home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Simtel MSDOS - Coast to Coast
/
simteldosarchivecoasttocoast.iso
/
virus
/
virus_l.faq
< prev
next >
Wrap
Internet Message Format
|
1994-03-07
|
61KB
Date: Thu, 19 Mar 1992 15:00:07 EST
From: "The Moderator Kenneth R. van Wyk" <krvw@CERT.SEI.CMU.EDU>
Subject: VIRUS-L Digest V5 #70
Comments: To: VIRUS-L@ibm1.cc.lehigh.edu
VIRUS-L Digest Thursday, 19 Mar 1992 Volume 5 : Issue 70
Today's Topics:
VIRUS-L/comp.virus FAQ, 19 March 1992
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
krvw@CERT.SEI.CMU.EDU.
Ken van Wyk
----------------------------------------------------------------------
Date: Thu, 19 Mar 92 14:07:05 -0500
From: Kenneth R. van Wyk <krvw@cert.sei.cmu.edu>
Subject: VIRUS-L/comp.virus FAQ, 19 March 1992
Frequently Asked Questions on VIRUS-L/comp.virus
Last Updated: 19 March 1992, 2:00 PM EST
====================
= Preface Section: =
====================
This document is intended to answer the most Frequently Asked
Questions (FAQs) about computer viruses. As you can see, there are
many of them! If you are desperately seeking help after recently
discovering what appears to be a virus on your computer, consider
skimming through sections A and B to learn the essential jargon, then
concentrate on section C.
If you may have found a new virus, or are not quite sure if some file
or boot sector is infected, it is important to understand the protocol
for raising such questions, e.g. to avoid asking questions that can be
answered in this document, and to avoid sending "live" viruses except
to someone who is responsible (and even then in a safe form!).
Above all, remember the time to really worry about viruses is BEFORE
your computer gets one!
The FAQ is a dynamic document, which changes as people's questions
change. Contributions are gratefully accepted -- please e-mail them
to me at krvw@cert.sei.cmu.edu. The most recent copy of this FAQ will
always be available on the VIRUS-L/comp.virus archives, including the
anonymous FTP on cert.sei.cmu.edu (192.88.209.5) in the file:
pub/virus-l/FAQ.virus-l
Ken van Wyk, moderator VIRUS-L/comp.virus
Primary contributors (in alphabetical order):
Mark Aitchison <phys169@csc.canterbury.ac.nz>
Vaughan Bell <vaughan@computing-department.poly-south-west.ac.uk>
Matt Bishop <matt.bishop@dartmouth.edu>
Vesselin Bontchev <bontchev@fbihh.informatik.uni-hamburg.de>
Olivier M.J. Crepin-Leblond <umeeb37@vaxa.cc.ic.ac.uk>
David Chess <chess@watson.ibm.com>
John-David Childs <con_jdc@lewis.umt.edu>
Nick FitzGerald <cctr132@csc.canterbury.ac.nz>
Claude Bersano-Hayes <hayes@urvax.urich.edu>
John Kida <jhk@washington.ssds.COM>
A. Padgett Peterson <padgett%tccslr.dnet@mmc.com>
Rob Slade <rslade@sfu.ca>
Gene Spafford <spaf@cs.purdue.edu>
Otto Stolz <rzotto@nyx.uni-konstanz.de>
====================
Questions answered in this document
Section A: Sources of Information and Anti-viral Software
(Where can I find HELP..!)
A1) What is VIRUS-L/comp.virus?
A2) What is the difference between VIRUS-L and comp.virus?
A3) How do I get onto VIRUS-L/comp.virus?
A4) What are the guidelines for VIRUS-L?
A5) How can I get back-issues of VIRUS-L?
A6) What is VALERT-L?
A7) What are the known viruses, their names, major symptoms and
possible cures?
A8) Where can I get the latest free/shareware anti-virus programs?
A9) Where can I get more information on viruses, etc for my report?
Section B: Definitions
(What is ...?)
B1) What are computer viruses (and why should I worry about them) ?
B2) What is a trojan horse?
B3) What are "stealth" viruses (and what is special about them) ?
B4) What are "polymorphic" viruses (and what is special about them) ?
B5) What are "armored" viruses?
B6) What different types of PC viruses are there?
B7) Miscellaneous Abbreviations and jargon
Section C: Virus Detection
(Is my computer infected? What do I do?)
C1) What are the symptoms and indications of a virus infection?
C2) What steps should be taken in diagnosing and identifying viruses?
C3) What does the <insert name here> virus do?
C4) What are "false positive" (Type I) and "false negative" (Type II)
errors ?
C5) Could an anti-viral program be infected?
C6) Where can I get a virus scanner for my Unix system?
C7) Why does an antiviral scanner reports an infection only sometimes?
C8) Am I infected with the Stoned virus ?
C9) I think I have detected a new virus; what do I do?
Section D: Protection Plans
(What should I do to prepare against viruses?)
D1) What is the best protection policy for my computer?
D2) Is it possible to protect a computer system with only software?
D3) What can be done with hardware protection?
D4) Will setting MSDOS files' attributes to READ ONLY protect them from
viruses?
D5) Will password protection systems protect my files from viruses?
D6) Will the protection systems in DR-DOS work against viruses?
D7) Will a write-protect tab on a floppy disk prevent a virus from
infecting it?
D8) What is the best way to remove the virus?
D9) What other ways can I stop viruses before they enter my computer?
Section E: Facts and Fibs about computer viruses
(Can a virus...?)
E1) Can "boot sector" viruses like Stoned infect non-bootable floppy disks?
E2) Can a virus hide in a PC's battery-backed CMOS memory?
E3) Can viruses infect data files?
E4) Can viruses spread from one type of computer to another?
E5) Can mainframe computers be susceptible to computer viruses?
E6) Some people say that disinfecting viruses is a bad idea. Is that true?
E7) Can I avoid viruses by avoiding shareware/free software/games?
E8) Can MS-DOS Viruses run on Non-DOS machines (e.g., Mac, Amiga)?
Section F: Miscellaneous Questions
(I was just wondering...)
F1) How many different types of viruses are there?
F2) How do viruses spread so quickly?
