++ Maintenance of this FAQ is now shared between the following:
George will do the real work, like making sure the darn thing is posted regularly and organizing archiving, posting automagically etc., keeping an eye on whether URLs are still current etc. Bruce and I will concentrate on doing what we do best: Bruce will keep an eye open for sloppy grammar and general imprecision; I'll sit here claiming credit for the work of others and make the final decision in the event of any contention. All three of us will refer to ourselves as "co-maintainer" rather than "maintainer".
Any of us may choose to suggest edits, additions and subtractions to/from the FAQ, but, with effect from the next revision, all edits will be agreed between the three of us before inclusion in the FAQ. If anyone else wishes to contribute a suggestion, alteration or addition, they can send it to any or all of the above, and it will be used subject to the agreement of all three of us.
For the present, the authoritative version of the FAQ remains the one at http://webworlds.co.uk/dharley/. Administration of the <Guide to AntiVirus FAQs> and the <Viruses and the Macintosh> FAQ remains with David Harley alone.
This document is an honest attempt to help individuals with computer virus-related problems and queries. It can not be regarded as being in any sense authoritative, and has no legal standing. The authors accept no responsibility for errors or omissions, or for any ill effects resulting from the use of any information contained in this document.
Not all the views expressed in this document are mine, and those views which are mine are not necessarily shared by my employer.
It may not be reproduced for profit or distributed in part or as a whole with any product for which a charge is made, except with the prior permission of the copyright holders. To obtain such permission, please contact one of the co-maintainers of the FAQ.
(1)
Thanks to the efforts of Ed Fenton, the FAQ is now available as a hypertext electronic document (DOS). This will be available from ftp.gate.net (see below).
A number of individuals and sites have agreed to make it available via anonymous FTP and/or WWW. These include:
I recommend that you read this FAQ in conjunction with the comp.virus (VIRUS-L)FAQ, which gives more detailed information regarding some issues which are, inevitably, covered in both FAQs.
The VIRUS-L/comp.virus FAQ is regularly posted to the comp.virus newsgroup. The latest version should be available as:
A very terse mini-FAQ maintained by George Wenzel is posted more or less daily to alt.comp.virus. I am now regularly posting a guide to virus-related FAQs (contact details and digest of contents), which I plan to extend to other security areas eventually, as a supplement to this FAQ. Both these resources will eventually be available by FTP/WWW.
Thanks also to ked@intac.com (aka Phreex), who mailed me a copy of the FAQ he posted to a.c.v. some months before this one was begun, David J. Loundy for assistance regarding legal issues, and to Nick FitzGerald, the moderator of comp.virus and maintainer of the Mk. II comp.virus FAQ. And especially to George Wenzel and Lucky the Cat.
Don't just ask "I've got xyz virus, can anyone help me".
If you think you may have a virus infection, stay calm. Once detected, a virus will rarely cause (further) damage, but a panic action might. Bear in mind that not every one who thinks s/he has a virus actually does (and a well-documented, treatable virus might be preferable to some problems!). Reformatting your hard disk is almost certainly unnecessary and very probably won't kill the virus.
If you've been told you have something exotic, consider the possibility of a false alarm and check with a different package.
If you have a good antivirus package, use it. Better still, use more than one. If there's a problem with the package, use the publisher's tech support and/or try an alternative package. If you don't have a package, get one (see section on sources below). If you're using Microsoft's package (MSAV) get something less out-of-date.
Follow the guidelines below as far as is practicable and applicable to your situation.
Try to get expert help before you do anything else. If the problem is in your office rather than at home there may be someone whose job includes responsibility for dealing with virus incidents.
Follow the guidelines below as far as is practicable and applicable.
BSI - Boot Sector Infector (= BSV - Boot Sector Virus)
BIOS - Basic Input Output System
CMOS - Memory used to store hardware configuration information
DBR - DOS Boot Record
DBS - DOS Boot Sector
False Positive - When an antivirus program incorrectly reports a virus in memory or infecting a file. Scanners in heuristic mode and integrity checkers are, by definition, somewhat more prone to these.
False Negative - Essentially, a virus undetected by an antivirus program.
In-the-wild - describes viruses known to be spreading uncontrolled to real-life systems, as opposed to those which exist only in controlled situations such as anti-virus research labs. Virus code which has been published but not actually found spreading out of control is not usually regarded as being in-the-wild.
MBR - Master Boot Record (Partition Sector)
TSR - A memory-resident DOS program, i.e one which remains in memory while other programs are running. A good TSR should at least detect all known in-the-wild viruses and a good percentage of other known viruses. Generally, TSRs are not so good with polymorphic viruses, and should not be relied on exclusively.
vx - Those who study, exchange and write viruses, not necessarily with malicious intentions (So I'm frequently told here...) B-)
VxD - A Windows program which can run in the background. A scanner implemented as a VxD has all the advantages of a DOS TSR, but can have additional advantages: for instance, a good VxD will scan continuously and for all the viruses detected by a command-line scanner.
Zoo - suite of viruses used for testing.
Here are some commonly referred to anti-virus packages, including acronyms (hence their inclusion in this section). [Suggestions for expansion are, again, welcomed.]
Most viruses are comparatively harmless, and may be present for years with no noticeable effect: some, however, may cause random damage to data files (sometimes insidiously, over a long period) or attempt to destroy files and disks. Others cause unintended damage. Even benign viruses (apparently non-destructive viruses) cause significant damage by occupying disk space and/or main memory, by using up CPU processing time, and by the time and expense wasted in detecting and removing them.
A Trojan Horse is a program intended to perform some covert and usually malicious act which the victim did not expect or want. It differs from a destructive virus in that it doesn't reproduce, (though this distinction is by no means universally accepted).
A dropper is a program which installs a virus or Trojan, often covertly.
A worm is a program which spreads (usually) over network connections. Unlike a virus, it does not attach itself to a host program. In practice, worms are not normally associated with personal computer systems. There is an excellent and considerably longer definition in the Mk. 2 version of the Virus-L FAQ.
(The following is a slightly academic diversion)
A lot of bandwidth is spent on precise definitions of some of the terms above. I have Fridrik Skulason's permission to include the following definition of a virus, which I like because it demonstrates most of the relevant issues.
#1 A virus is a program that is able to replicate - that is, create (possibly modified) copies of itself.#1 is the main definition, which distinguishes between viruses and Trojans and other non-replicating malware.#2 The replication is intentional, not just a side-effect.
#3 At least some of the replicants are also viruses, by this definition.
#4 A virus has to attach itself to a host, in the sense that execution of the host implies execution of the virus.
#2 is necessary to exclude for example a disk-copying program copying a disk, which contains a copy of itself.
#3 is necessary to exclude "intended" not-quite-viruses.
#4 is necessary to exclude "worms", but at the same time it has to be broad enough to include companion viruses and .DOC viruses.
Boot sector viruses alter the program that is in the first sector (boot sector) of every DOS-formatted disk. Generally, a boot sector infector executes its own code (which usually infects the boot sector or partition sector of the hard disk), then continues the PC bootup (start-up) process. In most cases, all write-enabled floppies used on that PC from then on will become infected.
Multipartite viruses have some of the features of both the above types of virus. Typically, when an infected file is executed, it infects the hard disk boot sector or partition sector, and thus infects subsequent floppies used or formatted on the target system.
The following virus types are more fully defined in the comp.virus FAQs (see preamble):
POLYMORPHIC VIRUSES - viruses that cannot be detected by searching for a simple, single sequence of bytes in a possibly-infected file, since they change with every replication.
