which have become by far the most significant
  virus problem for most Macintosh users.

  This is probably a wise decision, given the number of people who
  still overestimate the effectiveness of the package in the face of
  the macro virus threat. However, the entire Macintosh community
  owes John Norstad a debt of gratitude for making it freely
  available for so long, an act of altruism which has probably
  contributed very significantly to the comparative rarity of native
  Macintosh viruses.]

  Disinfectant was an excellent anti-virus package with exemplary
  documentation, and didn't cost a penny: however, it didn't detect
  all the forms of malware that a commercial package usually does,
  including HyperCard infectors, most Trojans, jokes or macro
  viruses. Unlike some commercial packages, it didn't scan compressed
  files, either: compressed files had to be expanded before scanning.
  Self-extracting archives were probably best scanned before
  unpacking, then again when unpacked.

  Disinfectant has been available up to now from the following
  sources, but this may not continue to be the case:
  <ftp://ftp.acns.nwu.edu/pub/disinfectant/>
  CompuServe
  GEnie
  America Online
  Calvacom
  Delphi
  BIX
  Info-Mac mirrors in the ../vir/ directory

  The Disinfectant README was updated to README-IMPORTANT on 6 May
  1998, with the message, "because of the widespread and dangerous
  Microsoft macro virus problem," "...All Disinfectant users should
  switch..." to another program. README-IMPORTANT was updated again
  on 11 October 1998, adding, "In addition to the Autostart worm and
  the Microsoft macro viruses, several other new Mac viruses have
  appeared since Disinfectant's retirement in May. This makes it even
  more important that Disinfectant users switch..." to one of the
  commercial products.
  <ftp://ftp.nwu.edu/pub/disinfectant/README-IMPORTANT>
  There is a copy of the retirement announcement on the Web:
  <http://charlotte.acns.nwu.edu/jln/d-retire.ssi>

8.3  Demo Software
------------------
  Symantec has a 30-day fully-functioning demo of NAV (Norton
  AntiVirus for Macintosh). Update it with current definitions.
  <http://www.symantec.com/nav/fs_navmac5.html>

  Intego has a limited-function French demo of Rival, "miniRival."
  <http://www.intego.com/demo.html>

  Disinfector 1.0 is described by its author as shareware. However,
  it's strictly speaking a limited-runtime demo -- it stops
  functioning after 20 trial runs on one system. It's described as a
  beta release, but the author expects users to register it at a
  charge of $30 [subsequently reduced to $15]: in return, they get a
  version which can be used an unlimited number of times. It only
  detects a handful of Mac system viruses which the author claims
  that commercial vendors have not detected, and have not been
  reported in the wild. In the early days of virus/antivirus
  technology, a number of utilities were made available which
  addressed only one or a few viruses, and a proliferation of free
  AutoStart worm detectors continues that honourable tradition.
  However, charging for this particular utility puts it into the same
  arena as the commercial scanners which detect a far wider range of
  threats and for which full support is available, an area in which
  it cannot at present compete. Disinfector was briefly available at
  Info-Mac, but has since been removed.

  There have also been a number of proposals since John Norstad
  announced the retirement of Disinfectant, suggesting that if the
  code was made public, it would be possible to maintain and further
  develop Disinfectant, possibly still as a freeware product. This is
  misguided, for a number of reasons.

  * It misses one of the main points of Norstad's announcement, which
    is to acknowledge the dangers of continuing to develop a scanner
    which detects only one class of virus, when so many people have
    laboured so long under the misapprehension that it was a complete
    solution.
  * Disinfectant -has- been developed further. VirusScan is based on
    Disinfectant technology (under licence), and NAI are in a much
    better position to develop it as commercial-grade software than a
    group of well-meaning individuals without the specialised skills
    and resources of a mainstream anti-virus development team. Indeed,
    it may be that the terms of that agreement would prevent Norstad
    from making the code public even if he wanted to (I doubt that he
    does....).
  * Making the code public, even to a limited circle, would increase
    the chances of its falling into irresponsible hands. In fact, the
    online documentation has long stated that the code for the
    detection engine is not available, though some of the interface
    code was. (I'm paraphrasing from memory: I may well check out
    exactly what it says for the next update of the FAQ.)
  * To think that a committee of well-intentioned amateurs (or a
    single ambitious amateur) can develop Disinfectant to the same high
    standard that it achieved through its lifetime demonstrates a
    profound underestimation of the difficulties of maintaining (let
    alone creating) a first-class known-virus scanner. [DH]

8.4  Other freeware/shareware packages
--------------------------------------
  For other freeware/shareware Mac packages, try Info-Mac mirrors
  like:
  <ftp://ftp.ucs.ubc.ca/pub/mac/info-mac/vir/>

  The University of Texas holds some older documentation on Mac
  viruses.
  <http://wwwhost.ots.utexas.edu/mac/pub-mac-virus.html>

  Tracker INIT and DelProtect INIT, both by Ioannis Galidakis, were
  first released on 19-Nov-98. Tracker is a behavior blocker something
  like the retired program GateKeeper. DelProtect protects against
  malicious file deletion. Tracker is now at version 1.1. Scanner 1.1x
+ also by Ioannis Galidakis was released 15-Jan-99, and is a free,
  generic, heuristic 68k virus scanner for advanced Macintosh users.
  <http://www.crosswinds.net/athens/~jgal/>

+ John Dalgliesh has created Agax, an extensible, free anti-virus
  program which replaces his program AntiGax, and uses plug-ins called
  "Additives." At this time, Agax will detect and try to clean only
  SevenDust, CODE 9811, and the AutoStart worms (the worm additive was
  in beta testing at the time of this writing). The author's Web page
  and documentation invite Mac programmers to contribute additives.
  <http://www.cse.unsw.edu.au/~s2191331/agax/agax.html>

+ The Exorcist, free from Laffey Computer Imaging, may give some (by
  one description, about 90%) protection from the SevenDust family.
  <http://www.laffeycomputer.com/software.html>

  Gatekeeper was not a scanner, but a generic tool. It is no longer
  supported by its author, but is still available on some sites. It
  is probably not safe to use or rely on with modern systems, and I
  believe the author recommends that people don't attempt to use it,
  though I've been unable to contact him to get confirmation.

  In January 1997 Padgett Peterson, author of the PC utility
  DiskSecure, released the first version of his MacroList macro
  detection tool, which has been tested by the author on Macs (System
  7.5 on SE/30, IIci and PowerMac) as well as Windows PCs, using
  considerably more macro viruses than Microsoft seem to have heard
  of..... The MacroList template is accessed by a button in the
  standard toolbar. This is not a virus scanner, but allows disabling
  of automacros, listing of any macros found in the current document
  etc. Version 1.10 was due for release by the time of writing
  (February 1997), and an adaptation for Office97 is in progress.
  Watch the Web page for further details. [v1.1 and the Office 97
  "late beta" were available as at 18th March 1997.] MacroList is
  freeware, but please be sure to read the TRIALS link.
  <http://www.freivald.org/~padgett/>
  (under Anti-Virus Hobby) - NB change of URL.

  WormGuard by Clarence Locke is a free on-access extension that
  affords AutoStart worm protection:
  <http://hyperarchive.lcs.mit.edu/cgi-bin/NewSearch?key=WormGuard>

  The following free scanners may remove AutoStart 9805 and its B, C,
  D, E, and F variants and may be useful in the absence of a
  commercial application. There are a few reported instances of
  failures by some of these programs to identify or remove the
  AutoStart worms, and it is likely that D might be mis-identified as
  C, and E may be mis-identified as the original worm. [SL]

  WormScanner by James Walker
  <http://members.aol.com/jwwalker/pages/worm.html>
  Autostart Hunter by Akira Nagata
  <http://www.nettaxi.com/citizens/yukoswrd/> (English)
  <http://www.parkcity.ne.jp/~eyukoswrd/index_mac.html> (Japanese)
  BugScan by Mountain Ridge Dataworks (also detects SevenDust E)
  <http://www.mrdataworks.com/bscan.htm>
  Worm Gobbler by Jim Kreinbrink
  <http://www.lineaux.com/>
  Innoculator by MacOffice
  <http://www.macoffice.com/innoculator.htm>
  WormFood by Doug Baer
  <http://hyperarchive.lcs.mit.edu/cgi-bin/NewSearch?key=WormFood>
  Eradicator with update, by Uptown Solutions Ltd.
  <http://www.uptown.com/>

  As stated above, one-shot solutions to a very small subset of a
  particular class of threat have a long and honourable history, and
  are very welcome when a new threat catches the antivirus developers
  on the hop (it can take some time to incorporate detection of new
  threats into the product update cycle). NB The maintainers do not
  have the time or resources to do full detection testing of these
  products or any other. [DH]

8.5  Commercial Packages
------------------------
  Commercial packages include NAV (Norton AntiVirus for Macintosh)
  [NAV supersedes SAM (Symantec Antivirus for Macintosh)], Virex for
  Macintosh, Rival, Dr. Solomon's Anti-Virus Toolkit for Macintosh,
+ and Sophos Anti-Virus for Macintosh (SAV). At present, the
  likelihood is that Dr. Solomon's Toolkit for Macintosh will be
  discontinued. Virex may be Network Associates' sole Mac offering.

  Virex, NAV, and SAM all address a full range of threats, including
  Trojans and macro viruses, and can do scheduled scanning as well as
  on-access (memory-resident) scanning.

+ Sophos Anti-Virus for Macintosh (SAV) was upgraded in January 1999
  to include the SWEEP on-demand scanner. The shipping version can be
  downloaded for free evaluation. English and Japanese are supported.
+ <http://www.sophos.com/downloads/eval/>
  The program offers customizable reporting and notification from an
  attractive interface. So far, compressed archives must be
  decompressed before scanning; I am assured that archive scanning
  will be in future versions. Complete documentation is in PDF format.
  <http://www.sophos.com/support/docs/>
+ Sophos will shortly have a version which combines both the
  intercept driver (InterCheck) and the scanner application (SWEEP).
  Sales are not retail, but direct or through the Sophos Distributor
  network. Free technical support is all-year round, any time of day.
  Virus identity updates are on the Web in between shipping monthly
  CD-ROMs. A future version of this FAQ may have more information on
  these welcome new developments for the Macintosh from Sophos.[SL]

  Norton AntiVirus for Macintosh (NAV) launched May 18, 1998. New
  features included LiveUpdate virus definition updates over the
  Internet, enhanced macro virus protection, automatic file repair, a
  bootable CD-ROM for emergencies, faster scanning for PPC, and a
  universal SafeZone.

  NAV, SAM, and Virex offer checksumming/integrity checking
  (detecting possible infection by unknown viruses, by monitoring
  changes in infectable files) - the correct checksums or
  fingerprints for individual files are kept in a database file. All
  three applications check files compressed with StuffIt.

  NAV, formerly SAM, is particularly oriented towards behaviour
  blocking: the Intercept tool can be configured to raise an alert at
  the slightest whiff of a 'suspicious' operation. Unfortunately,
  this can be counterproductive in real life, since an over-stringent
  alert policy is apt to result in the facility being turned off
  altogether. However, configuration is very flexible.

+ SAM (Symantec AntiVirus for Macintosh) updates will be discontinued
  after May 1, according to a February 11 NUM/NAVM Technical Support
  Alert Bulletin. From Symantec's advice:
   "In order to maintain the safety and security of your data
    from viruses without interruption, we recommend that you
    upgrade to NAVM 5.0.3 before May 1st. For presales and
    upgrade questions, please contact customer service. They
    can be reached at 800-441-7234 or online at:"
    <http://www.symantec.com/custserv/>

  [SAM 4.5.x needs the 4.5->4.5.1 application patch to run current
  definitions, and the 4.5.3 Intercept patch to resolve a compatibility
  issue with Microsoft Office 98, and Segment Loader errors when
  Intercept loads.
  <http://service.symantec.com/sam/>
  <http://service1.symantec.com/SUPPORT/num.nsf/docid/19978714255>
  SAM application Minimum and Preferred memory allocations must be
  increased from their shipping defaults to 5000K or greater. The
  (May 1998) SAM definitions files included a Read Me with
  instructions. More information may be available from Symantec SAM
  support on the Web.]

  Symantec issued a Norton AntiVirus 5.x->5.0.3 patch for Mac OS 8.5,
  fixing the problem with copying files on AppleShare networks.
  <http://www.symantec.com/techsupp/files/navm/
  norton_antivirus_for_macintosh.html>

  Virex offers very fast scanning, is easy to update, and includes
  checksumming for the detection of unknown viruses. It's also
  possible to buy an administration package. The basic package
  includes a control panel for scanning on file or diskette access
  which can be locked independently of the administration package.
  Installation and interface are easy and efficient. Virex 5.8 scans
  ZIP archives, has a contextual menu plug-in module, and interface
  enhancements.

+ Virex 5.9.1 was released on 18-Jan-99, for compatibility with
  Mac OS 8.5 and Virex Administrator 1.4, and can be downloaded.
  <http://www.drsolomon.com/download/home/>. Registered users who
  bought McAfee VirusScan during the past six months or so, and
  registered users of Virex 5.8 and 5.9 could still upgrade:
  <http://www.nai.com/products/antivirus/virex_mac.asp>.
  Virex Administrator version 1.4 was released by NAI on 23-Dec-98.
  Virex and Virex Administrator had these home pages:
  <http://www.drsolomon.com/products/virex/index.cfm>
  <http://www.drsolomon.com/products/vadmin/index.cfm>

  Dr Solomon's Software acquired Virex and netOctopus from Datawatch
  Corp. on 10-Oct-97. Network Associates (NAI) acquired Dr Solomon's
  on 13-Aug-98. Netopia, Inc., acquired what is now named Timbuktu
  netOctopus in late '98 or early '99.

  VirusScan 3.0.1 is the final version for Macintosh, and may be
  updated for macro viruses into 1999, but will never have AutoStart
  worm definitions or definitions for the new System viruses like
  SevenDust E. VirusScan customers need to take advantage of a free
  upgrade to Virex as soon as possible. Possibly more information:
  <http://www.macvirus.com/news/press/981021a.html>

  Dr. Solomon's for Macintosh has the unusual capacity for detecting
  (not cleaning) PC boot-sector viruses on DOS floppies, which could
  be very useful in a mixed environment. Also unusually, it now
  detects the EICAR test 'virus', though this program (which
  basically simulates a simple overwriting virus) can't execute under
  Mac OS (except where a PC emulator is in use). FindVirus for Mac
  doesn't detect viruses in compressed files (oddly, since this is one
  of the strengths of the DOS/Windows version). Nor does the product
  include checksumming. The manual is a bit sloppy, especially the
  virus descriptions: for instance, there's no indication that Frankie
  doesn't affect real Macs, only emulators. Terminology is a bit
  idiosyncratic, too: the frequent references to 'link' viruses are
  rather non-standard. The MacGuard control panel scans on file access,
  launch of INITs etc. [NB: my copy of the manual is now rather elderly,
  and the criticisms above may not apply with the current edition. - DH]

+ Rival 3.0.4 is available from Intego.
  <http://www.intego.com/>

  Before the January 1999 upgrade described above, Sophos, who supply
  the SWEEP scanner for PCs etc., did not have a stand-alone Macintosh
  scanner, but only a Macintosh client version of their InterCheck
  technology. This runs as an extension and communicates with the
  InterCheck server when an application is run on the client machine.

8.6  Contact Details
--------------------
  Network Associates
  (for Virex, Dr Solomon's Anti-Virus Toolkit, and VirusScan)

  Network Associates Corporate Headquarters
  3965 Freedom Circle
  McCandless Towers 
  Santa Clara, CA 95054
  United States
  Customer Care:
  Voice +1 408 988 3832
  Fax   +1 408 970 9727
  Fax-back automated response system
  +1 408 988 3034
  BBS   +1 408 988 4004
  America Online keyword: MCAFEE
  CompuServe: GO NAI
  support@nai.com
  ftp://ftp.nai.com/pub/antivirus/mac/
  http://www.nai.com/

  Dr. Solomon's Software Ltd.
  (for Dr. Solomon's Anti-Virus Toolkit)

  Alton House
  Gatehouse Way
  Aylesbury
  Buckinghamshire HP19 3XU
  United Kingdom
  UK Support: support@uk.drsolomon.com
  US Support: support@us.drsolomon.com
  UK Tel: +44 (0)1296 318700
  USA Tel: +1 781-273-7400, 1-888-DRSOLOMON
  CompuServe: GO DRSOLOMON
  Web: http://www.drsolomon.com
  FTP: ftp://ftp.drsolomon.com

  Symantec Corporation (for NAV and SAM)

  10201 Torre Avenue
  Cupertino CA 95014
  United States
  +1 408 725 2762
  Fax: +1 408 253 4992
  US Support:  541-465-8420
  AOL:  SYMANTEC
  European Support:  31-71-353-111
  Australian Support:  61-2-879-6577
  http://www.symantec.com/
  ftp://ftp.symantec.com/

  Intego (for Rival)

  10, rue Say
  75009 Paris
  France
  +33 1 49 95 07 80
  Fax: +33 1 49 95 07 83
  Email: rival@intego.com
  http://www.intego.com/

  Sophos plc (for SWEEP)

  The Pentagon
  Abingdon
  Oxon
  England OX14 3YP
  http://www.sophos.com/

  
9.0  Welcome Datacomp
=====================

  From time to time there are reports from Mac users that the message
  'Welcome Datacomp' appears in their documents without having been
  typed. This is the result of using a Trojanised 3rd-party
  Mac-compatible keyboard with this 'joke' hard-coded into the
  keyboard ROM. It's not a virus - it cannot infect anything. The
  only cure is to replace the keyboard (be polite but firm with the
  dealer if you were sold this as a new keyboard!).


10.0  Hoaxes and myths
======================

  Some of these are PC-specific, rather than Mac-specific, while some
  have no basis in reality on any system. [I look forward to hearing
  about the first Turing machine infector....] They are included here
  (a) because Mac support staff are accustomed to being asked about
  them (b) because anything that -might- work on a real PC -might-
  also work with DOS emulation, in principle.

10.1  Good Times virus
----------------------
  There is *no* Good Times virus that trashes your hard disk and
  launches your CPU into an nth-complexity binary loop when you read
  mail with "Good Times" in the Subject: field.

  You can get a copy of the latest version of Les Jones' FAQ on the
  Good Times Hoax on the World Wide Web:
  <http://www.public.usit.net/lesjones/goodtimes.html>

  There's a Mini-FAQ available as:
  <http://www.public.usit.net/lesjones/gtminifaq.html>

10.2  Modems and Hardware viruses
---------------------------------
  There is no modem virus that spreads via an undocumented subcarrier
  - whatever that means.... There is no virus that causes damage to
  hardware.

10.3  Email viruses
-------------------
  Any file virus can be transmitted as an E-mail attachment. However,
  the virus code has to be executed before it actually infects.
  Sensibly configured mailers and browsers don't allow this: check
  yours. In particular, check that your Web browser doesn't
  automatically pass Word documents to Word 6 to open, since this may
  result in embedded macros being launched.

10.4  JPEG/GIF viruses
----------------------
  There is no known way in which a virus could sensibly be spread by
  a graphics file such as a JPEG or .GIF file, which does not contain
  executable code. Macro viruses work because the files to which they
  are attached are not 'pure' data files. (The reasoning depends on
  the program displaying the image handling the file purely as data,
  which is the normal case.)

10.5  Hoaxes Help
-----------------
  If you should receive a virus warning, look at these sites before
  forwarding it along. In fact, it's probably never justified to pass
  on a virus alert indiscriminately, and reputable antivirus
  companies don't do this: the information that such and such a virus
  exists is not, in itself, useful to the average computer user, even
  if it does exist. A statement like, "Please forward to everyone!"
  is one mark of a hoax.

  Computer Virus Myths home page
  <http://www.kumite.com/myths/>

  CIAC
  <http://www.ciac.org/ciac/CIACHoaxes.html>

  Data Fellows
  <http://www.datafellows.com/news/hoax.htm>

  Scams and Hoaxes FAQ: Messages you DON'T want to post
  <http://www.faqs.org/faqs/net-abuse-faq/scams/>

  Corporates who haven't sorted out their hoax management strategy
  might get some mileage out of my mini-paper on "Dealing with
  Internet Hoaxes", though it's getting a bit long in the tooth. It
  is, however, one of the few papers on the subject which deals with
  it from an administrator's/manager's point of view as well as from
  an everyday user/victim's. [DH]
  <http://webworlds.co.uk/dharley/>

  
11.0  Glossary
==============

  * Change Detectors/Checksummers/Integrity Checkers - programs that
    keep a database of the characteristics of all executable files on a
    system and check for changes which might signify an attack by an
    unknown virus.
  * Cryptographic Checksummers use an encryption algorithm to lessen
    the risk of being fooled by a virus that targets that particular
    checksummer.
  * Dropper - a program that installs a virus or Trojan, often
    covertly.
  * Generic - catch-all name for antivirus software that doesn't know
    about individual viruses, but attempts to detect viruses by
    detecting virus-like code, behaviour, or changes in files
    containing executable code.
  * Heuristic scanners - scanners that inspect executable files for
    code using operations that might denote an unknown virus.
  * Monitor/Behaviour Blocker - a TSR that monitors programs while
    they are running for behaviour which might denote a virus.
  * Scanner (conventional scanner, command-line scanner, on-demand
    scanner) - a program that looks for known viruses by checking for
    recognisable patterns ('scan strings', 'search strings',
    'signatures') or using a more flexible algorithmic approach for
    detection of polymorphic viruses, which can't be found by a search
    for a simple scan string. Polymorphic viruses are not usually
    associated with the Macintosh platform, but there are Word Macro
    viruses which exhibit mutation.
  * Trojan (Trojan Horse) - a program intended to perform some covert
    and usually malicious act that the victim did not expect or want.
    It differs from a destructive virus in that it doesn't reproduce,
    (though this distinction is by no means universally accepted).
  * Virus - a program (a block of executable code) that attaches
    itself to, overwrites or otherwise replaces another program in
    order to reproduce itself without the knowledge of the computer
    user. Most viruses are comparatively harmless, and may be present
    for years with no noticeable effect: some, however, may cause
    random damage to data files (sometimes insidiously, over a long
    period) or attempt to destroy files and disks. Others cause
    unintended damage. Even benign viruses (apparently non-destructive
    viruses) cause significant damage by occupying disk space and/or
    main memory, by using up CPU processing time, by introducing the
    risk of incompatibilities and conflicts, and by the time and
    expense wasted in detecting and removing them.
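  To show what the Change Detector and Cryptographic Checksummer
  entries above describe in running code, here is a small added
  example in Python. It is not part of this FAQ and is not the code of
  any product the FAQ mentions: it records a keyed checksum (HMAC-SHA256
  standing in for the glossary's "encryption algorithm") for each file
  in a baseline, then reports which files have since changed or
  disappeared. The key name DEMO_KEY, the file names and their
  contents are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

# Hypothetical key for this demonstration only. A real checksummer keeps
# its key (and its baseline database) somewhere a virus running on the
# checked machine cannot read or rewrite, e.g. on a write-protected disk.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def keyed_checksum(key: bytes, data: bytes) -> str:
    """Cryptographic checksum of one file's contents.

    Without the key, a virus cannot compute the value the checksummer
    expects for a file it has altered, so it cannot patch the file up
    to look unchanged (a plain CRC offers no such guarantee).
    """
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_baseline(paths, key: bytes = DEMO_KEY) -> dict:
    """Record size and keyed checksum of each executable in `paths`."""
    baseline = {}
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        baseline[path] = {"size": len(data), "mac": keyed_checksum(key, data)}
    return baseline


def check_baseline(baseline: dict, key: bytes = DEMO_KEY) -> dict:
    """Re-check every file in the baseline.

    Returns {path: "ok" | "changed" | "missing"}. A 'changed' executable
    is what an integrity checker reports when an unknown virus has
    attached itself to a host program.
    """
    report = {}
    for path, rec in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        unchanged = (len(data) == rec["size"]
                     and hmac.compare_digest(keyed_checksum(key, data), rec["mac"]))
        report[path] = "ok" if unchanged else "changed"
    return report


def demo() -> tuple:
    """Constructed scenario: three stand-in 'applications' are baselined,
    then one is modified (simulating a parasitic virus appending its code
    to the host) and one is deleted. Returns their three statuses."""
    workdir = tempfile.mkdtemp()
    app_a = os.path.join(workdir, "TextEditor")
    app_b = os.path.join(workdir, "Calculator")
    app_c = os.path.join(workdir, "Clock")
    for path, body in ((app_a, b"APPL" + bytes(64)),
                       (app_b, b"APPL" + bytes(32)),
                       (app_c, b"APPL" + bytes(16))):
        with open(path, "wb") as fh:
            fh.write(body)

    baseline = build_baseline([app_a, app_b, app_c])

    # Simulate an infection of app_a (extra bytes appended) and loss of app_c.
    with open(app_a, "ab") as fh:
        fh.write(b"\x00" * 8)
    os.remove(app_c)

    report = check_baseline(baseline)
    return report[app_a], report[app_b], report[app_c]


if __name__ == "__main__":
    print(demo())  # ('changed', 'ok', 'missing')
```

  The report only tells you that a file differs from the baseline, not
  why; a legitimate upgrade shows up the same way as an infection, which
  is why such tools ask you to re-baseline after you install software.
  The checker is also only as trustworthy as the place its key and
  database live: if a virus can rewrite the baseline, "ok" means nothing.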


12.0  General Reference Section
===============================

12.1  Mac Newsgroups
--------------------
  comp.sys.mac.apps
  comp.sys.mac.comm
  comp.sys.mac.misc
  comp.sys.mac.system

  comp.virus
  alt.comp.virus

  The focus on these two groups tends to be IBM-compatible, but Mac
  issues are certainly aired. Alt.comp.virus is unmoderated, and the
  quality of the advice and opinions aired there is very variable -
  there are many reputable and expert posters, and many mischievous
  and misleading contributions. Caveat lector....

12.2  References and Publications
---------------------------------
  Sensei Consulting Macintosh WAIS Archives
  <http://wais.sensei.com.au/searchform.html>

  "Inside the Apple Macintosh" - Peter Norton & Jim Heid (Brady) (The
  2nd Edition is pre-PowerMac, and I haven't seen a later one, but
  there's some surprisingly useful stuff in there).

  "Inside Macintosh" (Addison Wesley). Essential reading for Mac
  programmers. (Umpteen volumes of fairly low-level info. Expensive
  (in the UK, at any rate), and whenever you get near some useful
  info, it refers you to one of the volumes you haven't got. However,
  the series has been re-vamped since I acquired my copies, and this
  may be less than just. It's possible to download them in Acrobat
  and in some cases other formats from:
  <http://devworld.apple.com/>
  where you can also order hardcopy and CD versions. Lots of other
  useful files.

  "Power Macintosh Emergency Handbook" (Apple Computer)
  <ftp://ftp.info.apple.com/Apple.Support.Area/Manuals/PMac_Emergency_Handbook.pdf>

  MacFixIt "Troubleshooting for the Macintosh"
  <http://www.macfixit.com/>

  "Sad Macs, Bombs and other Disasters"
  Ted Landau (Addison Wesley)
  <http://www.macfixit.com/sadmacs3promo.html>

  MacInTouch home page (info and services)
  <http://www.macintouch.com/>

  MacWEEK.com (Have run MacInTouch columns about the AutoStart worms.)
  <http://macweek.zdnet.com/>

  Macworld magazine
  <http://www.macworld.com/>

  TidBITS (Have done many good articles on Mac/macro virus issues.)
  <http://www.tidbits.com/>


13.0  Mac troubleshooting
=========================

  Since the initial release of this document, a number of people have
  E-mailed me asking for help with a possibly virus-related problem.
  While I'll always help if I can, I should point out (1) I'm an
  experienced Mac user and an IT support professional, but I don't
  claim to be a Mac expert (2) pressure of work and other commitments
  and a huge E-mail turnover means that I can't promise a quick or
  in-depth response [DH]. Whether you mail direct or post to a
  relevant newsgroup, it's helpful if you can supply a few details,
  such as:

  * Which model of Macintosh you're using. It may be useful to know
    how much RAM it has, the size of the hard disk, and any peripherals
    you're using.
  * Which version of MacOS you're using.
  * Which applications you're using, and which version. If you're
    using Word, it may be critical to know whether you're using version
    6 or later, or an earlier version.
  * Which, if any, antivirus packages you use, and what version
    number. If you're using NAV, for instance, what version?
  * List any error messages or alerts that have appeared.
  * List any recent changes in configuration, additional hardware
    etc.
  * List any diagnostic/repair packages you've tried, and the
    results.
  * List any other steps you've taken towards determining the cause
    of the problem and/or trying to fix it, e.g. rebuilding the
    desktop, booting without extensions, zapping PRAM etc.

  Here are a few steps that it might be appropriate to try if virus
  scanning with an up-to-date scanner finds nothing. This section
  will be improved when and if I have time.

  Rebuilding the desktop is by no means a cure-all, but rarely does
  any harm. It may be worth disabling extensions when you do this,
  especially if the operation doesn't seem to be completed
  successfully.

  To disable extensions, restart the machine with the shift key held
  down until you see an "Extensions Off" message. If you're rebuilding
  the desktop, release the shift key and hold down Command (the key
  with the Apple outline icon) & Option (alt) until requested to
  confirm that you want to rebuild.

  Disabling extensions is also a good starting point for tracking
  down an extensions conflict. If booting without extensions appears
  to bypass the problem, try removing extensions with Extensions
  Manager (System 7.5) - remove one at a time, and replace it before
  removing the next one and booting with that one removed. Remember
  that if removing one stops the problem, it's still worth putting it
  back and trying all the others to see if you can find one it's
  conflicting with. Extensions Manager also lets you disable control
  panels. If you don't have Extensions Manager, try Now Utilities or
  Conflict Catcher.

  Parameter RAM (PRAM) contains system information, notably the
  settings for a number of system control panels. 'Zapping' PRAM
  returns possibly corrupt PRAM data to default values. A likely
  symptom of corrupted PRAM is a problem with date and time (though
  this could also be a symptom of a corrupted system file). With
  System 7, hold down Command-Option-P-R at bootup until the Mac beeps
  and restarts. You may have to restore changes to some control panels
  before your system works properly. If the reset values aren't
  retained, the battery may need replacing.

  
-- 
End "Viruses and the Macintosh" version 1.5k by David Harley