F3) What is the plural of "virus"? "Viruses" or "viri" or "virii" or...
F4) When reporting a virus infection (and looking for assistance), what
information should be included?
F5) How often should we upgrade our anti-virus tools to minimize
software and labor costs and maximize our protection?
Section G: Specific Virus and Anti-viral software Questions...
G1) I was infected by the Jerusalem virus and disinfected the infected
files with my favorite anti-virus program. However, Wordperfect and
some other programs still refuse to work. Why?
G2) I was told that the Stoned virus displays the text "Your PC is now
Stoned" at boot time. I have been infected by this virus several
times, but have never seen the message. Why?
================================================================
= Section A. Sources of Information and Anti-viral Software. =
================================================================
A1) What is VIRUS-L/comp.virus?
It is a discussion forum with a focus on computer virus issues. More
specifically, VIRUS-L is an electronic mailing list and comp.virus is
a USENET newsgroup. Both groups are moderated; all submissions are
sent to the moderator for possible inclusion in the group. For more
information, including a copy of the posting guidelines, see the file
virus-l.README, available by anonymous FTP on cert.sei.cmu.edu in the
pub/virus-l directory. (FTP is the Internet File Transfer Protocol,
and is described in more detail in the monthly VIRUS-L/comp.virus
archive postings - see below.)
Note that there have been, from time to time, other USENET
cross-postings of VIRUS-L, including the bit.listserv.virus-l. These
groups are generally set up by individual site maintainers and are not
as globally accessible as VIRUS-L and comp.virus.
A2) What is the difference between VIRUS-L and comp.virus?
As mentioned above, VIRUS-L is a mailing list and comp.virus is a
newsgroup. In addition, VIRUS-L is distributed in digest format (with
multiple e-mail postings in one large digest) and comp.virus is
distributed as individual news postings. However, the content of the
two groups is identical.
A3) How do I get onto VIRUS-L/comp.virus?
Send e-mail to LISTSERV@IBM1.CC.LEHIGH.EDU (or LISTSERV@LEHIIBM1 for
you Bitnetters) stating: "SUB VIRUS-L your-name". To "subscribe" to
comp.virus, simply use your favorite USENET news reader to read the
group (assuming that your site receives USENET news).
A4) What are the guidelines for VIRUS-L?
The list of posting guidelines is available by anonymous FTP on
cert.sei.cmu.edu. See the file pub/virus-l/virus-l.README for the
most recent copy. In general, however, the moderator requires that
discussions are polite and non-commercial. (Objective postings of
product availability, product reviews, etc., is fine, but commercial
advertising is not.) Also, requests for viruses (binary or
disassembly) are not allowed. Technical discussions are encouraged,
however, within reason.
A5) How can I get back-issues of VIRUS-L?
VIRUS-L/comp.virus includes a series of archive sites that carry all
the back issues of VIRUS-L, as well as public anti-virus software (for
various computers) and documents. The list of archive sites is
updated monthly and distributed to the group; it includes a complete
listing of the sites, what they carry, access instructions, as well as
information on how to access FTP sites by e-mail. The anonymous FTP
archive at cert.sei.cmu.edu carries all of the VIRUS-L back issues, as
does the LISTSERV at LEHIIBM1 (on BITNET). See the file
pub/virus-l/README for more information on the cert.sei.cmu.edu
archive site.
A6) What is VALERT-L?
VALERT-L is a sister group to VIRUS-L, but is intended for virus
alerts and warnings only -- NO DISCUSSIONS. There is no direct USENET
counterpart to VALERT-L; it is a mailing list only. All VALERT-L
postings are re-distributed to VIRUS-L/comp.virus later. This group
is also moderated, but on a much higher priority than VIRUS-L. The
group is monitored during business hours (East Coast, U.S.A.,
GMT-5/GMT-4); high priority off-hour postings can be made by
submitting to the group and then telephoning the CERT/CC hotline at +1
412 268 7090 -- leave instructions to call Ken van Wyk.
Subscriptions to VALERT-L are handled identically to VIRUS-L --
contact the LISTSERV.
A7) What are the known viruses, their names, major symptoms and
possible cures?
There are several major sources of information about viruses.
Probably the biggest one is Patricia Hoffman's hypertext VSUM. It
describes only MS-DOS viruses, but almost all of them. Unfortunately,
it tends to be too verbose and is regarded by many in the field as
being inaccurate, so we do not advise people to rely on it. It can be
downloaded from most major archive sites -except- SIMTEL20.
The second one is the Computer Virus Catalog, published by the Virus
Test Center in Hamburg. It contains a highly technical description of
computer viruses for several platforms: MS-DOS, Mac, Amiga, Atari ST,
Unix. Unfortunately, the MS-DOS section is somewhat incomplete. The
CVC is available for anonymous ftp from ftp.informatik.uni-hamburg.de
(IP=134.100.4.42), directory pub/virus/texts/catalog.
A third source of information is the monthly Virus Bulletin. It
regularly publishes very detailed technical information about viruses.
Unfortunately it is -very- expensive (the subscription is about $350
per year; US subscriptions can be obtained by calling 203-431-8720).
A fourth good source of information on MS-DOS viruses is the "Computer
Viruses" report of the National Computer Security Association. This
is updated regularly, and is fairly complete. Copies cost
approximately $75, and can be ordered by calling +1 202-244-7875.
Another source of information is the documentation of Dr. Solomon's
Anti-Virus ToolKit. It is more complete than the CVC list, just as
accurate (if not more), but lists only MS-DOS viruses. However, it is
not available electronically; you must buy his anti-virus package and
the virus information is part of the documentation.
Yet another source of information is "Virus News International",
published by S & S International. And, while not entirely
virus-related, "Computers & Security" provides information on many
aspects of computer security, including viruses.
The best source of information available on Apple Macintosh viruses is
the on-line documentation provided with the freeware Disinfectant
program by John Norstad. This is available at most Mac archive sites.
A8) Where can I get the latest free/shareware anti-virus programs?
The VIRUS-L/comp.virus archive sites carry publicly distributable
anti-virus software products. See a recent listing of the archive
sites (or ask the moderator for a recent listing) for more information
on these sites.