COMPANION VIRUSES - viruses that spread via a file which runs instead of the file the user intended to run, and then runs the original file. For instance, the file MYAPP.EXE might be 'infected' by creating a file called MYAPP.COM. Because of the way DOS works, when the user types MYAPP at the C> prompt, MYAPP.COM is run instead of MYAPP.EXE. MYAPP.COM runs its infective routine, then quietly executes MYAPP.EXE. N.B. this is not the only type of companion (or 'spawning') virus.
ARMOURED VIRUSES - viruses that are specifically written to make it difficult for an antivirus researcher to find out how they work and what they do.
A file virus infects other files when the program to which it is attached is run, and so can spread across a network (often very quickly). They may be spread from the same sources as boot sector viruses, but also from sources such as Internet FTP sites and bulletin boards. (This applies also to Trojan Horses.)
A multipartite virus infects boot sectors and files. Often, an infected file is used to infect the boot sector: thus, this is one case where a boot sector infector could spread across a network.
One sensible setting to make (if your CMOS allows) is to adjust the boot sequence of your PC. Changing the default boot-up drive order from A: C: to C: will mean that the PC will attempt to boot from drive C: even if a floppy disk has been left in drive A:. This way boot sector virus infection can often be avoided. Remember, however, to set your CMOS back temporarily if you ever do want to boot clean from floppy (for example, when running a cryptographical checksummer after a cold boot).
SCSI controllers have their own BIOS. On some systems, this will override the boot sequence set in CMOS. It's always a good idea to check with a (known clean) bootable floppy after you've disabled floppy booting that it really is disabled. I don't think it's necessary to use the Rosenthal Simulator to do this, thank you, Doren.
TSR scanner - a TSR (memory-resident program) that checks for viruses while other programs are running. It may have some of the characteristics of a monitor and/or behaviour blocker.
VxD scanner - a scanner that works under Windows or perhaps under Win 95, or both), which checks for viruses continuously while you work.
Heuristic scanners - scanners that inspect executable files for code using operations that might denote an unknown virus.
Monitor/Behaviour Blocker - a TSR that monitors programs while they are running for behaviour which might denote a virus.
Change Detectors/Checksummers/Integrity Checkers - programs that keep a database of the characteristics of all executable files on a system and check for changes which might signify an attack by an unknown virus.
Cryptographic Checksummers use an encryption algorithm to lessen the risk of being fooled by a virus which targets that particular checksummer.
Most of the people who post here have their favourites: if you just ask which is the best, you'll generally get either a subjective "I like such and such", recommendation of a particular product by someone who works for that company, or a request to be more specific about your needs. Some of us who are heavily involved with virus control favour using more than one package and keeping track of the market. Don't trust anything you read in the non-technical press. Don't accept uncritically reviews in the computing press, either: even highly-regarded IT specialists often have little understanding of virus issues, and many journalists are specialists only in skimming and misinterpreting. Magazines like Virus Bulletin and Secure Computing are much better informed and do frequent comparative reviews, and are also informative about their testing criteria, procedures and virus suites. Recently, a number of articles have been posted here by people who've run their own tests on various packages. These are often of interest, but should not be accepted uncritically. (No-one's opinion should be accepted uncritically!)
Valid testing of antivirus software requires a lot of care and thought, and not all those who undertake it have the resources, knowledge or experience to do it properly.
You may get a more informed response if you specify what sort of system you have - DOS, Windows, Win95? XT, AT, 386 or better? Is the system networked, and are you asking about protecting the whole network? (What sort of network?) Are you running NT, OS/2 or Win95, any of which involve special considerations? Be aware that there is more than one way of judging the effectiveness of a package - the sheer number of viruses detected; speed; tendency to false alarms; size (can you run it from a single floppy when necessary?); types of virus detection & prevention (not at all the same thing) offered (command-line scanning, TSR scanning, behaviour blocking, checksumming, access-control, integrity shell etc.); technical support etc.
One possible measure of a package's efficiency in terms of virus detection is NCSA approval. Under the current testing protocol, a scanner must detect all viruses on the Wild List plus 90% of NCSA's full test suite.
DOS packages available from SimTel etc. include
USA:-
There is some confusion at present regarding SimTel: you may find that some mirrors are still pointing to the Coast to Coast collection while others are pointing to SimTelnet (Walnut Creek).
Of course, such products can often be obtained direct from the publisher's WWW or FTP sites too.
There is a shareware program for Win95 called the Doctor.
Via anonymous ftp at:
There is a pretty comprehensive list of anti-virus developers at
Please note, I have not tested or even seen all the packages listed here, or all the contact data, come to that, and listing here does not imply recommendation (though I won't list anything I know is rubbish....).
DSAVTK (Dr Solomon's Anti-Virus ToolKit)
[DOS; DOS & Windows; DOS & Win95; NetWare; NT; OS/2; Unix; Mac]
Virus handling workshops.
Access-control, software audit and other packages.
F-Prot Pro (DOS, Windows 3.x, Win95, WinNT, NetWare)
There are two flavours, though I gather that Command Software and
Data Fellows are currently doing joint development.
Data Fellows Ltd.
f-prot@DataFellows.com
ftp://ftp.DataFellows.com
http://www.DataFellows.com
http://www.Europe.DataFellows.com
UK:
Portcullis (for Data Fellows) 44-181-868-0098
Command Software UK 44-171-259-5710
command@command.co.uk
More details inc. in ORDER-2.DOC, supplied with the shareware version. [The filename is now PRO.DOC in recent versions]
IBM AntiVirus:
McAfee Associates
[DOS, Windows, Win95, NetWare, Unix, Mac, NT]
NAV (Norton AntiVirus)
[DOS, Windows, Win95, Mac (SAM), NT, NetWare]
AntiViral Toolkit Pro
AVP LITE
Central Command Inc.
P.O. Box 856
Brunswick, Ohio 44212
Phone: 330-273-2820
FAX: 330-220-4129
BBS: 330-220-4036
WWW: www.command-hq.com/command
ftp: ftp.command-hq.com pub/command/avp
email: sales@command-hq.com support@command-hq.com
(2) Switzerland
E-Mail: info@avp.ch
WWW: http://www.avp.ch/
AVP Virus Encyclopedia: http://www.avp.ch/avpve/
AVP Updates & News: http://www.avp.ch/E/avp-news.htm
AVP Distributors List: http://www.avp.ch/E/distrib.htm
BBS: +41 (0)31 348 1331
FAX: +41 (0)31 348 1335
Sweep
Thunderbyte
Invircible
There is a growing tendency in the UK press to push InVircible as a one-fits-all solution which renders known-virus scanning obsolete, while Zvi Netiv and those who support his product have a tendency to promote it by attacking the better-known scanners as being a security risk. While my personal view is that there is a place for both known-virus scanning and generic solutions, I would suggest reading a couple of papers which take an opposing view before putting all your eggs in the InVircible basket.
http://www.primenet.com/~mwest/iv-toc.htm
http://www.primenet.com/~mwest/iv-bill.txt
Discussion on these issues has generated a great deal of heat and personal abuse. I have to advise caution when considering using a product whose proponents are apt to descend to mudslinging and unethical advertising practices.
Reflex Magnetics Ltd
Tel+44 (0)171 372 6666
Fax+44 (0)171 372 2507
BBS+44 (0)171372 2584
Email: sales@reflex-magnetics.co.uk
http://www.reflex-magnetics.co.uk/
Disknet access-control/virus control
Diskette duplication.
