ALT.COMP.VIRUS Mini-FAQ
(version 1.12)
Last updated April 20, 1997
Maintained by George Wenzel
Messages asking for help posted to alt.comp.virus are more likely to
receive a useful response if they conform to accepted standards of
civility. The news group news.announce.newusers includes information
on good news group etiquette.
When asking for help, the more relevant information you give, the more
help can be returned. It helps to:
- Run more than one anti-virus program. Some do make mistakes.
- When reporting the output of anti-virus programs, please list
them (name and version number), and say what each one said about
the possible virus. Posting the exact output can be helpful.
- Say what the symptoms are. You cannot be too detailed. Include
things like CPU, RAM (size), Disk (size), BIOS (name and date),
and operating system. Be as specific as possible.
- Please consider the possibility that whatever you are seeing might
_not_ be a virus. Many system problems are not virus related.
- Note that you cannot catch a virus simply by reading certain e-mail
or news group messages. For a virus to spread, infected code must
be run.
- If you want an e-mail reply to your post, be sure to state that
you will post a summary of the responses to the group.
Don't reformat, low-level format, or use FDISK before posting: it's
most unlikely that this will be necessary. Especially do not use
FDISK unless you know EXACTLY what you're doing -- you could lose
access to your hard drive.
Please, don't just ask "I've got a virus, can anyone help me?"
Basic answers to common questions:
- The following "viruses" are in fact hoaxes: "Good Times", "Deeyenda",
"Irina", and "Penpal Greetings". Information about these hoaxes and
more can be found at
http://www.kumite.com/myths/
- Many people have asked why alt.comp.virus is decidedly anti-virus in
nature. Because of the large proportion of anti-virus producers and
end-users in the group, viruses are considered to be a poor use of
computer resources, and the open distribution of them to be
irresponsible.
Binaries are not welcome in UseNet discussion newsgroups.
Alt.comp.virus is a discussion newsgroup, so the posting of
binaries is often met with opposition and complaints to ISPs.
In addition, the majority of a.c.v. readers do not want virus source
code or binaries to be posted in this newsgroup. Should you
post such material, you should be aware that some of those readers
will complain to your ISP about it. For your own sake, check your
ISP's policies regarding posting such material to newsgroups before
risking your account.
- We can't tell you definitively which is the best anti-virus software.
Everybody has different criteria for quality, and different products
excel in different areas. It is more important to get a reasonably
good anti-virus product and to use it often than it is to worry about
having the absolute best anti-virus product. For maximum protection,
it is generally recommended that more than one kind of anti-virus
program be used. Scanners are generally used as a front-line defense,
but they must be updated regularly. Generic anti-virus programs can
be of use since they do not need updating as often, and they can catch
new viruses that a scanner might miss.
There are vendor contacts and comparative reviews at:
http://www.virusbtn.com/
- Before claiming that a "good" virus exists or could exist, it would be
wise to read Vesselin Bontchev's paper "Are 'good' Computer Viruses
Still A Bad Idea", available at:
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/goodvir.zip
- There are no viruses which damage hardware by modifying how the
mechanical parts run or their electro-magnetic characteristics.
There *are* reported instances of specific hardware being damaged
by the misuse of specific software. A virus which exploited such
a problem would have to be so selective and complex that it would
be unlikely to survive in the real world.
- Testing your anti-virus program with a real virus is not generally a
good idea. Most reputable PC anti-virus packages will now trigger an
alert if tested with a file containing the following text:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
and given a filename with a .COM extension (note that this does not work
on a Macintosh). Running the file displays the text
"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!". Most people in the anti-virus
community consider virus simulators unnecessary and unsuitable for this
task.
- There are answers to other frequently asked questions and more details
in the other virus FAQs. They are available at
http://www.webworlds.co.uk/dharley/
- Before you ask about what a specific virus does, try:
http://www.drsolomon.com/vircen/enc/
http://www.datafellows.com/v-descs/
http://www.datarescue.com/avpbase/
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/
http://www.metro.ch/avpve/
http://www.mcafee.com/support/techdocs/vinfo/index.html
all of which carry virus databases and links to other sites.
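The EICAR test file described above can be turned into a repeatable check that a resident (on-access) scanner is actually running on a machine. This is an added example, not part of the original FAQ; the function names, the status strings and the two-second wait are assumptions of the example.

```python
import os
import shutil
import tempfile
import time

# The 68-byte test string quoted in the FAQ, split in two so that this
# source file itself is less likely to be flagged by a scanner.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
         r"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")


def classify(path, expected=EICAR):
    """Report what has happened to a test file since it was written."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except FileNotFoundError:
        return "removed"   # deleted or quarantined
    except OSError:
        return "blocked"   # present, but access is denied
    return "intact" if data == expected else "altered"


def on_access_smoke_test(directory=None, wait_seconds=2.0):
    """Write the string as EICAR.COM, wait, and see whether anything reacted."""
    workdir = tempfile.mkdtemp(dir=directory)
    path = os.path.join(workdir, "EICAR.COM")
    try:
        try:
            with open(path, "wb") as fh:
                fh.write(EICAR)
        except OSError:
            return "blocked"   # the write itself was intercepted
        time.sleep(wait_seconds)
        return classify(path)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(on_access_smoke_test())
```

A result of "intact" only means nothing reacted within the wait; an on-demand scan of the same directory is the other half of the test.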
Disclaimer:
The authors accept no responsibility for errors or omissions, or for any
ill effects resulting from the use of any information contained in this
document.
Copyright Notice
We made this information freely available, and maintain it. Please don't
abuse our work by using it for profit without getting permission from the
FAQ maintainer.
Copyright © 1997 by the contributors. Copyright remains with the authors.
Contributors:
Bruce Burrell <bpb@umich.edu>
Graham Cluley <gcluley@uk.drsolomon.com>
David Harley <harley@icrf.icnet.uk>
Gerard Mannig <mannig@world-net.sct.fr>
A. Padgett Peterson <padgett@goat.orl.mmc.com>
Robert Slade <roberts@decus.ca or rslade@vcn.bc.ca>
Dr. Alan Solomon <drsolly@ibmpcug.co.uk>
Pierre Vandevenne <pierre@datarescue.com>