If you need an MS-DOS anti-virus program urgently, chances are that
you can find it via anonymous FTP on WSMR-SIMTEL20.ARMY.MIL
(192.88.110.20), in the directory PD1:<MSDOS.TROJAN-PRO>. (Note that
the SIMTEL20 archives are also mirrored at many other anonymous FTP
sites, including oak.oakland.edu (141.210.10.117) and
wuarchive.wustl.edu (128.252.135.4).
Likewise, Macintosh anti-virus programs can be found on SIMTEL20 in
the PD3:<MACINTOSH.VIRUS> directory.
A9) Where can I get more information on viruses, etc for my report?
There are three excellent books on computer viruses available that
should cover most of the introductory and technical questions you
might have:
* "Computers Under Attack: Intruders, Worms and Viruses," edited by
Peter J. Denning, ACM Press/Addison-Wesley, 1990. This is a book of
collected readings that discuss computer viruses, computer worms,
break-ins, legal and social aspects, and many other items related to
computer security and malicious software. A very solid, readable
collection that doesn't require a highly-technical background.
* "Rogue Programs: Viruses, Worms and Trojan Horses," edited by
Lance J. Hoffman, Van Nostrand Reinhold, 1990. This is a book of
collected readings describing in detail how viruses work, where they
come from, what they do, etc. It also has material on worms, trojan
horse programs, and other malicious software programs. This book
focuses more on mechanism and relatively less on social aspects than
does the Denning book; however, there is an excellent piece by Anne
Branscomb that covers the legal aspects.
* "A Pathology of Computer Viruses," by David Ferbrache,
Springer-Verlag, 1992. This is a recent, in-depth book on the
history, operation, and effects of computer viruses. It is one of the
most complete books on the subject, with an extensive history section,
a section on Macintosh viruses, networks worms, and Unix viruses (if
they were to exist).
A somewhat dated, but still useful, high-level description of viruses,
suitable for a complete novice without extensive computer background
is in "Computer Viruses: Dealing with Electronic Vandalism and
Programmed Threats," by Eugene H. Spafford, Kathleen A. Heaphy, and
David J. Ferbrache, ADAPSO (Arlington VA), 1989. ADAPSO is a
computer industry service organization, and not a publisher, so the
book cannot be found in bookstores; copies can be obtained directly
from ADAPSO @ +1 703-522-5055). There is a discount for ADAPSO
members, educators, and law enforcement personnel. Many people have
indicated they find this a very understandable reference; portions of
it have been reprinted many other places, including Denning &
Hoffman's books (above).
======================================================
= Section B. Definitions and General Information =
======================================================
B1) What are computer viruses (and why should I worry about them) ?
The term "computer virus" tends to be used to cover many sorts of computer
programs that hide their true (malicious) function and try to spread onto as
many computers as possible. While the definitions of the various types of
computer virus (and other malicious software) in this document are certainly
useful, it can still be worth keeping something a "fuzzy" definition of
"computer virus", since pre-conceived notions as to what a virus is, and what
it exactly does, can lead to a false sense of security.
These software "pranks" are very serious; they are spreading faster than they
are being stopped, and even the least harmful of viruses can have serious
consequences. For example, a virus that stops your computer and displays a
message, in the context of a hospital life-support computer, could be fatal.
Even those who created the viruses could not stop them if they wanted to; it
requires a concerted effort from computer users to be "virus-aware", rather
than the ignorance and ambivalence that have allowed them to grow to such a
problem.
B2) What is a trojan horse?
It is a program that does something the programmer intended, but that
the user would not approve of if he knew about it. Thus, a virus is a
particular case of a Trojan horse, which is able to spread to other
programs (i.e., it turns them into trojans, too).
B3) What are "stealth" viruses (and what is special about them) ?
Every virus makes changes to executable code; hence every virus can be
detected by checking all executable code in a system for discrepancies
between presumed and actual contents. A stealth virus camouflages the
changes it has made from detection by other programs, usually by
monitoring the system functions used by programs to read files or
physical blocks from storage media, and forging the results of such
system functions suitably. However, in order to practise "stealth,"
the virus must be resident in memory. In every "stealth" virus seen
so far, this residence is detectable, often easily.
Example: One of the oldest MS-DOS Viruses, Brain, a boot sector
infector, monitors physical disk-I/O and re-directs any attempt to
read a Brain-infected boot sector to the disk area where the original
boot sector is stored.
Countermeasures: To gain unadulterated access to storage media, a
"clean" system is needed so that no virus is present to interfere with
its operation. Thus, the system should be built from a trusted,
clean master copy before any virus-checking is attempted; this is "The
Golden Rule of the Trade." With MS-DOS, (1) boot from original DOS
diskettes (i.e. DOS Startup/Program diskettes from a major vendor that
have been write-protected since their creation), (2) use only tools
from original diskettes until virus-checking has completed.
B4) What are polymorphic viruses (and what is special about them) ?
In order to eradicate a virus infection, all instances of this
particular virus in various places (program files, boot records, etc.)
have to be found and identified. A program to accomplish this task is
called a Virus Scanner.
A polymorphic virus tries to escape virus scanners by producing varied
(yet fully operational) copies of itself.
One method to evade signature-driven virus scanners is self-encryption
with a variable key; however these viruses (e.g. Cascade) are not
termed "polymorphic," as their decryption code is always the same and
thus can be used as a virus signature even by the simplest, signature-
driven virus scanners.
One method for a polymorphic virus is choosing amongst a variety of
different encryption schemes requiring different decryption routines:
only one of these routines would be plainly visible in any instance of
the virus (e.g. the Whale virus). A signature-driven virus scanner
would have to exploit several signatures (one for each possible
encryption method) to reliably identify a virus of this kind.
A more sophisticated polymorphic virus (e.g. V2P6) will vary the
sequence of instructions in its copies, by interspersing it with
"noise" instructions (e.g. a No Operation instruction, or an
instruction to load a currently unused register with an arbitrary
value), by interchanging mutually independent instructions, or even by
using various instruction sequences with identical net effects (e.g.