Security/Virus-control training.
Reflex Magnetics Ireland
NH&A
Microsoft (Macro Virus fixes)
There is a paper by Yisrael Radai which documents many of the problems
with MSAV.
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/msaveval.zip
ViruSafe, ViruSafe-95
They also maintain a Virus Hot Line via their WWW site or E-mail (virus@eliashim.co.il).
EliaShim, LTD.
Computer Security Specialists
5 Haganim st. Haifa 35022
ISRAEL
Tel: +972-4-8516111
Fax: +972-4-8528613
BBS: +972-4-8516113
Email: shimon@eliashim.co.il
URL: http://www.eliashim.com
VirusNet PC (DOS, Win3.x, Win95) - (File: VNPC.EXE)
VirusNet LAN (DOS, Win3.x, Win95, All Networks) - (File: VNLAN.EXE)
StopLight PC (DOS, Win3.x) - (File: SLELS.EXE)
StopLight for Win95 (Win95, Win3.x, DOS) - (File: Check Site)
StopLight for OS/2 (OS/2, Dual Boot to DOS and Win3.x) - (File: sltmos2.exe)
AntiVirus and security software evals and product updates are available from the Safetynet Web, FTP, BBS and CompuServe sites.
MIMESweeper (Mail scanning 'firewall')
US Office in Kirkland, WA.
Phone 206-889-4724.
Cybersoft
CyberSoft, Inc.
1508 Butler Pike
Conshohoken, Pennsylvania 19428-1322 USA
Voice: +1 (610) 825-4748
Fax +1 (610) 825-6785
Info@cyber.com
http://www.cyber.com
NetPro Computing
Products:
PC ScanMaster for Novell/Vines
Server ScanMaster for Banyan Vines
(Use McAfee VirusScan engine)
General Office: 602.941.3600
Sales: 800.998.5090
International Sales: 602.941.3630
DS Expert Info Line: 800.998.1550
Technical Support: 602.941.3670
FAX: 602.941.3610
On Line:
BBS: 602.941.3620
FTP: ftp.netpro.com
HTTP: www.netpro.com
e-mail: info@netpro.com or 70524,2670@compuserve.com
F/Win is a scanner which is intended as a supplement to your main scanner: it detects Windows/macro viruses. There is a shareware version available. More information at:
There is a comprehensive set of product reviews at:
Virus Bulletin comparative reviews are available from
Product reviews and other kewl stuff from Robert Slade:
There are links to just about every anti-virus site you ever heard of at
UK:
The Pavilions
1 Weston Road, Kiln Lane
Epsom
Surrey KT17 1JG
Toll Free: 0800 24 39 96 (UK only)
From France: 05 90 72 42
International: +44(0)181 974 5522
Fax: 011-441-372-741-441
Tech Support: 011-441-372-747-414
Japan:
Ontrack Data Recovery Japan
182 Shinkoh, Iruma,
Saitama, 358 Japan
Phone: 81 429 32-6365
Fax: 81 429 32-6370
Toll-Free From Japan: 0120-413-374
***NEW OFFICE***
Germany:
Ontrack Data Recovery GmbH
Hanns-Klemm-Strasse 5
71034 Boeblingen
Germany
Toll free: 0130.815.198
International: 011-49-7031-644-00
Fax: 011-49-7031-644-100
Compuserve: GO DATARECOVERY
W3: http:\\www.ontrack.com
Email: sales@ontrack.com
I'm now intermittently posting details of virus-related FAQs to alt.comp.virus. This will eventually be available by FTP/WWW and include other security resources.]
Search engine to check out documents in the following archives: VIRUS-L Forum, 40Hex Archives, Risks Forum, Privacy Forum, CERT Advisories, Internet RFCs, State Computer Crime Laws, The Telecom Privacy Digest, CIAC Advisories, Firewalls Digest.
http://www.datafellows.com/vir-info/ Data Fellows Virus Database
http://www.symantec.com/avcenter/vinfodb.html Symantec Virus Database
http://www.mcafee.com/support/techdocs/vinfo/#top McAfee Virus Database
also ftp://mcafee.com/pub/3rdparty/vsumx603.zip
[VSUM - not highly-rated for its accuracy]
There are also virus simulators, which are not quite the same thing. These are sometimes advocated as a means of testing antivirus packages, but there are dangers to this approach: after all, a package which detects one of these simulators as the virus it detects is, technically, false-alarming.
See section F6 of the Mark 2 Virus-L FAQ, which is rather good on types and uses of virus simulation.
Books which may be of use:
Computers Under Attack (ed. Denning) - Addison-Wesley
Aging, but some classic texts
Survivors' Guide to Computer Viruses (ed. Lammer) - Virus Bulletin
Uneven, but includes useful stuff from Virus Bulletin
Dr. Solomon's Virus Encyclopedia
You may from time to time find copies of an older edition
of this in bookshops, though it's better known as part of
Dr. Solomon's AntiVirus ToolKit. It's a pretty good guide
to some of the older viruses.
A Short Course on Computer Viruses (F. Cohen) - Wiley
By the man who 'invented' the concept of computer viruses.
Some aspects are controversial, but a good introduction to
his work.
Useful (but expensive) periodicals:
Computers and Security
Elsevier Advanced Technology
PO Box 150
Kidlington
Oxford
OX5 1AS
44 (0) 1865-843666
a.verhoeven@elsevier.co.uk
Secure Computing, though formerly associated with S&S International, who market Dr.Solomon's AntiVirus ToolKit and other security products, is now an independent organization. SC also has input from experts associated with various vendors and other organisations.
As a regular and reasonably knowledgeable reader of both publications, I'm personally satisfied that neither displays editorial bias, nor do I believe that either publication intentionally weights its methodology to the unfair advantage of an affiliated product [DH]
The Disaster Recovery Journal (more info & on-line articles)
There are around 35 Mac-specific viruses that I know of, though Apple are, I've heard, quoting 2-300 hundred. I don't know if these include every minor variant, hypercard infectors, trojans and macro viruses, but I'll try to find out. There are virtually no macro viruses which have a Mac-specific payload, but every one I know of can infect on Macs (and any other platform which runs Word 6.x or better).
The best single source of information on Mac viruses is the online help included in the freeware package Disinfectant, which can be obtained from
I've also noticed some Mac virus info at Symantec's web site (www.symantec.com).
Disinfectant is an excellent anti-virus package: however, it doesn't catch much in the way of hypercard infectors or trojans, nor does it detect Word 6 macro viruses. McAfee have a scanner for the Mac which is based on Disinfectant: version 2, however, includes detection of trojans, macro viruses etc. You can get a 30-day evaluation copy from
There are products which scan some Unix systems for PC viruses, though any machine used as a file server (Novell, Unix etc.) can be scanned for PC viruses by a DOS scanner if it can be mounted as a logical drive on a PC running appropriate network client software such as PC-NFS.
Intel-based PCs running Unix (e.g. Linux, 386BSD, SCO Unix etc.) can also be infected by a DOS boot-sector virus if booted from an infected disk. The same goes for other PC-hosted operating systems such as NetWare.
While viruses are not a major risk on Unix platforms, integrity checkers and audit packages are frequently used by system administrators to detect file changes made by other kinds of attack. However, Unix security is outside the scope of this FAQ (see comp.security.unix).
In fact, such packages generally target PC viruses more than the handful of Unix viruses.
