Path: senator-bedfellow.mit.edu!dreaderd!not-for-mail
Message-ID:
Supersedes:
Expires: 21 Apr 2000 20:07:22 GMT
X-Last-Updated: 2000/02/29
Organization: none
From: George Wenzel
Newsgroups: alt.comp.virus,comp.virus,alt.answers,comp.answers,news.answers
Followup-To: alt.comp.virus
Subject: [alt.comp.virus] FAQ Part 1/4
Approved: news-answers-request@MIT.EDU
X-no-archive: yes
Originator: faqserv@penguin-lust.MIT.EDU
Date: 23 Mar 2000 20:09:03 GMT
Lines: 702
NNTP-Posting-Host: penguin-lust.mit.edu
X-Trace: dreaderd 953842143 2960 18.181.0.29
Xref: senator-bedfellow.mit.edu alt.comp.virus:101518 comp.virus:30976 alt.answers:47996 comp.answers:40195 news.answers:180074
Archive-name: computer-virus/alt-faq/part1
Posting-Frequency: Fortnightly
URL: http://www.sherpasoft.org.uk/acvFAQ/
Maintainer: Co-maintained by David Harley, Bruce Burrell, and George Wenzel

-----BEGIN PGP SIGNED MESSAGE-----

alt.comp.virus (Frequently Asked Questions)
*******************************************

Version 1.1 : Part 1 of 4
Last modified 19th August 1999

("`-''-/").___..--''"`-._ `6_ 6 ) `-. ( ).`-.__.`) (_Y_.)' ._ ) `._ `. ``-..-' _..`--'_..-_/ /--'_.' ,' (il),-'' (li),' ((!.-'

ADMINISTRIVIA
=============

New or modified entries are flagged with two plus symbols at the beginning of the line or paragraph.

Maintenance of this FAQ is now shared between the following:
David Harley
George Wenzel
Bruce Burrell

Suggestions, corrections, new material etc. may be sent to any of us, but will normally require the approval of all co-maintainers. Material which can be used with a minimum of editing is particularly welcome. Sometimes we are told that something should be in here which already is. Please check carefully. Suggestions for material which -isn't- already in are welcome, but there's no guarantee as to if and when we'll write new material. If you give us a draft, it makes things much easier (and obviously you'll be credited).
The FAQ is now co-maintained by David Harley and Susan Lesch, and the authoritative version is the one at http://www.macvirus.com/. Disclaimer - - ---------- This document is primarily concerned with defending the integrity of computing systems and preventing damage caused by viruses or other malicious and/or other unauthorized software. It attempts to address many of the issues which are frequently discussed on alt.comp.virus, but does not claim to represent all shades of opinion among the users of a.c.v. - in particular, it does not include information which, in our estimation, is likely to be of more help to those interested in the spreading of unauthorized and/or malicious software than to those who wish to be protected from it. Nor is it claimed to be up-to-date in all respects. This document is an honest attempt to help individuals with computer virus-related problems and queries. It can *not* be regarded as being in any sense authoritative, and has no legal standing. The authors accept no responsibility for errors or omissions, or for any ill effects resulting from the use of any information contained in this document. Not all the views expressed in this document are those of the maintainers, and those views which *are* those of the maintainers are not necessarily shared by their respective employers. Copyright Notice - - ---------------- Copyright on all contributions to this FAQ remains with the authors and all rights are reserved. It may, however, be freely distributed and quoted - accurately, and with due credit. It may not be reproduced for profit or distributed in part or as a whole with any product or service for which a charge is made, except with the prior permission of the copyright holders. To obtain such permission, please contact one of the co-maintainers of the FAQ. 
Such permission will normally be forthcoming as long as (1) reproduced text is quoted accurately (2) it is made clear that such text is derived from the FAQ (3) it is made clear that the latest version of the FAQ is available from the newsgroup and from the official home of the FAQ on the world-wide web, which is currently (4) the e-mail addresses of all co-maintainers of the FAQ are included as a contact point.

The FAQ is also available at:
http://www.faqs.org/faqs/computer-virus/alt-faq/

----------------------------------------------------------------------

PREFACE
=======

(i) What is the FAQ, and whom is it for?
-----------------------------------

This FAQ is intended to make available answers to questions which are repeatedly asked on alt.comp.virus, and tries to gather the most useful information regarding this group and the issues discussed here into a relatively short document. The intention is to provide an easily-digested document for newcomers, as a means of saving those who regularly reply to posted questions having to re-invent the wheel each time.

We recommend that you read this FAQ in conjunction with the comp.virus (VIRUS-L) FAQ, which gives more detailed information regarding some issues which are, inevitably, covered in both FAQs. The VIRUS-L/comp.virus FAQ is regularly posted to the comp.virus newsgroup. The latest version should be available at:
http://www.faqs.org/faqs/computer-virus/faq/index.html
ftp://ftp.datafellows.com/pub/misc/anti-vir/vlfaq200.zip

A very terse mini-FAQ maintained by George Wenzel is posted weekly to alt.comp.virus and is also available at:
http://www.faqs.org/faqs/computer-virus/mini-faq/

(ii) Credits/Acknowledgements
------------------------

The following have contributed text and/or ideas and/or proofreading/corrections and/or URLs to the a.c.v. FAQ. Vesselin Bontchev, Dennis Boon, Bruce Burrell, Graham Cluley, Henri Delger, Edward Fenton, Nicola Ferri, Sarah Gordon, David Harley, R.
Wallace Hale, Norman Hirsch, Matthew Holtz, Jan Hruska, Mikko H. Hypponen, Douglas A. Kaufman, Tom Kelchner, Paul Kerrigan, Chengi (Jimmy) Kuo, Susan Lesch, Gerard Mannig, Martin Overton, Mike Ramey, Perry Rovers, Tom Simondi, Megan Skinner, Fridrik Skulason, Robert Slade, Alan Solomon, Ken Stieers, Hector Ugalde, George Wenzel, Caroline Wilson, and Tarkan Yetiser. [Apologies to anyone who's fallen off the list.]

Acknowledgement is also due to the work of Ken Van Wyk, former moderator of VIRUS-L/comp.virus, and the contributors to the comp.virus FAQ. Thanks also to ked@intac.com (aka Phreex), who mailed me a copy of the FAQ he posted to a.c.v. some months before this one was begun, David J. Loundy for assistance regarding legal issues, and to Nick FitzGerald, the moderator of comp.virus and maintainer of the comp.virus FAQ.

(iii) Guide to posting etiquette
--------------------------

Messages asking for help posted to alt.comp.virus are more likely to receive a useful response if they conform to accepted standards of civility. The newsgroup news.announce.newusers includes information on good newsgroup etiquette, or try
ftp://rtfm.mit.edu/pub/usenet/news.announce.newusers/
http://www.fau.edu/rinaldi/netiquette.html

However, adhering to the following guidelines would be particularly helpful:

* Keep your lines short (say 72 characters per line), so that anyone who follows up doesn't have to reformat quoted text to keep it readable.
* Don't quote all or most of a message you're following up unless it's either very short, or necessary in order to address each point made. In the latter case, please put the point you're answering close to your answer and try to format it so that it's readable. Remember that some people have to pay for connection/download time.
* On the other hand, a message which says something like 'I totally agree' without including enough of the original for us to tell what you're agreeing with is a waste of bandwidth.
* Keep it polite.
It's unlikely that anyone who replies to your posting is being paid to do so, and it wouldn't excuse bad manners if they were. Of course, the cut and thrust of debate may be a different matter altogether....
* Asking for a reply by direct e-mail may be reasonable if you need an urgent solution or are using a borrowed account. It isn't reasonable if you simply can't be bothered to check newsgroups. At least try to think up a good excuse, and be prepared to offer a summary to the group.
* Check that there isn't already a thread on the subject you're asking about before posting yet another 'Has anyone heard of the GOOD TIMES virus?' message. If there is, check it first: the answer to your question may already be there (if it isn't in this document!). Please remember that many people have to pay for connect time, and don't appreciate duplicate postings or uuencoded binaries.
* If you want to follow up a message which doesn't seem particularly relevant to alt.comp.virus, check the 'Newsgroups:' header: there have been a lot of responses to spammings recently which have increased the bandwidth used, often quite unnecessarily.
* Please don't post test messages here unless you really need to: use one of the newsgroups intended for the purpose: there is probably one local to your news server - ask your Systems Administrator, provider or local helpdesk. If you must post to the entire Internet, use misc.test - if you do, put the word IGNORE in your Subject: field, or you'll get auto-responder messages in your mail for weeks afterwards. Look through the postings in news.announce.newusers for relevant guidelines before you post.
* If you get into an exchange of E-mail, please remember that not everyone can handle all forms of E-mail attachment (uuencoded, MIME format etc.) - if it's text, *send* it as text. NB also that (uu)encoding text makes it longer as well as unreadable, so don't!
* Don't assume that everyone uses or should use HTML-savvy mailers.
There are good reasons why some people don't. * If you stick to what can be read easily on an 80 x 24 text window, -everyone- can read it. (iv) How to ask on the alt.comp.virus newsgroup for help --------------------------------------------------- The more relevant information you give us, the more we can help you. It helps to tell us the following: * What you think the problem is (you might think it's a virus, but maybe it isn't) * What the symptoms are. If you ran some software that gave you a message, tell us which package, version number, and the exact wording of the message. * Please be as accurate as possible about the order in which events happened. * If just one file is infected, give the filename. * If you're running more than one anti-virus product, please list them (including version number), and say what each one said about the possible virus. * Which version of which operating system you are running. * Any other configuration information which you think may have a bearing. Don't take action, then ask if that was the right action - if it wasn't, it's too late. Don't just ask "I've got xyz virus, can anyone help me". - - ------------------------------------------------------------------------- Table of Contents ***************** Part 1 ------ (1) I have a virus - what do I do? (2) Minimal glossary (3) What is a virus (Trojan, Worm)? (4) How do viruses work? (5) How do viruses spread? (6) How can I avoid infection? (7) How does antivirus software work? Part 2 ------ (8) What's the best anti-virus software (and where do I get it)? (9) Where can I get further information? (10) Does anyone know about * Mac viruses? * UNIX viruses? * macro viruses? * the AOLGold virus? * the PKZip300 trojan virus? * the xyz PC virus? * the Psychic Neon Buddha Jesus virus? * the blem wit virus * The Irina Virus * Ghost * General Info on Hoaxes/Erroneous Alerts (11) Is it true that...? 
(12) Favourite myths * DOS file attributes protect executable files from infection * I'm safe from viruses because I don't use bulletin boards/shareware/Public Domain software * FDISK /MBR fixes boot sector viruses * Write-protecting suspect floppies stops infection * The write-protect tab always stops a disk write * I can infect my system by running DIR on an infected disk Part 3 ------ (13) What are the legal implications of computer viruses? Part 4 ------ (14) Miscellaneous Are there anti-virus packages which check zipped/archived files? What's the genb/genp virus? Where do I get VCL and an assembler, & what's the password? Send me a virus. It said in a review...... Is it viruses, virii or what? Where is alt.comp.virus archived? What about firewalls? Viruses on CD-ROM. Removing viruses. Can't viruses sometimes be useful? Do I have a virus, and how do I know? What should be on a (clean) boot disk? How do I know I have a clean boot disk? What other tools might I need? What are rescue disks? Are there CMOS viruses? How do I know I'm FTP-ing 'good' software? What is 386SPART.PAR? Can I get a virus to test my antivirus package with? When I do DIR | MORE I see a couple of files with funny names... Reasons NOT to use FDISK /MBR Why do people write/distribute viruses? Where can I get an anti-virus policy? Are there virus damage statistics? What is ICSA approval? What language should I write a virus in? No, seriously, what language are they written in? [DRD], Doren Rosenthal, the Universe and Everything What are CARO and EICAR? - - ------------------------------------------------------------------------- (1) I have a virus problem - what do I do? ========================================== The following guidelines will, one hopes, be of assistance. However, you may get better use out of them if you read the rest of this document before acting rashly... If you think you may have a virus infection, *stay calm*. 
Once detected, a virus will rarely cause (further) damage, but a panic action might. Bear in mind that not everyone who thinks s/he has a virus actually does (and a well-documented, treatable virus might be preferable to some problems!). Reformatting your hard disk is almost certainly unnecessary and very probably won't kill the virus. If you've been told you have something exotic, consider the possibility of a false alarm and check with a different package.

If you have a good antivirus package, use it. Better still, use more than one. If there's a problem with the package, use the publisher's tech support and/or try an alternative package. If you don't have a package, get one (see section on sources below). If you're using Microsoft's package (MSAV) get something less out-of-date.

Try to get expert help *before* you do anything else. If the problem is in your office rather than at home there may be someone whose job includes responsibility for dealing with virus incidents. Follow the guidelines below as far as is practicable and applicable to your situation.

* Do not attempt to continue to work with an infected system, or let other people do so.
* Generally, it's considered preferable to switch an infected system off until a competent person can deal with it: don't allow other people to use it in the meantime. If possible, close down applications, Windows etc. properly and allow any caches/buffers to flush, rather than just hit the power switch.
* If you have the means of checking other office machines for infection, you should do so and take appropriate steps if an infection is found.
* If you are unable to check other machines, assume that all machines are infected and take all possible steps to avoid spreading infection any further.
* If there are still uninfected systems in the locality, don't use floppy disks on them [except known clean write-protected DOS boot floppies].
* Users of infected machines should not *under any circumstances* trade disks with others until their systems and disks are cleaned.
* If the infected system is connected to a Novell network, Appleshare etc., it should be logged off all remote machines unless someone knowledgeable says different. If you're not sure how to do this, contact whoever is responsible for the administration of the network. You should in any case ensure that the network administrator or other responsible and knowledgeable individual is fully aware of the situation.
* No files should be exchanged between machines by any other means until it's established that this can be done safely.
* Ensure that all people in your office and anyone else at risk are aware of the situation.
* Get *all* floppy disks together for checking and check every one. This includes write-protected floppies and program master disks. Check all backups too (on tape or file servers as well as on floppy).

(2) Minimal Glossary
====================

[There is room for improvement and expansion here. Contributions will be gratefully accepted.]

* AV - AntiVirus. Sometimes applied as a shorthand term for anti-virus researchers/programmers/publishers - may include those whose work is not AV research, but includes virus-control. (See also Vx.)
* BSI - Boot Sector Infector (= BSV - Boot Sector Virus)
* BIOS - Basic Input Output System
* CMOS - Memory used to store hardware configuration information
* DBR - DOS Boot Record
* DBS - DOS Boot Sector
* False Positive - When an antivirus program incorrectly reports a virus in memory or infecting a file or system area. Heuristic scanners & integrity checkers are, by definition, somewhat more prone to these. Also known as false alarms, though this may have a wider application.
* False Negative - Essentially, a virus undetected by an antivirus program.
* In-the-wild - describes viruses known to be spreading uncontrolled to real-life systems, as opposed to those which exist only in controlled situations such as anti-virus research labs. Virus code which has been published but not actually found spreading out of control is not usually regarded as being in-the-wild.
* MBR - Master Boot Record (Partition Sector)
* TSR - A memory-resident DOS program, i.e. one which remains in memory while other programs are running. A good TSR scanner should at least detect all known in-the-wild viruses and a good percentage of other known viruses. Generally, TSRs are not so good with polymorphic viruses, and should not be relied on exclusively. Most TSR scanners don't detect macro viruses.
* Vx - Those who study, exchange and write viruses, not necessarily with malicious intentions. So we're frequently told here...
* VxD - A Windows program which can run in the background. A scanner implemented as a VxD has nearly all the advantages of a DOS TSR, but can have additional advantages: for instance, a good VxD will scan continuously *and* for all the viruses detected by an on-demand scanner.
* Zoo - suite of viruses used for testing.

See the comp.virus FAQ for fuller definitions of some of these terms and others which aren't addressed here.

(3) What is a virus (and what are Trojans and Worms)?
=====================================================

A (computer) virus is a program (a block of executable code) which attaches itself to, overwrites or otherwise replaces another program in order to reproduce itself without the knowledge of the PC user. Most viruses are comparatively harmless, and may be present for years with no noticeable effect: some, however, may cause random damage to data files (sometimes insidiously, over a long period) or attempt to destroy files and disks. Others cause unintended damage.
Even benign viruses (apparently non-destructive viruses) cause significant damage by occupying disk space and/or main memory, by using up CPU processing time, and by the time and expense wasted in detecting and removing them.

A Trojan Horse is a program intended to perform some covert and usually malicious act which the victim did not expect or want. It differs from a destructive virus in that it doesn't reproduce (though this distinction is by no means universally accepted). A dropper is a program which installs a virus or Trojan, often covertly.

A worm is a program which spreads (usually) over network connections. Unlike a virus, it does not attach itself to a host program. In practice, worms are not normally associated with personal computer systems.

There is an excellent and considerably longer definition in the Mk. 2 version of the Virus-L FAQ.

(The following is a slightly academic diversion)

A lot of bandwidth is spent on precise definitions of some of the terms above. I have Fridrik Skulason's permission to include the following definition of a virus, which I like because it demonstrates most of the relevant issues.

#1 A virus is a program that is able to replicate - that is, create (possibly modified) copies of itself.
#2 The replication is intentional, not just a side-effect.
#3 At least some of the replicants are also viruses, by this definition.
#4 A virus has to attach itself to a host, in the sense that execution of the host implies execution of the virus.
--
#1 is the main definition, which distinguishes between viruses and Trojans and other non-replicating malware.
#2 is necessary to exclude for example a disk-copying program copying a disk which contains a copy of itself.
#3 is necessary to exclude "intended" not-quite-viruses.
#4 is necessary to exclude "worms", but at the same time it has to be broad enough to include companion viruses and .DOC viruses.

(4) How do viruses work?
======================== A file virus attaches itself to a file (but see the section below or the comp.virus FAQ on the subject of companion viruses), usually an executable application (e.g. a word processing program or a DOS program). In general, file viruses don't infect data files. However, data files can contain embedded executable code such as macros, which may be used by virus or trojan writers. Recent versions of Microsoft Word are particularly vulnerable to this kind of threat. Text files such as batch files, postscript files, and source code which contain commands that can be compiled or interpreted by another program are potential targets for malware (malicious software), though such malware is not at present common. Boot sector viruses alter the program that is in the first sector (boot sector) of every DOS-formatted disk. Generally, a boot sector infector executes its own code (which usually infects the boot sector or partition sector of the hard disk), then continues the PC bootup (start-up) process. In most cases, all write-enabled floppies used on that PC from then on will become infected. Multipartite viruses have some of the features of both the above types of virus. Typically, when an infected *file* is executed, it infects the hard disk boot sector or partition sector, and thus infects subsequent floppies used or formatted on the target system. Macro viruses typically infect global settings files such as Word templates so that subsequently edited documents are contaminated with the infective macros. The following virus types are more fully defined in the comp.virus FAQs (see preamble): * STEALTH VIRUSES - viruses that go to some length to conceal their presence from programs which might notice. * POLYMORPHIC VIRUSES - viruses that cannot be detected by searching for a simple, single sequence of bytes in a possibly-infected file, since they change with every replication. 
* COMPANION VIRUSES - viruses that spread via a file which runs instead of the file the user intended to run, and then runs the original file. For instance, the file MYAPP.EXE might be 'infected' by creating a file called MYAPP.COM. Because of the way DOS works, when the user types MYAPP at the C> prompt, MYAPP.COM is run instead of MYAPP.EXE. MYAPP.COM runs its infective routine, then quietly executes MYAPP.EXE. N.B. this is not the *only* type of companion (or 'spawning') virus. * ARMOURED VIRUSES - viruses that are specifically written to make it difficult for an antivirus researcher to find out how they work and what they do. (5) How do viruses spread? ========================== A PC is infected with a boot sector virus (or partition sector virus) if it is (re-)booted (usually by accident) from an infected floppy disk in drive A. Boot Sector/MBR infectors are the most commonly found viruses, and cannot normally spread across a network. These (normally) spread by accident via floppy disks which may come from virtually any source: unsolicited demonstration disks, brand-new software (even from reputable sources), disks used on your PC by salesmen or engineers, new hardware, or repaired hardware. A file virus infects other files when the program to which it is attached is run, and so *can* spread across a network (often very quickly). They may be spread from the same sources as boot sector viruses, but also from sources such as Internet FTP sites and bulletin boards. (This applies also to Trojan Horses.) A multipartite virus infects boot sectors *and* files. Often, an infected file is used to infect the boot sector: thus, this is one case where a boot sector infector could spread across a network. (6) How can I avoid infection? ============================== There is no way to guarantee that you will avoid infection. 
However, the potential damage can be minimized by taking the following precautions: * make sure you have a clean boot disk - test with whatever (up-to-date!) antivirus software you can get hold of and make sure it is (and stays) write-protected. Boot from it and make a couple of copies. * use reputable, up-to-date and properly-installed anti-virus software regularly. (See below) If you use a shareware package for which payment and/or registration is required, do it. Not only does it encourage the writer and make you feel virtuous, it means you can legitimately ask for technical support in a crisis. * do some reading (see below). If you're a home user, you may well get an infection sooner or later. If you're a business user, it'll be sooner. Either way you'll benefit from a little background. If you're a business user you (or your enterprise) need a policy. * don't rely *solely* on newsgroups like this to get you out of trouble: it may be a while before you get a response (especially from a moderated group like comp.virus), and the first response you act upon may not offer the most appropriate advice for your particular problem. * if you use a shareware/freeware package, make sure you have hard copy of the documentation *before* your system falls apart! * always run a memory-resident scanner to monitor disk access and executable files before they're run. * if you run Windows, a reputable anti-virus package which includes DOS *and* Windows components is likely to offer better protection than a DOS only package. If you run Windows 95, you need a proper Win95 32-bit package for full protection. * make sure your home system is protected, as well as your work PC. * check all new systems and all floppy disks when they're brought in (from *any* source) with a good virus-scanning program. * acquire software from reputable sources: 2nd-hand software is frequently unchecked and sometimes infected. Bear in mind that shrinkwrapped software isn't necessarily unused. 
In any case, reputable firms have shipped viruses unknowingly.
* once formatted, keep floppies write-disabled except when you need to write a file to them: then write-disable them again.
* make sure your data is backed up regularly and that the procedures for restoring archived data *work* properly.
* scan pre-formatted diskettes before use.
* get to know all the components of the package you're using and consider which bits to use and how best to use them. Different packages have different strengths: diversifying and mixing and matching can, if carefully and properly done, be a good antivirus strategy, especially in a corporate environment.
* if your PC can be prevented with a CMOS setting from booting with a disk in drive A, do it (and re-enable floppy booting temporarily when you need to clean-boot).

CMOS settings
-------------

Some CMOS setup programs come with special anti-virus settings. These are normally vague about what they do but typically they write-protect your hard disk's boot sector and partition sector (MBR). This can be of some use against boot sector viruses but may false alarm when you upgrade your operating system.

One sensible setting to make (if your CMOS setup allows) is to adjust the boot sequence of your PC. Changing the default boot-up drive order from A: C: to C: will mean that the PC will attempt to boot from drive C: even if a floppy disk has been left in drive A:. This way boot sector virus infection can often be avoided. Remember, however, to set your CMOS back temporarily if you ever *do* want to boot clean from floppy (for example, when running a cryptographic checksummer after a cold boot).

SCSI controllers have their own BIOS. On some systems, this will override the boot sequence set in CMOS. It's always a good idea to check with a (known clean) bootable floppy after you've disabled floppy booting that it really is disabled. I don't think it's necessary to use the Rosenthal Simulator to do this, thank you, Doren.
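Section 6 above tells you to run a cryptographic checksummer after a clean cold boot, section 7 defines checksummers and integrity checkers, and section 4 describes the companion trick (a MYAPP.COM dropped beside MYAPP.EXE runs first because of the order in which DOS tries extensions). The following is an added worked example and is not part of the original FAQ, nor code from any product or author it names: a small keyed integrity checker in Python, run over a constructed in-memory snapshot of a DOS directory. The key, the file names and contents, the "infection" and the "forged database" are all made up for the demonstration, and the placeholder bytes are not real programs. It shows three things the section 7 definitions only state: why a keyed digest (rather than a CRC the virus could recompute) matters, why the database itself must be authenticated, and how a change detector can flag a companion file as well as a modified one.

```python
"""Keyed integrity checker over a constructed DOS directory snapshot (added example).
Everything here is made up for illustration: key, files, 'infection' and 'forgery'.
"""
import hashlib
import hmac

# File types the checker records; data files such as .TXT are ignored,
# since (as section 4 says) file viruses don't generally infect data files.
EXECUTABLE_EXTS = (".COM", ".EXE", ".SYS", ".OVL")

# DOS tries these extensions in this order for an unqualified command name,
# which is why a dropped MYAPP.COM shadows MYAPP.EXE (companion virus).
DOS_SEARCH_ORDER = (".COM", ".EXE", ".BAT")


def dos_resolve(command, listing):
    """Return the file DOS would run for `command` given a directory listing, or None."""
    names = {n.upper() for n in listing}
    for ext in DOS_SEARCH_ORDER:
        if command.upper() + ext in names:
            return command.upper() + ext
    return None


def is_executable(name):
    return name.upper().endswith(EXECUTABLE_EXTS)


def file_tag(key, name, data):
    """Keyed digest over name and contents. A virus that patches the file cannot
    produce a matching tag without `key`, unlike a CRC it could simply recompute."""
    return hmac.new(key, name.upper().encode() + b"\0" + data, hashlib.sha256).hexdigest()


def db_mac(key, tags):
    """Digest over the whole database, so entries can't be added, dropped or
    rewritten without the key either."""
    body = "\n".join(f"{n}={t}" for n, t in sorted(tags.items())).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_baseline(key, files):
    """files: dict of name -> bytes, snapshotted on a known-clean system."""
    tags = {n.upper(): file_tag(key, n, d) for n, d in files.items() if is_executable(n)}
    return {"tags": tags, "mac": db_mac(key, tags)}


def check(key, baseline, files):
    """Compare the current snapshot with the baseline and report what changed."""
    tags = baseline["tags"]
    findings = {
        "database_tampered": not hmac.compare_digest(db_mac(key, tags), baseline["mac"]),
        "modified": [], "new": [], "missing": [], "companions": [],
    }
    current = {n.upper(): d for n, d in files.items() if is_executable(n)}
    for name, data in sorted(current.items()):
        if name not in tags:
            findings["new"].append(name)
        elif not hmac.compare_digest(file_tag(key, name, data), tags[name]):
            findings["modified"].append(name)
    findings["missing"] = sorted(set(tags) - set(current))
    # A new .COM beside a baselined .EXE of the same stem is a companion candidate.
    for name in findings["new"]:
        stem, _, ext = name.rpartition(".")
        if ext == "COM" and stem + ".EXE" in tags:
            findings["companions"].append((name, stem + ".EXE"))
    return findings


# --- constructed demonstration data (not real executables, not a real virus) ---
KEY = b"made-up key: keep it on the write-protected boot floppy, not on C:"
CLEAN_DISK = {
    "COMMAND.COM": b"\xe9\x00\x10" + b"C" * 100,
    "MYAPP.EXE": b"MZ" + b"A" * 200,
    "NOTES.TXT": b"a data file; the checker ignores it",
}


def infect(disk):
    """Constructed 'infection': append to MYAPP.EXE and drop a companion MYAPP.COM."""
    infected = dict(disk)
    infected["MYAPP.EXE"] = disk["MYAPP.EXE"] + b"\x90" * 16 + b"appended body"
    infected["MYAPP.COM"] = b"\xb8\x00\x4c\xcd\x21" + b"runs first, then chains to MYAPP.EXE"
    return infected


def forge_database(baseline, files):
    """Constructed attacker: rewrite the MYAPP.EXE entry with an *unkeyed* hash,
    which is the best it can do without the key."""
    forged = {"tags": dict(baseline["tags"]), "mac": baseline["mac"]}
    forged["tags"]["MYAPP.EXE"] = hashlib.sha256(files["MYAPP.EXE"]).hexdigest()
    return forged


if __name__ == "__main__":
    baseline = build_baseline(KEY, CLEAN_DISK)
    infected = infect(CLEAN_DISK)
    print("clean   :", check(KEY, baseline, CLEAN_DISK))
    print("infected:", check(KEY, baseline, infected))
    print("forged  :", check(KEY, forge_database(baseline, infected), infected))
    print("MYAPP now resolves to", dos_resolve("myapp", infected))
```

Run it after a clean boot to take the baseline and again later to check. On the infected snapshot it reports MYAPP.EXE as modified, MYAPP.COM as new, and the pair as a companion; after the forged database it reports the database as tampered and MYAPP.EXE still as modified, because an unkeyed hash is not a valid tag. The key is the whole point: if it lives on the same hard disk as the files, a virus written against this checker can rebuild the database, which is exactly the attack section 7 says cryptographic checksummers exist to resist.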
(7) How does antivirus software work?
-------------------------------------

* Scanner (conventional scanner, command-line scanner, on-demand scanner) - a program that looks for known viruses by checking for recognisable patterns ('scan strings', 'search strings', 'signatures' [a term best avoided for its ambiguity]).
* TSR scanner - a TSR (memory-resident program) that checks for viruses while other programs are running. It may have some of the characteristics of a monitor and/or behaviour blocker.
* VxD scanner - a scanner that works under Windows (under Windows, under Win 95, or both) and checks for viruses continuously while you work.
* Heuristic scanners - scanners that inspect executable files for code using operations that might denote an unknown virus.
* Monitor/Behaviour Blocker - a TSR that monitors programs while they are running for behaviour which might denote a virus.
* Change Detectors/Checksummers/Integrity Checkers - programs that keep a database of the characteristics of all executable files on a system and check for changes which might signify an attack by an unknown virus.
* Cryptographic Checksummers - integrity checkers which use a cryptographic algorithm (normally with a secret key) rather than a simple checksum such as a CRC, to lessen the risk of being fooled by a virus which targets that particular checksummer by recomputing or forging the stored values.

---------------------------------------------------------------------

End of a.c.v.
FAQ Part 1 of 4 -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.2 for non-commercial use Comment: PGP Key ID 0xDCC35C75 available on Keyservers iQCVAwUBOLvlLLcpzG7cw1x1AQFOagQApMdBjccOExlbB42DTM5WCPeeK3SB1pqf KwbK3pok3c+8aolZpxr5TsIteVdMoJ2ATjOP13/SK02DPigUHzw7kn69C35ZDOh7 6n1F5RTzVLKXUB8wedU78ZAWS5hh/JY/EyM7718vAHT6kpgviaNK7MvxXxatPwDB LUiW7ziicS8= =WgMU -----END PGP SIGNATURE----- Path: senator-bedfellow.mit.edu!dreaderd!not-for-mail Message-ID: Supersedes: Expires: 21 Apr 2000 20:07:22 GMT References: X-Last-Updated: 2000/02/29 Organization: none From: George Wenzel Newsgroups: alt.comp.virus,comp.virus,alt.answers,comp.answers,news.answers Followup-To: alt.comp.virus Subject: [alt.comp.virus] FAQ Part 2/4 Approved: news-answers-request@MIT.EDU X-no-archive: yes Originator: faqserv@penguin-lust.MIT.EDU Date: 23 Mar 2000 20:09:05 GMT Lines: 957 NNTP-Posting-Host: penguin-lust.mit.edu X-Trace: dreaderd 953842145 2960 18.181.0.29 Xref: senator-bedfellow.mit.edu alt.comp.virus:101519 comp.virus:30977 alt.answers:47997 comp.answers:40196 news.answers:180075 Archive-name: computer-virus/alt-faq/part2 Posting-Frequency: Fortnightly URL: http://www.sherpasoft.org.uk/acvFAQ/ Maintainer: Co-maintained by David Harley, Bruce Burrell, and George Wenzel -----BEGIN PGP SIGNED MESSAGE----- alt.comp.virus (Frequently Asked Questions) ******************************************* Version 1.1 : Part 2 of 4 Last modified 19th August 1999 ("`-''-/").___..--''"`-._ `6_ 6 ) `-. ( ).`-.__.`) (_Y_.)' ._ ) `._ `. ``-..-' _..`--'_..-_/ /--'_.' ,' (il),-'' (li),' ((!.-' ADMINISTRIVIA ============= Disclaimer - - ---------- This document is an honest attempt to help individuals with computer virus-related problems and queries. It can *not* be regarded as being in any sense authoritative, and has no legal standing. The authors accept no responsibility for errors or omissions, or for any ill effects resulting from the use of any information contained in this document. 
TABLE OF CONTENTS
=================

See Part 1 of this FAQ for the full Table of Contents

Part 2
------

(8) What's the best anti-virus software (and where do I get it)?
(9) Where can I get further information?
(10) Does anyone know about
     * Mac viruses?
     * UNIX viruses?
     * macro viruses?
     * the AOLGold virus?
     * the PKZip300 trojan virus?
     * the xyz PC virus?
     * the Psychic Neon Buddha Jesus virus?
     * the blem wit virus
     * the Irina virus
     * Ghost
     * General Info on Hoaxes/Erroneous Alerts
(11) Is it true that...?
(12) Favourite myths
     * DOS file attributes protect executable files from infection
     * I'm safe from viruses because I don't use bulletin
       boards/shareware/Public Domain software
     * FDISK /MBR fixes boot sector viruses
     * Write-protecting suspect floppies stops infection
     * The write-protect tab always stops a disk write
     * I can infect my system by running DIR on an infected disk

=================

(8) What's the best anti-virus software (and where do I get it)?
================================================================
In case it's not absolutely clear from the following, it simply isn't possible to answer the first part of this question. There are, however, some suggestions for sources of software and of information on particular packages, comparative reviews etc. The danger of this approach is that sites, servers, and packages come and go, and it isn't possible to keep track of all of them. If URLs in this section have changed, please inform the maintainers so that they may be updated.

Most of the people who post here have their favourites: if you just ask which is the best, you'll generally get either a subjective "I like such and such", a recommendation of a particular product by someone who works for that company, or a request to be more specific about your needs. Some of us who are heavily involved with virus control favour using more than one package and keeping track of the market.

Don't trust anything you read in the non-technical press. Don't accept uncritically reviews in the computing press, either: even highly-regarded IT specialists often have little understanding of virus issues, and many journalists are specialists only in skimming and misinterpreting. Magazines like Virus Bulletin and Secure Computing are much better informed and do frequent comparative reviews, and are also informative about their testing criteria, procedures and virus suites.

Recently, a number of articles have been posted here by people who've run their own tests on various packages. These are often of interest, but should not be accepted uncritically. (No-one's opinion should be accepted uncritically!) Valid testing of antivirus software requires a lot of care and thought, and not all those who undertake it have the resources, knowledge or experience to do it properly.

You may get a more informed response if you specify what sort of system you have - DOS, Windows, Win95, WinNT, Mac? XT, AT, 386 or better? Is the system networked, and are you asking about protecting the whole network?
(What sort of network?) Are you running NT, OS/2 or Win95, any of which involve special considerations?

Be aware that there is more than one way of judging the effectiveness of a package - the sheer number of viruses detected; speed; tendency to false alarms; size (can you run it from a single floppy when necessary?); types of virus detection & prevention (not at all the same thing) offered (command-line scanning, TSR scanning, behaviour blocking, checksumming, access-control, integrity shell etc.); technical support etc.

One possible (but imperfect) measure of a package's efficiency in terms of virus detection is ICSA approval. Under the current testing protocol, a scanner must detect all viruses on the Wild List plus 90% of NCSA's full test suite. See http://www.icsa.net/services/product_cert/ for details.

Comprehensive product reviews can sometimes be found at the following sites, but are not necessarily the latest available.

http://www.virusbtn.com/                          _Virus Bulletin_
http://www.westcoast.com/                         _Secure Computing_
http://www.uta.fi/laitokset/virus/                University of Tampere
ftp://ftp.informatik.uni-hamburg.de/pub/virus/    Virus Test Center
  and http://agn-www.informatik.uni-hamburg.de/vtc/naveng.htm
http://victoria.tc.ca/int-grps/books/techrev/mnvr.html

and a number of reputable vendors include comparative reviews, papers on testing etc. on their WWW/FTP servers.

Many anti-virus packages are available from the SimTel mirrors:

http://www.simtel.net/simtel.net/msdos/virus.html
ftp://ftp.simtel.net/pub/simtelnet/msdos/virus/

For information on mirror sites, a regularly-updated listing can be found at

http://www.simtel.net/simtel.net/mirrors.html

Of course, such products can often be obtained direct from the publisher's WWW site, too.

The following information is not intended to be a totally comprehensive list; it is merely a reference to where major anti-virus packages can be downloaded.
Please note that the maintainers have not tested or even seen all the packages listed here, and listing here does not imply recommendation (though we won't list anything we *know* is rubbish....).

------------
AntiViral Toolkit Pro (commercial with evaluation versions)
Platform(s): DOS, Win3.x, Win95/98, NT, OS/2, NetWare.
URL: http://www.avp.com
     http://www.avp.ch
     http://www.avp.tm
     http://www.avp.ru
------------
AVAST!, AVAST32 (Commercial with evaluation versions)
Platform(s): DOS, Win3.x, Win95/98, NT.
URL: http://www.anet.cz/alwil/
------------
Calluna Hardwall (Hardware-based virus protection)
Platform(s): Win3.x, Win95, NT.
URL: http://www.hardwall.com/
------------
ChekMate (Integrity Checker; commercial w/ evaluation versions)
Platform(s): DOS, Win3.x, Win95/98, OS/2.
URL: http://chekware.simplenet.com/cmindex.htm
------------
ESafe Protect
Platform(s): Win95/98, NT.
URL: http://www.esafe.com/
------------
F-Prot (Free for personal, non-commercial use)
Platform(s): DOS with limited Windows support
URL: http://www.complex.is
------------
F-Prot Professional (Commercial; distributed by both Command Software and DataFellows)
Platform(s): DOS, Win3.x, Win95/98, WinNT, NetWare
URL: http://www.commandcom.com/
     http://www.DataFellows.com/
More details inc. in PRO.DOC, supplied with the shareware version.
------------
InoculateIT (formerly InocuLan; commercial with freeware version)
Platform(s): Win95/98, NT, Netware.
URL: http://www.cai.com/products/inoculateit.htm
------------
Integrity Master (Commercial with evaluation versions)
Platform(s): DOS, Win3.x, Win95/98, NT, OS/2.
URL: http://www.stiller.com
------------
Invircible (commercial with evaluation versions)
Platform(s): DOS, Win3.x, Win95/98, NT.
URL: http://www.invircible.com/
Note: The creators of InVircible have marketed it as the be-all and end-all of anti-virus products. As with any product, the buyer should beware such outlandish claims.
------------
McAfee VirusScan (also Dr. Solomon's products) - eval versions available
Platform(s): DOS, Windows, Win95, NetWare, Mac, NT, Lotus Notes, Groupware, Exchange, SunOS, Solaris, FreeBSD, SCO, Linux.
URL: http://www.nai.com
------------
Microsoft (Macro Virus fixes)
URL: http://www.microsoft.com
Note: Microsoft anti-virus (MSAV) is no longer supported. If you're using it, get something else (anything else). MSAV is not adequate protection as it does not protect against current viruses. There is a paper by Yisrael Radai which documents many of the other problems with MSAV and CPAV:
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/msaveval.zip
------------
MIMESweeper (Mail scanning 'firewall')
Platform(s): Domino, SMTP, Exchange, Raptor
URL: http://www.mimesweeper.com
------------
NH&A (Distributors of various anti-virus products; see URL for details)
Platform(s): Various, depends on the product
URL: http://www.nha.com
------------
Norman Virus Control
Platform(s): DOS, Win3.x, Win95, NT, OS/2, NetWare, Lotus Domino, Exchange.
URL: http://www.norman.com/
------------
Norton Anti-virus, Symantec Anti-virus for Mac
Platform(s): DOS, Win3.x, Win95/98, Mac (SAM), NT, NetWare, OS/2, Lotus Notes, Exchange.
URL: http://www.symantec.com/
------------
Panda Anti-Virus
Platform(s): DOS, Win3.x, Win95/98, NT, OS/2.
URL: http://www.pandasoftware.com
------------
PC-Cillin, InterScan, Scanmail, Serverprotect
Platform(s): Win95/98, NT, Lotus Notes, Exchange, Outlook, cc:mail.
URL: http://www.antivirus.com/
------------
Reflex Magnetics Ltd - DiskNet, Macro Interceptor, and Data Vault
Platform(s): Win95/98, NT.
URL: http://www.reflex-magnetics.co.uk/
------------
ScanMaster for Novell/Vines (Uses McAfee VirusScan engine)
URL: http://www.netpro.com
------------
Sophos Sweep (commercial with evaluation versions)
Platform(s): DOS, Win3.x, Win95/98, NT, Mac, OS/2, Netware, AIX, Linux, FreeBSD, HP-UX/HP-PA, SCO, Solaris, OpenVMS, Banyan VINES.
URL: http://www.sophos.com/
------------
VirusBUSTER, MacroVirusBUSTER, CyberBUSTER
Platform(s): DOS, Win3.x, Win95/98, NT
URL: http://www.leprechaun.com.au/
------------
VirusNet
Platform(s): DOS, Win3.x, Win95/98, NT
URL: http://www.safetynet.com
------------

In the event of a *real* tragedy, there are a number of firms which specialise in data recovery. Examples include:

Ontrack Data Recovery, Inc.
URL: http://www.ontrack.com

DataRescue:
URL: http://www.datarescue.com/

(9) Where can I get further information?
========================================

The following sites are not regularly checked. Please advise of any changes which aren't reflected in this document.

ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/
[mirror sites]
ftp://ftp.uu.net/pub/security/virus/
ftp://sunsite.unc.edu/pub/docs/security/hamburg-mirror/virus/

http://www.SevenLocks.com/
http://www.hitchhikers.net/av.shtml
http://csrc.ncsl.nist.gov/virus
http://www.nc5.infi.net/~wtnewton/vinfo/master.html

Virus Bulletin Home Page - vendor contact info, comparative reviews, review protocol info etc.
http://www.virusbtn.com

Henri Delger's home page has much useful info and useful links
http://pages.prodigy.net/henri_delger/index.htm

Tom Simondi has written a freeware virus tutorial (VTUTOR11.ZIP).
http://www.cknow.com/

Some information is available from The Scanner, an on-line anti-virus newsletter. It may not be entirely current, however.
http://diversicomm.com/scanner

Doug Muth has not only AV links but geek code as well....
http://www.claws-and-paws.com/

Bob Rosenberger's Computer Virus Myths Page
http://www.kumite.com/myths/

A few Amiga links:

http://ftp.uni-paderborn.de/aminet/dirs/util_virus.html
[Antivirus info and programs]
ftp://ftp.uni-paderborn.de/aminet/util/virus/

According to Dennis Boon, trsivw65.lha has info about 100 or so viruses; VT_docfiles.lha has info on nearly all Amiga viruses (in German); the VIB9508.lha file contains info on all viruses up to August 1995 (in English).

The WildList (List of viruses currently 'in the wild' - doesn't include much description)
http://www.wildlist.org

Virus Descriptions
------------------

http://www.avpve.com                               AVP Virus Encyclopedia
http://www.datafellows.com/vir-info/               Data Fellows Virus Database
http://www.symantec.com/avcenter/vinfodb.html      Symantec Virus Database
http://www.avertlabs.com                           McAfee Virus Database

Virus demonstrations
--------------------

AVP includes some virus demonstrations, and other publishers have demos available. There are also virus simulators, which are not quite the same thing. These are sometimes advocated as a means of testing antivirus packages, but there are dangers to this approach: after all, a package which detects one of these simulators as the virus it simulates is, technically, false-alarming. See section F6 of the Mark 2 Virus-L FAQ, which is rather good on types and uses of virus simulation.

Books which may be of use:

Robert Slade's Guide to Computer Viruses - Springer-Verlag
  Pretty good introduction & general resource. Currently in its second edition.

Computers Under Attack (ed. Denning) - Addison-Wesley
  Aging, but some classic texts

Survivors' Guide to Computer Viruses (ed. Lammer) - Virus Bulletin
  Uneven, but includes useful stuff from Virus Bulletin

Dr. Solomon's Virus Encyclopedia
  You may from time to time find copies of an older edition of this in bookshops, though it's better known as part of Dr. Solomon's AntiVirus ToolKit. It's a pretty good guide to some of the older viruses.
A Short Course on Computer Viruses (F. Cohen) - Wiley
  By the man who 'invented' the concept of computer viruses. Some aspects are controversial, but a good introduction to his work.

The comp.virus FAQ includes pointers to some books.

Useful (and expensive) periodicals:

Virus Bulletin
  http://www.virusbtn.com

Secure Computing
  http://www.westcoast.com

Computers and Security
  Elsevier Advanced Technology
  PO Box 150
  Kidlington
  Oxford OX5 1AS
  44 (0) 1865-843666
  a.verhoeven@elsevier.co.uk

The Disaster Recovery Journal (more info & on-line articles)
  http://www.drj.com

(10) Does anyone know about...
==============================

...Mac viruses?
---------------

David Harley co-maintains (with Susan Lesch) a FAQ on Mac/virus issues, which can be found at:

http://www.macvirus.com/
http://www.sherpasoft.com/MacSupporters/

Mac-specific virus information:

http://www.symantec.com
http://www.nai.com
http://www.sherpasoft.com/MacSupporters/
http://www.hyperactivesw.com
http://ciac.llnl.gov/ciac/CIACVirusDatabase.html/

...UNIX viruses?
----------------

In general, there are virtually no non-experimental UNIX viruses. There have been a few Worm incidents, most notably the Morris Worm (a.k.a. the Internet Worm) of 1988, and a couple of minor Linux viruses. Some Linux viruses exist, but are not widespread.

There are products which scan some Unix systems for PC viruses, though any machine used as a file server (Novell, Unix etc.) can be scanned for PC viruses by a DOS scanner if it can be mounted as a logical drive on a PC running appropriate network client software such as PC-NFS. Unix servers running as web servers, ftp servers, intranet servers etc. should be considered as a potential source of files infected with viruses specific to other platforms, even if they are not directly infectable themselves. This problem is sometimes referred to as the 'latent virus problem', or 'heterogeneous virus transmission'. Intel-based PCs running Unix (e.g. Linux, 386BSD, SCO Unix etc.)
can also be infected by a DOS boot-sector virus if booted from an infected disk. The same goes for other PC-hosted operating systems such as NetWare.

While viruses are not a major risk on Unix platforms, integrity checkers and audit packages are frequently used by system administrators to detect file changes made by other kinds of attack. However, Unix security is outside the scope of this FAQ (see comp.security.unix). In fact, such packages generally target PC viruses more than the handful of Unix viruses. See also the Unix section in the Virus-L/comp.virus FAQ.

A useful book:

Practical Unix Security & Internet Security (Garfinkel, Spafford) - O'Reilly

...macro viruses?
-----------------

Macro viruses and trojans are specific to certain applications which use sophisticated macro languages, rather than being specific to a particular operating system. Macro viruses comprise a high percentage of the viruses now in the wild. Most current macro viruses and trojans are specific to Microsoft Word and Excel: however, many applications, not all of them Windows applications, have potentially damaging and/or infective macro capabilities too. Macro languages such as WordBasic and Visual Basic for Applications (VBA) are powerful programming languages in their own right. Word and Excel are particularly vulnerable to this threat, due to the way in which the macro language is bound to the command/menu structure in vulnerable versions of Word, the way in which macros and data can exist in the same file, and the eccentricities of OLE-2.

For further info on macro viruses, you might like to try the main antivirus vendor sites.

...The AOLgold virus
--------------------

This was actually a trojan. Information is available on the CIAC archive: you can get this and other CIAC notices from the CIAC Computer Security Archive.

World Wide Web: http://ciac.llnl.gov/

...the PKZip trojan virus?
--------------------------

Most of us prefer to distinguish between trojans and viruses (see Part 1). The threat described in recent warnings is definitely not a virus, since it doesn't replicate by infection.

There have been at least two attempts to pass off Trojans as an upgrade to PKZip, the widely used file compression utility. A recent example was of the files PKZ300.EXE and PKZ300B.ZIP made available for downloading on the Internet. An earlier Trojan passed itself off as version 2.0. For this reason, PKWare have never released a version 2.0 of PKZip: presumably, if they ever do release another DOS version (unlikely, at this date, in my opinion), it will not be numbered version 3.0(0).

In fact, there are hardly any known cases of someone downloading and being hit by this Trojan, which few people have seen (though most reputable virus scanners will detect it). As far as I know, this Trojan was only ever seen on warez servers (specialising in pirated software). There are recorded instances of a fake PKZIP version 3 found infected with a real live in-the-wild file virus, but this too is very rare.

To the best of my knowledge, the latest version of PKZip is 2.04g, or 2.50 for Windows. There was a version 2.06 put together specifically for IBM internal use only (confirmed by PKWare). If you find it in circulation, avoid it. It's either illicit or a potentially damaging fake.

The recent rash of resuscitated warnings about this is at least in part a hoax. It's not a virus, it's a trojan. It doesn't (and couldn't) damage modems, V32 or otherwise, though I suppose a virus or trojan might alter the settings of a modem - if it happened to be on and connected.... I don't want to get into hypothetical arguments about programmable modems right now. It appears to delete files, not destroy disks irrevocably. It's certainly a good idea to avoid files claiming to be PKZip version 3, but the real risk hardly justifies the bandwidth this alert has occupied.

...xyz PC virus?
----------------

There are several thousand known PC viruses, and the number 'in the wild' is in the hundreds. It is not practical to include information about all of these in this FAQ. There are rarely enquiries about viruses on other computing platforms raised in alt.comp.virus, but there is some information concerning viruses on most platforms available at the Virus Test Center in Hamburg. See the section above on Virus Descriptions for sites where information is available.

...the Psychic Neon Buddha Jesus virus?
---------------------------------------

This is an allegedly humorous bit of JavaScript programming that found its way onto a website. On clicking on a particular button, you may be told that this virus has been detected. JavaScript has many interesting properties, but virus detection is not one of them. It was a joke, and it's long gone, though others like it pop up from time to time.

...the blem wit virus?
----------------------

See the Virus-L FAQ. Basically, it's a mangled message that may come up with older Novell drivers: "[pro]blem wit[h]....."

The Irina Virus?
----------------

Publicity stunt generated by Penguin Books to promote their 'interactive novel'. More info in the 'Viruses and the Mac' FAQ, a CIAC bulletin on hoax and semi-hoax viruses, the Computer Virus Myths website (http://www.kumite.com/myths/) and many other sources.

GHOST
-----

Just a screensaver...... More info in the CIAC bulletin mentioned above and/or the Computer Virus Myths website.

General Info on Hoaxes/Erroneous Alerts
---------------------------------------

The CIAC updated bulletin mentioned several times above is at:

http://ciac.llnl.gov/ciac/bulletins/h-05.shtml

It includes info on the alerts mentioned below, some historical background, and suggestions on validating hoaxes rather than passing them on uncritically.
CIAC have now set up a hoaxes web page at:

http://ciac.llnl.gov/ciac/CIACHoaxes.html

There's also a page on chain letters which includes relevant material.

There are lots of useful links at:

http://www.kumite.com/myths

-----------------extract-------------------------------

INFORMATION BULLETIN H-05
Internet Hoaxes: PKZ300, Irina, Good Times, Deeyenda, Ghost
November 20, 1996 16:00 GMT

PROBLEM:        This bulletin addresses the following hoaxes and erroneous warnings: PKZ300 Warning, Irina, Good Times, Deeyenda, and Ghost.exe
PLATFORM:       All, via e-mail
DAMAGE:         Time lost reading and responding to the messages
SOLUTION:       Pass unvalidated warnings only to your computer security department or incident response team. See below on how to recognize validated and unvalidated warnings and hoaxes.
VULNERABILITY   New hoaxes and warnings have appeared on the Internet and old
ASSESSMENT:     hoaxes are still being circulated.

---------------------end extract--------------------------------

(11) Is it true that....?
=========================

(*or* some favourite hoaxes...)

(1) There is *no* Good Times virus that trashes your hard disk and launches your CPU into an nth-complexity binary loop when you read mail with "Good Times" in the Subject: field. You can get a copy of Les Jones' FAQ on the Good Times Hoax from:

http://www.public.usit.net/lesjones/goodtimes.html

There *is* at least one file virus christened Good Times by the individual who posted it in an attempt to cause confusion. It is more commonly referred to as GT-spoof.

(2) There is no modem virus that spreads via an undocumented subcarrier - whatever that means....

(3) Any file virus can be transmitted as an E-mail attachment. However, the virus code has to be executed before it actually infects. Sensibly configured mailers don't usually allow this by default and without prompting, but certainly some mailers can support this: for instance, cc:mail can, it seems, launch attachments straight into AmiPro.
There's room for a lot of discussion here. The jury is still out on web browsers: Netscape can certainly be set up to do things I don't approve of, such as opening a Word document in Word without asking.

Microsoft have made available a Word viewer which reads Word files, but doesn't run attached macros. If possible, use this instead. If you have both Word and the Word Viewer, it is a good idea to set the Word Viewer as the default association instead of Word itself. This protects you from macro viruses to a certain extent, while not preventing you from using Word to edit documents (just use File/Open instead of double-clicking on the file).

The term 'ANSI bomb' usually refers to a mail message or other text file that takes advantage of an 'enhancement' to the MS-DOS ANSI.SYS driver which allows keys to be redefined with an escape sequence, in this case to echo some potentially destructive command to the console. In fact, few systems nowadays run programs which need ANSI terminal emulation to run, and there's no guarantee that the program reading the file would pass such an escape sequence unfiltered to the console anyway. There are plenty of PD or shareware alternatives to ANSI.SYS that don't support keyboard redefinition, or allow it to be turned off.

The term mail bomb is usually applied to the intentional bombardment of an e-mail address with multiple copies of a (frequently abusive) message, rather than to the above.

(4) There is no known way in which a virus could sensibly be spread by a graphics file such as a JPEG or .GIF file, which does not contain executable code. Macro viruses work because the files to which they are attached are not 'pure' data files.

(5) In general, software cannot physically damage hardware - this includes viruses.
There is a possibility that specific hardware may be damaged by specific code: however, a virus which drops a particular payload on the off-chance that it's running on a system with a particular type of obsolete video card seems more than usually futile.

At least one virus (named CIH, AKA Chernobyl) contains code that can overwrite BIOS code on some machines. This does not constitute hardware damage, since the chip involved is still intact. Problem is, without the appropriate software on that chip, the system won't boot. Repair from this payload generally involves reprogramming the BIOS chip, which can be more expensive than just buying a new motherboard.

(12) Favourite myths
====================

* DOS file attributes protect executable files from infection

File attributes are set by software, and can therefore be changed by software, including viruses. Many viruses reset a ReadOnly/System/Hidden file to Read/Write, infect it, and often reset it to the original attributes afterwards. This also applies to other software mechanisms such as simulating hardware write-protection on a hard disk.

However, file protection rights in NetWare *can* help to contain virus infections, if set up properly, as can trustee rights. [Trustee assignments govern whether an individual user has right of access to a subdirectory: the Inherited Rights Mask governs the protection rights of individual files and (sub)directories.] Basically, a file virus has the same rights of access as the user who happens to inadvertently activate it.

Setting up these levels of security is really a function of the network Administrator, but you might like to check (politely) that yours is not only reassuringly paranoid but also knowledgeable about viruses as well as networks, since a LAN which is not, in this respect, securely configured, can result in very rapid infection and reinfection of files across the whole LAN.
In particular, accounts with supervisor equivalence can, potentially, be the unwitting cause of very rapid dissemination of viruses.

[See also the comp.virus FAQ (version 2) section D]

* I'm safe from viruses because I don't use bulletin boards/shareware/Public Domain software.

Many of the most widely-spread viruses are Boot Sector Infectors, which can't normally infect over a serial or network connection. Writers of shareware, freeware etc. are no more prone to accidental infection than commercial publishers, and possibly less. The only 'safe' PC is still in its original wrapping (which doesn't mean it isn't already infected...) And don't forget that shrinkwrapped software may have been rewrapped.

As well, the most common viruses today are macro viruses, which depend on you running a commercial application (usually MS Word or Excel). They spread via documents exchanged between computers, which is a common occurrence on many systems, regardless of how 'connected' they are.

* FDISK /MBR fixes boot sector viruses.

The mark II comp.virus FAQ is worth reading on this (see Part 1 of this FAQ as well as Part 4, section 14). In brief, don't use FDISK /MBR *unless* you're *very* sure of what you're doing, as you may lose data. Note also that if you set up the drive with a disk manager such as EZDrive, you won't be able to access the drive until and unless you can reinstall it.

******************************************************************

(i) What does FDISK /MBR do?
------------------------

It places "clean" partition code onto the partition of your hard disk. It does not necessarily change the partition information, however. [It does sometimes, and when it does it is usually fatal (for the common user, anyway). FDISK /MBR will wipe the partition table data if the last two bytes of the MBR are not 55 AA.] The /MBR command-line switch is not officially documented in all DOS versions and was introduced in DOS 5.0.

(ii) What is the partition?
----------------------

The partition sector is the first sector on a hard disk. It contains information about the disk such as the number of sectors in each partition, where the DOS partition starts, plus a small program. The partition sector is also called the "Master Boot Record" (MBR). When a PC starts up it reads the partition sector and executes the code it finds there. Viruses that use the partition sector modify this code.

Since the partition sector is not part of the normal data storage part of a disk, utilities such as DEBUG will not allow access to it. [Unless one assembles into memory] Floppy disks do not have a partition sector. FDISK /MBR will change the code in a hard disk partition sector.

(iii) What is a boot sector?
----------------------

The boot sector is the first sector on a floppy disk. On a hard disk it is the first sector of a partition. It contains information about the disk or partition, such as the number of sectors, plus a small program. When the PC starts up it attempts to read the boot sector of a disk in drive A:. If this fails because there is no disk it reads the boot sector of drive C:. A boot sector virus replaces this sector with its own code and usually moves the original elsewhere on the disk.

Even a non-bootable floppy disk has executable code in its boot sector. This displays the "not bootable" message when the computer attempts to boot from the disk. Therefore, non-bootable floppies can still contain a virus and infect a PC if it is inserted in drive A: when the PC starts up.

FDISK /MBR will not change the code in a hard disk boot sector (as opposed to the partition sector). Most boot sector viruses infect the partition sector of hard disks and floppy disk boot sectors: most do not infect the boot sector of a hard disk - the Form virus is an exception.

(iv) How can I remove a virus from my hard disk's partition sector?
--------------------------------------------------------------
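Before the removal options, an added example (not part of the FAQ) that decodes the partition sector described in (ii) and (iii) and applies the 55 AA check from (i). The 446-byte code area, the four 16-byte table entries and the two-byte signature are the standard MBR layout rather than anything the FAQ spells out; the sample sector, its dummy "boot code" and the saved clean copy are constructed inline.

```python
import struct

SECTOR_SIZE = 512
CODE_SIZE = 446            # boot code occupies bytes 0..445
TABLE_OFFSET = 446         # four 16-byte partition entries follow the code
SIGNATURE = b"\x55\xaa"    # the '55 AA' the FAQ mentions, at bytes 510..511

# A few partition type IDs, enough for the constructed sample.
TYPE_NAMES = {0x01: "FAT12", 0x04: "FAT16 <32M", 0x05: "Extended", 0x06: "FAT16", 0x0B: "FAT32"}


def parse_mbr(sector: bytes) -> dict:
    """Decode the signature and the non-empty partition entries of one sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("a partition sector is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        # entry: boot flag, CHS start (3 bytes), type, CHS end (3 bytes),
        # LBA of first sector, sector count (both little-endian dwords)
        flag, type_id, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if type_id == 0:
            continue                                   # unused slot
        partitions.append({
            "index": i,
            "active": flag == 0x80,
            "type": type_id,
            "type_name": TYPE_NAMES.get(type_id, "unknown"),
            "lba_start": lba_start,
            "sectors": count,
        })
    return {"signature_ok": sector[510:512] == SIGNATURE, "partitions": partitions}


def table_survives_fdisk_mbr(sector: bytes) -> bool:
    """The condition the FAQ gives in (i): FDISK /MBR rewrites the code but
    wipes the partition table if the last two bytes are not 55 AA."""
    return sector[510:512] == SIGNATURE


def boot_code_changed(sector: bytes, saved_sector: bytes) -> bool:
    """Compare the code area with a copy saved while the disk was known clean.
    A partition-sector virus modifies exactly this region (see (ii)), so a
    mismatch here with the table otherwise intact is what to look for."""
    return sector[:CODE_SIZE] != saved_sector[:CODE_SIZE]


def build_sample_mbr() -> bytes:
    """Constructed sector: dummy code, one active FAT16 primary partition,
    one extended partition, 55 AA signature. The code bytes are not a real
    boot loader."""
    code = b"\xfa\x33\xc0\x8e\xd0" + b"\x00" * (CODE_SIZE - 5)
    primary = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\x7f", 63, 2097089)
    extended = struct.pack("<B3sB3sII", 0x00, b"\x00\x01\x80", 0x05, b"\xfe\x3f\xff", 2097152, 1048576)
    return code + primary + extended + b"\x00" * 32 + SIGNATURE


if __name__ == "__main__":
    clean = build_sample_mbr()
    print(parse_mbr(clean))
    tampered = b"\xeb\xfe" + clean[2:]                 # code altered, table untouched
    print("code changed:", boot_code_changed(tampered, clean))
    print("table kept by FDISK /MBR:", table_survives_fdisk_mbr(clean[:510] + b"\x00\x00"))
```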
There are two main alternatives: run an anti-virus product, or use FDISK /MBR. Most effective anti-virus products will be able to remove a virus from a partition sector, but some have difficulties under certain circumstances. In these cases the user may decide to use FDISK /MBR. Unless you know precisely what you are doing this is unwise. You may lose access to the data on your hard disk if the infection was done by a virus such as Monkey or OneHalf. Part 4, section 14 of this FAQ contains details as to how losing data might happen.

(v) Won't formatting the hard disk help?
------------------------------------

Not necessarily. Formatting the hard disk can result in everything being wiped from the drive *apart* from the virus. Format alters the DOS partition, but leaves the partition sector (AKA the MBR) untouched. There is usually a better way of removing a virus infection than formatting the hard disk.

******************************************************************

* Write protecting suspect floppies stops infection.

This sounds so silly I hesitate to include it. I've never seen it said on a.c.v., but I've heard it so often in other contexts, I've included it anyway. Write-protecting a suspect floppy will only protect that diskette from *re-infection*, if it's already infected. It won't stop an infected floppy from infecting other (write-enabled) drives. If you boot with a disk in drive A which is infected with a boot-sector virus, the fact that the diskette is write-protected will make no difference at all. Write-protecting a *clean* floppy will indeed prevent it from being infected (but see below!).

* The write protect tab always stops a disk write

Briefly, write protection is built into the hardware on the Mac and on the PC (and most other systems, of course, but we can't cover everything), and can't be circumvented in software.
However, it is possible for the hardware to fail: it's not common, but it happens. Thus when I do a cleanup, I try to create a file on a sacrificial floppy before risking my R/O boot disk. Sometimes I even remember....

Other caveats: a disk which you receive write-protected could have been de-protected, infected, and re-protected. Even a 3.5" disk with the write-enable tab removed can be written to by covering the hole with (e.g.) masking tape. And, of course, shrink-wrapped software could have been infected before the duplication process.

* I can infect my system by running DIR on an infected disk.

If you have a clean PC system, you can't contract a boot sector virus *or* a file virus just by listing the files on an infected floppy. Of course, if your PC is already infected, you may well infect a *clean* floppy by using DIR A:. It *is* possible to have a scanner report a virus in memory after a DIR of a floppy with an infected boot sector: DOS reads the boot sector into a disk buffer to identify the disk format, and the scanner finds the virus code sitting in that buffer. The distinction is that the virus is present only as data and has never been executed, so the PC has *not* been infected.

-----------------------------------------------------------------------
End of a.c.v.
FAQ part 2

=======================================================================

[alt.comp.virus] FAQ Part 3/4
From: George Wenzel
Newsgroups: alt.comp.virus,comp.virus,alt.answers,comp.answers,news.answers
Date: 23 Mar 2000 20:09:06 GMT
Archive-name: computer-virus/alt-faq/part3
Posting-Frequency: Fortnightly
URL: http://www.sherpasoft.org.uk/acvFAQ/
Maintainer: Co-maintained by David Harley, Bruce Burrell, and George Wenzel

alt.comp.virus (Frequently Asked Questions)
*******************************************

Version 1.1 : Part 3 of 4
Last modified 19th August 1999

ADMINISTRIVIA
=============

Disclaimer
----------

This document is an honest attempt to help individuals with computer virus-related problems and queries. It can *not* be regarded as being in any sense authoritative, and has no legal standing. The authors accept no responsibility for errors or omissions, or for any ill effects resulting from the use of any information contained in this document.
It should not be assumed that this document is up-to-date in all respects. Not all the views expressed in this document are those of the maintainers, and those views which *are* those of the maintainers are not necessarily shared by their respective employers.

Copyright Notice
----------------

Copyright on all contributions to this FAQ remains with the authors and all rights are reserved. It may, however, be freely distributed and quoted - accurately, and with due credit. B-) It may not be reproduced for profit or distributed in part or as a whole with any product or service for which a charge is made, except with the prior permission of the copyright holders. To obtain such permission, please contact one of the co-maintainers of the FAQ:

David Harley
George Wenzel
Bruce Burrell

[Please check out the more detailed copyright notice at the beginning of part 1 of the FAQ]

------------------------------------------------------------------------

TABLE OF CONTENTS
*****************

++ See Part 1 of this FAQ for the full Table of Contents

Part 3
------

(13) What are the legal implications of computer viruses?


(13) What are the Legal Implications of Computer Viruses?
=========================================================

**********************************************************************
The material in this section has no formal legal standing. It consists of several persons' attempts to interpret and clarify the legal issues, and cannot possibly be authoritative. If you want bona-fide legal advice, seek a qualified lawyer. This section hasn't been updated in a good while, and isn't likely to be in the near future, so it can't possibly be more than a rough guide to the issues.
**********************************************************************

Overview
--------

It isn't possible to deal briefly with all the relevant legislation in one country, let alone all of them.
In the USA, state statutes may be much more rigorous than federal legislation, which is, arguably, more concerned with computers in which the government has an interest than with those belonging to individuals. In many countries, writing a virus is not an offence in itself; in others, not only is it an offence, but distribution, even the sharing of virus code between antivirus researchers, is at least technically an offence as well.

Once a virus is released 'into the wild', it is likely to cross national boundaries, making the writer and/or distributor answerable for his/her actions under a foreign legal system, in a country he/she may never have visited. Where criminal law on virus writing and distribution may not apply locally in a particular case, the individual may nevertheless be subject to civil action: in other words, even where you may be held to have committed no offence, you may still be sued for damage.

Some of the grounds on which virus writing or distribution may be found to be illegal (obviously I'm not stating that all these grounds will apply at all times in all states or countries!) include:

* Unauthorized access - you may be held to have obtained unauthorised access to a computer you've never seen, if you are responsible for distribution of a virus which infects that machine.

* Unauthorized modification - this could be held to include an infected file, boot sector, or partition sector.

* Loss of data - this might include liability for accidental damage as well as intentional disk/file trashing.

* Endangering of public safety.

* Incitement (e.g. making available viruses, virus code, information on writing viruses, and virus engines).

* Denial of service.

* Application of any of the above with reference to computer systems or data in which the relevant government has an interest.
Since the law does vary widely from country to country (and even within countries), it is entirely possible to break the law of another country, state, province, or whatever, without ever leaving your own, and since extradition treaties do exist, perhaps it's best to assume that any act that might be construed as being or causing wilful and malicious damage to a computer or computer system could get you a roommate with undesirable tendencies and no social graces. :)

The best advice to give to anyone contemplating a possibly illegal act would be to contact their local Crown Prosecutor, Crown Attorney, District Attorney, or whatever label the local government prosecutor wears. Acting on the advice of one's own attorney doesn't render one immune from prosecution, and the cost of defence can be high, even if successful. An extremely biased opinion is that very often attorneys attempt to provide the answer they believe the client wishes to hear, or give an opinion in areas where they have no real expertise. Prosecutors, on the other hand, tend to look at a particular action in the light of whether a successful prosecution can be mounted. If the local Crown Prosecutor were to suggest that something was a Bad Thing, I should be extremely nervous about doing it. :)

USA & Canada
------------

The following is an interpretation of the laws in the USA and Canada, and has no legal standing as an authoritative document in those countries or any other. Relevant legislation in other parts of the world may be very different and in some cases far stricter.

Many thanks to David J. Loundy for his assistance with the legalities regarding computer crime. A valuable source of information on this topic can be found in his E-Law paper, which can be accessed via the URL:

http://www.Loundy.com/E-LAW/E-Law4-full.html

It is illegal in both the USA and Canada to damage data within a computer system which is used or operated by the government.
This means that if you write a virus, and it eventually infects a government system (highly probable), you are in violation of the law. Included in this category are damages incurred due to computer stoppages (i.e. writing a virus that causes a computer to crash or become unusable), and viruses that destroy data.

The question of whether writing malevolent computer viruses is illegal isn't really that hard to answer: it is illegal to write and spread a virus that infects a government system. Federal law is unclear as to whether this extends to private computer systems as well, but state statutes are frequently unequivocal about defining virus-related crimes against property.

The question has come up, however, about the distribution of viruses and virus-related programs. A general guideline is that it is legal to distribute viruses, for example on a BBS, as long as the people who are downloading the virus know EXACTLY what they are getting. If you intentionally infect a file and make it available for downloading, you may be subject to prosecution. Your conscience should be your guide in this kind of situation. If a virus distributed by you is used to damage or otherwise modify a major system, you can be held accountable.

Note that there are different kinds of distribution for viruses. If you simply make a virus available on a web page, and clearly label it as such, then you are unlikely to face any (criminal) consequences. The possibility exists, however, that you could be charged under "incitement" laws - in other words, it could be argued that distributing viruses on web pages (even if clearly labeled as such) amounts to inciting other people to use the viruses to break laws. If you distribute the virus via newsgroups, however, you may be held liable. Distributing viruses via newsgroups, e-mail lists, and the like can lead to prosecution because these media 'push' viruses to people who would otherwise not want them on their systems.
This is not the case with simply placing a virus on a web page (provided your ISP doesn't have problems with it). Keep in mind, however, that an ISP's stance on viruses can change quickly if negative publicity comes about due to their inaction in removing the viruses on their systems.

The reason that the explanations in this section are vague is that the laws in various states, provinces, etc. are different, and you should check with your local police before you decide you want to distribute viruses. If you spread a virus unknowingly, you generally cannot be prosecuted unless it can be proven that you spread the virus through pure carelessness. The definition of carelessness has not been tested in a court of law, as far as I know at the date of writing (9/22/95).

The Canadian Criminal Code
--------------------------

Please bear in mind that the following information was culled from the Criminal Code in 1993 and those sections may have been expanded or revised since then, or possibly some computer-specific legislation may have been enacted of which we are unaware.

No mention is made in the Code (as of 1993) of computer viruses as such, but it would seem that prosecution under Sec. 430 (Mischief) or Sec. 342.1 (Unauthorized use of computer) would be appropriate. Apparently the laws governing trespass have not been considered as having any application in cyberspace. Offenders under section 342.1 would be charged with mischief, which covers a multitude of sins under Canadian law. The penalties stipulated in Sec. 342.1 are the same as the penalties for sabotage, just as a point of interest.

A prosecutor would probably deal with incitement (i.e. inciting somebody else to maliciously use viruses) under Sec. 21 (Parties to offence), Sec. 463 (Attempts), or Sec. 465 (Conspiracy). Sec. 21-24 of the Criminal Code may be of interest because they detail aiding and abetting, incitement, and related issues which have some application in the realm of viruses.
Under certain circumstances, laws in other countries may be applicable in cyberspace, where there are no formal territorial boundaries. For instance, Sec. 465 (4) of the Canadian Criminal Code stipulates that every one who, "while in a place outside Canada", conspires to commit an offence in Canada "shall be deemed to have conspired in Canada to do that thing."

The UK
------

In the UK, the Computer Misuse Act makes it a crime to make an unauthorised modification on a computer. If you own a computer, you can authorise anything you want for that computer, so you can spread a virus on a computer you own. A virus makes a modification, so if someone deliberately spreads a virus on someone else's computer, that's a crime. Giving a virus to someone else isn't a crime if it's with his/her knowledge and permission, however. So, sending a diskette with a virus on it to an AV company, together with a note saying "There's a virus on this disk, please investigate it for me", is legal.

If an action is a crime, then encouraging that action can also be a crime ("incitement"). If you spread a virus unwittingly, then it isn't a crime, as you don't have "intent". If someone is negligent, and so spreads a virus (even unwittingly), then there could be a civil action for damages through negligence.

Further Information
-------------------

Computer Crime (Icove, Seger, Von Storch) - O'Reilly

Computer Law & Security Report (periodical) - Elsevier Advanced Technology

Dr. Alan Solomon includes information on Hacking and Virus Laws in the UK and elsewhere on his webpage at:
http://www.pcug.co.uk/~drsolly/

The ICSA has details on state computer crime laws:
http://www.icsa.net/icsalaws/

Try also:
http://www.law.cornell.edu/

-----------------------------------------------------------------------
End of a.c.v.
FAQ Part 3 of 4

=======================================================================

[alt.comp.virus] FAQ Part 4/4
From: George Wenzel
Newsgroups: alt.comp.virus,comp.virus,alt.answers,comp.answers,news.answers
Date: 23 Mar 2000 20:09:08 GMT
Archive-name: computer-virus/alt-faq/part4
Posting-Frequency: Fortnightly
URL: http://www.sherpasoft.org.uk/acvFAQ/
Maintainer: Co-maintained by David Harley, Bruce Burrell, and George Wenzel

alt.comp.virus (Frequently Asked Questions)
*******************************************

Version 1.1 : Part 4 of 4
Last modified 19th August 1999

ADMINISTRIVIA
=============

Disclaimer
----------

This document is an honest attempt to help individuals with computer virus-related problems and queries. It can *not* be regarded as being in any sense authoritative, and has no legal standing. The authors accept no responsibility for errors or omissions, or for any ill effects resulting from the use of any information contained in this document.
You should not assume that all or any information in this document is up-to-date. Not all the views expressed in this document are those of the maintainers, and those views which *are* those of the maintainers are not necessarily shared by their respective employers.

Copyright Notice
----------------

Copyright on all contributions to this FAQ remains with the authors and all rights are reserved. It may, however, be freely distributed and quoted - accurately, and with due credit. It may not be reproduced for profit or distributed in part or as a whole with any product or service for which a charge is made, except with the prior permission of the copyright holders. To obtain such permission, please contact one of the co-maintainers of the FAQ:

David Harley
George Wenzel
Bruce Burrell

[Please check out the more detailed copyright notice at the beginning of part 1 of the FAQ]

--------------------------------------------------------------------------

TABLE OF CONTENTS
*****************

See Part 1 of this FAQ for the full Table of Contents

Part 4
------

(14) Miscellaneous

    Are there anti-virus packages which check zipped/archived files?
    What's the genb/genp virus?
    Where do I get VCL and an assembler, & what's the password?
    Send me a virus.
    It said in a review.....
    Is it viruses, virii or what?
    Where is alt.comp.virus archived?
    What about firewalls?
    Viruses on CD-ROM.
    Removing viruses.
    Can't viruses sometimes be useful?
    Do I have a virus, and how do I know?
    What should be on a (clean) boot disk?
    How do I know I have a clean boot disk?
    What other tools might I need?
    What are rescue disks?
    Are there CMOS viruses?
    How do I know I'm FTP-ing 'good' software?
    What is 386SPART.PAR?
    Can I get a virus to test my antivirus package with?
    When I do DIR | MORE I see a couple of files with funny names...
    Reasons NOT to use FDISK /MBR
    Why do people write/distribute viruses?
    Where can I get an Anti-Virus policy?
    Are there virus damage statistics?
    What is ICSA approval?
    What language should I write a virus in?
    No, seriously, what language are they written in?
    [DRD], Doren Rosenthal, the Universe and Everything
    What are CARO and EICAR?

-------------------------------------------------------------------

(14) Miscellaneous
==================

Are there anti-virus packages which check zipped/archived files?
----------------------------------------------------------------

More and more anti-virus programs are scanning within zipped, packed, or archived files. The specific archive formats supported will vary from product to product - check with the makers of the product for details. Some products will check recursively within archives, meaning they will scan (for example) a zip file within an arj file within another zip file, and so on.

Scanning within zipped files is beneficial when scanning newly-downloaded files, but it is simply a convenience - a product that supports more archive formats may not be better suited to your needs, especially if you never use files archived with those formats. Products that scan lots of archive types are generally most useful for people who run software archives or other large collections of zipped/archived files.

What's the genb/genp virus?
---------------------------

This is McAfee-ese for "You may have an unrecognised ('generic') boot-sector (genb) or partition-sector (genp) virus". Re-check with a more recent version, or with the latest version of another reputable package.

Where do I get VCL and an assembler, & what's the password?
-----------------------------------------------------------

Wrong FAQ. You don't learn anything about viruses, programming or anything else from virus toolkits. You want rec.knitting. B-) I can't believe there's anyone left on the Internet who doesn't know the VCL password, but I'm not going to tell you anyway.

OK, maybe you want an assembler to learn assembly language, not just to rehash prefabricated code. Where do you get TASM?
You buy it from Borland or one of their agents, either stand-alone or with one of their high-level languages. If you want freeware or shareware, I guess you can still get the likes of CHASM and A86 (SimTel mirror sites in SimTel/asm).

Send me a virus
---------------

Anti-virus researchers don't usually share viruses with people they can't trust. Pro-virus types are often unresponsive to freeloaders. And why would you *trust* someone who's prepared to mail you a virus, bona-fide or otherwise? [A high percentage of the 'viruses' available over the internet are non-replicating junk.]

Requests for viruses by people 'writing a new anti-virus utility' are usually not taken too seriously.

* We get rather a lot of such requests, which leads to a certain amount of cynicism.

* Writing a utility to detect a single virus is one thing: writing a usable, stable, reasonably fast scanner which detects all known viruses is a considerable undertaking. There are highly experienced and qualified people working more or less full time on adding routines to do this to antivirus packages which are already mature, and unless you have a distinctly novel approach, you don't have much chance of keeping up with them.

* It may be that the research you're interested in has already been done. Say what sort of information you're looking for, and someone may be able to help.

* You can't afford to use junk 'viruses' for research, and the best collections are largely in the hands of people who won't allow access to them to anyone without cast-iron credentials.

If you want to test anti-virus software with live viruses, this is *not* the way to get good virus samples. Valid testing of antivirus software requires a lot of time, care and thought and a valid virus test-set. Virus simulators are unhelpful in this context: a scanner which reports a virus when it finds one of these is actually false-alarming, which isn't necessarily what you want from a scanner.
Read Vesselin Bontchev's paper on maintaining a virus library:
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/virlib.zip

There have been one or two requests for source code. Assuming you have the necessary knowledge of programming (especially x86 assembler) and the PC, this is probably the wrong approach, unless you're a serious antivirus researcher (in which case you need to sell yourself to the antivirus research community, and asking for viruses here isn't the way to earn their trust).

* How can you trust any source code you're sent? Antivirus researchers won't send it to you, so you have to rely on the goodwill of a virus writer or distributor: not always a good idea. Many so-called viruses picked up from CDs, VX websites etc. aren't viruses at all.

* Are you going to examine all known viruses? Or all those listed in the current WildList? If not, what are your selection criteria going to be? How will you tell an insignificant variant from a completely different virus type?

Your first task is to understand the general principles, and you won't get those from snippets of code. If you still need low-level analysis afterwards, you might like to try http://www.virusbtn.com/VirusInformation/ where you can find analyses (without source code) of a number of common viruses, analysed by experts.

It said in a review....
-----------------------

Reviews in the general computing press are rarely useful. Most journalists don't have the resources or the knowledge to match the quality of the reviews available in specialist periodicals like Virus Bulletin or Secure Computing. Of course, it's possible to produce a useful, if limited, assessment of a package without using live viruses, based on good knowledge of the issues involved (whether the package is ICSA-certified, for instance): unfortunately, most journalists are unaware of how little they know and have a vested interest in giving the impression that they know much more than they do.
Even more knowledgeable writers may not make clear the criteria applied in their review.

Is it viruses, virii or what?
-----------------------------

The Latin root of virus has no commonly used plural form. Since the use of the word virus is borrowed from biology, you might like to conform to the usage normally favoured by biologists, doctors etc., which is viruses. However, a number of people favour the terms virii/viri, either to avoid confusion with the biological phenomenon (but what's the point of distinguishing in the plural but not in the singular?), or to avoid being mistaken for anti-virus researchers.....

Bottom line: 'viruses' is the correct English plural for the singular 'virus'. Viri, virii, and so on are all slang.

Where is alt.comp.virus archived?
---------------------------------

It isn't, as far as anyone seems to know. No-one currently working on the FAQ is likely to offer archiving, since a full archive would include uploaded viruses. Tom Simondi points out that there is an archive of sorts at Dejanews. You can search for several months of messages by subject at:
http://www.deja.com/

What about firewalls?
---------------------

Firewalls don't generally screen for computer viruses, though some firewall products may allow for virus-scanning plug-ins. There are also "viruswalls" that scan for viruses at the Internet gateway. Some such products can scan incoming and outgoing e-mail attachments, ftp'd or http'd files etc. for viruses. MIMESweeper, for instance, uses your favourite scanner to check e-mail attachments after it has unpacked them into a quarantine area on the hard drive of the NT machine it runs on. Obviously, the on-demand scanner is an additional cost. MIMESweeper's content-filtering abilities go well beyond the detection of file viruses and trojans, which it delegates to that other software.

These products do real scanning before the mail hits the workstation hard drive, but make sure your mail attachments, WWW downloads etc.
can't be automatically executed, and use a good TSR/VXD in combination with a good on-demand scanner. Note that realtime virus scanning at the gateway can add a heavy network overhead and probably won't catch as many viruses as checking *all* files from *all* sources with a desktop scanner.

Current informed thinking tends to be that detection of viruses at the firewall is acceptable (1) if you can afford the additional hardware, software and latency (processing overhead), not to mention the hidden administrative overheads of configuration and policy for dealing with boundary conditions such as unusual 7-bit encoding formats, encrypted files etc., and (2) as long as you appreciate that it can only be supplementary to checking at the desktop, not a replacement.

Mail attachments, FTP and HTTP are more significant vectors for virus transmission than formerly, especially with the near-exponential boom in macro viruses, but other vectors (especially floppy disks) are still of vital concern. System administrators are attracted by the fact that it's easier to update server software than to control the use of scanning on individual workstations, but the fact remains that in most environments, until the desktop is adequately protected with good, up-to-date realtime (on-access) scanning and/or scheduled on-demand scanning, virus scanning at the perimeter is a semi-irrelevance.

For firewall-related information see the newsgroups comp.security and comp.security.firewalls or, if you don't mind your mail by the ton, the firewalls mailing-lists.
mailto: info@lists.gnac.net
http://lists.gnac.net/

Marcus Ranum's firewalls FAQ:
http://www.clark.net/pub/mjr/pubs/fwfaq/
http://www.interhack.net/pubs/fwfaq/

Books:
Firewalls and Internet Security - Repelling the Wily Hacker (Cheswick, Bellovin) - Addison-Wesley
Building Internet Firewalls (Chapman, Zwicky) - O'Reilly

Viruses on CD-ROM
-----------------

Viruses have been distributed on CD-ROM (for instance, Microsoft shipped Concept, the first in-the-wild macro virus, on a CD-ROM called "Windows 95 Software Compatibility Test" in 1995). It is wise to scan CD-ROMs on arrival for viruses, just like floppies. If the CD-ROM has compressed or archived files it is wise to scan it with an anti-virus package which can cope with large amounts of compressed and archived files. If you scan all drives at every boot, though, you may find that this gives you a good incentive to remove CDs from your CD drive before you power down, especially if your scanner isn't set to allow you to break out of a scan. B-)

Removing viruses
----------------

It is always better from a security point of view to replace infected files with clean, uninfected copies. However, in some circumstances this is not convenient. For example, if an entire network were infected with a fast-infecting file virus then it may be a lot quicker to run a repair with a reliable anti-virus product than to find clean backup copies of the files. It should also be realised that clean backups are not always available. If a site has been hit by Nomenklatura, for example, it may take a long time before it is realised that you have been infected. By that time the data in backups has been seriously compromised.

There are virtually no circumstances under which you should need to reformat a hard disk, however: in general, this is an attempt to treat the symptom instead of the cause. Likewise, re-partitioning with FDISK is unnecessary. If you use a generic low-level format program, i.e.
one which isn't specifically for the make and model of drive you actually own, you stand a good chance of trashing the drive more thoroughly than any virus yet discovered.

Can't viruses sometimes be useful?
----------------------------------

Vesselin Bontchev wrote a respected paper on this subject:
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/goodvir.zip

Fred Cohen has done some heavy-duty writing in the other direction. Start with "A Short Course on Computer Viruses" and "It's Alive!" (Wiley).

In general, it's hard to imagine a situation where (e.g.) a maintenance virus is the *only* option. I have yet to see a convincing example of a potentially useful virus which *needs* to be a virus. Such a program would have to be *much* better written and error-trapped than viruses usually are.

Do I have a virus, and how do I know?
-------------------------------------

Almost anything odd a computer may do can be (and has been) blamed on a computer "virus", especially if no other explanation can readily be found. In most cases, when an anti-virus program is then run, no virus is found. A computer virus can cause unusual screen displays, or messages - but most don't do that. A virus may slow the operation of the computer - but many times that doesn't happen. Even longer disk activity, or strange hardware behaviour, can be caused by legitimate software, harmless "prank" programs, or by hardware faults. A virus may cause a drive to be accessed unexpectedly (and the drive light to go on) - but legitimate programs can do that also.

One usually reliable indicator of a virus infection is a change in the length of executable (*.com/*.exe) files, a change in their content, or a change in their file date/time in the directory listing. But some viruses don't infect files, and some of those which do can avoid showing changes they've made to files, especially if they're active in RAM.
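The file-change indicator above is what an integrity checker automates: record the size, date/time and a hash of every executable while the system is known to be clean, and compare on a later run. The following is an added example written for this FAQ entry, not a tool the FAQ describes; the directory layout, the extension list in EXEC_EXTS and the files demo() creates are all constructed. The demo models the case the paragraph warns about, a file infector that appends to a program but puts the original date/time back, which a date-only check would miss but a hash catches. The other caveat carries over unchanged: a stealth virus active in RAM can lie to any program that asks the operating system for file sizes and contents, so both the baseline and each check should be taken after a clean boot.

```python
"""Integrity baseline for DOS-style executables: record size, date/time and
SHA-256 of every *.com/*.exe/*.sys file under a directory, then report
anything added, removed or changed on a later run.  Added example, not code
from the FAQ; the files created in demo() are constructed."""
import hashlib
import json
import os
import tempfile

EXEC_EXTS = (".com", ".exe", ".sys")   # assumption: what counts as "executable" here
FIXED_MTIME = 946684800                # 2000-01-01 00:00:00 UTC, used by demo() only


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> {size, mtime, sha256} for every executable under root.

    Run this only after a clean boot: a stealth virus active in memory can hide
    its changes from anything that asks DOS for sizes and contents."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXEC_EXTS):
                continue
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"size": st.st_size,
                         "mtime": int(st.st_mtime),
                         "sha256": file_digest(full)}
    return snap


def compare(baseline, current):
    """Diff two snapshots; 'changed' maps a path to the attributes that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in ("size", "sha256", "mtime")
                 if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(snap, path):
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline, then (1) append bytes to one program and
    restore its date/time, as a timestamp-preserving file infector would,
    (2) add a new executable, (3) delete another.  Returns the comparison."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            os.utime(path, (FIXED_MTIME, FIXED_MTIME))
            return path

        prog = write("DOS/PROG.EXE", b"MZ" + b"\x00" * 1022)   # constructed, not a real program
        write("DOS/UTIL.COM", b"\xC3" * 64)
        write("DOS/README.TXT", b"not an executable, so ignored")
        baseline_file = os.path.join(root, "baseline.json")
        save_baseline(snapshot(root), baseline_file)
        baseline = load_baseline(baseline_file)

        with open(prog, "ab") as f:
            f.write(b"\x90" * 512)                               # simulated appended code
        os.utime(prog, (FIXED_MTIME, FIXED_MTIME))               # date/time put back
        write("DOS/NEW.EXE", b"MZ" + b"\x00" * 100)
        os.remove(os.path.join(root, "DOS/UTIL.COM"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The baseline file belongs on the write-protected boot floppy alongside the checker, for the same reason the FAQ gives for the boot disk itself: a baseline that a virus can rewrite is no baseline.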
Another common indication of a virus infection is a change to interrupt vectors or the reassignment of system resources. Unaccounted use of memory, or a reduction in the amount normally shown for the system, may be significant.

In short, observing "something funny" and blaming it on a computer virus is less productive than scanning regularly for potential viruses, and not scanning because "everything is running OK" is equally inadvisable.

What should be on a (clean) boot disk?
--------------------------------------

A boot floppy is one which contains the basic operating system, so that if the hard disk becomes inaccessible, you can still boot the machine to attempt some repairs. All formatted floppies contain a boot sector, but only floppies which contain the necessary system files can be used as boot floppies. A clean boot disk is one which is known not to be virus-infected.

It's best to use a clean boot disk before routine scans of your hard disk(s). Some antivirus packages will refuse to run if there is a virus in memory. It is usually better, and sometimes mandatory, to disinfect a system without the virus in memory, and an undetected file virus may actually spread faster during a scan, since scanners normally open all executable files in all directories.

To make an emergency bootable floppy disk, put a disk in drive A: and type

    FORMAT A: /S

Be careful to avoid 'cross-formatting', i.e. formatting a double-density disk as high-density or vice versa, if your system allows this. (You should avoid this all the time, not just when creating a boot disk. I'd also recommend avoiding single-density and quad-density disks, and there may be problems writing to double-density 5.25" disks on a different machine to the one on which they were formatted, if one machine is an XT and the other an AT or better.)
You can also make a pre-formatted floppy into a boot disk by typing

SYS A:

I'd suggest you also COPY these commands from C:\DOS to it: ATTRIB, CHKDSK (or SCANDISK if you have DOS 6), FDISK, FORMAT, SYS, and BACKUP and RESTORE (or whatever backup program you use, if it will fit). They may come in handy if you can't access the hard disk, or it won't boot up.

You may be aware that if there is a problem with your boot sequence, you can boot from the hard disk on a DOS 6/7/Win95 system while bypassing AUTOEXEC.BAT and CONFIG.SYS. This is not as good as a clean floppy boot: it won't help at all if you have a boot sector/partition sector infector, or if any or all of the basic operating system files have been infected by a file virus.

The boot disk should have been created with the same version of DOS as you have on your hard disk. It should also include any drivers necessary to access your hard disk and other devices (such as a CD-ROM). If, for some reason, you can't obtain a clean boot disk with the same version of DOS, you can often get away with booting from a (clean) disk using a different version, though: indeed, there are viruses which exploit a bug in recent versions of MS-DOS which will prevent a clean boot from DOS versions 4-6. If you *do* use a different version, remember that you won't be able to use many of the standard DOS system utilities on the hard disk, which will simply return a message like 'Wrong DOS version' when you try to run them, and avoid the use of FORMAT or FDISK.

If you become virus-infected it can be very helpful to have a backup of your hard disk's boot sector and partition sector (also known as the MBR). Some anti-virus and disk utilities can do this.

Other useful tools to include are a small DOS-based text editor (for editing AUTOEXEC.BAT, CONFIG.SYS and so forth), a copy of the DOS commands COMP or FC (for comparing files), and FDISK and SYS (make sure they are from the same version of DOS as you are booting).
There is a school of thought that your boot disk should also include your anti-virus software. The problem with this is that anti-virus software should be updated frequently, and you may forget to update (and re-write-protect) your boot disk each time. Ideally you will have been sent a clean, write-protected copy of the latest version of your anti-virus software by your vendor/supplier.

If you want to use the DOS program EDIT, remember that you need both EDIT.* and QBASIC.* on the same disk.

When you have everything you need on your boot floppy and any supplementary floppies (see below), make sure they're all *write-protected*!

How do I know I have a clean boot disk?
- ---------------------------------------

You can't usually make up a clean boot disk on a system which has been booted from an infected floppy or hard disk. So how do you know you're booting clean? Actually, you can never be 100% sure. If you buy a PC with the system already installed, you can't be sure the supplier didn't format it with an infected disk. If you get a set of system disks, can you assume that Microsoft or the disk duplicator didn't somehow release a contaminated disk image? (Yes, something rather like this has indeed happened...) However, you can be better than 99% sure.

* If you have (and use) a reputable, up-to-date virus scanner, it will almost invariably detect a known virus in memory (scanners can't be relied on to detect an unknown virus, in memory or not). If a good scanner doesn't ring an alarm bell, you've *almost* certainly booted clean. What constitutes a good scanner is another question, however.

* If you have a set of original system disks which you received shrinkwrapped *and* which you've never used *or* which have only been used write-protected, you can probably use Disk 1 as a boot disk and it *probably* isn't infected - after all, Microsoft doesn't use MSAV for jobs like this.....
It has been reported, though, that DOS system disks have been distributed infected, and the fact that they're often distributed write-enabled doesn't inspire confidence.

* You could always contact the supplier of your most-trusted anti-virus utility and ask whether you can send them a boot floppy to check. Of course, even anti-virus gurus sometimes make mistakes, but a boot disk verified in this way would still be worth paying for, especially for organizations with mission-critical systems.

What other tools might I need?
- ------------------------------

Other suggestions have included a sector editor, and Norton Utilities components such as Disk Doctor (NDD). These are not suitable for use by the technically-challenged: any tool which can manipulate disks at a low level is potentially dangerous. If you do use tools like this, make sure they're good quality and up-to-date. If you attack a 1Gb disk with a package that thinks 32Mb is the maximum for a partition and MFM disk controllers are leading edge, you're in for trouble....

A copy of PKZIP/PKUNZIP or a similar compression/decompression utility may be useful both for retrieving data and for cleaning (some) stealth viruses.

The MSD diagnostic tool supplied with recent versions of DOS and Windows is a useful addition. Heavy-duty diagnostic packages like CheckIt! may be of use. There are some useful shareware/freeware diagnostic packages, too. Obviously, these are not all going to go on one boot disk. When you prepare a toolkit like this, make sure *all* the disks are write-protected!

Tech support types are likely to find that an assortment of bootable disks including various versions of DOS comes in useful on occasion. If you have one or two non-Microsoft DOS versions (DR-DOS/Novell DOS or PC-DOS), they can be a useful addition. DoubleSpaced or similar drives will need DOS 6.x; Stacked drives will need appropriate drivers loaded.
My understanding of the copyright position is that Microsoft does not encourage you to *distribute* bootable disks (even if they contain only enough files to minimally boot the system) *unless* the target system is loaded with the same version of MS-DOS as the boot floppy. Support engineers will need to ensure that they are legally entitled to all DOS versions for which they have bootable disks.

What are rescue disks?
- ----------------------

Many antivirus and disk repair utilities can make up a (usually bootable) rescue disk for a specific system. This needs a certain amount of care and maintenance, especially if you make up more than one of these for a single PC with more than one utility. Make sure you update *all* your rescue disks when you make a significant change, and that you understand what a rescue disk does and how it does it before you try to use it. Don't try to use a rescue disk made up on one PC on another PC, unless you're very sure of what you're doing: you may lose data.

Are there CMOS viruses?
- -----------------------

Although a virus CAN write to (and corrupt) a PC's CMOS memory, it can NOT "hide" there. The CMOS memory used for system information (and backed up by battery power) is not "addressable", and requires Input/Output ("I/O") instructions to be usable. Data stored there are not loaded from there and executed, so virus code written to CMOS memory would still need to infect an executable program in order to load and execute whatever it wrote. A virus could use CMOS memory to store part of its code, and some tamper with the CMOS Setup's values. However, executable code stored there must first be moved to DOS memory in order to be executed. Therefore, a virus can NOT spread from, or be hidden in, CMOS memory. No known viruses store code in CMOS memory.

There are also reports of a trojanized AMI BIOS - this is not a virus, but a 'joke' program which does not replicate.
The malicious program is not on the disk, nor in CMOS, but was directly coded into the BIOS ROM chip on the system board by a rogue programmer at American Megatrends Inc., the manufacturers. If the date is the 13th of November, it stops the bootup process and plays 'Happy Birthday' through the PC speaker. In this case, the only cure is a new BIOS (or motherboard) - contact your dealer. The trojanized chip run was BIOS version M82C498 Evaluation BIOS vs. 1.55 of 04-04-93, according to Jimmy Kuo's "What is NOT a virus" paper.

From time to time there are reports from Mac users that the message 'welcome datacomp' appears in their documents without having been typed. This appears to be the result of using a trojanised 3rd-party Mac-compatible keyboard with this 'joke' hard-coded into the keyboard ROM. It's not a virus - it can't infect anything - and the only cure is to replace the keyboard.

How do I know I'm FTP-ing 'good' software?
- ------------------------------------------

Reputable sites like SimTel and Garbo check uploaded utilities for viruses before making them publicly available. However, it makes sense not to take anything for granted. I'm aware of at least one instance of a virus-infected file being found on a SimTel mirror: you can't scan a newly-uploaded file for a virus your scanner doesn't know about. Good A/V packages include self-checking code, though it's unsafe to depend even on this 100%. Be paranoid: you know it makes sense....

In general, don't run *anything* downloaded from the Internet, BBSs etc. until it's been checked with at least one reputable and up-to-date antivirus scanner.

What is 386SPART.PAR?
- ---------------------

People are sometimes alarmed at finding they have a hidden file with this name. It is, in fact, created by Windows 3.x when you configure it to use a permanent swap file (a way of allowing Windows to work as if you had more memory than you really do). On no account should you delete it, as it will upset your configuration.
If you wish to remove it or adjust the size, do so via the 386 Enhanced setting in Control Panel. However, a permanent swap file usually improves performance on a machine with relatively little memory. The file is not executable as such, and reports of virus infection are usually false positives.

Can I get a virus to test my antivirus package with?
- ----------------------------------------------------

Well, I won't send you one...

Most packages have some means of allowing you to trigger a test alert. There is a standard EICAR test file which is recognized by some packages. Most reputable, current anti-virus products will now alert on the EICAR anti-virus test file. See the following site for background on this file:

http://www.eicar.org/

To make use of the EICAR test string, type or copy/paste the following text into a file called EICAR.COM, or TEST.COM or whatever.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Running the file displays the text "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".

The EICAR file isn't an indication of a scanner's -efficiency- at detecting viruses, since (1) it isn't a virus and (2) detecting a single virus or non-virus isn't a useful test of the number of viruses detected. It's a (limited) check on whether the program is installed, but I'm not sure it's a measure of whether it's installed correctly. For instance, the fact that a scanner reports correctly that a file called EICAR.COM contains the EICAR string doesn't tell you whether it will detect macro viruses, for example. In fact, if I wanted to be really picky, I'd have to say that it doesn't actually tell you anything except that the scanner detects the EICAR string in files with a particular extension.

The string is supposed to trigger an alarm only when detected at the beginning of the file. Some products are known to 'false alarm' by triggering on files which contain the string elsewhere.
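The "beginning of the file" rule and the false-alarm behaviour just described can be shown side by side. The Python below is an added example, not code from the FAQ or from EICAR: strict_match() applies the rule the FAQ states, naive_match() is the substring approach behind the false alarms, and the sample files are constructed in memory. The size limit and trailing-whitespace allowance are eicar.org's own tolerances for the test file, as I understand them; the string is assembled from two halves so that this script itself does not start with it.

```python
"""Added example (not from the FAQ or EICAR): matching the EICAR test string
only at the start of a file, versus anywhere in it.

Nothing is written to disk; the test string lives in memory and is split in
two so that products which substring-match (the false alarm the FAQ mentions)
have no whole copy of it in this source file.
"""

# The 68-byte EICAR string in two halves (the FAQ quotes it whole).
EICAR_HEAD = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
EICAR_TAIL = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR = EICAR_HEAD + EICAR_TAIL
# eicar.org's stated tolerance: trailing whitespace is allowed, but the whole
# file must not exceed 128 bytes.
MAX_TEST_FILE_LEN = 128


def strict_match(data: bytes) -> bool:
    """Alert only if the string sits at offset 0, the rest is whitespace, and
    the file is within the size limit. This is the behaviour the FAQ expects."""
    if len(data) > MAX_TEST_FILE_LEN or not data.startswith(EICAR):
        return False
    return data[len(EICAR):].strip(b" \t\r\n") == b""


def naive_match(data: bytes) -> bool:
    """Substring search anywhere in the file: the source of the false alarms."""
    return EICAR in data


def scan(samples: dict) -> dict:
    """Run both matchers over {name: bytes}; returns {name: {"strict": bool, "naive": bool}}."""
    return {name: {"strict": strict_match(d), "naive": naive_match(d)}
            for name, d in samples.items()}


def constructed_samples() -> dict:
    """Constructed inputs: a proper test file, one with trailing CRLF, a text
    note that merely quotes the string, an oversized file, and a harmless
    (constructed) tiny DOS program."""
    return {
        "EICAR.COM": EICAR,
        "EICAR_CRLF.COM": EICAR + b"\r\n",
        "NOTES.TXT": b"The FAQ says the test string is:\r\n" + EICAR + b"\r\nDon't panic.\r\n",
        "PADDED.COM": EICAR + b"\x00" * 100,  # 168 bytes: over the 128-byte limit
        "HELLO.COM": b"\xb4\x09\xba\x08\x01\xcd\x21\xc3Hi$",
    }


if __name__ == "__main__":
    for name, verdict in scan(constructed_samples()).items():
        print(f"{name:15} strict={verdict['strict']!s:5} naive={verdict['naive']}")
```

A scanner that flags NOTES.TXT here is exhibiting exactly the false alarm the FAQ describes, and a test file that fails strict_match() (PADDED.COM) is not a valid EICAR file, so a missed alert on it proves nothing about the product.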
[I have Chengi Jimmy Kuo's permission to reproduce the following, apropos of the paragraph above on what the EICAR file does and does not test]:

"The purpose of the EICAR test file is for the user to test all the bells and whistles associated with detecting a virus. And, if given that one platform detects it, is everything else working? It is to enable such things as: Is the alert system working correctly? Does the beeper work? Does the network alert work? Does it log correctly? What does it say? Is the NLM working? For inbound? For outbound? Is compressed file scanning working? Surprise MIS testing of AV security placements.

The file serves no purpose in testing whether one product is better than another. Previously, every product had to supply its own test methods. This allows for an independent standard."

When I do DIR | MORE I see a couple of files with funny names...
- ----------------------------------------------------------------

Actually, this is in the Virus-L FAQ. Read that and post the question to comp.virus or alt.comp.virus if you're still worried. Basically, the answer is that MORE creates a couple of temporary files, being considerably less efficient than the Unix utility it attempts to emulate. Most versions of DOS since the Middle Ages support the syntax DIR /P, which does the same job less messily. In fact, if you have a version of DOS later than 5, you might consider incorporating it into the environment variable DIRCMD, so that it becomes your default on directory listings which exceed one screenful. Of course, other utilities such as ATTRIB can also be filtered through MORE like this, which may result in similar symptoms.

- ------------------------------------------------------------

Reasons NOT to use FDISK /MBR
- -----------------------------

See Section 12 in part 2 of this FAQ for further information about FDISK with the undocumented /MBR switch.
However, people with virus problems are frequently advised, out of ignorance or maliciousness, to use this switch in circumstances where it can lead to an inability to access your disk drive and possible loss of data (not to mention hair and sanity). Essentially, you should avoid using FDISK /MBR unless you have it on good authority that it's safe and necessary to do so. In most circumstances, it's safer to clean a partition sector with a good anti-virus program.

You should avoid FDISK /MBR at all costs under the following circumstances:

1. Under an infection of viruses that don't preserve the partition table, e.g., Monkey, reported at 7.2% of the infections reported to _Virus Bulletin_ for December '95, the last report for which I have data
2. Under an infection that encrypts data on the hard drive and keeps the key in the MBR, e.g., One_half, reported at 0.8% worldwide
3. When security software, e.g., PC-DACS, is in use
4. When a driver like Disk Manager or EZDrive is installed
5. When a controller that stores data in (0,0,1) is in use
6. When more than one BSI virus is active, in some conditions
7. When a data diddler is active, e.g. Ripper, accountable for 3.8% of the infections reported in the study cited above (N.B.: while this case won't be fixed by AV utilities, at least one will know why there are problems with the drive)

- ------------------------------------------------------------

Why do people write/spread viruses?
- -----------------------------------

From postings which have appeared in alt.comp.virus in the past:

* they don't understand or prefer not to think about the consequences for other people
* they simply don't care
* they don't consider it to be their problem if someone else is inconvenienced
* they draw a false distinction between creating/publishing viruses and distributing them
* they consider it to be the responsibility of someone else to protect systems from their creations
* they get a buzz, acknowledged or otherwise, from vandalism
* they consider they're fighting authority
* they like 'matching wits' with antivirus vendors
* it's a way of getting attention, getting recognition from their peers and their names (or at least that of their virus) in the papers and the Wild List
* they're keeping the antivirus vendors in a job

- ------------------------------------------------------------

Where can I get an anti-virus policy?
- -------------------------------------

There is some relevant material in the Virus-L FAQ document, but you'll need to do most of the work specific to your own environment. It's worth doing some general reading on security policies and getting the distinctions straight between policies, strategies, standards, procedures and protocols. I'm working on this in other contexts: some of that material may eventually seep back into here.

The ICSA have a Corporate Virus Prevention Policy disk/document which can be ordered via their web page (www.icsa.net) for around $20, or downloaded from CompuServe.

In the UK, the British Standards Institution have a Code of Practice for Information Security Management which includes virus management (BS7799). [It's not necessarily well-regarded by practitioners, though.]

BSI
389 Chiswick High Road
London W4 4AL

DTI (Dept. of Trade & Industry)
IT Security Policy Unit
151 Buckingham Palace Road
London SW1W 9SS

The Dr. Solomon's web page (www.drsolomon.com) has a paper on Guidelines for an Anti-Virus Policy by David Emm which is a reasonable starting point, though a comprehensive virus management policy is no small undertaking. The Dr. Solomon's page may be moved to the www.nai.com site in the near future, as Dr. Solomon's has been purchased by NAI.

- ------------------------------------------------------------

Are there virus damage statistics?
- ----------------------------------

Some, possibly even less reliable than the average survey on general security breaches. Why?

* Many reported virus incidents aren't, in fact, virus incidents, as many a PC support specialist will confirm. There is a tendency to attribute any PC anomaly to a virus among those who are not well acquainted with the virus arena. Unfortunately, this includes virtually the entire press corps and many security consultants. Also, some widely-used packages are noticeably prone to false alarms.
* Many actual virus incidents and other security breaches are not reported, due to the intervention of top management or Public Relations, out of fear of losing competitive advantage because of being perceived as badly-managed and insecure.
* Many other virus incidents and security breaches aren't reported because they're simply not recognised as such, or at all.
* There are no standards for reporting and assessing damage from viruses and other security breaches. Take the case of Christopher Pile (the Black Baron), who was convicted in the UK under the Computer Misuse Act: I have seen estimates in the UK press of the damage sustained by the company most affected by the viruses Pile spread ranging from £40,000 to £500,000, and this is an unusually well-documented incident. How can the average survey respondent be expected to make an accurate assessment?

The trouble is, there's a lot more to 'damage' than the figures estimated for a particular outbreak.
Cost of maintaining virus protection:
  Training and maintaining a response team
  Management costs
  Cost of software licences
  Cost in time/productivity/money of maintaining upgrades etc.
  Formulating and enforcing policy
  Educating users in the issues and good hygienic practice
  Cost in time of routine anti-virus measures
  Cost in money and time of servicing false alarms
  Cost of sheepdip systems
  Cost of having part-time A/V people taking time off from their 'real' jobs
  Alternatively, the cost of having full-time A/V personnel
  Cost of tracking the product market, technological changes
  Formulating and enforcing a backup policy
  Development of protective systems
  Resource utilisation by undetected viruses

Cost of specific outbreaks:
  Loss of productivity
  Workstation/server downtime
  Damage to reputation of the organization
  Damage to involved personnel
  Psychological damage - witch hunts
  Damage limitation
  Time spent cleaning up, examining floppies etc.
  Restoration of backups/reinstallation
  Replacing unrecoverable data
  Time and money spent increasing virus protection.....

However, the Poor Bloody Infantry often have to spend time and effort persuading the Generals of the need to expend money on ammunition. You might care to check out:

* The Information Security Breaches Survey 1996 [UK]
  [National Computing Centre, ICL, ITSEC, Dept. of Trade & Industry]
  NCC
  Oxford House
  Oxford Road
  Manchester M1 7ED
  (voice) +44 (0) 161 228 6333
  (fax) +44 (0) 161 242 2171
  enquiries@ncc.co.uk
  http://www.ncc.co.uk/

  This came up with the highly suspect but much quoted average of about £4000 per virus incident.

* Computer Virus & Security Survey 1995 [Ireland]
  [Price Waterhouse, Priority Data Systems]
  Price Waterhouse
  Wilton Place
  Dublin 2
  (353 1) 6606700

++Added August 18th.
* ICSA have published surveys for some years. The 1999 survey is the best to date.

- ------------------------------------------------------------

What is ICSA Approval?
- ----------------------

The ICSA has a certification program for PC virus scanners which offers a measure of the detection capabilities of specific versions. In the past, ICSA's modus operandi was the subject of much scepticism within the antivirus community, but the current procedures are much improved (not perfect, but nothing is).

The specific criteria are available at:

http://www.icsa.net/services/consortia/anti-virus/certification.shtml

A list of the certified products is available at:

http://www.icsa.net/services/consortia/anti-virus/certified_products.shtml

The ICSA sponsors an Anti-Virus Product Developers consortium. The ICSA and consortium members have created standards for anti-virus products, and the ICSA Anti-virus lab in Carlisle tests new versions of scanners that are submitted to it and issues an "NCSA Approved" seal for those products which pass the test. For more information about the NCSA or for links to the members of the AVPD consortium:

http://www.icsa.net/

- ------------------------------------------------------------

What language should I write a virus in?
- ----------------------------------------

Choose your own squelch:

* ANSI COBOL
* LOGO
* Karel the Robot
* PL/I
* dBase II
* Get a life
* Or my personal favourite (thanks, Bruce!): "Hey, man; where can I get a copy of Visual English to write some hot new virii?!?"

If you need to ask this question, you'd be better off collecting tazos than trying to write viruses.

No, seriously, what language are they written in?
- -------------------------------------------------

The simple answer is "Assembler, mostly (on the PC)". High-level languages such as C and Pascal are sometimes used, as are various flavours of command shells on various systems (Unix shell scripts, DCL scripts etc.). Macro viruses are written in macro languages, surprisingly.......
B-)

[DRD], Doren Rosenthal, the Universe and Everything
- ---------------------------------------------------

Doren Rosenthal offers a shareware utilities suite including a virus simulator. Many of the AV pros in this group have a low opinion of the Rosenthal utilities, regard their author as more of a virus writer than an anti-virus researcher, and are annoyed by his habit of offering his utilities as a solution for problems to which their relevance is not always obvious. As discussions on Rosenthal-related topics sometimes generate much heat and bandwidth, some people have taken to adding [DRD] to the subject header when posting to these threads, to make it easier to avoid them.

What are CARO and EICAR?
- ------------------------

CARO - Computer Anti-Virus Research Organisation. An invitation-only group of techie researchers, mostly representing AV vendors. CARO approves 'standard' names for viruses. Some people tend to mistrust the fact that CARO members often share virus samples: however, CARO membership is a convenient yardstick by which other members can judge whether an individual can be trusted with samples. In general, users at large benefit: this way, AV vendors with CARO members can include most known viruses in their definitions databases.

EICAR - European Institute for Computer AntiVirus Research. Membership comprises academic, commercial, media, governmental organisations etc., with experts in security, law etc., combining in the pursuit of the control of the spread of malicious software and computer misuse. Membership is more open, but members are expected to subscribe to a code of conduct. And yes, this is the origin of the EICAR test file. EICAR has a web page at http://www.eicar.org/

- ------------------------------------------------------------------

End of a.c.v. FAQ Part 4 of 4