Subtract A from A, and Move 0 to A). A simple-minded, signature-based
virus scanner would not be able to reliably identify this sort of
virus; rather, a sophisticated "scanning engine" has to be constructed
after thorough research into the particular virus.
The advent of polymorphic viruses has rendered virus-scanning an ever
more difficult and expensive endeavor; adding more and more search
strings to simple scanners will not adequately deal with these
viruses.
B5) What are "armored" viruses?
Armored viruses use special tricks to make the tracing, disassembling
and understanding of their code more difficult. A good example is the
Whale virus.
B6) What different types of PC viruses are there?
Generally, there are two main classes of viruses: the first describes
file infectors which attach themselves to individual programs that
are easily copied/transferred between computers. These attack .COM
and .EXE programs though some will infect other classes of program
capable of execution (e.g. .DB* and .WK* files). Still others can
infect any program for which execution is requested such as .SYS,
.OVL, .PRG, & .MNU programs. Generally though, all file infector
viruses will infect either .COM or .EXE programs or both. Common
examples are Jerusalem, Sunday, Vienna, 4096, or Whale.
The second category is System Infectors: those viruses which infect
executable code found in specific locations either on a disk or in
memory. On DOS systems, for example, most of these viruses infect the
Master Boot Record on fixed disks, the DOS Boot Record on both fixed
and floppy disks, or the system files (IO.SYS or MSDOS.SYS). Examples
include Brain, Stoned, Empire, Azusa, & Michelangelo.
Finally, a few viruses are able to infect both (the Tequila
virus is one example).
B7) Miscellaneous Jargon and Abbreviations...
BSI = Boot Sector Infector: the most common PC viruses belong to this
family, which take over control when the computer attempts to boot.
DOS = Diskette Operating System: We use DOS to mean MS-DOS, PC-DOS, or
DR-DOS even though there are operating systems called DOS on unrelated
hardware.
MBR = Master Boot Record: the first sector on a PC hard disk, that
usually contains the partition table (but may simply contain a DOS
boot sector).
RAM = Random Access Memory: the place programs are loaded into to
execute; the significance for viruses is that, to be active, they must
grab some of this for themselves. However, some virus scanners may
declare a virus is active simply when it is found in RAM - even though
it might be in a disk's buffer area of RAM rather than truly being
executed.
TOM = Top Of Memory: (this is particularly significant in PC's) The
amount of RAM is recorded in the computer; viruses or other software)
may try to tell the software that follows there is less memory than
there really is, so the virus can hide there.
TSR = Terminate but Stay Resident: these are PC programs that stay in
memory while you continue to use the computer for other programs; they
include pop-up utilities, network software, and (unfortunately) some
viruses. These can often be seen using utilities such as MEM and PMAP
and INFOPLUS.
=================================
= Section C. Virus Detection =
=================================
C1) What are the symptoms and indications of a virus infection?
There are all kinds of symptoms which virus authors have written into
their programs, such as messages, music and graphical displays. These
"payloads" may include deleting files, or other destruction. Viruses
try to do a lot of spreading before they deliver their payload, but
there can be symptoms of virus infection before this, and it is
important to use this opportunity to spot and eradicate the virus
before any destruction.
The main indications are changes to file sizes and contents, changing
of interrupt vectors (on a PC), and the unaccounted use of RAM (but,
of course, viruses try to hid such effects). On a PC it can be very
worthwhile looking at the amount of RAM known to the CHKDSK program,
which should be 655360 bytes (or at least a multiple of 16384 bytes);
and boot sector infections are often easily identified to the trained
eye (or heuristic checkers such as CHECKOUT). These symptoms, along
with longer disk activity and strange behavior from the hardware, can
also be caused by genuine software, or by harmless "prank" programs,
or by hardware faults, unfortunately.
The only foolproof way to determine that a virus is present is for an
expert to analyze the assembly code contained in all programs and
system areas, but this is usually impracticable. Virus scanners go
some way towards that by looking in that code for known viruses; some
will even try to use artificial intelligence means to spot viral
activity, but this is usually only reliable for boot sectors. It is
wise to arm yourself with the latest anti-viral software, but also to
pay close attention to your system... look particularly for any change
in the memory map or configuration as soon as you start the computer.
For users of MS-DOS 5.0, the MEM program with the /C switch is very
handy for this. If you have DRDOS, use MEM with the /A switch; if you
have an earlier version use CHKDSK or the commonly-available PMAP or
MAPMEM utilities. You don't have to know what all the numbers mean,
only that they change.
C2) What steps should be taken in diagnosing and identifying viruses?
Most of the time, a virus scanner program will take care of that for
you. Running it often and on new disks will help identify problems
early! If you run into one that the scanner doesn't identify, or
doesn't properly clean up for you, first verify that the version that
you are using is the most recent, and then get in touch with one of
the reputable antivirus researchers and send a copy of the infected
file to them, after they ask you to send it. See also question C9.
C3) What does the <insert name here> virus do?
If an anti-virus program has detected a virus on your computer, don't
rush to post a question to this list asking what it does. First, it
might be a false positive alert (especially if the virus is found only
in one file), and second, some viruses are extremely common, so the
question "What does the Stoned virus do?" or "What does the Jerusalem
virus do?" is asked here repeatedly. While this list is monitored by
several anti-virus experts, they get tired of perpetually answering
the same questions over and over again. In any case, if you really
*need* to know what a particular virus does (as opposed to knowing
enough to get rid of it), you will need a longer treatise than could
reasonably be given to you.
For example, the Stoned virus replaces the disk's boot sector with its
own, relocating the original to a sector on the disk that may (or may
not) occur in an unused portion of the root directory of a DOS
diskette; when active, it sits in an area a few kilobytes below the
top of memory. All this description could apply to a number of common
viruses; but the important points of where the original boot sector
goes - and what effect that has on networking software, non-DOS
partitions, and so on are all major questions in themselves.
Therefore, it is better if you first try to answer your question
yourself. There are several sources of information about the known
computer viruses, so please consult one of them before requesting
information publicly. Chances are that your virus is rather well known
and that it is already described in detail in at least one of these
sources. (See the answers to questions A7 and A9, for instance.)