CyberSoft sell products for a number of Unix platforms which include scanning (VFInd) and cryptographic integrity checking. Scanning includes PC, Mac and Amiga viruses.
[See also the Unix section in the Virus-L/comp.virus FAQ]
A useful book:
The macro viruses which are receiving attention currently are specific to Word 6/WordBasic and Excel: however, many applications, not all of them Windows applications, have potentially damaging and/or infective macro capabilities too.
One, now widespread, infects macros attached to Word 6.0 for Windows, Word 6.0.1 for Macintosh, Word 6.0 for Windows NT, and Word for Windows 95 documents.
What makes such a virus possible is that the macros are created by WordBASIC, a program language which links features used in Word to macros, and even allows DOS commands to be run.
This virus, named "Concept," has no destructive payload; it merely spreads, after a document containing the virus is opened, copying itself to other documents as they are saved, without affecting the contents of documents. However, other macro viruses have been discovered, and some of them contain destructive routines.
Microsoft suggests opening files without macros, to prevent macro viruses from spreading, unless the user can verify that the macros contained in the document will not cause damage. (This does NOT work for all macro viruses.)
For further info on macro viruses, you might like to try
Apparently, an e-mail message is being circulated that contains an attached archive file named AOLGOLD.ZIP. A README file that is in the archive describes it as a new and improved interface for the AOL online service. Note that there is no such program as AOLGOLD. Also, simply reading an e-mail message or even downloading an included file will not do damage to your machine. You must execute (or run) the downloaded file to release the Trojan and have it cause damage.You can get this and other CIAC notices from the CIAC Computer Security Archive.If you unzip the archive, you get two files: INSTALL.EXE and README.TXT. The README.TXT file again describes AOLGOLD as a new and improved interface to the AOL online service. The INSTALL.EXE program is a self-extracting ZIP archive. When you run the install program, it extracts 18 files onto your hard drive.
The Trojan program is started by running the INSTALL.BAT file. The INSTALL.BAT file is a simple batch file that renames the VIDEO.DRV file to VIRUS.BAT and then runs it. VIDEO.DRV is an amateurish DOS batch file that starts deleting the contents of several critical directories on your C: drive.
When the batch file completes, it prints a crude message on the screen and attempts to run a program named DoomDay.EXE. Bugs in the batch file prevent the DOOMDAY.EXE program from running. Other bugs in the file cause it to delete itself if it is run from any drive but the C: drive. The programming style and bugs in the batch file indicates that the Trojan writer appears to have little programming experience.
There have been at least two attempts to pass off Trojans as an upgrade to PKZip, the widely used file compression utility. A recent example was of the files PKZ300.EXE and PKZ300B.ZIP made available for downloading on the Internet. An earlier Trojan passed itself off as version 2.0. For this reason, PKWare have never released a version 2.0 of PKZip: presumably, if they ever do release another DOS version (unlikely, at this date, in my opinion), it will not be numbered version 3.0(0). In fact, there are hardly any known cases of someone downloading and being hit by this Trojan, which few people have seen (though most reputable virus scanners will detect it). As far as I know, this Trojan was only ever seen on warez servers (specialising in pirated software).
There are recorded instances of a fake PKZIP vs. 3 found infected with a real live in-the-wild file virus, but this too is very rare. To the best of my knowledge, the latest version of PKZip is 2.04g, or 2.50 for Windows.
+++ There was a version 2.06 put together specifically for IBM internal use only (confirmed by PKWare). If you find it in circulation, avoid it. It's either illicit or potentially damaging.
The recent rash of resuscitated warnings about this is at least in part a hoax. It's not a virus, it's a trojan. It doesn't (and couldn't) damage modems, V32 or otherwise, though I suppose a virus or trojan might alter the settings of a modem - if it happened to be on and connected.... I don't want to get into hypothetical arguments about programmable modems right now. It appears to delete files, not destroy disks irrevocably.
It's certainly a good idea to avoid files claiming to be PKZip vs. 3, but the real risk hardly justifies the bandwidth this alert has occupied over the last year or so.
There are rarely enquiries about viruses on other computing platforms raised in alt.comp.virus, but there is some information concerning viruses on most platforms available at the Virus Test Center in Hamburg.
CIAC have now set up a hoaxes web page at:
-----------------extract-------------------------------
INFORMATION BULLETIN
H-05 Internet Hoaxes: PKZ300, Irina,
Good Times, Deeyenda, Ghost
November 20, 1996 16:00 GMT
PROBLEM: This bulletin addresses the following hoaxes and erroneous
warnings: PKZ300 Warning, Irina, Good Times, Deeyenda, and
Ghost.exe
PLATFORM: All, via e-mail
DAMAGE: Time lost reading and responding to the messages
SOLUTION: Pass unvalidated warnings only to your computer security
department or incident response team. See below on how to
recognize validated and unvalidated warnings and hoaxes.
VULNERABILITY New hoaxes and warnings have appeared on the Internet and old
ASSESSMENT: hoaxes are still being cirulated.
---------------------end extract--------------------------------
Mini-paper on "Dealing with Internet hoaxes":
You can get a copy of Les Jones' FAQ on the Good Times Hoax from:
Via FTP:
(2) There is no modem virus that spreads via an undocumented subcarrier - whatever that means....
(3) Any file virus can be transmitted as an E-mail attachment. However, the virus code has to be executed before it actually infects. Sensibly configured mailers don't usually allow this by default and without prompting, but certainly some mailers can support this: for instance, cc:mail can, it seems, launch attachments straight into AmiPro.
[further information on this or other potentially dangerous associations would be gratefully received]
There's room for a lot of discussion here. The jury is still out on web browsers: Netscape can certainly be set up to do things I don't approve of, such as opening a Word document in Word without asking.
Microsoft have made available a Word viewer which reads Word files, but doesn't run attached macros. If possible, use this instead.
The term 'ANSI bomb' usually refers to a mail message or other text file that takes advantage of an 'enhancement' to the MS-DOS ANSI.SYS driver which allows keys to be redefined with an escape sequence, in this case to echo some potentially destructive command to the console. In fact, few systems nowadays run programs which need ANSI terminal emulation to run, and there's no guarantee that the program reading the file would pass such an escape sequence unfiltered to the console anyway. There are plenty of PD or shareware alternatives to ANSI.SYS that don't support keyboard redefinition, or allow it to be turned off.
The term mail bomb is usually applied to the intentional bombardment of an e-mail address with multiple copies of a (frequently abusive) message, rather than to the above.
See SimTel/keyboard on sites carrying a SimTel mirror.
(4) There is no known way in which a virus could sensibly be spread by a graphics file such as a JPEG or .GIF file, which does not contain executable code. Macro viruses work because the files to which they are attached are not 'pure' data files.
(5) In general, software cannot physically damage hardware - this includes viruses. There is a possibility that specific hardware may be damaged by specific code: however, a virus which drops a particular payload on the offchance that it's running on a system with a particular type of obsolete video card seems more than usually futile.
This also applies to other software mechanisms such as simulating hardware write-protection on a hard disk.
However, file protection rights in NetWare can help to contain virus infections, if set up properly, as can trustee rights. [Trustee assignments govern whether an individual user has right of access to a subdirectory: the Inherited Rights Mask governs the protection rights of individual files and (sub)directories.]
Basically, a file virus has the same rights of access as the user who happens to inadvertantly activate it.
