======== Newsgroups: alt.comp.virus Subject: Frequently Asked Questions 2/4 From: harley@europa.lif.icnet.uk (David Harley) Date: 22 Mar 1996 16:02:35 GMT alt.comp.virus (Frequently Asked Questions) ******************************************* Version 1.01c : Part 2 of 4 Last-modified 21st March 1996 ("`-''-/").___..--''"`-._ `6_ 6 ) `-. ( ).`-.__.`) (_Y_.)' ._ ) `._ `. ``-..-' _..`--'_..-_/ /--'_.' ,' (il),-'' (li),' ((!.-' ADMINISTRIVIA ============= Disclaimer ---------- This document is an honest attempt to help individuals with computer virus-related problems and queries. It can *not* be regarded as being in any sense authoritative, and has no legal standing. The authors accept no responsibility for errors or omissions, or for any ill effects resulting from the use of any information contained in this document. Not all the views expressed in this document are mine, and those views which *are* mine are not necessarily shared by my employer. Copyright Notice ---------------- Copyright on all contributions to this FAQ remains with the authors and all rights are reserved. It may, however, be freely distributed and quoted - accurately, and with due credit. B-) It may not be reproduced for profit or distributed in part or as a whole with any product for which a charge is made, except with the prior permission of the copyright holders. To obtain such permission, please contact the maintainer of the FAQ. David Harley ************ -------------------------------------------------------------------- TABLE OF CONTENTS ================= Part 1 ------ (1) I have a virus - what do I do? (2) Minimal glossary (3) What is a virus (Trojan, Worm)? (4) How do viruses work? (5) How do viruses spread? (6) How can I avoid infection? (7) How does antivirus software work? -----> Part 2 ------ -----> (8) What's the best anti-virus software (and where do I get it)? -----> (9) Where can I get further information? -----> (10) Does anyone know about * Mac viruses? * UNIX viruses? 
* macro viruses? * the AOLGold virus? * the PKZip trojan? * the xyz PC virus? -----> (11) Is it true that...? -----> (12) Favourite myths * DOS file attributes protect executable files from infection * I'm safe from viruses because I don't use bulletin boards/shareware/Public Domain software * FDISK /MBR fixes boot sector viruses * Write-protecting suspect floppies stops infection * The write-protect tab always stops a disk write * I can infect my system by running DIR on an infected disk Part 3 ------ (13) What are the legal implications of computer viruses? Part 4 ------ (14) Miscellaneous Are there anti-virus packages which check zipped files? What's the genb/genp virus? Where do I get VCL and an assembler, & what's the password? Send me a virus. Is it viruses, virii or what? Where is alt.comp.virus archived? What about firewalls? Viruses on CD-ROM. Removing viruses. Can't viruses sometimes be useful? Do I have a virus, and how do I know? What should be on a (clean) boot disk? What other tools might I need? What are rescue disks? Are there CMOS viruses? How do I know I'm FTP-ing 'good' software? What is 386SPART.PAR? Can I get a virus to test my antivirus package with? When I do DIR | MORE I see a couple of files with funny names... Reasons NOT to use FDISK /MBR Placeholders ------------------------------------------------------------------- (8) What's the best antivirus software (and where do I get it)? =============================================================== In case it's not absolutely clear from the following, I can't possibly answer the first part of this question! There are, however, some suggestions following for sources of software and of information on particular packages, comparative reviews etc. The danger of this approach is that sites, servers, and packages come and go, and I haven't time to keep track of all these variables. Some of these URLs have been passed on by trusted sources, but I haven't the time to check them all out regularly. 
If you run into problems, please let me know (by e-mail, please). Most of the people who post here have their favourites: if you just ask which is the best, you'll generally get either a subjective "I like such and such", recommendation of a particular product by someone who works for that company, or a request to be more specific about your needs. Some of us who are heavily involved with virus control favour using more than one package and keeping track of the market. Don't trust anything you read in the non-technical press. Don't accept uncritically reviews in the computing press, either: even highly-regarded IT specialists often have little understanding of virus issues, and many journalists are specialists only in skimming and misinterpreting. Magazines like Virus Bulletin and Secure Computing are much better informed and do frequent comparative reviews, and are also informative about their testing criteria, procedures and virus suites. Recently, a number of articles have been posted here by people who've run their own tests on various packages. These are often of interest, but should not be accepted uncritically. (No-one's opinion should be accepted uncritically!) Valid testing of antivirus software requires a lot of care and thought, and not all those who undertake it have the resources, knowledge or experience to do it properly. You may get a more informed response if you specify what sort of system you have - DOS, Windows, Win95? XT, AT, 386 or better? Is the system networked, and are you asking about protecting the whole network? (What sort of network?) Are you running NT, OS/2 or Win95, any of which involve special considerations? 
Be aware that there is more than one way of judging the effectiveness of a package - the sheer number of viruses detected; speed; tendency to false alarms; size (can you run it from a single floppy when necessary?); types of virus detection & prevention (not at all the same thing) offered (command-line scanning, TSR scanning, behaviour blocking, checksumming, access-control, integrity shell etc.); technical support etc. DOS packages available from SimTel etc. include F-Prot AVP Lite McAfee TBAV Most Shareware/Freeware packages can be obtained from SimTel via anonymous FTP or WWW, e.g. http://www.coast.net/SimTel/msdos/virus ftp://ftp.coast.net/SimTel/msdos/virus/ Mirror sites include: USA:- ftp.cdrom.com uiarchive.cso.uiuc.edu oak.oakland.edu wuarchive.wustl.edu ftp.uoknor.edu ftp.pht.com UK:- micros.hensa.ac.uk src.doc.ic.ac.uk ftp.demon.co.uk as well as other sites in many other parts of the world. Of course, such products can often be obtained direct from the publisher's WWW or FTP sites too. There is a shareware program for Win95 called the Doctor, for which I can't at present find the co-ordinates. [GC points out that they have an area on Compuserve (GO NCSAVIRUS): GW has found an elderly copy at http://www.tucows.com/files/doc9509.zip Also, McAfee and Thunderbyte have Win95 programs. ftp://ftp.mcafee.com/pub/antivirus/ http://thunderbyte.com/ftp/thunderbyte/ ftp://ftp.thunderbyte.com/ ChekMate is described by its author as a targeted integrity checker. It's a potentially useful shareware supplement to a good virus scanner. Via anonymous ftp at: ftp.coast.net/SimTel/msdos/virus/cm200.zip ftp.demon.co.uk/pub/simtel/msdos/virus/cm200.zip ftp.demon.co.uk/antivirus/ibmpc/av-progs/cm200.zip gate.net/pub/users/ris1/cm200.zip At the World-Wide Web site: http://www.valleynet.com/~joe/avdos.html Commercial ---------- [vendors are invited to supply full contact details and indicate the range of platforms their product range covers. 
Let's not overdo the hype, though, guys.] There is a pretty comprehensive list of anti-virus developers at http://www.virusbtn.com/AVLinks/ (NB Some of the following, though not shareware, can be obtained for evaluation via anon FTP or WWW. Please note, I have not tested or even seen all the packages listed here, or all the contact data, come to that, and listing here does not imply recommendation (though I won't list anything I *know* is rubbish....). DSAVTK (Dr Solomon's Anti-Virus ToolKit) [DOS; DOS & Windows; DOS & Win95; NetWare; NT; OS/2; Unix; Mac] UK Support: support@uk.drsolomon.com US Support: support@us.drsolomon.com UK Tel: +44 (0)1296 318700 USA Tel: +1 617-273-7400 CompuServe: GO DRSOLOMON Web: http://www.drsolomon.com FTP: ftp://ftp.drsolomon.com Evaluation copy of Findvirus Dos scanner available via the Web. ************* F-Prot Pro (DOS, Windows 3.x, Win95, WinNT, NetWare) There are two flavours, though I gather that Command Software and Data Fellows are currently doing joint development. Command Software Systems Inc. 1+407-575 3200 ftp://ftp.commandcom.com Data Fellows Ltd. f-prot@DataFellows.com ftp://ftp.DataFellows.com http://www.DataFellows.com http://www.Europe.DataFellows.com UK: Portcullis (for Data Fellows) 44-181-868-0098 Command Software UK 44-171-259-5710 command@command.co.uk More details inc. in ORDER-2.DOC, supplied with the shareware version. 
************

IBM AntiVirus:
http://www.brs.ibm.com/ibmav.html
800-551-3579 (US only)
800-465-7999
fax: 800-267-5185

************

McAfee Associates
2710 Walsh Ave
Santa Clara, CA 95051 95054-3107
USA
Voice (408) 988-3832
FAX (408) 970-9727
BBS (408) 988-4004
CompuServe ID: 76702,1714 or GO MCAFEE
mcafee@netcom.com
ftp://ftp.mcafee.com/pub/antivirus/
http://www.mcafee.com/
[DOS, Windows, Win95, NetWare]

************

NAV (Norton AntiVirus) [DOS, Windows, Win95, Mac]
http://www.symantec.com/
ftp://ftp.symantec.com
US Support: 541-465-8420
AOL: SYMANTEC
European Support: 31-71-353-111
Australian Support: 61-2-879-6577

************

AVP LITE
ftp: ftp.command-hq.com
sub-directory: pub/command/avp
file: avplite.zip

************

Sweep
http://www.sophos.com/
ftp://ftp.sophos.com

************

Thunderbyte
http://thunderbyte.com/ftp/thunderbyte/software/
ftp://ftp.thunderbyte.com (?)

************

Invircible
ftp://ftp.invircible.com
ftp://ftp.datasrv.co.il/pub/usr/netz/
http://invircible.com/

************

Reflex Magnetics Ltd
31-33 Priory Park Road
London NW6 7UP
United Kingdom
Tel +44 (0)171 372 6666
Fax +44 (0)171 372 2507
BBS +44 (0)171 372 2584
Email sales@reflex-magnetics.co.uk
http://www.reflex-magnetics.co.uk/

************

Reflex Magnetics Ireland
Unit 24 Johnstown Industrial Centre,
Waterford, Ireland.
tel: +353-(0)51-841051
fax: +353-(0)51-841052
http://www.iol.ie/~ralf/

************

NH&A
577 Isham St. # 2-B
New York, NY 10034
Phone: 212-304-9660
Fax: 212-304-9759
CompuServe: 72115,661
Internet: nhirsch@nha.com
URL: http://www.nha.com
BBS: 212-304-9759,,,,,,,3

************

Microsoft (Macro Virus fixes) - http://www.microsoft.com

For updates to MSAV, contact Symantec (but better to get a more up-to-date package). CPAV updates from the same source. There is a paper by Yisrael Radai which documents many of the problems with MSAV.
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/msaveval.zip ************ ViruSafe, ViruSafe-95 I believe a version of this program was at one time marketed by Xtree. They also maintain a Virus Hot Line via their WWW site or E-mail (virus@eliashim.co.il). ------------------------------------------------------------- EliaShim, LTD. Computer Security Specialists 5 Haganim st. Haifa 35022 Tel: +972-4-8516111 ISRAEL Fax: +972-4-8528613 Email: shimon@eliashim.co.il BBS: +972-4-8516113 URL: http://www.eliashim.com ------------------------------------------------------------- ---------------------------------------------------------------------------- VirusNet PC (DOS, Win3.x, Win95) - (File: VNPC.EXE) VirusNet LAN (DOS, Win3.x, Win95, All Networks) - (File: VNLAN.EXE) StopLight PC (DOS, Win3.x) - (File: SLELS.EXE) StopLight for Win95 (Win95, Win3.x, DOS) - (File: Check Site) StopLight for OS/2 (OS/2, Dual Boot to DOS and Win3.x) - (File: sltmos2.exe) Safetynet, Inc. 140 Mountain Ave. Springfield, NJ 07081 201-467-1024 (Sales and Support) 800-OS2-SAFE (Sales and Support in US and Canada) 201-467-1611 (Fax) 201-467-1581 (BBS 28800,n,8,1) Web: http://www.safe.net/safety/ FTP: ftp.safe.net /pub/safetynet/ EMail: support@safe.net CompuServe: GO CIS:SAFE AntiVirus and security software evals and product updates are available from the Safetynet Web, FTP, BBS and CompuServe sites. ***************** MIMESweeper (Mail scanning 'firewall') Integralis Ltd. 10 Brewery Court Theale Berkshire RG7 5AH +44(0) 1734 306060 Fax +44(0) 1734 302143 info@integralis.co.uk ----------------------------------------------------------------------------- There is a comprehensive set of product reviews at: http://www.first.org/virus/virrevws/ and a number of reputable vendors include comparative reviews, papers on testing etc. on their WWW/FTP servers. 
Virus Bulletin comparative reviews are available from
http://www.virusbtn.com/Comparatives/
and information is also available on their testing protocols.

There are links to just about every anti-virus site you ever heard of at
http://www.innet.net/~ewillems/

In the event of a *real* tragedy, there are a number of firms which specialize in data recovery. In the UK, there are S&S International (see above) and Ontrack Data Recovery Europe (0800-243996). In the US, there's Ontrack Computer Systems (parent company of Ontrack ...Europe). I believe Maxtor also offer a service of this sort, but I have no details at present.

Ontrack Data Recovery, Inc.
6321 Bury Drive, Suites 13-21
Eden Prairie, MN 55346
Phone: 612-937-5161
FAX: 612-937-5750
BBS: 612-937-0860
Toll free:
  Minnesota office: 1-800-872-2599
  California office: 1-800-752-7557
  Washington, DC: 1-800-650-2410
  Japan: 0120-413-374 (Japan only)
  International: (0429)32-6365
  UK office: 0800 24 39 96 (UK only)
  From Germany: 0130 815 198
  From France: 05 90 72 42
  International: +44(0)181 974 5522
Compuserve: GO DATARECOVERY
W3: http://www.ontrack.com
Email: sales@ontrack.com

(9) Where can I get further information?
========================================

[I haven't checked all these: please mail me if you find any errors]

ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/catalog/
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/carobase/
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/
ftp://ftp.uu.net/pub/security/virus/

http://all.net:8000/cgi-bin/all-search-2
Virus Text Search: search engine to check out documents in the following archives: VIRUS-L Forum, 40Hex Archives, Risks Forum, Privacy Forum, CERT Advisories, Internet RFCs, State Computer Crime Laws, The Telecom Privacy Digest, CIAC Advisories, Firewalls Digest.
http://www-iwi.unisg.ch/~sambucci/icaro/texts http://lipsmac.acs.unt.edu/Virus/virinfo.html http://www.valleynet.com/~joe/avinfo.html http://www.primenet.com/~mwest/av.htm http://csrc.ncsl.nist.gov/virus http://www.jumbo.com/home/dos/virus http://www.valleynet.com/~joe/top10.html ftp://ftp.uu.net/pub/virus/progs/virlab15.zip http://www.infi.net/~wtnewton/vinfo/master.html Virus-List Archive (you can also pick up the mk. II FAQ from here): ftp://corsa.ucr.edu/pub/virus-l/ Virus Bulletin Home Page - vendor contact info, comparative reviews, review protocol info etc. http://www.virusbtn.com S&S International: evaluation copy of FindVirus, product info, virus encyclopaedia on-line, papers, links to other sites etc. http://www.drsolomon.com/ ftp://ftp.drsolomon.com/ ftp://ftp.sophos.com/ http://www.sophos.com/ Dr.Solomon's History of PC Viruses: http://dbweb.agora.stm.it/webforum/virus/solomhis.htm Robert Slade's Virus History: http://dbweb.agora.stm.it/webforum/virus/sladehis.htm http://www.innet.net/~ewillems/ http://www.thenet.ch/metro/ Nic Ferri has an expansive home page w. many useful links http://www.agora.stm.it/htbin/wwx?fi^N.Ferri (if that fails, I've had better luck with the one below) http://www.agora.stm.it/N.Ferri/antivir.htm Henri Delger's home page has useful info and links http://pages.prodigy.com/X/W/A/XWWC29A http://www.DataFellows.com/ http://www.Europe.DataFellows.com/ VSUM (not highly-rated for its accuracy) (Try SimTel mirrors, McAfee sites) Tom Simondi has written a freeware virus tutorial (VTUTOR10.ZIP). Unfortunately, I haven't been able to download it so far. 
http://ourworld.compuserve.com/homepages/ck

The WildList (list of viruses currently 'in the wild', maintained by Joe Wells - doesn't include much description):
ftp://ftp.ncsa.com/pub/virus/wildlist
http://www.drsolomon.com/
http://www.symantec.com/virus/wl.html
http://www.innet.net/~ewillems/vwild.htm

AV Software Update Auto-Notification:
http://www.primenet.com/~Emwest/up-form.htm

Most anti-virus packages include some information on common viruses, too.

Virus Descriptions
------------------

Dr Solomon's Virus Encyclopedia:
http://www.drsolomon.com/virus/enc/enc.htm

Free-form searches from the Data Fellows F-Prot virus description database:
http://www.datafellows.fi/virsearc/query.htm

Virus demonstrations
--------------------

ftp://ftp.uu.net/pub/virus/progs/virsim1.zip
(I haven't checked this one out yet).

AVP also includes some virus demonstrations, and I know that other publishers have demos available. There are also virus simulators, which are not quite the same thing. These are sometimes advocated as a means of testing antivirus packages, but there are dangers to this approach: a simulator is not the virus it imitates, so a package which reports it as that virus is, technically, false-alarming, and a package which correctly ignores it has not thereby been shown to miss the real thing. See section F6 of the Mark 2 Virus-L FAQ, which is rather good on types and uses of virus simulation.

Books which may be of use:

Robert Slade's Guide to Computer Viruses - Springer-Verlag
Pretty good introduction & general resource.

Computers Under Attack (ed. Denning) - Addison-Wesley
Aging, but some classic texts.

Survivors' Guide to Computer Viruses (ed. Lammer) - Virus Bulletin
Uneven, but includes useful stuff from Virus Bulletin.

Dr. Solomon's Virus Encyclopaedia
You may from time to time find copies of an older edition of this in bookshops, though it's better known as part of Dr. Solomon's AntiVirus ToolKit. It's a pretty good guide to some of the older viruses.

A Short Course on Computer Viruses (F.
Cohen) - Wiley By the man who 'invented' the concept of computer viruses. Some aspects are controversial, but a good introduction to his work. The comp.virus FAQ includes pointers to some books. Useful (but expensive) periodicals: Virus Bulletin Virus Bulletin Ltd 21 The Quadrant Abingdon Oxfordshire OX14 3YS 44 (0) 1234 555139 Compuserve 100070,1340 Computers and Security Elsevier Advanced Technology PO Box 150 Kidlington Oxford OX5 1AS 44 (0) 1865-843666 a.verhoeven@elsevier.co.uk Rather cheaper (though still expensive for the non-corporate non-specialist in security) is the magazine Secure Computing. West Coast are launching a corporate licence scheme which may be of interest to corporate users Secure Computing West Coast Publishing Ltd. William Knox House Britannic Way Llandarcy Swansea SA10 6EL UK 44 (0) 1792 324000 Compuserve 70007,5406 Doubts have been expressed concerning the impartiality or otherwise of Virus Bulletin, which is a sister company to Sophos, who market Sweep and other antivirus/security products. VB uses an advisory board of anti-virus experts from a wide variety of vendors and other organisations, and its virus statistics are collated monthly from a variety of sources, not only from Sophos. Secure Computing, though formerly associated with S&S International, who market Dr.Solomon's AntiVirus ToolKit and other security products, is now an independent organization. SC also has input from experts associated with various vendors and other organisations. *************************************************************************** * As a regular and reasonably knowledgeable reader of both publications, * * I'm personally satisfied that neither displays editorial bias, nor do * * I believe that either publication intentionally weights its methodology * * to the unfair advantage of an affiliated product [DH] * *************************************************************************** (10) Does anyone know about... 
============================== ...Mac viruses? --------------- The best single source of information on Mac viruses is the online help included in the freeware package Disinfectant, which can be obtained from ftp://ftp.acns.nwu.edu/pub/disinfectant CompuServe GEnie America Online Calvacom Delphi BIX sumex-aim.stanford.edu rascal.ics.utexas.edu comp.binaries.mac Information on Mac viruses is also available from the AntiVirus Catalog/ CARObase (see above). I've also noticed some Mac info at Symantec's web site (www.symantec.com). Disinfectant is an excellent anti-virus package: however, it doesn't catch much in the way of hypercard infectors or trojans, nor does it detect Word 6 macro viruses. For other mac packages, try Info-Mac mirrors like: ftp://ftp.ucs.ubc.ca/pub/mac/info-mac/vir/ The University of Texas holds the latest versions of Disinfectant and Gatekeeper, and some documentation on Mac viruses. http://wwwhost.ots.utexas.edu/mac/pub-mac-virus.html Commercial packages include SAM (Symantec) and Virex. Dr. Solomon's AntiVirus ToolKit for Macintosh is about to be released. ...UNIX viruses? ---------------- In general, there are virtually no non-experimental UNIX viruses. There have been a few Worm incidents, most notably the Morris Worm (a.k.a. the Internet Worm) of 1988. There are products which scan some Unix systems for PC viruses, though any machine used as a file server (Novell, Unix etc.) can be scanned for PC viruses by a DOS scanner if it can be mounted as a logical drive on a PC running appropriate network client software such as PC-NFS. Intel-based PCs running Unix (e.g. Linux, 386BSD, SCO Unix etc.) can also be infected by a DOS boot-sector virus if booted from an infected disk. The same goes for other PC-hosted operating systems such as NetWare. While viruses are not a major risk on Unix platforms, integrity checkers and audit packages are frequently used by system administrators to detect file changes made by other kinds of attack. 
However, Unix security is outside the scope of this FAQ (see comp.security.unix). [See also the comp.virus FAQ]

A possibly useful book:
Practical Unix Security (Garfinkel, Spafford) - O'Reilly

...macro viruses?
-----------------

Macro viruses live in the macros that some applications store inside their documents, and spread when such a document is opened; each is limited to the application (and macro language) for which it was written. The macro viruses which are receiving attention currently are specific to Word 6/WordBasic and Excel: however, many applications, not all of them Windows applications, have potentially damaging and/or infective macro capabilities too.

One, now widespread, infects macros attached to Word 6.0 for Windows, Word 6.0.1 for Macintosh, Word 6.0 for Windows NT, and Word for Windows 95 documents. What makes such a virus possible is that the macros are written in WordBasic, a programming language which gives macros access to Word's own features and even allows DOS commands to be run. This virus, named "Concept," has no destructive payload; it merely spreads: after a document containing the virus is opened, it copies itself to other documents as they are saved, without affecting the contents of those documents. However, other macro viruses have been discovered, and some of them contain destructive routines.

Microsoft suggests opening files with their macros disabled, to prevent macro viruses from spreading, unless the user can verify that the macros contained in the document will not cause damage. (This does NOT work for all macro viruses.)

For further info on macro viruses, you might like to try
http://www.drsolomon.com/
http://www.datafellows.com/macrovir.htm

Richard Martin is working on an FAQ on this subject.
ftp.gate.net/pub/users/ris1/word.faq
or mail to Bd326@TorFree.Net
Subject: PLEASE SEND FAQ

...The AOLgold virus
--------------------

This is actually a trojan. The following is extracted from the CIAC bulletin (Number G-03).
Apparently, an e-mail message is being circulated that contains an attached archive file named AOLGOLD.ZIP. A README file that is in the archive describes it as a new and improved interface for the AOL online service. Note that there is no such program as AOLGOLD. Also, simply reading an e-mail message or even downloading an included file will not do damage to your machine. You must execute (or run) the downloaded file to release the Trojan and have it cause damage.

If you unzip the archive, you get two files: INSTALL.EXE and README.TXT. The README.TXT file again describes AOLGOLD as a new and improved interface to the AOL online service. The INSTALL.EXE program is a self-extracting ZIP archive. When you run the install program, it extracts 18 files onto your hard drive. The Trojan program is started by running the INSTALL.BAT file. The INSTALL.BAT file is a simple batch file that renames the VIDEO.DRV file to VIRUS.BAT and then runs it. VIDEO.DRV is an amateurish DOS batch file that starts deleting the contents of several critical directories on your C: drive. When the batch file completes, it prints a crude message on the screen and attempts to run a program named DoomDay.EXE. Bugs in the batch file prevent the DOOMDAY.EXE program from running. Other bugs in the file cause it to delete itself if it is run from any drive but the C: drive. The programming style and bugs in the batch file indicate that the Trojan writer appears to have little programming experience.

You can get this and other CIAC notices from the CIAC Computer Security Archive.
World Wide Web: http://ciac.llnl.gov/
Anonymous FTP: ciac.llnl.gov (128.115.19.53)

...the PKZip Trojan?
--------------------

There have been at least two attempts to pass off Trojans as an upgrade to PKZip, the widely used file compression utility. A recent example was of the files PKZ300.EXE and PKZ300B.ZIP made available for downloading from various sources. An earlier Trojan passed itself off as version 2.0.
For this reason, PKWare have never released a version 2.0 of PKZip: presumably, if they ever do release another DOS version (unlikely, at this date, in my opinion), it will not be numbered version 3.0(0). To the best of my knowledge, the latest version of PKZip is 2.04g. ...xyz PC virus? ---------------- There are several thousand known PC viruses, and the number 'in the wild' is in the hundreds. It is not practical to include information about all of these in this FAQ. However, information about some or most of those which regularly get asked about may shortly (Real Soon Now) be available in a separate document. Meanwhile, sources of information on specific viruses are included in the preceding sections. There are rarely enquiries about viruses on other computing platforms raised in alt.comp.virus, but there is some information concerning viruses on most platforms available at the Virus Test Center in Hamburg. ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/catalog/ ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/carobase/ The following sites also have virus descriptions listed alphabetically: http://www.DataFellows.com/ http://www.drsolomon.com (11) Is it true that....? ========================= (*or* some favourite hoaxes...) (1) There is *no* Good Times virus that trashes your hard disk and launches your CPU into an nth-complexity binary loop when you read mail with "Good Times" in the Subject: field. 
You can get a copy of Les Jones' FAQ on the Good Times Hoax from:

Via FTP:
ftp://usit.net/pub/lesjones/good-times-virus-hoax-faq.txt
ftp://members.aol.com/macfaq/good-times-virus-hoax-faq.txt

On the World Wide Web:
http://www.tcp.co.uk/tcp/good-times/index.html
http://www.singnet.com.sg/staff/lorna/Virus
http://www.nsm.smcm.edu/News/GTHoax.html

There's a Mini-FAQ available as:
ftp://usit.net/pub/lesjones/Good-Times-Virus-Hoax-Mini-FAQ.txt

There *is* at least one file virus christened Good Times by the individual who posted it in an attempt to cause confusion. It is more commonly referred to as GT-spoof.

(2) There is no modem virus that spreads via an undocumented subcarrier - whatever that means....

(3) Any file virus can be transmitted as an E-mail attachment. However, the virus code has to be executed before it actually infects. Sensibly configured mailers don't launch attachments by default and without prompting, but some mailers can be set up to do so: cc:Mail, for instance, can, it seems, launch attachments straight into AmiPro. [further information on this or other potentially dangerous associations would be gratefully received]

There's room for a lot of discussion here. The jury is still out on web browsers: Netscape can certainly be set up to do things I don't approve of, such as opening a Word document in Word without asking. Microsoft have made available a Word viewer which reads Word files but doesn't run attached macros. If possible, use this instead.

The term 'ANSI bomb' usually refers to a mail message or other text file that takes advantage of an 'enhancement' to the MS-DOS ANSI.SYS driver which allows keys to be redefined with an escape sequence, in this case so that pressing an ordinary key echoes some potentially destructive command to the console (usually with a carriage return appended, so the command runs as soon as the key is pressed). In fact, few programs nowadays need ANSI terminal emulation to run, and there's no guarantee that the program reading the file would pass such an escape sequence unfiltered to the console anyway.
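The key-redefinition sequence described above is easy to spot and strip before text reaches the console. The following is an added example written for this FAQ, not code from the FAQ or from any product: it scans text for ANSI.SYS key reassignments (ESC [ key ; replacement ; ... p, where key is an ASCII code or 0;scancode for keys such as F1, and each replacement is a code or a quoted string), reports what each one would make a key type, and removes them while keeping harmless colour and cursor sequences. The sample text is constructed for the example.

```python
"""Detecting and stripping ANSI.SYS keyboard-redefinition sequences.

Added example for the 'ANSI bomb' discussion in this FAQ; not code from the
FAQ.  ANSI.SYS redefines a key with   ESC [ key ; replacement ; ... p   where
key is an ASCII code (or 0;scancode for keys such as F1) and each replacement
is a code or a quoted string.  Other CSI sequences (colours, cursor movement)
end in a different final byte and must be kept.  The sample text is constructed.
"""

ESC = "\x1b"

def find_csi(text):
    """Yield (start, end, params, final) for each CSI sequence in text.
    Quoted strings inside the parameters are skipped as opaque: a naive
    'first letter ends the sequence' scan would stop inside "del *.*"."""
    i = 0
    while True:
        i = text.find(ESC + "[", i)
        if i < 0:
            return
        j, quote = i + 2, None
        while j < len(text):
            c = text[j]
            if quote:
                if c == quote:
                    quote = None
            elif c in "\"'":
                quote = c
            elif c not in "0123456789;":
                break
            j += 1
        if j < len(text) and "@" <= text[j] <= "~":     # valid CSI final byte
            yield i, j + 1, text[i + 2:j], text[j]
            i = j + 1
        else:
            i = j                                         # malformed; keep scanning

def parse_params(params):
    """Split ';'-separated parameters into ("code", int) or ("str", text) items."""
    items, cur, quote, quoted = [], "", None, False
    for c in params + ";":
        if quote:
            if c == quote:
                quote = None
            else:
                cur += c
        elif c in "\"'":
            quote, quoted = c, True
        elif c == ";":
            items.append(("str", cur) if quoted else ("code", int(cur or "0")))
            cur, quoted = "", False
        else:
            cur += c
    return items

def decode_reassignment(params):
    """Return (key, replacement text) for the parameters of an ESC[...p sequence."""
    items = parse_params(params)
    if not items:
        return "", ""
    if items[0] == ("code", 0) and len(items) > 1:      # extended key: 0;scancode
        key, rest = "scan %s" % items[1][1], items[2:]
    else:
        key, rest = (chr(items[0][1]) if items[0][0] == "code" else items[0][1]), items[1:]
    return key, "".join(v if k == "str" else chr(v) for k, v in rest)

def scan(text):
    """List every key reassignment in text as (key, replacement text)."""
    return [decode_reassignment(p) for _, _, p, final in find_csi(text) if final == "p"]

def sanitise(text):
    """Return text with key-reassignment sequences removed and everything else intact."""
    out, pos = [], 0
    for start, end, _, final in find_csi(text):
        if final == "p":
            out.append(text[pos:start])
            pos = end
    out.append(text[pos:])
    return "".join(out)

# Constructed sample: a coloured greeting, a harmless F1 -> "dir" reassignment,
# and the 'A' key reassigned to a destructive command followed by Enter (13).
SAMPLE = (ESC + "[31mHi there!" + ESC + "[0m\r\n"
          + ESC + '[0;59;"dir";13p'
          + ESC + '[65;"del *.*";13p'
          + "Nothing to see here.\r\n")

if __name__ == "__main__":
    for key, repl in scan(SAMPLE):
        print("key %r -> %r" % (key, repl))
    print(repr(sanitise(SAMPLE)))
```

Any reassignment at all is reported rather than only "dangerous" ones, since a redefined key is the thing a text file has no business doing; deciding which commands are destructive is left to the person reading the report.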
There are plenty of PD or shareware alternatives to ANSI.SYS that don't support keyboard redefinition, or allow it to be turned off. See SimTel/keyboard on sites carrying a SimTel mirror. The term 'mail bomb', by the way, is usually applied to the intentional bombardment of an e-mail address with multiple copies of a (frequently abusive) message, rather than to the above.

(4) There is no known way in which a virus could sensibly be spread by a graphics file such as a JPEG or .GIF file, which does not contain executable code. Macro viruses work because the files to which they are attached are not 'pure' data files.

(5) In general, software cannot physically damage hardware - this includes viruses. There is a possibility that specific hardware may be damaged by specific code: however, a virus which drops a particular payload on the offchance that it's running on a system with a particular type of obsolete video card seems more than usually futile.

(12) Favourite myths
====================

* DOS file attributes protect executable files from infection

File attributes are set by software, and can therefore be changed by software, including viruses. Many viruses reset a ReadOnly/System/Hidden file to Read/Write, infect it, and often restore the original attributes afterwards. The same applies to other purely software mechanisms, such as utilities which simulate hardware write-protection on a hard disk.

However, file protection rights in NetWare *can* help to contain virus infections, if set up properly, as can trustee rights. [Trustee assignments govern whether an individual user has right of access to a subdirectory: the Inherited Rights Mask governs the protection rights of individual files and (sub)directories.] Basically, a file virus has the same rights of access as the user who happens to inadvertently activate it.
Setting up these levels of security is really a function of the network Administrator, but you might like to check (politely) that yours is not only reassuringly paranoid but also knowledgeable about viruses as well as networks, since a LAN which is not, in this respect, securely configured can result in very rapid infection and reinfection of files across the whole LAN. In particular, accounts with supervisor equivalence can, potentially, be the unwitting cause of very rapid dissemination of viruses: a file virus run from such an account can write to every file the supervisor can. [See also the comp.virus FAQ (version 2) section D]

* I'm safe from viruses because I don't use bulletin boards/shareware/Public Domain software.

Many of the most widely-spread viruses are Boot Sector Infectors, which can't normally infect over a serial or network connection. Writers of shareware, freeware etc. are no more prone to accidental infection than commercial publishers, and possibly less. The only 'safe' PC is still in its original wrapping (which doesn't mean it isn't already infected...). And don't forget that shrinkwrapped software may have been rewrapped.

* FDISK /MBR fixes boot sector viruses.

The mark II comp.virus FAQ is worth reading on this (see Part 1 of this FAQ). In brief, don't use FDISK /MBR *unless* you're *very* sure of what you're doing, as you may lose data. Note also that if you set up the drive with a disk manager such as EZDrive, you won't be able to access the drive until and unless you can reinstall it.

******************************************************************

(i) What does FDISK /MBR do?
----------------------------

It writes "clean" partition-sector code (the program in the first 446 bytes of the Master Boot Record) onto the partition sector of your hard disk. It does *not* normally change the partition table. The /MBR command-line switch is not officially documented and was introduced in DOS 5.0.

[It does sometimes change the partition table, and when it does the result is usually fatal (for the common user, anyway): FDISK /MBR will wipe the partition table data if the last two bytes of the MBR are not 55 AA, since it then treats the sector as uninitialised and writes a whole new one.]
(ii) What is the partition?
---------------------------

The partition sector is the first sector on a hard disk. It contains
information about the disk such as the number of sectors in each
partition, where the DOS partition starts, plus a small program. The
partition sector is also called the "Master Boot Record" (MBR). When a
PC starts up it reads the partition sector and executes the code it
finds there. Viruses that use the partition sector modify this code.

Since the partition sector is not part of the normal data storage area
of a disk, utilities such as DEBUG will not allow access to it. [Unless
one assembles into memory] Floppy disks do not have a partition sector.

FDISK /MBR will change the code in a hard disk partition sector.

(iii) What is a boot sector?
----------------------------

The boot sector is the first sector on a floppy disk. On a hard disk it
is the first sector of a partition. It contains information about the
disk or partition, such as the number of sectors, plus a small program.
When the PC starts up it attempts to read the boot sector of a disk in
drive A:. If this fails because there is no disk it reads the boot
sector of drive C:. A boot sector virus replaces this sector with its
own code and usually moves the original elsewhere on the disk.

Even a non-bootable floppy disk has executable code in its boot sector.
This displays the "not bootable" message when the computer attempts to
boot from the disk. Therefore, non-bootable floppies can still contain a
virus and infect a PC if one is inserted in drive A: when the PC starts
up.

FDISK /MBR will not change the code in a hard disk boot sector. Most
boot sector viruses infect the partition sector of hard disks and floppy
disk boot sectors: most do not infect the boot sector of a hard disk -
Form virus is an exception.

(iv) How can I remove a virus from my hard disk's partition sector?
-------------------------------------------------------------------

There are two main alternatives: run an anti-virus product, or use FDISK
/MBR. Most effective anti-virus products will be able to remove a virus
from a partition sector, but some have difficulties under certain
circumstances. In these cases the user may decide to use FDISK /MBR.
Unless you know precisely what you are doing this is unwise. You may
lose access to the data on your hard disk if the infection was done by a
virus such as Monkey or OneHalf.

(v) Won't formatting the hard disk help?
----------------------------------------

No. Formatting the hard disk can result in everything being wiped from
the drive *apart* from the virus. Format leaves the partition sector
untouched. There is always a better way of removing a virus infection
than formatting the hard disk.

[Clarification: FORMAT alters the DOS partition, but leaves the
*partition sector*, aka MBR, alone.]

******************************************************************

* Write-protecting suspect floppies stops infection.

This sounds so silly I hesitate to include it. I've never seen it said
on a.c.v., but I've heard it so often in other contexts, I've included
it anyway. Write-protecting a suspect floppy will only protect that
diskette from *re-infection*, if it's already infected. It won't stop an
infected floppy from infecting other (write-enabled) drives. If you boot
with a disk in drive A: which is infected with a boot-sector virus, the
fact that the diskette is write-protected will make no difference at
all. Write-protecting a *clean* floppy will indeed prevent it from being
infected (but see below!).

* The write-protect tab always stops a disk write

Briefly, write protection is built into the hardware on the Mac and on
the PC (and most other systems, of course, but we can't cover
everything), and can't be circumvented in software. However, it is
possible for the hardware to fail: it's not common, but it happens.
Thus when I do a cleanup, I try to create a file on a sacrificial floppy
before risking my R/O boot disk. Sometimes, I even remember....

Other caveats: a disk which you receive write-protected could have been
de-protected, infected, and re-protected. Even a 3.5" disk with the
write-enable tab removed can be written to by covering the hole with
(e.g.) masking tape. And, of course, shrink-wrapped software could have
been infected before the duplication process.

* I can infect my system by running DIR on an infected disk

If you have a clean PC system, you can't contract a boot sector virus
*or* a file virus just by listing the files on an infected floppy. Of
course, if your PC is infected, you may well infect a *clean* floppy by
using DIR A:

It *is* possible to have a scanner report a virus in memory after a DIR
of a floppy with an infected boot sector. The distinction here is that
the virus is *not* actually loaded into memory, so the PC has *not* been
infected.

-----------------------------------------------------------------------

End of a.c.v. FAQ part 2