C4) What are "false positive" (Type I) and "false negative"
(Type II) errors?
Most virus scanners do not identify viruses exactly. What they do is
to use a characteristic sequence of bytes from the virus code, called
"scan string" and to scan the files for this string. While the authors
of most scanners do their best to select good scan strings, it is
possible that the same string happens to be present in a benign
program. If a non-virus program is flagged as a virus by the scanner,
this is called a "false positive" error.
On the other hand, a virus scanner searches only for known viruses.
Most probably it will miss a completely new or a heavily modified
virus. If the scanner does not detect a program, which in fact
contains a virus, this is called a "false negative" error.
Obviously the false negative errors are more dangerous than the false
positive ones. Therefore, producers of virus scanners usually attempt
to minimize both kinds of errors, but they are more concerned with the
false negative ones.
One other serious problem could occur: A "positive" that is
misdiagnosed. E.g., a scanner that detects the Empire virus in a boot
record but reports it as the Stoned. In the case of a boot sector
infector, use of a Stoned specific "cure" to recover from the Empire
could result in an unreadable disk or loss of extended partitions.
Similarly, sometimes "generic" recovery can result in unusable files.
"Second generation" products store information about "clean" programs
to allow verification of recovery processes.
C5) Could an anti-viral program itself be infected?
Yes, so it is important to obtain this software from good sources, and
to only trust results after running scanners from a "clean" system.
But there are situations where one scanner appears to be infected when
it isn't.
Most antiviral programs try very hard to identify only viral
infections, but sometimes they give false alarms. If two different
antiviral programs are both of the "scanner" type, they will contain
"signature strings" to identify viral infections. If the strings are
not "encrypted", then they will be identified as a virus by another
scanner type program. Also, if the scanner does not remove the
strings from memory after they are run, then another scanner may
detect the virus string "in memory".
Note that a recent example of this type of false alarm regards F-PROT
"detecting" viruses in two Central Point Anti-Virus (CPAV) files.
Some "change detection" type antiviral programs add a bit of code or
data to a program when "protecting" it. This might be detected by
another "change detector" as a change to a program, and therefore
suspicious.
It is good practice to use more than one antiviral program. Do be
aware, however, that antiviral programs, by their nature, may confuse
each other.
C6) Where can I get a virus scanner for my Unix system?
Basically, you shouldn't bother scanning for Unix viruses at this
point in time. Although it is possible to write Unix-based viruses,
we have yet to see any instance of a non-experimental virus in that
environment. Someone with sufficient knowledge and access to write an
effective virus would be more likely to conduct other activities than
virus-writing. Furthermore, the typical form of software sharing in
an Unix environment would not support virus spread.
This answer is not meant to imply that viruses are impossible, or that
there aren't security problems in a typical Unix environment -- there
are. However, true viruses are highly unlikely and should be found
quite readily with normal Unix file integrity procedures. For more
information on Unix security, see the book "Practical Unix Security"
by Garfinkel and Spafford, O'Reilly & Associates, 1991 (it can be
ordered via e-mail from nuts@ora.com).
However, there are special cases for which scanning Unix systems for
non-Unix viruses does make sense. For example, a Unix system which is
acting as a file server (e.g., PC-NFS) for PC systems is quite capable
of containing PC file infecting viruses that are a danger to PC clients.
Note that, in this example, the UNIX system would be scanned for PC
viruses, not UNIX viruses.
Another example is in the case of a 386/486 PC system running Unix,
since this system is still vulnerable to infection by BIOS infectors
such as Stoned and Michelangelo, which are operating system
independent. (Note that an infection on such a Unix PC system would
probably result in disabling the Unix disk partition(s) from booting.)
In addition, a file integrity checker (to detect unauthorized changes
in executable files) on Unix systems is a very good idea. (One free
program which can do this test, as well as other tests, is the COPS
package, available by anonymous FTP on cert.sei.cmu.edu.) Unauthorized
file changes on Unix systems are very common, although they usually
are not due to virus activity.
C7) Why does my anti-viral scanner report an infection only sometimes?
There are circumstances where part of a virus exists in RAM without
being active; if your scanner reports a virus in memory only sometimes
it could be due to the operating system buffering disk reads, keeping
disk contents that include a virus in memory (harmlessly) - in which
case it should also find it on disk, or after running another scanner
there may be scan strings left (again harmlessly) in memory.
C8) Is my disk infected with the Stoned virus ?
Of course the answer to this, and many similar questions, is to obtain
a good virus detector. However, the Stoned virus is one that occurs
often and you may spend a lot of time going through disks looking for
it. Also, there are several versions of this virus (and similar ones)
that may just possibly escape detection by conventional scanners.
Since it is so easy to detect "by hand", it is worth using the CHKDSK
method (mentioned in C2) to make sure it isn't in memory, then looking
at the first 11 bytes in diskettes using your favorite hex disk
editor; what you should look for is the third byte should be "90" hex
for a good diskette, and "00" for an infected diskette (anything else
may or may not imply an infection). There are even better methods of
determining the presence of such a virus, e.g. contained in the
freeware CHECKOUT program and the shareware SCANBOOT program, but this
is good enough for a quick check. The advantage of the system is that
it can be a lot faster than running some scanners over the disk, if
there are many to check. There are disadvantages - the main one being
that a few "good" diskettes, such as "immunized" ones, may show up as
having a virus - in which case you refer them to a better scan before
disinfecting them.
A more time-efficient method is to load the SCANBOOT TSR and let it
check diskettes automatically as you access them in the normal way
(e.g. when listing their files).
C9) I think I have detected a new virus; what do I do?
Whenever there is doubt over a virus, you should obtain the latest
versions of several (not just one) major virus scanner. If you use
F-PROT, which has several methods of scanning, try each method in
turn. The "heuristic" methods in one of these scan methods, and in
several other programs (CHECKOUT and SCANBOOT, for example), can
report a disk or file as being possibly infected, when it is, in fact
perfectly safe (odd, perhaps, but not infected). If no
string-matching scan finds a virus, but a heuristic program does (or
there are other reasons to suspect the file, e.g. change in size of
files) then it is possible that you have found a new virus, although
the chances are probably greater that it is an odd-but-okay disk or
file. Start by looking in recent VIRUS-L postings about "known" false
positives, then contact the author of the anti-virus software that
reports it as virus-like. Read the section explaining what to do if
you think you have found a new virus, and consider using the BOOTID or
CHECKOUT programs to calculate the "hashcode" of the diskette, in the
case of boot sector infectors.