Setting up these levels of security is really a function of the network Administrator, but you might like to check (politely) that yours is not only reassuringly paranoid but also knowledgeable about viruses as well as networks, since a LAN which is not, in this respect, securely configured, can result in very rapid infection and reinfection of files across the whole LAN. In particular, accounts with supervisor equivalence can, potentially, be the unwitting cause of very rapid dissemination of viruses.
[See also the comp.virus FAQ (version 2) section D]
In brief, don't use FDISK /MBR unless you're very sure of what you're doing, as you may lose data. Note also that if you set up the drive with a disk manager such as EZDrive, you won't be able to access the drive until and unless you can reinstall it.
[It does sometimes, and when it does it us usually fatal (for the common user, anyway). FDISK /MBR will wipe the partition table data if the last two bytes of the MBR are not 55 AA.]
When a PC starts up it reads the partition sector and executes the code it finds there. Viruses that use the partition sector modify this code.
Since the partition sector is not part of the normal data storage part of a disk, utilities such as DEBUG will not allow access to it.
[Unless one assembles into memory]
Floppy disks do not have a partition sector.
FDISK /MBR will change the code in a hard disk partition sector.
When the PC starts up it attempts to read the boot sector of a disk in drive A:. If this fails because there is no disk it reads the boot sector of drive C:. A boot sector virus replaces this sector with its own code and usually moves the original elsewhere on the disk.
Even a non-bootable floppy disk has executable code in its boot sector. This displays the "not bootable" message when the computer attempts to boot from the disk. Therefore, non-bootable floppies can still contain a virus and infect a PC if it is inserted in drive A: when the PC starts up.
FDISK /MBR will not change the code in a hard disk boot sector. Most boot sector viruses infect the partition sector of hard disks and floppy disk boot sectors: most do not infect the boot sector of a hard disk - Form virus is an exception.
Most effective anti-virus products will be able to remove a virus from a partition sector, but some have difficulties under certain circumstances. In these cases the user may decide to use FDISK /MBR.
Unless you know precisely what you are doing this is unwise. You may lose access to the data on your hard disk if the infection was done by a virus such as Monkey or OneHalf.
[Clarification: FORMAT alters the DOS partition, but leaves the partition sector, aka MBR, alone.]
If you boot with a disk in drive A which is infected with a boot-sector virus, the fact that the diskette is write-protected will make no difference at all.
Write-protecting a clean floppy will indeed prevent it from being infected (but see below!).
However, it is possible for the hardware to fail: it's not common, but it happens. Thus when I do a cleanup, I try to create a file on a sacrificial floppy before risking my R/O boot disk. Sometimes, I even remember....
Other caveats: a disk which you receive write-protected could have been de-protected, infected, and re-protected. Even a 3.5" disk with the write-enable tab removed can be written to by covering the hole with (e.g.) masking tape. And, of course, shrink-wrapped software could have been infected before the duplication process.
DIR A:It is possible to have a scanner report a virus in memory after a DIR of a floppy with an infected boot sector. The distinction here is that the virus is not actually loaded into memory, so the PC has not been infected.
In many countries, writing of viruses is not an offence in itself, whereas in others, not only is this not the case, but distribution, even the sharing of virus code between antivirus researchers is, at least technically, also an offence.
Once a virus is released 'into the wild', it is likely to cross national boundaries, making the writer and/or distributor answerable for his/her actions under a foreign legal system, in a country he/she may never have visited.
Where virus writing and distribution may not apply locally in a particular case, the individual may nevertheless be subject to civil action: in other words, where you may be held to have committed no offence, you may still be sued for damage.
Some of the grounds on which virus writing or distribution may be found to be illegal (obviously I'm not stating that all these grounds will apply at all times in all states or countries!) include:
Since the law does vary widely from country to country (and even within countries), it is entirely possible for one to break the law of another country, state, province, or whatever, without ever leaving your own, and since extradition treaties do exist, perhaps it's best to assume that any act that might be construed as being or causing wilful and malicious damage to a computer or computer system could get you a roommate with undesirable tendencies and no social graces. :)
The best advice to give to any one contemplating a possibly illegal act would be to contact their local Crown Prosecutor, Crown Attorney, District Attorney, or whatever label the local government prosecutor wears. Acting on the advice of one's own attorney doesn't render one immune from prosecution, and the cost of defence can be high, even if successful.
An extremely biased opinion is that very often attorneys attempt to provide the answer they believe the client wishes to hear, or give an opinion in areas where they have no real expertise. Prosecutors, on the other hand, tend to look at a particular action in the light of whether a successful prosecution can be mounted. If the local Crown Prosecutor were to suggest that something was a Bad Thing, I should be extremely nervous about doing it. :)
Many thanks to David J. Loundy for his assistance with the legalities regarding computer crime. A valuable source of information on this topic can be found in his E-Law paper, which can be accessed via the URL:
The question regarding the writing of malevolent computer viruses being illegal isn't really that hard to answer: It is illegal to write and spread a virus that infects a government system. Federal law is unclear as to whether this extends to private computer systems as well, but State statutes are frequently unequivocal about defining virus-related crimes against property.
The question has come up, however, about the distribution of viruses and virus-related programs. A general guideline is that it is legal to distribute viruses, for example, on a BBS, as long as the people who are downloading the virus know EXACTLY what they are getting. If you intentionally infect a file and make it available for downloading, you may be subject to prosecution. Your conscience should be your guide in this kind of a situation. If a virus distributed by you is used to damage or otherwise modify a major system, you can be held accountable.
The reason that the explanations in this section are vague is that the laws in various states, provinces, etc., are different, and you should check with your local police before you decide you want to distribute viruses.
If you spread a virus unknowingly, you generally cannot be prosecuted unless it can be proven that you spread the virus due to pure carelessness. The definition of carelessness has not been tested in a court of law, as far as I know at the date of writing (9/22/95)
If an action is a crime, then encouraging that action can also be a crime ("incitement").
If you spread a virus unwittingly, then it isn't a crime, as you don't have "intent".
If someone is negligent, and so spreads a virus (even unwittingly), then there could be a civil action for damages through negligence.
No mention is made in the Code (as of 1993) of computer viruses as such, but it would seem that prosecution under Sec. 430 would be appropriate.
Quoting from the Code:-
Section 342.1
(1) Every one who, fraudulently and without color of right,
(a) obtains, directly or indirectly, any computer service,
(b) by means of an electro-magnetic, acoustic, mechanical or
any other device, intercepts or causes to be intercepted,
directly or indirectly, any function of a computer system, or
(c) uses or causes to be used, directly or indirectly, a
computer system with intent to commit an offence under
paragraph (a) or (b) or an offence under section 430 in
relation to data or a computer system
is guilty of an indictable offence and liable to imprisonment for a
term not exceeding ten years, or is guilty of an offence punishable
on summary conviction.
(2) In this section,
"computer program" means data representing instructions or statements
that, when executed in a computer system, causes the computer system
to perform a function;
"computer service" includes data processing and the storage or
retrieval of data;
"computer system" means a device that, or a group of interconnected
or related devices one or more of which,
(a) contains computer programs or other data, and
(b) pursuant to computer programs,
(i) performs logic and control, and
(ii) may perform other functions;
"data" means representation of information or of concepts that are
being prepared or have been prepared in a form suitable for use in a
computer system;
"electro-magnetic, acoustic, mechanical or other device" means any
device or apparatus that is used or is capable of being used to
intercept any function of a computer system, but does not include a
hearing aid used to correct subnormal hearing of the user to not
better than normal hearing;
"function" includes logic, control, arithmetic, deletion, storage
and retrieval and communication or telecommunication to, from or
within a computer system;
"intercept" includes listen to or record a function of a computer
system, or acquire the substance, meaning or purport thereof.
