- Path: senator-bedfellow.mit.edu!dreaderd!not-for-mail
- Message-ID: <computer-virus/alt-faq/part2_953842042@rtfm.mit.edu>
- Supersedes: <computer-virus/alt-faq/part2_952514862@rtfm.mit.edu>
- Expires: 21 Apr 2000 20:07:22 GMT
- References: <computer-virus/alt-faq/part1_953842042@rtfm.mit.edu>
- X-Last-Updated: 2000/02/29
- Organization: none
- From: George Wenzel <gwenzel@telusplanet.net>
- Newsgroups: alt.comp.virus,comp.virus,alt.answers,comp.answers,news.answers
- Followup-To: alt.comp.virus
- Subject: [alt.comp.virus] FAQ Part 2/4
- Approved: news-answers-request@MIT.EDU
- X-no-archive: yes
- Originator: faqserv@penguin-lust.MIT.EDU
- Date: 23 Mar 2000 20:09:05 GMT
- Lines: 957
- NNTP-Posting-Host: penguin-lust.mit.edu
- X-Trace: dreaderd 953842145 2960 18.181.0.29
- Xref: senator-bedfellow.mit.edu alt.comp.virus:101519 comp.virus:30977 alt.answers:47997 comp.answers:40196 news.answers:180075
-
- Archive-name: computer-virus/alt-faq/part2
- Posting-Frequency: Fortnightly
- URL: http://www.sherpasoft.org.uk/acvFAQ/
- Maintainer: Co-maintained by David Harley, Bruce Burrell, and George Wenzel
-
- -----BEGIN PGP SIGNED MESSAGE-----
-
- alt.comp.virus (Frequently Asked Questions)
- *******************************************
-
- Version 1.1 : Part 2 of 4
- Last modified 19th August 1999
-
-
- ("`-''-/").___..--''"`-._
- `6_ 6 ) `-. ( ).`-.__.`)
- (_Y_.)' ._ ) `._ `. ``-..-'
- _..`--'_..-_/ /--'_.' ,'
- (il),-'' (li),' ((!.-'
-
-
-
- ADMINISTRIVIA
- =============
-
- Disclaimer
- - - ----------
-
- This document is an honest attempt to help individuals with computer
- virus-related problems and queries. It can *not* be regarded as being
- in any sense authoritative, and has no legal standing. The authors
- accept no responsibility for errors or omissions, or for any ill effects
- resulting from the use of any information contained in this document.
-
- NB It is not claimed that this document is up-to-date in all respects.
-
- Not all the views expressed in this document are those of the maintainers,
- and those views which *are* those of the maintainers are not necessarily
- shared by their respective employers.
-
- Copyright Notice
- - - ----------------
-
- Copyright on all contributions to this FAQ remains with the authors
- and all rights are reserved. It may, however, be freely distributed
- and quoted - accurately, and with due credit. B-)
-
- It may not be reproduced for profit or distributed in part or as
- a whole with any product or service for which a charge is made, except
- with the prior permission of the copyright holders. To obtain such
- permission, please contact one of the co-maintainers of the FAQ.
-
- David Harley <D.Harley@icrf.icnet.uk>
- George Wenzel <gwenzel@telusplanet.net>
- Bruce Burrell <bpb@umich.edu>
-
- [Please check out the more detailed copyright notice at the beginning
- of Part 1 of the FAQ]
-
- - - --------------------------------------------------------------------
-
- TABLE OF CONTENTS
- =================
-
- See Part 1 of this FAQ for the full Table of Contents
-
- Part 2
- ------
-
- (8) What's the best anti-virus software
- (and where do I get it)?
- (9) Where can I get further information?
- (10) Does anyone know about
- * Mac viruses?
- * UNIX viruses?
- * macro viruses?
- * the AOLGold virus?
- * the PKZip300 trojan virus?
- * the xyz PC virus?
- * the Psychic Neon Buddha Jesus virus?
- * the blem wit virus
- * the Irina virus
- * Ghost
- * General Info on Hoaxes/Erroneous Alerts
- (11) Is it true that...?
- (12) Favourite myths
- * DOS file attributes protect executable files from
- infection
- * I'm safe from viruses because I don't use bulletin
- boards/shareware/Public Domain software
- * FDISK /MBR fixes boot sector viruses
- * Write-protecting suspect floppies stops infection
- * The write-protect tab always stops a disk write
- * I can infect my system by running DIR on an infected
- disk
- =================
-
- (8) What's the best anti-virus software
- (and where do I get it)?
-
- In case it's not absolutely clear from the following, it simply isn't
- possible to answer the first part of this question. There are, however,
- some suggestions for sources of software and of information on particular
- packages, comparative reviews etc. The danger of this approach is that
- sites, servers, and packages come and go, and it isn't possible to
- keep track of all of them. If URLs in this section have changed,
- please inform the maintainers so that they may be updated.
-
- Most of the people who post here have their favourites: if you just
- ask which is the best, you'll generally get either a subjective
- "I like such and such", recommendation of a particular product by
- someone who works for that company, or a request to be more specific
- about your needs. Some of us who are heavily involved with virus
- control favour using more than one package and keeping track of the
- market. Don't trust anything you read in the non-technical press.
- Don't accept uncritically reviews in the computing press, either:
- even highly-regarded IT specialists often have little understanding
- of virus issues, and many journalists are specialists only in
- skimming and misinterpreting. Magazines like Virus Bulletin and
- Secure Computing are much better informed and do frequent comparative
- reviews, and are also informative about their testing criteria,
- procedures and virus suites. Recently, a number of articles have been
- posted here by people who've run their own tests on various packages.
- These are often of interest, but should not be accepted uncritically.
- (No-one's opinion should be accepted uncritically!)
-
- Valid testing of antivirus software requires a lot of care and
- thought, and not all those who undertake it have the resources,
- knowledge or experience to do it properly.
-
- You may get a more informed response if you specify what sort of system
- you have - DOS, Windows, Win95, WinNT, Mac? XT, AT, 386 or better?
- Is the system networked, and are you asking about protecting the
- whole network? (What sort of network?) Are you running NT, OS/2
- or Win95, any of which involve special considerations? Be aware
- that there is more than one way of judging the effectiveness of a
- package - the sheer number of viruses detected; speed; tendency
- to false alarms; size (can you run it from a single floppy when
- necessary?); types of virus detection & prevention (not at all the
- same thing) offered (command-line scanning, TSR scanning, behaviour
- blocking, checksumming, access-control, integrity shell etc.);
- technical support etc.
-
- One possible (but imperfect) measure of a package's efficiency in terms
- of virus detection is ICSA certification (ICSA was formerly the NCSA).
- Under the current testing protocol, a scanner must detect 100% of the
- viruses on the WildList plus at least 90% of ICSA's full test suite.
- Note that this measures detection only, not speed, false-alarm rate or
- the other criteria listed above. See
- http://www.icsa.net/services/product_cert/ for details.
-
- Comprehensive product reviews can sometimes be found at the following
- sites, but are not necessarily the latest available.
-
- http://www.virusbtn.com/ _Virus Bulletin_
- http://www.westcoast.com/ _Secure Computing_
- http://www.uta.fi/laitokset/virus/ University of Tampere
- ftp://ftp.informatik.uni-hamburg.de/pub/virus/ Virus Test Center
- and http://agn-www.informatik.uni-hamburg.de/vtc/naveng.htm
- http://victoria.tc.ca/int-grps/books/techrev/mnvr.html
-
- and a number of reputable vendors include comparative reviews,
- papers on testing etc. on their WWW/FTP servers.
-
- Many anti-virus packages are available from the SimTel mirrors:
- http://www.simtel.net/simtel.net/msdos/virus.html
- ftp://ftp.simtel.net/pub/simtelnet/msdos/virus/
-
- For information on mirror sites, a regularly-updated listing can
- be found at
-
- http://www.simtel.net/simtel.net/mirrors.html
-
- Of course, such products can often be obtained direct from the
- publisher's WWW site, too. The following information is not intended
- to be a totally comprehensive list; it is merely a reference to where
- major anti-virus packages can be downloaded.
-
- Please note that the maintainers have not tested or even seen all the
- packages listed here, and listing here does not imply recommendation
- (though we won't list anything we *know* is rubbish....).
-
- - - ------------
- AntiViral Toolkit Pro (commercial with evaluation versions)
- Platform(s): DOS, Win3.x, Win95/98, NT, OS/2, NetWare.
- URL: http://www.avp.com
- http://www.avp.ch
- http://www.avp.tm
- http://www.avp.ru
-
- - - ------------
- AVAST!, AVAST32 (Commercial with evaluation versions)
- Platform(s): DOS, Win3.x, Win95/98, NT.
- URL: http://www.anet.cz/alwil/
-
- - - ------------
- Calluna Hardwall (Hardware-based virus protection)
- Platform(s): Win3.x, Win95, NT.
- URL: http://www.hardwall.com/
-
- - - ------------
- ChekMate (Integrity Checker; commercial w/ evaluation versions)
- Platform(s): DOS, Win3.x, Win95/98, OS/2.
- URL: http://chekware.simplenet.com/cmindex.htm
-
- - - ------------
- ESafe Protect
- Platform(s): Win95/98, NT.
- URL: http://www.esafe.com/
-
- - - ------------
- F-Prot (Free for personal, non-commercial use)
- Platform(s): DOS with limited Windows support
- URL: http://www.complex.is
-
- - - ------------
- F-Prot Professional (Commercial; distributed by both Command Software
- and DataFellows)
- Platform(s): DOS, Win3.x, Win95/98, WinNT, NetWare
- URL: http://www.commandcom.com/
- http://www.DataFellows.com/
- More details inc. in PRO.DOC, supplied with the shareware version.
-
- - - ------------
- InoculateIT (formerly InocuLan) - commercial, with a freeware version
- Platform(s): Win95/98, NT, Netware.
- URL: http://www.cai.com/products/inoculateit.htm
-
- - - ------------
- Integrity Master (Commercial with evaluation versions)
- Platform(s): DOS, Win3.x, Win95/98, NT, OS/2.
- URL: http://www.stiller.com
-
- - - ------------
- Invircible (commercial with evaluation versions)
- Platform(s): DOS, Win3.x, Win95/98, NT.
- URL: http://www.invircible.com/
- Note: The creators of InVircible have marketed it as the be-all and
- end-all of anti-virus products. As with any product, the buyer
- should beware such outlandish claims.
-
- - - ------------
- McAfee VirusScan (also Dr. Solomon's products) - eval versions available
- Platform(s): DOS, Windows, Win95, NetWare, Mac, NT, Lotus Notes,
- Groupware, Exchange, SunOS, Solaris, FreeBSD, SCO, Linux.
- URL: http://www.nai.com
-
- - - ------------
- Microsoft (Macro Virus fixes)
- URL: http://www.microsoft.com
- Note: Microsoft anti-virus (MSAV) is no longer supported. If you're using
- it, get something else (anything else). MSAV is not adequate
- protection as it does not protect against current viruses.
- There is a paper by Yisrael Radai which documents many of the other
- problems with MSAV and CPAV.
-
- ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/msaveval.zip
-
- - - ------------
- MIMESweeper (Mail scanning 'firewall')
- Platform(s): Domino, SMTP, Exchange, Raptor
- URL: http://www.mimesweeper.com
-
- - - ------------
- NH&A (Distributors of various anti-virus products; see URL for details)
- Platform(s): Various, depends on the product
- URL: http://www.nha.com
-
- - - ------------
- Norman Virus Control
- Platform(s): DOS, Win3.x, Win95, NT, OS/2, NetWare, Lotus Domino, Exchange.
- URL: http://www.norman.com/
-
- - - ------------
- Norton Anti-virus, Symantec Anti-virus for Mac
- Platform(s): DOS, Win3.x, Win95/98, Mac (SAM), NT, NetWare, OS/2,
- Lotus Notes, Exchange.
- URL: http://www.symantec.com/
-
- - - ------------
- Panda Anti-Virus
- Platform(s): DOS, Win3.x, Win95/98, NT, OS/2.
- URL: http://www.pandasoftware.com
-
- - - ------------
- PC-Cillin, InterScan, Scanmail, Serverprotect
- Platform(s): Win95/98, NT, Lotus Notes, Exchange, Outlook, cc:mail.
- URL: http://www.antivirus.com/
-
- - - ------------
- Reflex Magnetics Ltd - DiskNet, Macro Interceptor, and Data Vault
- Platform(s): Win95/98, NT.
- URL: http://www.reflex-magnetics.co.uk/
-
- - - ------------
- ScanMaster for Novell/Vines (Uses McAfee VirusScan engine)
- URL: http://www.netpro.com
-
- - - ------------
- Sophos Sweep (commercial with evaluation versions)
- Platform(s): DOS, Win3.x, Win95/98, NT, Mac, OS/2, Netware, AIX, Linux,
- FreeBSD, HP-UX/HP-PA, SCO, Solaris, OpenVMS, Banyan VINES.
- URL: http://www.sophos.com/
-
- - - ------------
- VirusBUSTER, MacroVirusBUSTER, CyberBUSTER
- Platform(s): DOS, Win3.x, Win95/98, NT
- URL: http://www.leprechaun.com.au/
-
- - - ------------
- VirusNet
- Platform(s): DOS, Win3.x, Win95/98, NT
- URL: http://www.safetynet.com
-
- - - ------------
-
- In the event of a *real* tragedy, there are a number of firms which
- specialise in data recovery. Examples include:
-
- Ontrack Data Recovery, Inc.
- URL: http://www.ontrack.com
-
- DataRescue:
- URL: http://www.datarescue.com/
-
-
- (9) Where can I get further information?
- ========================================
-
- The following sites are not regularly checked. Please advise of
- any changes which aren't reflected in this document.
-
- ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/
- [mirror sites]
- ftp://ftp.uu.net/pub/security/virus/
- ftp://sunsite.unc.edu/pub/docs/security/hamburg-mirror/virus/
- http://www.SevenLocks.com/
-
- http://www.hitchhikers.net/av.shtml
- http://csrc.ncsl.nist.gov/virus
- http://www.nc5.infi.net/~wtnewton/vinfo/master.html
-
- Virus Bulletin Home Page - vendor contact info, comparative reviews,
- review protocol info etc.
-
- http://www.virusbtn.com
-
- Henri Delger's home page has much useful info and useful links
-
- http://pages.prodigy.net/henri_delger/index.htm
-
- Tom Simondi has written a freeware virus tutorial (VTUTOR11.ZIP).
-
- http://www.cknow.com/
-
- Some information is available from The Scanner, an on-line anti-virus
- newsletter. It may not be entirely current, however.
-
- http://diversicomm.com/scanner
-
- Doug Muth has not only AV links but geek code as well....
-
- http://www.claws-and-paws.com/
-
- Bob Rosenberger's Computer Virus Myths Page
-
- http://www.kumite.com/myths/
-
- A few Amiga links:
-
- http://ftp.uni-paderborn.de/aminet/dirs/util_virus.html
- [Antivirus info and programs]
- ftp://ftp.uni-paderborn.de/aminet/util/virus/
- According to Dennis Boon, trsivw65.lha has info about 100 or so viruses;
- VT_docfiles.lha has info on nearly all Amiga viruses (in German);
- VIB9508.lha contains info on all viruses up to August 1995
- (in English).
-
- The WildList (List of viruses currently 'in the wild' - doesn't
- include much description)
- http://www.wildlist.org
-
- Virus Descriptions
- - - ------------------
-
- http://www.avpve.com AVP Virus Encyclopedia
- http://www.datafellows.com/vir-info/ Data Fellows Virus
- Database
- http://www.symantec.com/avcenter/vinfodb.html Symantec Virus Database
- http://www.avertlabs.com McAfee Virus Database
-
- Virus demonstrations
- - - --------------------
-
- AVP includes some virus demonstrations, and other publishers have
- demos available.
-
- There are also virus simulators, which are not quite the same thing.
- These are sometimes advocated as a means of testing antivirus packages,
- but there are dangers to this approach: a simulator is not a virus, so
- a package which detects one as the virus it simulates is, technically,
- false-alarming, and a package which (correctly) ignores it is not
- thereby shown to miss the real thing.
-
- See section F6 of the Mark 2 Virus-L FAQ, which is rather good on
- types and uses of virus simulation.
-
- Books which may be of use:
-
- Robert Slade's Guide to Computer Viruses - Springer-Verlag
- Pretty good introduction & general resource. Currently
- in its second edition.
- Computers Under Attack (ed. Denning) - Addison-Wesley
- Aging, but some classic texts
- Survivors' Guide to Computer Viruses (ed. Lammer) - Virus Bulletin
- Uneven, but includes useful stuff from Virus Bulletin
- Dr. Solomon's Virus Encyclopedia
- You may from time to time find copies of an older edition
- of this in bookshops, though it's better known as part of
- Dr. Solomon's AntiVirus ToolKit. It's a pretty good guide
- to some of the older viruses.
- A Short Course on Computer Viruses (F. Cohen) - Wiley
- By the man who 'invented' the concept of computer viruses.
- Some aspects are controversial, but a good introduction to
- his work.
-
- The comp.virus FAQ includes pointers to some books.
-
- Useful (and expensive) periodicals:
-
- Virus Bulletin
- http://www.virusbtn.com
-
- Secure Computing
- http://www.westcoast.com
-
- Computers and Security
- Elsevier Advanced Technology
- PO Box 150
- Kidlington
- Oxford
- OX5 1AS
- 44 (0) 1865-843666
- a.verhoeven@elsevier.co.uk
-
- The Disaster Recovery Journal (more info & on-line articles)
- http://www.drj.com
-
-
- (10) Does anyone know about...
- ==============================
-
- ...Mac viruses?
- - - ---------------
-
- David Harley co-maintains (with Susan Lesch) a FAQ on Mac/virus
- issues, which can be found at:
-
- http://www.macvirus.com/
- http://www.sherpasoft.com/MacSupporters/
-
- Mac-specific virus information:
-
- http://www.symantec.com
- http://www.nai.com
- http://www.sherpasoft.com/MacSupporters/
- http://www.hyperactivesw.com
- http://ciac.llnl.gov/ciac/CIACVirusDatabase.html/
-
- ...UNIX viruses?
- - - ----------------
-
- In general, there are virtually no non-experimental UNIX viruses.
- There have been a few worm incidents, most notably the Morris Worm
- (a.k.a. the Internet Worm) of 1988, and a handful of Linux viruses
- exist, but none of them is widespread.
-
- There are products which scan some Unix systems for PC viruses; in
- fact, such packages generally target PC viruses rather than the
- handful of Unix viruses. Any machine used as a file server (Novell,
- Unix etc.) can also be scanned for PC viruses by a DOS scanner if it
- can be mounted as a logical drive on a PC running appropriate network
- client software such as PC-NFS.
-
- Unix servers running as web servers, FTP servers, intranet servers
- etc. should be considered a potential source of files infected with
- viruses specific to other platforms, even if they are not directly
- infectable themselves. This problem is sometimes referred to as the
- 'latent virus problem', or 'heterogeneous virus transmission'.
-
- Intel-based PCs running Unix (e.g. Linux, 386BSD, SCO Unix etc.)
- can also be infected by a DOS boot-sector virus if booted from an
- infected floppy: the code in the boot sector runs before any
- operating system is loaded, so what is installed on the hard disk is
- irrelevant at that point. The same goes for other PC-hosted operating
- systems such as NetWare.
-
- While viruses are not a major risk on Unix platforms, integrity
- checkers and audit packages are frequently used by system administrators
- to detect file changes made by other kinds of attack. However, Unix
- security is outside the scope of this FAQ (see comp.security.unix).
-
- See also the Unix section in the Virus-L/comp.virus FAQ.
-
- A useful book:
-
- Practical Unix Security & Internet Security
- (Garfinkel, Spafford) - O'Reilly
-
- ...macro viruses?
- - - -----------------
-
- Macro viruses and trojans are specific to certain
- applications which use sophisticated macro languages,
- rather than being specific to a particular operating
- system. Macro viruses comprise a high percentage of
- the viruses now in the wild.
-
- Most current macro viruses and trojans are specific to
- Microsoft Word and Excel: however, many applications,
- not all of them Windows applications, have potentially
- damaging and/or infective macro capabilities too.
-
- Macro languages such as WordBasic and Visual Basic for
- Applications (VBA) are powerful programming languages in
- their own right. Word and Excel are particularly vulnerable
- to this threat, due to the way in which the macro language
- is bound to the command/menu structure in vulnerable versions
- of Word, the way in which macros and data can exist in the
- same file, and the eccentricities of OLE-2.
-
- For further info on macro viruses, you might like to try
- the main antivirus vendor sites.
-
- ...The AOLgold virus
- - - --------------------
-
- This was actually a trojan, not a virus. Information on it, along
- with other CIAC notices, is available from the CIAC Computer Security
- Archive:
-
- World Wide Web: http://ciac.llnl.gov/
-
- ...the PKZip trojan virus?
- - - --------------------------
-
- Most of us prefer to distinguish between trojans and viruses (see Part
- 1). The threat described in recent warnings is definitely not a virus,
- since it doesn't replicate by infection.
-
- There have been at least two attempts to pass off trojans as an upgrade
- to PKZip, the widely used file compression utility. A recent example was
- of the files PKZ300.EXE and PKZ300B.ZIP made available for downloading
- on the Internet. An earlier trojan passed itself off as version 2.0.
- For this reason, PKWare have never released a version 2.0 of PKZip:
- presumably, if they ever do release another DOS version (unlikely, at
- this date, in my opinion), it will not be numbered version 3.0(0).
- In fact, there are hardly any known cases of someone downloading and
- being hit by this trojan, which few people have seen (though most
- reputable virus scanners will detect it). As far as I know, this trojan
- was only ever seen on warez servers (specialising in pirated software).
-
- There are recorded instances of a fake PKZip version 3 found infected
- with a real live in-the-wild file virus, but this too is very rare.
- To the best of my knowledge, the latest version of PKZip is 2.04g,
- or 2.50 for Windows.
-
- There was a version 2.06 put together specifically for IBM internal
- use only (confirmed by PKWare). If you find it in circulation, avoid
- it. It's either illicit or a potentially damaging fake.
-
- The recent rash of resuscitated warnings about this is at least in part
- a hoax. It's not a virus, it's a trojan. It doesn't (and couldn't)
- damage modems, V.32 or otherwise, though I suppose a virus or trojan might
- alter the settings of a modem - if it happened to be on and connected....
- I don't want to get into hypothetical arguments about programmable
- modems right now. It appears to delete files, not destroy disks irrevocably.
-
- It's certainly a good idea to avoid files claiming to be PKZip version 3,
- but the real risk hardly justifies the bandwidth this alert has occupied.
-
- ...xyz PC virus?
- - - ----------------
-
- There are several thousand known PC viruses, and the number 'in the
- wild' is in the hundreds. It is not practical to include information
- about all of these in this FAQ.
-
- There are rarely enquiries about viruses on other computing platforms
- raised in alt.comp.virus, but there is some information concerning
- viruses on most platforms available at the Virus Test Center in Hamburg.
-
- See the section above on Virus Descriptions for sites where information
- is available.
-
- ...the Psychic Neon Buddha Jesus virus?
- - - ---------------------------------------
-
- This is an allegedly humorous bit of JavaScript programming that found
- its way onto a website. On clicking a particular button, you may be
- told that this virus has been detected. JavaScript has many interesting
- properties, but virus detection is not one of them. It was a joke,
- and it's long gone, though others like it pop up from time to time.
-
- ...the blem wit virus?
- - - ----------------------
-
- See the Virus-L FAQ. Basically, it's not a virus at all but a mangled
- error message that may come up with older Novell drivers: the start
- of "[pro]blem wit[h]....." has been lost, leaving "blem wit".
-
- The Irina Virus?
- - - ----------------
-
- Publicity stunt generated by Penguin Books to promote their
- 'interactive novel'. More info in the 'Viruses and the Mac'
- FAQ, a CIAC bulletin on hoax and semi-hoax viruses, the
- Computer Virus Myths website (http://www.kumite.com/myths/)
- and many other sources.
-
- GHOST
- - - -----
-
- Just a screensaver...... More info in the CIAC bulletin
- mentioned above and/or the Computer Virus myths website.
-
- General Info on Hoaxes/Erroneous Alerts
- - - ---------------------------------------
-
- The updated CIAC bulletin mentioned several times above is
- at:
-
- http://ciac.llnl.gov/ciac/bulletins/h-05.shtml
-
- It includes info on the alerts mentioned below, some historical
- background, and suggestions on validating hoaxes rather than
- passing them on uncritically.
-
- CIAC have now set up a hoaxes web page at:
-
- http://ciac.llnl.gov/ciac/CIACHoaxes.html
-
- There's also a page on chain letters which includes relevant
- material.
-
- There are lots of useful links at:
-
- http://www.kumite.com/myths
-
-
- - - -----------------extract-------------------------------
-
- INFORMATION BULLETIN
- H-05 Internet Hoaxes: PKZ300, Irina,
- Good Times, Deeyenda, Ghost
-
- November 20, 1996 16:00 GMT
-
-
- PROBLEM: This bulletin addresses the following hoaxes and erroneous
- warnings: PKZ300 Warning, Irina, Good Times, Deeyenda, and
- Ghost.exe
- PLATFORM: All, via e-mail
- DAMAGE: Time lost reading and responding to the messages
- SOLUTION: Pass unvalidated warnings only to your computer security
- department or incident response team. See below on how to
- recognize validated and unvalidated warnings and hoaxes.
-
- VULNERABILITY   New hoaxes and warnings have appeared on the Internet
- ASSESSMENT:     and old hoaxes are still being circulated.
-
- - - ---------------------end extract--------------------------------
-
- (11) Is it true that....?
- =========================
-
- (*or* some favourite hoaxes...)
-
- (1) There is *no* Good Times virus that trashes your hard disk
- and launches your CPU into an nth-complexity binary loop when
- you read mail with "Good Times" in the Subject: field.
-
- You can get a copy of Les Jones' FAQ on the Good Times Hoax from:
-
- http://www.public.usit.net/lesjones/goodtimes.html
-
- There *is* at least one file virus christened Good Times
- by the individual who posted it in an attempt to cause
- confusion. It is more commonly referred to as GT-spoof.
-
- (2) There is no modem virus that spreads via an undocumented
- subcarrier - whatever that means....
-
- (3) Any file virus can be transmitted as an E-mail attachment.
- However, the virus code has to be executed before it actually
- infects. Sensibly configured mailers don't usually allow this
- by default and without prompting, but certainly some mailers
- can support this: for instance, cc:mail can, it seems, launch
- attachments straight into AmiPro.
-
- There's room for a lot of discussion here. The jury is still
- out on web browsers: Netscape can certainly be set up to do
- things I don't approve of, such as opening a Word document in
- Word without asking.
-
- Microsoft have made available a Word viewer which reads Word
- files, but doesn't run attached macros. If possible, use this
- instead. If you have both Word and the Word Viewer, it is a good
- idea to set the Word Viewer as the default association instead
- of Word itself. This protects you from macro viruses to a certain
- extent, while not preventing you from using Word to edit documents
- (just use file/open instead of double-clicking on the file).
-
- The term 'ANSI bomb' usually refers to a mail message or other
- text file that takes advantage of an 'enhancement' to the MS-DOS
- ANSI.SYS driver which allows keys to be redefined with an
- escape sequence, in this case to echo some potentially
- destructive command to the console. In fact, few systems
- nowadays run programs which need ANSI terminal emulation to run,
- and there's no guarantee that the program reading the file would
- pass such an escape sequence unfiltered to the console anyway.
- There are plenty of PD or shareware alternatives to ANSI.SYS that
- don't support keyboard redefinition, or allow it to be turned off.
-
- The term mail bomb is usually applied to the intentional
- bombardment of an e-mail address with multiple copies of a
- (frequently abusive) message, rather than to the above.
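The ANSI.SYS key-redefinition sequence described above has a recognisable shape: ESC [ followed by a key code, one or more strings or codes separated by semicolons, and a final letter p. The Python below is an added example (not part of this FAQ, and not any vendor's product) showing how a mail gateway or file scanner could flag and strip such sequences while leaving ordinary colour and cursor sequences alone. The sample message text is constructed for the example; the 'del *.*' string in it is the sort of command an ANSI bomb would echo to the console, and the function names are ours.

```python
import re

# ANSI.SYS keyboard reassignment has the form  ESC [ code ; "string" ; code ... p
# The final byte 'p' is what makes it a key redefinition; colour (m), cursor
# movement (A-H) and erase (J, K) sequences share the ESC [ prefix but are
# harmless for this check.  The quoted alternatives let a ';' or '*' inside a
# string pass without ending the parameter list early.
CSI_RE = re.compile(r"\x1b\[((?:[0-9;=?]|\"[^\"]*\"|'[^']*')*)([@-~])")
KEY_REASSIGN_FINAL = "p"


def find_csi_sequences(text):
    """Return (parameters, final_byte) for every ESC [ ... sequence in text."""
    return [(m.group(1), m.group(2)) for m in CSI_RE.finditer(text)]


def find_key_redefinitions(text):
    """Return the parameter strings of the sequences that would redefine a key."""
    return [params for params, final in find_csi_sequences(text)
            if final == KEY_REASSIGN_FINAL]


def redefined_keystrokes(params):
    """Pull out the quoted strings an ANSI bomb would 'type' at the console."""
    return ["".join(pair) for pair in re.findall(r"\"([^\"]*)\"|'([^']*)'", params)]


def strip_key_redefinitions(text):
    """Drop key-reassignment sequences; keep colour and cursor sequences intact."""
    return CSI_RE.sub(
        lambda m: "" if m.group(2) == KEY_REASSIGN_FINAL else m.group(0), text)


# Constructed sample message (not a real capture): one harmless colour sequence
# and one redefinition that binds Enter (code 13) to 'del *.*' followed by Enter.
SAMPLE_TEXT = (
    "\x1b[1;31mVirus alert!\x1b[0m Please read the attached notice.\r\n"
    "Thanks for your time.\x1b[13;\"del *.*\";13p\r\n"
)

if __name__ == "__main__":
    for params in find_key_redefinitions(SAMPLE_TEXT):
        print("key redefinition:", params, "-> types", redefined_keystrokes(params))
    print("sanitised:", repr(strip_key_redefinitions(SAMPLE_TEXT)))
```

Treating every sequence that ends in p as hostile is deliberate: there is no legitimate reason for a mail message or a downloaded text file to remap keys on the reader's machine, so the check can be strict without false-alarming on the colour codes that BBS-era text actually used.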
-
- (4) There is no known way in which a virus could sensibly be spread
- by a graphics file such as a JPEG or .GIF file, which does not
- contain executable code: a pure data file can only do harm if a bug
- in the program that reads it causes data to be executed as code,
- which is a flaw in the viewer rather than a property of the file
- format. Macro viruses work because the files to which they are
- attached are not 'pure' data files.
-
- (5) In general, software cannot physically damage hardware - this
- includes viruses. There is a possibility that specific hardware
- may be damaged by specific code: however, a virus which drops
- a particular payload on the offchance that it's running on a
- system with a particular type of obsolete video card seems more
- than usually futile.
-
- At least one virus (named CIH, AKA Chernobyl) contains code that
- can overwrite BIOS code on some machines. This does not constitute
- hardware damage, since the chip involved is still intact. Problem
- is, without the appropriate software on that chip, the system won't
- boot. Repair from this payload generally involves reprogramming the
- BIOS chip, which can be more expensive than just buying a new
- motherboard.
-
-
- (12) Favourite myths
- ====================
-
- * DOS file attributes protect executable files from infection
-
- File attributes are set by software, and can therefore be
- changed by software, including viruses. Many viruses reset a
- ReadOnly/System/Hidden file to Read/Write, infect it, and
- often restore the original attributes afterwards, so the file
- looks untouched.
-
- This also applies to other software mechanisms such as
- simulating hardware write-protection on a hard disk.
-
- However, file protection rights in NetWare *can* help to
- contain virus infections, if set up properly, as can
- trustee rights. [Trustee assignments govern whether an
- individual user has right of access to a subdirectory: the
- Inherited Rights Mask governs the protection rights of
- individual files and (sub)directories.]
-
- Basically, a file virus has the same rights of access as the
- user who happens inadvertently to activate it.
-
- Setting up these levels of security is really a function
- of the network Administrator, but you might like to check
- (politely) that yours is not only reassuringly paranoid but
- also knowledgeable about viruses as well as networks, since a
- LAN which is not, in this respect, securely configured, can
- result in very rapid infection and reinfection of files
- across the whole LAN. In particular, accounts with supervisor
- equivalence can, potentially, be the unwitting cause of very
- rapid dissemination of viruses.
-
- [See also the comp.virus FAQ (version 2) section D]
-
- * I'm safe from viruses because I don't use bulletin boards/shareware/
- Public Domain software.
-
- Many of the most widely-spread viruses are Boot Sector Infectors,
- which can't normally infect over a serial or network connection.
- Writers of shareware, freeware etc. are no more prone to accidental
- infection than commercial publishers, and possibly less. The only
- 'safe' PC is still in its original wrapping (which doesn't mean
- it isn't already infected...) And don't forget that shrinkwrapped
- software may have been rewrapped.
-
- As well, the most common viruses today are macro viruses, which depend
- on you running a commercial application (usually MS Word or Excel).
- They spread via documents exchanged between computers, which is a common
- occurrence on many systems, regardless of how 'connected' they are.
-
- * FDISK /MBR fixes boot sector viruses.
-
- The mark II comp.virus FAQ is worth reading on this (see Part 1
- of this FAQ as well as Part 4, section 14).
-
- In brief, don't use FDISK /MBR *unless* you're *very* sure of what
- you're doing, as you may lose data. Note also that if you set up the
- drive with a disk manager such as EZDrive, you won't be able to access
- the drive until and unless you can reinstall it.
-
- ******************************************************************
-
- (i) What does FDISK /MBR do?
- ------------------------
-
- It places "clean" partition code onto the partition of your hard disk.
- It does not necessarily change the partition information, however.
- [It does sometimes, and when it does it is usually fatal (for the
- common user, anyway). FDISK /MBR will wipe the partition table data if
- the last two bytes of the MBR are not 55 AA.]
-
- The /MBR command-line switch is not officially documented in all
- DOS versions and was introduced in DOS 5.0.
-
- (ii) What is the partition?
- ----------------------
-
- The partition sector is the first sector on a hard disk. It contains
- information about the disk such as the number of sectors in each
- partition, where the DOS partition starts, plus a small program. The
- partition sector is also called the "Master Boot Record" (MBR).
-
- When a PC starts up it reads the partition sector and executes the
- code it finds there. Viruses that use the partition sector modify
- this code.
-
- Since the partition sector is not part of the normal data storage
- part of a disk, utilities such as DEBUG will not allow access to it.
- [Unless one assembles into memory]
-
- Floppy disks do not have a partition sector.
-
- FDISK /MBR will change the code in a hard disk partition sector.
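- An added example, not part of this FAQ, that works through the partition
- sector layout described in (i) and (ii): it parses a constructed 512-byte
- sector (boot code, four 16-byte partition entries at offset 0x1BE, the
- 55 AA signature in the last two bytes), compares the boot code against a
- saved clean copy to detect modification, and models the FAQ's description
- of FDISK /MBR, in which a sector whose last two bytes are not 55 AA loses
- its partition table. The sample sector and the fdisk_mbr_preview model are
- assumptions of the example, not FDISK's actual code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE       # four 16-byte partition entries start here
SIGNATURE_OFFSET = 0x1FE   # the last two bytes, which FDISK /MBR checks
BOOT_SIGNATURE = b"\x55\xAA"

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte partition sector into boot code, partition table, signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("a partition sector is exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype:  # a type byte of 0 marks an unused slot
            partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:TABLE_OFFSET], "partitions": partitions,
            "signature_ok": sector[SIGNATURE_OFFSET:] == BOOT_SIGNATURE}

def boot_code_changed(sector: bytes, known_good: bytes) -> bool:
    """Detect a modified partition-sector program by comparing digests with a clean copy."""
    return (hashlib.sha256(sector[:TABLE_OFFSET]).digest()
            != hashlib.sha256(known_good[:TABLE_OFFSET]).digest())

def fdisk_mbr_preview(sector: bytes, clean_code: bytes) -> bytes:
    """Model (assumed from the FAQ's description, not FDISK itself) of FDISK /MBR:
    replace the boot code; keep the partition table only if the signature is 55 AA."""
    new = bytearray(clean_code[:TABLE_OFFSET].ljust(TABLE_OFFSET, b"\0"))
    if sector[SIGNATURE_OFFSET:] == BOOT_SIGNATURE:
        new += sector[TABLE_OFFSET:SIGNATURE_OFFSET]
    else:
        new += b"\0" * (SIGNATURE_OFFSET - TABLE_OFFSET)  # table data wiped
    return bytes(new + BOOT_SIGNATURE)

def build_sample_mbr(boot_code: bytes, with_signature: bool = True) -> bytes:
    """Constructed sector, not a real disk image: one bootable DOS partition (type 0x06)."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x06, 63, 1000)
    signature = BOOT_SIGNATURE if with_signature else b"\0\0"
    return boot_code[:TABLE_OFFSET].ljust(TABLE_OFFSET, b"\0") + entry + b"\0" * 48 + signature

if __name__ == "__main__":
    clean = build_sample_mbr(b"CLEAN-BOOT-CODE")
    suspect = build_sample_mbr(b"MODIFIED-BOOT-CODE", with_signature=False)
    print("boot code changed:", boot_code_changed(suspect, clean))
    print("partitions after FDISK /MBR:", parse_mbr(fdisk_mbr_preview(suspect, clean))["partitions"])
```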
-
-
- (iii) What is a boot sector?
- ----------------------
-
- The boot sector is the first sector on a floppy disk. On a hard disk
- it is the first sector of a partition. It contains information about
- the disk or partition, such as the number of sectors, plus a small
- program.
-
- When the PC starts up it attempts to read the boot sector of a disk in
- drive A:. If this fails because there is no disk it reads the boot
- sector of drive C:. A boot sector virus replaces this sector with its
- own code and usually moves the original elsewhere on the disk.
-
- Even a non-bootable floppy disk has executable code in its boot sector.
- This displays the "not bootable" message when the computer attempts to
- boot from the disk. Therefore, non-bootable floppies can still contain
- a virus and infect a PC if it is inserted in drive A: when the PC
- starts up.
-
- FDISK /MBR will not change the code in a hard disk boot sector (as
- opposed to the partition sector). Most boot sector viruses infect the
- partition sector of hard disks and floppy disk boot sectors: most do
- not infect the boot sector of a hard disk - the Form virus is an
- exception.
-
- (iv) How can I remove a virus from my hard disk's partition sector?
- --------------------------------------------------------------
-
- There are two main alternatives: run an anti-virus product, or use
- FDISK /MBR.
-
- Most effective anti-virus products will be able to remove a virus from
- a partition sector, but some have difficulties under certain
- circumstances. In these cases the user may decide to use FDISK /MBR.
-
- Unless you know precisely what you are doing this is unwise. You may
- lose access to the data on your hard disk if the infection was done by
- a virus such as Monkey or OneHalf. Part 4, section 14 of this FAQ
- contains details as to how losing data might happen.
-
- (v) Won't formatting the hard disk help?
- ------------------------------------
-
- Not necessarily. Formatting the hard disk can result in everything
- being wiped from the drive *apart* from the virus. Format alters the
- DOS partition, but leaves the partition sector (AKA the MBR) untouched.
- There is usually a better way of removing a virus infection than
- formatting the hard disk.
-
- ******************************************************************
-
- * Write protecting suspect floppies stops infection.
-
- This sounds so silly I hesitate to include it. I've never seen it said
- on a.c.v., but I've heard it so often in other contexts, I've included
- it anyway. Write-protecting a suspect floppy will only protect that
- diskette from *re-infection*, if it's already infected. It won't stop
- an infected floppy from infecting other (write-enabled) drives.
-
- If you boot with a disk in drive A which is infected with a boot-sector
- virus, the fact that the diskette is write-protected will make no
- difference at all.
-
- Write-protecting a *clean* floppy will indeed prevent it from being
- infected (but see below!).
-
- * The write protect tab always stops a disk write
-
- Briefly, write protection is built into the hardware on the Mac and
- on the PC (and most other systems, of course, but we can't cover
- everything), and can't be circumvented in software.
-
- However, it is possible for the hardware to fail: it's not common,
- but it happens. Thus when I do a cleanup, I try to create a file on a
- sacrificial floppy before risking my R/O boot disk. Sometimes, I
- even remember....
-
- Other caveats: a disk which you receive write-protected could have
- been de-protected, infected, and re-protected. Even a 3.5" disk with
- the write-enable tab removed can be written to by covering the hole
- with (e.g.) masking tape. And, of course, shrink-wrapped software
- could have been infected before the duplication process.
-
- * I can infect my system by running DIR on an infected disk
-
- If you have a clean PC system, you can't contract a boot sector virus
- *or* a file virus just by listing the files on an infected floppy.
- Of course, if your PC is infected, you may well infect a *clean* floppy
- by using
-
- DIR A:
-
- It *is* possible to have a scanner report a virus in memory after a
- DIR of a floppy with an infected boot sector. The distinction here is
- that the virus is not actually loaded into memory, so the PC has
- *not* been infected.
-
- - - -----------------------------------------------------------------------
-
- End of a.c.v. FAQ part 2
-
- -----BEGIN PGP SIGNATURE-----
- Version: PGPfreeware 6.5.1 for non-commercial use <http://www.pgp.com>
- Comment: PGP Key ID 0xDCC35C75 available on Keyservers
-
- -----END PGP SIGNATURE-----
-
-