===================================
= Section D. Protection plans =
===================================
D1) What is the best protection policy for my computer?
There is no "best" anti-virus program. In fact, there is no program
that can magically protect you against all viruses. But you can design
a whole anti-virus protection strategy and build multiple layers of
defense. There are three main kinds of anti-virus detectors, plus
several other means of protection (such as hardware write-protect
methods).
1) Monitoring programs; these look for viral activity when it happens,
such as attempts to write to another executable, reformat the disk,
etc, etc. Examples: FluShot+ (PC), and GateKeeper (Macintosh).
2) Scanners. Most look for known virus strings (byte sequences known
to occur in certain viruses, but hopefully not in good software), but
some use AI or heuristic techniques to recognize viral code. They may
also include virus removers. Examples: Dr Solomon's Anti-Virus Toolkit,
FRISK's F-Prot, McAfee's VIRUSCAN (all PC), Disinfectant (Macintosh).
3) Integrity (change-of-state) checkers. These take a "snapshot" of code,
and periodically compare code with the original and (what is supposed
to be) uninfected snapshot. Examples: V-Analyst (commercial, BRM
Technologies, Israel) and Integrity Master (shareware), both for the PC.
Plus, there are mixtures and variations on these approaches, such as
resident scanners (e.g. VShield, VIRSTOP) and heuristic search
versions (e.g. SCANBOOT). Of course, only a few examples of each type
were given. All of them can find their place in the protection
against the computer viruses, but you should appreciate the
limitations of each method, along with system-supplied security
measures that may or may not be helpful in defeating viruses. Ideally,
you would arrange a combination of methods that cover the loopholes
between them.
A typical PC installation might include a protection system on the
hard disk's MBR to protect against viruses at load time (ideally this
would be hardware or in BIOS, but software methods such as DiskSecure
and PanSoft's Immunise are pretty good). This would be followed by
resident virus detectors loaded as part of the machine's startup
(config.sys or autoexec.bat), such as FluShot+ and/or VirStop together
with ScanBoot. A scanner such as F-Prot or McAfee's scan should be
put into autoexec.bat to look for viruses as you start up, but this
may be a problem if you have a large disk to check (or don't reboot
often enough). Most importantly, new files should be scanned as they
arrive on the system. If your system has DR-DOS installed, you should
use the password command to write-protect all system executables and
utilities. If you have Stacker or SuperStore, you can get some
improved security from these compressed drives, but also a risk that
those viruses stupid enough to directly write to the disk could do
much more damage than normal; using a software write-protect system
(such as provided with Disk Manager or Norton Utilities) may help, but
the best solution (if possible) is to put all executables on a disk of
their own, protected by a hardware read-only system that sounds an
alarm if a write is attempted.
If you do use a resident BSI detector or a scan-while-you-copy
detector, it is important to trace back any infected diskette to its
source; the reason why viruses survive so well is that usually you
cannot do this, because the infection is found long after the
infecting diskette has been forgotten with most people's lax scanning
policies.
Organizations should devise and implement a careful policy, that may
include a system of vetting new software brought into the building and
free virus detectors for home machines of employees/students/etc who
take work home with them.
D2) Is it possible to protect a computer system with only software?
Not perfectly, however, software defenses can significantly reduce
your risk of being affected by viruses WHEN APPLIED APPROPRIATELY.
All virus defense systems are tools - each with their own capabilities
and limitations. Learn how your system works and be sure to work
within its limitations.
From a software standpoint, a very high level of protection/detection
can be achieved with only software, using a layered approach.
1) ROM Bios - password (access control) and selection of boot
disk. (some may consider this hardware)
2) Boot sectors - integrity management and change detection
3) OS programs - integrity management of existing programs,
scanning of unknown programs. Requirement of authentication
values for any new or transmitted software.
4) Locks that prevent writing to a fixed or floppy disk.
As each layer is added, invasion without detection becomes more
difficult. However complete protection against any possible attack
cannot be provided without dedicating the computer to pre-existing or
unique tasks. The international standardization of the world on the
IBM PC architecture is both its greatest asset and its greatest
vulnerability.
D3) What can be done with hardware protection?
Hardware protection can accomplish various things, including: write
protection for hard disk drives, memory protection, monitoring and
trapping unauthorized system calls, etc. Again, no tool is foolproof.
The popular idea of write-protection (see D6) may stop viruses
spreading to the disk that is protected, but doesn't, in itself,
prevent a virus from running.
D4) Will setting DOS file attributes to READ ONLY protect them from viruses?
No. While the Read Only attribute will protect your files from a few
viruses, most simply override it, and infect normally. So, while
setting executable files to Read Only is not a bad idea, it is
certainly not a thorough protection against viruses!
D5) Will password/access control systems protect my files from viruses?
Some will, some won't. Many file access control systems for PCs will
do a great deal to guard against existing PC viruses. A good
operating system (not wishing to start a "Unix vs MSDOS" war!)
combined with use of memory management hardware is best. But they are
not foolproof.
The important thing is that they be properly installed and
administered. (There's a recurring theme here...)
D6) Will the protection systems in DR-DOS 5 or 6 work against viruses ?
Partially. Neither the password file/directory protection available
from DRDOS version 5 onwards, nor the secure disk partitions
introduced in DRDOS 6 are intended to combat viruses, but they do to
some extent. If you have DRDOS, it is very wise to password-protect
your files (to stop accidental damage too), but don't depend on it as
the only means of defense.
The use of the password command (e.g. PASSWORD/W:MINE *.EXE *.COM)
will stop more viruses than the plain DOS attribute facility, but that
isn't saying much! The combination of the password system plus a disk
compression system may be more secure (because to bypass the password
system they must access the disk directly, but under SuperStore or
Stacker the physical disk is meaningless to the virus). There may be
some viruses which, rather than invisibly infecting files on
compressed disks in fact very visibly corrupt the disk.