Apparently the laws governing trespass have not been considered as
having any application in cyberspace. Offenders under the above
section would be charged with mischief, which covers a multitude
of sins under Canadian law. The penalties stipulated in Sec. 342.1
are the same as the penalties for sabotage, just as a point of
interest.
Mischief is covered by Sec. 430:-
Section 430
(1) Every one commits mischief who wilfully
(a) destroys or damages property;
(b) renders property dangerous, useless, inoperative or
ineffective;
(c) obstructs, interrupts or interferes with the lawful use,
enjoyment or operation of property, or
(d) obstructs, interrupts or interferes with any person in
the lawful use, enjoyment or operation of property.
(1.1) Every one commits mischief who wilfully
(a) destroys or alters data;
(b) renders data meaningless, useless or ineffective;
(c) obstructs, interrupts or interferes with the lawful use
of data; or
(d) obstructs, interrupts or interferes with any person in
the lawful use of data or denies access to data to any person
who is entitled to access thereto.
(2) Every one who commits mischief that causes actual danger
to life is guilty of an indictable offence and liable to imprisonment
for life.
(3) Every one who commits mischief in relation to property
that is a testamentary instrument or the value of which exceeds one
thousand dollars
(a) is guilty of an indictable offence and liable to
imprisonment for a term not exceeding ten years; or
(b) is guilty of an offence punishable on summary conviction.
(4) Every one who commits mischief in relation to property,
other than property described in subsection (3),
(a) is guilty of an indictable offence and liable for
imprisonment for a term not exceeding two years; or
(b) is guilty of an offence punishable on summary conviction.
(5) Every one who commits mischief in relation to data
(a) is guilty of an indictable offence and liable to
imprisonment for a term not exceeding ten years; or
(b) is guilty of an offence punishable on summary conviction.
(5.1) Every one who wilfully does an act or wilfully omits
to do an act that it is his duty to do, if that act or omission is
likely to constitute mischief causing actual danger to life, or to
constitute mischief in relation to property or data,
(a) is guilty of an indictable offence and liable to
imprisonment for a term not exceeding five years; or
(b) is guilty of an offence punishable on summary conviction.
(6) No person commits mischief within the meaning of this
section by reason only that
(a) he stops work as a result of the failure of his employer
and himself to agree on any matter relating to his
employment;
(b) he stops work as a result of his employer and a
bargaining agent acting on his behalf to agree on any matter
relating to his employment; or
(c) he stops work as a result of his taking part in a
combination of workmen or employees for their own reasonable
protection as workmen or employees.
(7) No person commits mischief within the meaning of this
section by reason that he attends at or near or approaches a
dwelling-house or place for the purpose only of obtaining or
communicating information.
(8) In this section, "data" has the same meaning as in
section 342.1.
For the record, from Sec. 785:-
Section 785 (1)
"summary conviction court" means a person who has jurisdiction in the
territorial division where the subject-matter of the proceedings is
alleged to have arisen and who
(a) is given jurisdiction over the proceedings by the
enactment under which the proceedings are taken,
(b) is a justice or provincial court judge, where the
enactment under which the proceedings are taken does not
expressly give jurisdiction to any person or class of
persons, or
(c) is a provincial court judge, where the enactment under
which the proceedings are taken gives jurisdiction in respect
thereof to two or more justices;
To the best of my limited knowledge, the Canadian Criminal Code only
uses the term "incitement" in Sec. 319 (Public incitement of hatred)
and Sec. 53 (incitement to commit a traitorous or mutinous act).
A prosecutor would probably deal with incitement under Sec. 21
(Parties to offence), Sec. 463 (Attempts), or Sec. 465 (Conspiracy).
Section 21
(1) Every one is a party to an offence who
(a) actually commits it;
(b) does or omits to do anything for the purpose of aiding
any person to commit it; or
(c) abets any person in committing it.
(2) Where two or more persons form an intention in common to
carry out an unlawful purpose and to assist each other therein and
any one of them, in carrying out the common purpose, commits an
offence, each of them who knew or ought to have known that the
commission of the offence would be a probable consequence of carrying
out the common purpose is a party to that offence.
"Incite" does get mentioned in Sec. 22:-
Section 22
(1) Where a person counsels another person to be a party to
an offence and that other person is afterwards a party to that
offence, the person who counselled is a party to that offence,
notwithstanding that the offence was committed in a way different
from that which was counselled.
(2) Every one who counsels another person to be a party to
an offence is a party to every offence that the other commits in
consequence of the counselling that the person who counselled knew or
ought to have known was likely to be committed in consequence of the
counselling.
(3) For the purpose of this Act, "counsel" includes procure,
solicit or incite.
Section 23 deals with an accessory after the fact, and I've already
quoted too much, and more to come, but Sections 23.1 and 24 are
interesting.....
Section 23.1
For greater certainty, sections 21 to 23 apply in respect of
an accused notwithstanding the fact that the person whom the accused
aids or abets, counsels or procures or receives, comforts or assists
cannot be convicted of the offence.
Section 24
(1) Every one who, having an intent to commit an offence,
does or omits to do anything for the purpose of carrying out the
intention is guilty of an attempt to commit the offence whether or
not it was possible under to circumstances to commit the offence.
(2) The question whether an act or omission by a person who
has an intent to commit an offence is or is not mere preparation to
commit the offence, and too remote to constitute an attempt to commit
the offence, is a question of law.
Under Sec. 465 (1)(c) and 465 (1)(d), conspiring to commit an offence
carries the same penalties as the actual commission of the crime.
Under certain circumstances, laws in other countries may be applicable in cyberspace, where there are no formal territorial boundaries. For instance, Sec. 465 (4) of the Canadian Criminal Code stipulates that every one, "while in a place outside Canada" conspires to commit an offence in Canada "shall be deemed to have conspired in Canada to do that thing."
I can't believe there's anyone left on the Internet who doesn't know the VCL password, but I'm not going to tell you anyway.
OK, maybe you want an assembler to learn assembly-language, not just to rehash prefabricated code. Where do you get TASM? You buy it from Borland or one of their agents, either stand-alone or with one of their high-level languages. If you want freeware or shareware, I guess you can still get the likes of CHASM and A86 (SimTel mirror sites in SimTel/asm).
Requests for viruses by people 'writing a new anti-virus utility' are usually not taken too seriously.
Valid testing of antivirus software requires a lot of time, care and thought and a valid virus test-set. Virus simulators are unhelpful in this context: a scanner which reports a virus when it finds one of these is actually false-alarming, which isn't necessarily what you want from a scanner.
Read Vesselin Bontchev's paper on maintaining a virus library:
Tom Simondi points that there is an archive of sorts at dejanews. You can search for several months of messages by subject at:
The use of a "batch" file allows the scanning to use any switches or commands that are available to the scanner program(s) and also allows multiple scanners to be used with different switches, etc. which it runs. If clean, it sends the E-Mail on. Files which it cannot scan can be 'quarantined' in the secure area to be scanned 'by hand' or otherwise disposed of.
MIMESweeper vs. 1.0 reads MIME attachments and recognises ZIP archives, but does not read other compression formats or binary encoding formats such as uuencode.
MIMESweeper ver. 2.1 reads MIME attachments, UUENCODE, and recognises ZIP and recursive .ZIP archives, OLE, but does not yet read many other compression or binary encoding formats. (CDA, BinHex, LHA and Stuffit are expected in due course). It runs under NT Workstation and requires, at minimum, a 486 with 24Mb RAM, 500Mb hard disk, and a CD-ROM drive (for installation only). It works with cc:Mail, SMTP with MIME attachments, Microsoft Mail, or MHS,
MIMESweeper 3.0 adds FTP/HTTP but not NNTP. Minimum requirement is still a 486 with 24Mb, but medium to high volumes will require a Pentium with 32Mb RAM. WEBSweeper requires NT version 4.0 (apply Service Pack 4 if accessed via NetWare). MIMESweeper requires TCP/IP for remote management
MIMESweeper has advanced content filtering abilities which go beyond its capabilities (with assistance from other software) for detection of file viruses and trojans.
Trend's InterScan VirusWall is similar to MIMEsweeper but uses Trend's own scanning engine only as the scanner. Trend also scans FTP traffic. Trend currently runs on SUN Solaris 2.4-5 and will be adding NT later.
These products do real scanning before the mail hits the hard drive but, at least until the holes are filled in the above products, make sure your mail attachments, WWW downloads etc. can't be automatically executed and use a good TSR/VXD in combination with a good scanner. Note that scanning FTP traffic is likely to add a heavy network overhead and probably won't catch as many viruses as checking *all* files from *all* sources with a desktop scanner
Current informed thinking tends to be that detection of viruses at the firewall is acceptable (1) if you can afford the additional hardware, software and latency (processing overhead), not to mention the hidden administrative overheads of configuration and policy for dealing with boundary conditions such as unusual 7-bit encoding formats, encrypted files etc. (2) ss long as you appreciate that it can only be supplementary to checking at the desktop, not a replacement. Mail attachments, FTP and HTTP are more significant vectors for virus transmission than formerly, especially with the near-exponential boom in macro viruses, but other vectors (especially floppy disks) are still of vital concern. System administrators are attracted by the fact that it's easier to update server software than control the use of scanning on individual workstations, but the fact remains that in most environments, until the desktop is adequately protected with good, up-to-date realtime (on-access) scanning and/or scheduled on-demand scanning, virus scanning at the perimeter is a semi-irrelevance.
McAfee's WebScan also addresses this market, but has detection only, not disinfection: you need their on-demand scanner too. Dr. Solomon's MailGuard is based on MIMESweeper. Norton AntiVirus for Firewalls is due for release in June 1997.
For firewall-related information
mailto: majordomo@greatcircle.com
subject:
message: subscribe firewalls-digest
Building Internet Firewalls (Chapman, Zwicky) - O'Reilly
[If you scan all drives at every boot, though, you may find that this gives you a good incentive to remove CDs from your CD drive before you power down, especially if your scanner isn't set to allow you to break out of a scan. B-)]
There are virtually no circumstances under which you should need to reformat a hard disk, however: in general, this is an attempt to treat the symptom instead of the cause. Likewise re-partitioning with FDISK.
If you use a generic low-level format program, i.e. one which isn't specifically for the make and model of drive you actually own, you stand a good chance of trashing the drive more thoroughly than any virus yet discovered.
In general, it's hard to imagine a situation where (e.g.) a maintenance virus is the only option. I have yet to see a convincing example of a potentially useful virus which needs to be a virus. Such a program would have to be much better written and error-trapped than viruses usually are.
A computer virus can cause unusual screen displays, or messages - but most don't do that. A virus may slow the operation of the computer - but many times that doesn't happen. Even longer disk activity, or strange hardware behaviour can be caused by legitimate software, harmless "prank" programs, or by hardware faults. A virus may cause a drive to be accessed unexpectedly (and the drive light to go on) - but legitimate programs can do that also.
One usually reliable indicator of a virus infection is a change in the length of executable (*.com/*.exe) files, a change in their content, or a change in their file date/time in the Directory listing. But some viruses don't infect files, and some of those which do can avoid showing changes they've made to files, especially if they're active in RAM.
Another common indication of a virus infection is a change to interrupt vectors or the reassignment of system resources. Unaccounted use of memory or a reduction in the amount normally shown for the system may be significant.
In short, observing "something funny" and blaming it on a computer virus is less productive than scanning regularly for potential viruses, and not scanning, because "everything is running OK" is equally inadvisable.
To make an emergency bootable floppy disk, put a disk in drive A and type
FORMAT A: /SBe careful to avoid 'cross-formatting', i.e. formatting a double-density disk as high-density or vice versa, if you system allows this. (You should avoid this all the time, not just when creating a boot disk. I'd also recommend avoiding single-density and quad-density disks, and there may be problems writing to double-density 5.25" disks on a different machine to the one on which they were formatted, if one machine is an XT and the other an AT or better.)
You can also make a pre-formatted floppy into a boot disk by typing
SYS A:I'd suggest you also COPY these commands from C:\DOS to it: ATTRIB, CHKDSK (or SCANDISK if you have DOS6), FDISK, FORMAT, SYS, and BACKUP and RESTORE (or whatever backup program you use, if it will fit). They may come in handy if you can't access the hard disk, or it won't boot up.
You may be aware that if there is a problem with your boot sequence, you can boot from the hard disk on a DOS 6/7/Win95 system while bypassing AUTOEXEC.BAT and CONFIG.SYS. This is not as good as a clean floppy boot: it won't help at all if you have a boot sector/partition sector infector, or if any or all of the basic operating system files have been infected by a file virus.
The boot disk should have been created with the same version of DOS as you have on your hard disk. It should also include any drivers necessary to access your hard disk and other device. If, for some reason, you can't obtain a clean boot disk with the same version of DOS, you can often get away with booting from a (clean) disk using a different version, though: indeed, there are viruses which exploit a bug in recent versions of MS-DOS which will prevent a clean boot from DOS vs. 4-6. If you do use a different version, remember that you won't be able to use many of the standard DOS system utilities on the hard disk, which will simply return a message like 'Wrong DOS version' when you try to run them, and avoid the use of FORMAT or FDISK.
If you become virus-infected it can be very helpful to have backup of your hard disk's boot sector and partition sector (also known as MBR). Some anti-virus and disk utilities can do this. Other useful tools to include are a small DOS-based text editor (for editing AUTOEXEC.BAT, CONFIG.SYS and so forth), a copy of the DOS commands COMP or FC (for comparing files), FDISK and SYS (make sure they are from the same version of DOS as you are booting). There is a school of thought that your boot disk should also include your anti-virus software. The problem with this is that anti-virus software should be updated frequently, and you may forget to update (and re-write-protect) your boot disk each time. Ideally you will have been sent a clean, write-protected copy of the latest version of your anti-virus software by your vendor/supplier.
If you want to use the DOS program EDIT, remember that you need both EDIT.* and QBASIC.* on the same disk.
When you have everything you need on your boot floppy and any supplementary floppies (see below), make sure they're all write-protected!
A copy of PKZIP/PKUNZIP or similar compression/decompression utility may be useful both for retrieving data and for cleaning (some) stealth viruses. The MSD diagnostic tool supplied with recent versions of DOS and Windows is a useful addition. QEMM includes a useful diagnostic tool called Manifest. Heavy duty diagnostic packages like CheckIt! may be of use. There are some useful shareware/freeware diagnostic packages, too.
Obviously, these are not all going to go on one bootdisk. When you prepare a toolkit like this, make sure all the disks are write-protected!