The "secure disk partitions" system introduced with DRDOS 6 may be of
some help against a few viruses that look for DOS partitions on a
disk. The main use is in stopping people fiddling with (and
infecting) your hard disk while you are away.
D7) Will a write-protect tab on a floppy disk stop viruses ?
In general, yes. The write-protection on IBM PC (and compatible) and
Macintosh floppy disk drives is implemented in hardware, not software,
so viruses cannot infect a diskette with a properly-functioning
write-protection mechanism is functioning properly.
But remember:
(a) A computer may have a faulty write-protect system (this happens!)
- you can test it by trying to copy a file to the diskette.
(b) Someone may have removed the tab for a while, allowing a virus on.
(c) The files may have been infected before the disk was protected.
Even some diskettes "straight from the factory" have been known to be
infected in the production processes.
So, it is worthwhile to scan even write-protected disks for viruses.
D8) What is the best way to remove the virus so that downtime is short
and losses are low?
Do the minimum that you must to restore the system to a normal state,
starting with booting the system from a clean diskette. It is very
unlikely you need to "low level reformat" the hard disk!
If a disinfecting program will remove the virus, do that. If not, and
the virus is a program (or file) infector, remove the infected file
and reinstall the software from the original (write-protected) disks.
If the virus is a boot sector infector, you can continue using the
computer with relative safety if you boot it from a clean system
diskette, but it is wise to go through all your diskettes removing
infection, since sooner or later you may be careless and leave a
diskette in the machine when it reboots. Boot sector infectors on PC's
can be cured by a two-step approach of replacing the MBR then using
the SYS command.
=======================================================
= Section E. Facts and Fibs about computer viruses =
=======================================================
E1) Can "boot sector" viruses like Stoned infect non-bootable floppy disks?
Any diskette that has been properly formatted contains an executable
program in the boot sector. If the diskette is not "bootable," all
that boot sector does is print a message like "Non-system disk or disk
error; replace and strike any key when ready" but it's still
executable and still vulnerable to infection. If you accidentally
turn your machine on with a "non-bootable" diskette in the drive, and
see that message, it means that any boot virus that may have been on
that diskette *has* run, and has had the chance to infect your hard
drive, or whatever. So when thinking about viruses, the word
"bootable" (or "non-bootable") is really misleading. All formatted
diskettes are capable of carrying a virus.
E2) Can a virus hide in a PC's battery-backed CMOS memory?
No. The CMOS RAM in which system information is stored and backed up
by batteries is ported, not addressable. That is, in order to get
anything out, you use I/O commands. So anything stored there is not
directly sitting in memory. Nothing in a normal machine loads the
data from there and executes it, so a virus that "hid" in the CMOS RAM
would still have to infect an executable object of some kind, in order
to load and execute whatever it had written to CMOS. A malicious
virus can of course *alter* values in the CMOS as part of its payload,
but it can't spread through, or "hide" itself in, the CMOS.
E3) Can a virus infect data files?
Several viruses (Frodo, Cinderella) contain bugs, which make them
infect non-executable programs. However, in order to spread, the virus
must be executed. Therefore, the "infected" non-executable files
cannot be sources of infection.
However, note that it is not always possible to make a distinct
difference between executable and non-executable files. One man's code
is another man's data and vice versa. Several files that are not
directly executable contain code or data, which is at some time
executed or interpreted.
Some examples from the IBM PC world are .OBJ files, libraries, device
drivers, source files for any compiler or interpreter, macro files
for some packages like MS Word and Lotus 1-2-3, and many others.
Currently there are viruses that infect boot sectors, master boot
sectors, COM files, EXE files, BAT files, and device drivers, although
any of the objects mentioned above can theoretically be used as an
infection carrier. PostScript files can also be used to carry a virus,
although no currently known virus does that.
E4) Can viruses spread from one type of computer to another? (e.g.,
Amiga to PC), even if they can both read the same format disks,
like the Atari ST reading MS-DOS format disks.
The simple answer is that no currently known viruses can do that.
Although the disk formats may be the same, the different machines
interpret the code differently. For example, the Stoned virus cannot
infect an ST as the ST cannot execute the virus code in the
bootsector. The Stoned virus contains instructions for the 80x86
family of CPU's that the 680x0-family CPU (Atari ST) can't understand
or execute.
The more general answer is that such viruses are possible, but
unlikely. Such a virus would be quite a bit larger than current
viruses and might well be easier to find. Additionally, the low
incidence of cross-machine sharing of software means that any such
virus would be unlikely to spread -- it would be a poor environment
for virus growth.
E5) Can mainframe computers be susceptible to computer viruses?
Yes. Numerous experiments have shown that computer viruses spread
very quickly and effectively on mainframe systems. However, to our
knowledge, no non-research computer virus has been seen on mainframe
systems. (The Internet worm of November 1988 was not a computer virus
by most definitions, although it definitely had some virus-like
characteristics.)
Computer viruses are actually a special case of something else called
"malicious logic", and other forms of malicious logic -- notably
Trojan horses -- are far quicker, more effective, and harder to detect
than computer viruses. Hence those tend to be used to attack
mainframe systems, rather than computer viruses.
For further information on malicious programs on multi-user systems,
see Matt Bishop's paper, "An Overview of Malicious Logic in a Research
Environment". The paper is available via anonymous FTP on
Dartmouth.edu (129.170.16.4) as "pub/security/mallogic.ps".
E6) Some people say that disinfecting viruses is a bad idea. Is that true?
Disinfecting a virus is completely "safe" only if the disinfecting
process restores the non-infected state of the object completely. That
is, not only the virus must be removed from the file, but the original
length of the file must be restored exactly, as well as its time and
date of last modification, all fields in the header, etc. Sometimes,
it is necessary to to be sure that the file is placed on the same
clusters of the disk that it occupied prior to infection. If this is
not done, then a program, which uses some kind of self-checking or
copy protection may stop functioning properly, if at all.
None of the currently available disinfecting programs do all this. For
instance, because of the bugs that exist in many viruses, some of the
information of the original file is destroyed and cannot be recovered.
Other times, it is even impossible to detect that this information has
been destroyed and to warn the user. Furthermore, some viruses
corrupt information very slightly and in a random way (Nomenklatura,
Phoenix), so that it is even not possible to tell which files have
been corrupted.
Therefore, it is always better to determine the infected objects, and
to destroy them by replacing them with clean backups. You should try
to disinfect files only if they contain some valuable data that
cannot be restored from backups or compiled from their original
source.
E7) Can I avoid viruses by avoiding shareware/free software/games?
No. There are many documented instances in which commercial "shrink
wrap" software was inadvertently distributed containing viruses.
Avoiding shareware, freeware, games, etc., only isolates you from a
vast collection of software (some of it very good, some of it very
bad, most of it somewhere in between...).
The important thing is not to avoid a certain type of software, but to
be cautious of ANY AND ALL newly acquired software. Simply scanning
all new software media for known viruses would be rather effective at
preventing virus infections, especially when combined with some other
prevention/detection strategy such as integrity management of
programs.
E8) Can MS-DOS Viruses run on Non-DOS machines (e.g., Mac, Amiga)?
In general, no. However, on machines running DOS emulators (either
hardware or software based), DOS viruses - just like any DOS program -
may function. These viruses would be subject to the file access
controls of the host operating system. An example is when running a
DOS emulator such as VP/ix under a 386 UNIX environment, DOS
programs are not permitted access to files which the host UNIX system
does not allow them to. Thus, it is important to administer these
systems carefully.
=========================================
= Section F. Miscellaneous Questions =
=========================================
F1) How many different types of viruses are there?
It is not possible to give an exact number because new viruses are
being created literally every day. Furthermore, the different
anti-virus researchers use different criteria to decide whether two
viruses are different or one and the same. Some count two viruses as
two different ones if they differ by at least one bit in their
non-variable code. Others group the viruses in families and do not
count the closely related variants in one family as different viruses.
As of March 1992, there were about 1,200 different IBM PC viruses,
about 150 Amiga viruses, about 30 Macintosh viruses, several Atari ST
viruses and a few Apple II viruses.
F2) How do viruses spread so quickly?
This is a very complex issue. Most viruses don't spread very quickly.
Those that do spread widely are able to do so for a variety of
reasons. A large target population (i.e., millions of compatible
computers) helps... A large virus population helps... Vendors whose
quality assurance mechanisms rely on, for example, outdated scanners
help... Users who gratuitously insert new software into their systems
without making any attempt to test for viruses help... All of these
things are factors.
F3) What is the plural of "virus"? "Viruses" or "viri" or "virii" or...
The correct English plural of "virus" is "viruses." The Latin word is
a mass noun (like "air"), and there is no correct Latin plural.
Please use "viruses," and if people use other forms, please don't use
VIRUS-L/comp.virus to correct them.
F4) When reporting a virus infection (and looking for assistance), what
information should be included?
People frequently post messages to VIRUS-L/comp.virus requesting
assistance on a suspected virus problem. Quite often, the information
supplied is not sufficient for the various experts on the list to be
able to help out. Also note that any such assistance from members of
the list is provided on a volunteer basis; be grateful for any help
received. Try to provide the following information in your requests
for assistance:
- The name of the virus (if known);
- The name of the program that detected it;
- The version of the program that detected it;
- Any other anti-virus software that you are running and
whether it has been able to detect the virus or not, and if yes, by
what name did it call it;
- Your software and hardware configuration (computer type,
kinds of disk(ette) drives, amount of memory and configuration
(extended/expanded/conventional), TSR programs and device drivers
used, OS version, etc.)
F5) How often should we upgrade our anti-virus tools to minimize
software and labor costs and maximize our protection?
This is a difficult question to answer. Antiviral software is a kind
of insurance, and those type of calculations are difficult.
There are two things to watch out for here: the general "style" of the
software, and the signatures which scanners use to identify viruses.
Scanners should be updated more frequently than other software, and it
is probably a good idea to have a new set of signatures at least every
two to three months.
Some antiviral software looks for changes to programs or specific
types of viral "activity," and these programs generally claim to be
good for "all current and future viral programs." However, even these
programs cannot guarantee to protect against all future viruses, and
should probably be upgraded once per year.
Of course, not every anti-virus product is effective against all (or
any!) viruses, even if upgraded regularly. Thus, do *not* depend on
the fact that you have upgraded your product recently as a guarantee
that your system is free of viruses!
=====================================================================
= Section G. Specific Virus and Anti-viral software Questions... =
=====================================================================
G1) I was infected by the Jerusalem virus and disinfected the infected
files with my favorite anti-virus program. However, Wordperfect and
some other programs still refuse to work. Why?
The Jerusalem virus and Wordperfect program combination is an example
of a virus and program that cannot be completely disinfected by an
anti-virus tool. In some cases such as this one, the virus will
destroy file header information by overwriting it. The only solution
is to re-install the programs from clean (non-infected) backups or
distribution media. (See question C4.)
G2) I was told that the Stoned virus displays the text "Your PC is now
Stoned" at boot time. I have been infected by this virus several
times, but have never seen the message. Why?
The "original" Stoned message was ".Your PC is now Stoned!", where the
"." represents the "bell" character (ASCII 7 or "PC speaker beep").
The message is displayed with a probability of 1 in 8 only when a PC is
booted from an infected diskette -- when booting from an infected hard
disk Stoned never displays this message.
Recently, versions of Stoned with -no message whatsover- or only the
leading bell character have become very common. These versions of
Stoned are likely to go unnoticed by all but the most observant, even
when regularly booting from infected diskettes.
Contrary to the information in Patricia Hoffman's VSUM and derivative
works (apparently including the Central Point Anti-Virus ad's in
PC-Magazine, et al.), the Stoned virus -does NOT- display the message
"LEGALISE MARIJUANA", although such a string is quite clearly visible
in the boot sectors of diskettes infected with the "original" version
of Stoned in "standard" PC's.
====================
[End of VIRUS-L/comp.virus FAQ]
------------------------------
End of VIRUS-L Digest [Volume 5 Issue 70]
*****************************************