Tech support types are likely to find that an assortment of bootable disks including various versions of DOS comes in useful on occasion. If you have one or two non-Microsoft DOS versions (DR-DOS/Novell DOS or PC-DOS), they can be a useful addition. DoubleSpaced or similar drives will need DOS 6.x; Stacked drives will need appropriate drivers loaded.
My understanding of the copyright position is that Microsoft does not encourage you to distribute bootable disks (even if they contain only enough files to minimally boot the system) unless the target system is loaded with the same version of MS-DOS as the boot floppy. Support engineers will need to ensure that they are legally entitled to all DOS versions for which they have bootable disks.
Data stored there are not loaded from there and executed, so virus code written to CMOS memory would still need to infect an executable program in order to load and execute whatever it wrote.
A virus could use CMOS memory to store part of its code, and some tamper with the CMOS Setup's values. However, executable code stored there must first be first moved to DOS memory in order to be executed. Therefore, a virus can NOT spread from, or be hidden in CMOS memory.
++ There are also reports of a trojanized AMI BIOS - this is not a virus, but a 'joke' program which does not replicate. The malicious program is not on the disk, nor in CMOS, but was directly coded into the BIOS ROM chip on the system board. by a rogue programmer at American Megatrends Inc., the manufacturers.
++ If the date is 13th of November, it stops the bootup process and plays 'Happy Birthday' through the PC speaker. In this case, the only cure is a new BIOS (or motherboard) - contact your dealer. The trojanized chip run was BIOS version M82C498 Evaluation BIOS vs. 1.55 of 04-04-93, according to Jimmy Kuo's "What is NOT a virus" paper.
++ From time to time there are reports from Mac users that the message 'welcome datacomp' appears in their documents without having been typed. This appears to be the result of using a trojanised 3rd-party Mac-compatible keyboard with this 'joke' hard-coded into the keyboard ROM. It's not a virus - it can't infect anything - and the only cure is to replace the keyboard.
In general, don't run anything downloaded from the Internet, BBSs etc. until it's been checked with at least one reputable and up-to-date antivirus scanner.
George Wenzel recently reported that recent versions of the following should recognise it. Well done George for promoting the EICAR file among vendors who hadn't been taking notice!
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*Running the file displays the text "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".
Scanning the file with one of the components of these packages should trigger an alert.
The EICAR file isn't an indication of a scanner's efficiency at detecting viruses, since (1) it isn't a virus and (2) detecting a single virus or non-virus isn't a useful test of the number of viruses detected. It's a (limited) check on whether the program is installed, but I'm not sure it's a measure of whether it's installed correctly. For instance, the fact that a scanner reports correctly that a file called EICAR.COM contains the EICAR string, doesn't tell you whether it will detect macro viruses, for example. In fact, if I wanted to be really picky, I'd have to say that it doesn't actually tell you anything except that the scanner detects the EICAR string in files with a particular extension.
B-)
[I have Chengi Jimmy Kuo's permission to reproduce the following, a propos of the preceding paragraph]:
"The purpose of the EICAR test file is for the user to test all the bells and whistles associated with detecting a virus. And, if given that one platform detects it, is everything else working? It is to enable such things as:There have been long threads recently on whether the Rosenthal Simulator is useful for this sort of job. This will be considered at length here when I have the time to look at it in more detail, but it should be noted that many anti-virus researchers have expressed considerable scepticism. Certainly, having looked at an earlier incarnation, I see no urgent need to research this further.Is the alert system working correctly?
Does the beeper work?
Does the network alert work?
Does it log correctly? What does it say?
Is the NLM working? For inbound? For outbound?
Is compressed file scanning working?Surprise MIS testing of AV security placements.
The file serves no purpose in testing whether one product is better than another. Previously, every product had to supply its own test methods. This allows for an independent standard.'
Of course, other utilities such as ATTRIB can also be filtered through MORE like this, which may result in similar symptoms.
Essentially, you should avoid using FDISK /MBR unless you have it on good authority that it's safe and necessary to do so. In most circumstances, it's safer to clean a partition sector with a good anti-virus program.
You should avoid FDISK /MBR at all costs under the following circumstances:
The NCSA have a Corporate Virus Prevention Policy disk/document which can be ordered via their web page (www.ncsa.com) for around $20, or downloaded from Compuserve.
In the UK, the British Standards Institution have a Code of Practice for Information Security Management which includes virus-management (BS7799). [It's not necessarily well-regarded by practitioners, though.]
DTI (Dept. of Trade & Industry)
IT Security Policy Unit
151 Buckingham Palace Road
London SW1W 9SS
Cost of maintaining virus protection:
The Information Security Breaches Survey 1996 [UK]
[National Computing Centre, ICL, ITSEC, Dept. of Trade & Industry]
(voice) +44(0) 161 228 6333
(fax) +44(0) 161 242 2171
enquiries@ncc.co.uk
http://www.ncc.co.uk/
Computer Virus & Security Survey 1995 [Ireland]
[Price Waterhouse, Priority Data Systems]
For a list of scanners that have received the "NCSA Approved" rating of the National Computer Security Association in the U.S.A. see
The National Computer Security Association in Carlisle, Pennsylvania, U.S.A., sponsors an Anti-Virus Product Developers consortium. The NCSA and consortium members have created standards for anti-virus products and the NCSA Anti-virus lab in Carlisle tests new versions of scanners that are submitted to it and issues an "NCSA Approved" seal for those products which past the test.
++ To pass, a scanner must detect all viruses (more than 400) on the "Wild List" kept by Joe Wells of IBM
[Actually, this isn't the case: detection of all viruses on both parts of the Wild List isn't required for certification, as the information on NCSA's website makes clear. In fact, it looks as if the implementation of NCSA certification has somewhat slipped from its promising inception. I'll be returning to this issue and other schemes (VSUM, Secure Computing) when time allows. There are one or two other points in this item which I didn't check because of their source: checking is now a priority. - DH]
and 90 percent of the viruses in a suite of about 11,000 kept by NCSA (these represent not only viruses, but variations created by polymorphic viruses as well.)
++ [The exact make-up of that test suite is one of the things I'd like to check - DH]
For more information about the NCSA or for links to the members of the AVPD consortium:
NCSA is a provider of security, reliability, and ethics information and services. NCSA provides information security: training, testing, research, product certification, underground reconnaissance, help-desk and consulting services. NCSA delivers information through publications, conferences, forums, and seminars -- in both traditional and electronic formats. NCSA also hosts private on-line training and seminars on CompuServe in addition to public forums and libraries and which address hundreds of information and communications security issues. NCSA's InfoSecurity Resource Catalog provides one-stop-shopping for books, guides, training and tools.
++ [I should observe here that I've received material from NCSA in the past which advertises a book I would personally avoid recommending on grounds of ethics and accuracy. As there was some fuss about this, I don't suppose it's in their catalogue any longer, but this is another point I'd quite like to check. - DH]
NCSA AVPD Members (July, 1996)
Members of the NCSA Anti-Virus Product Developers consortium.
EICAR - European Institute for Computer AntiVirus Research. Membership comprises academic, commercial, media, governmental organisations etc, with experts in security, law etc., combining in the pursuit of the control of the spread of malicious software and computer misuse. Membership is more open, but members are expected to subscribe to a code of conduct. And yes, this is the origin of the EICAR test file.
("`-''-/").___..--''"`-._
`6_ 6 ) `-. ( ).`-.__.`)
(_Y_.)' ._ ) `._ `. ``-..-'
_..`--'_..-_/ /--'_.' ,'
(il),-'' (li),' ((!.-'
End of alt.comp.virus FAQ