- Path: senator-bedfellow.mit.edu!dreaderd!not-for-mail
- Message-ID: <computer-virus/alt-faq/part4_953842042@rtfm.mit.edu>
- Supersedes: <computer-virus/alt-faq/part4_952514862@rtfm.mit.edu>
- Expires: 21 Apr 2000 20:07:22 GMT
- References: <computer-virus/alt-faq/part1_953842042@rtfm.mit.edu>
- X-Last-Updated: 2000/02/29
- Organization: none
- From: George Wenzel <gwenzel@telusplanet.net>
- Newsgroups: alt.comp.virus,comp.virus,alt.answers,comp.answers,news.answers
- Followup-To: alt.comp.virus
- Subject: [alt.comp.virus] FAQ Part 4/4
- Approved: news-answers-request@MIT.EDU
- X-no-archive: yes
- Originator: faqserv@penguin-lust.MIT.EDU
- Date: 23 Mar 2000 20:09:08 GMT
- Lines: 1003
- NNTP-Posting-Host: penguin-lust.mit.edu
- X-Trace: dreaderd 953842148 2960 18.181.0.29
- Xref: senator-bedfellow.mit.edu alt.comp.virus:101521 comp.virus:30979 alt.answers:47999 comp.answers:40198 news.answers:180077
-
- Archive-name: computer-virus/alt-faq/part4
- Posting-Frequency: Fortnightly
- URL: http://www.sherpasoft.org.uk/acvFAQ/
- Maintainer: Co-maintained by David Harley, Bruce Burrell, and George Wenzel
-
- -----BEGIN PGP SIGNED MESSAGE-----
-
- alt.comp.virus (Frequently Asked Questions)
- *******************************************
-
- Version 1.1 : Part 4 of 4
- Last modified 19th August 1999
-
-
- ("`-''-/").___..--''"`-._
- `6_ 6 ) `-. ( ).`-.__.`)
- (_Y_.)' ._ ) `._ `. ``-..-'
- _..`--'_..-_/ /--'_.' ,'
- (il),-'' (li),' ((!.-'
-
-
-
- ADMINISTRIVIA
- =============
-
- Disclaimer
- - ----------
-
- This document is an honest attempt to help individuals with computer
- virus-related problems and queries. It can *not* be regarded as being
- in any sense authoritative, and has no legal standing. The authors
- accept no responsibility for errors or omissions, or for any ill effects
- resulting from the use of any information contained in this document.
-
- You should not assume that all or any information in this document
- is up-to-date.
-
- Not all the views expressed in this document are those of the maintainers,
- and those views which *are* those of the maintainers are not necessarily
- shared by their respective employers.
-
- Copyright Notice
- - ----------------
-
- Copyright on all contributions to this FAQ remains with the authors
- and all rights are reserved. It may, however, be freely distributed
- and quoted - accurately, and with due credit.
-
- It may not be reproduced for profit or distributed in part or as a whole
- with any product or service for which a charge is made, except with
- the prior permission of the copyright holders. To obtain such permission,
- please contact one of the co-maintainers of the FAQ.
-
- David Harley <D.Harley@icrf.icnet.uk>
- George Wenzel <gwenzel@telusplanet.net>
- Bruce Burrell <bpb@umich.edu>
-
- [Please check out the more detailed copyright notice at the beginning
- of part 1 of the FAQ]
-
- - --------------------------------------------------------------------------
-
- TABLE OF CONTENTS
- *****************
-
- See Part 1 of this FAQ for the full Table of Contents
-
- Part 4
- ------
-
- (14) Miscellaneous
-
- Are there anti-virus packages which check zipped/archived files?
- What's the genb/genp virus?
- Where do I get VCL and an assembler, & what's the password?
- Send me a virus.
- It said in a review.....
- Is it viruses, virii or what?
- Where is alt.comp.virus archived?
- What about firewalls?
- Viruses on CD-ROM.
- Removing viruses.
- Can't viruses sometimes be useful?
- Do I have a virus, and how do I know?
- What should be on a (clean) boot disk?
- How do I know I have a clean boot disk?
- What other tools might I need?
- What are rescue disks?
- Are there CMOS viruses?
- How do I know I'm FTP-ing 'good' software?
- What is 386SPART.PAR?
- Can I get a virus to test my antivirus package with?
- When I do DIR | MORE I see a couple of files with funny names...
- Reasons NOT to use FDISK /MBR
- Why do people write/distribute viruses?
- Where can I get an Anti-Virus policy?
- Are there virus damage statistics?
- What is ICSA approval?
- What language should I write a virus in?
- No, seriously, what language are they written in?
- [DRD], Doren Rosenthal, the Universe and Everything
- What are CARO and EICAR?
-
- - -------------------------------------------------------------------
-
-
- (14) Miscellaneous
- ==================
-
- Are there anti-virus packages which check zipped/archived files?
- - -------------------------------------------------------
-
- More and more anti-virus programs are scanning within zipped,
- packed, or archived files. The specific archive formats supported
- will vary from product to product - check with the makers of the
- product for details. Some products will check recursively within
- archives, meaning they will scan (for example) a zip file within an
- arj file within another zip file, and so on. Scanning within zipped
- files is beneficial when scanning newly-downloaded files, but it
- is simply a convenience - a product that supports more archive formats
- may not be better suited to your needs, especially if you never use
- files archived with those formats. Products that scan lots of archive
- types are generally most useful for people who run software archives or
- other large collections of zipped/archived files.
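
Recursive archive scanning as described above, as an added example that is not part of the FAQ or any product it mentions. Only the zip format is handled, since Python's standard library can read it; the nesting-depth and per-member size limits, the sample archives and the `BADSTRING` marker the toy scanner flags are all constructed for the example. The limits are the practitioner's caveat here: nested archives are also where decompression bombs live, so a scanner that descends into them needs a stopping rule.

```python
import io
import zipfile
from typing import Callable, Dict, Iterator, List, Tuple

# Added example: walk a zip archive, descending into zip members found inside
# it, and hand every non-archive member to a scan callback. Limits below are
# assumptions chosen for the example, not values from any real product.
MAX_DEPTH = 3                      # how many archives-within-archives to open
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # refuse to decompress anything larger


def is_zip(data: bytes) -> bool:
    """Cheap format check: a zip local file header starts with PK\\x03\\x04."""
    return data[:4] == b"PK\x03\x04"


def walk_archive(data: bytes, path: str = "<root>", depth: int = 0) -> Iterator[Tuple[str, bytes]]:
    """Yield (virtual_path, content) for every leaf member.

    Members that are themselves zip files are opened in memory and walked in
    turn until MAX_DEPTH is reached; beyond that the archive is reported with
    a marker in its path instead of being expanded further.
    """
    if depth >= MAX_DEPTH:
        yield (path + " [nesting limit reached, not expanded]", data)
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member_path = f"{path}/{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                # The declared size is checked before any decompression happens.
                yield (member_path + " [too large, skipped]", b"")
                continue
            content = zf.read(info)
            if is_zip(content):
                yield from walk_archive(content, member_path, depth + 1)
            else:
                yield (member_path, content)


def scan_archive(data: bytes, scanner: Callable[[bytes], bool]) -> List[str]:
    """Run scanner(content) over every leaf member; return the flagged paths."""
    return [p for p, c in walk_archive(data) if scanner(c)]


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build a zip archive in memory (used only to construct sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def toy_scanner(content: bytes) -> bool:
    """Stand-in for a real scanner: flags a constructed marker string."""
    return b"BADSTRING" in content


# Constructed sample: an outer zip holding a text file and an inner zip, which
# in turn holds a file the toy scanner will flag.
INNER = build_zip({"readme.txt": b"hello", "tool.exe": b"MZ" + b"BADSTRING" + b"\x00" * 16})
OUTER = build_zip({"notes.txt": b"plain text", "inner.zip": INNER})

# Constructed sample: four levels of nesting, deeper than MAX_DEPTH allows.
NESTED = build_zip({"a.zip": build_zip({"b.zip": build_zip({"c.zip": build_zip({"x.txt": b"deep"})})})})

if __name__ == "__main__":
    for hit in scan_archive(OUTER, toy_scanner):
        print("flagged:", hit)
    for path, _ in walk_archive(NESTED):
        print("seen:", path)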
-
- What's the genb/genp virus?
- - ---------------------------
-
- This is McAfee-ese for "You may have an unrecognised ('generic')
- boot-sector (genb) or partition-sector (genp) virus". Re-check
- with a more recent version or the latest version of another
- reputable package.
-
- Where do I get VCL and an assembler, & what's the password?
- - -----------------------------------------------------------
-
- Wrong FAQ. You don't learn anything about viruses, programming
- or anything else from virus toolkits. You want rec.knitting. B-)
-
- I can't believe there's anyone left on the Internet who doesn't
- know the VCL password, but I'm not going to tell you anyway.
-
- OK, maybe you want an assembler to learn assembly-language, not
- just to rehash prefabricated code. Where do you get TASM?
- You buy it from Borland or one of their agents, either stand-alone
- or with one of their high-level languages. If you want freeware
- or shareware, I guess you can still get the likes of CHASM and
- A86 (SimTel mirror sites in SimTel/asm).
-
- Send me a virus
- - ---------------
-
- Anti-virus researchers don't usually share viruses with people
- they can't trust. Pro-virus types are often unresponsive to
- freeloaders. And why would you *trust* someone who's prepared
- to mail you a virus, bona-fide or otherwise? [A high percentage
- of the 'viruses' available over the internet are non-replicating
- junk.]
-
- Requests for viruses by people 'writing a new anti-virus utility'
- are usually not taken too seriously.
-
- * We get rather a lot of such requests, which leads to a certain amount
- of cynicism.
- * Writing a utility to detect a single virus is one thing: writing a
- usable, stable, reasonably fast scanner which detects all known
- viruses is a considerable undertaking. There are highly experienced
- and qualified people working more or less full time on adding routines
- to do this to antivirus packages which are already mature, and unless
- you have a distinctly novel approach, you don't have much chance of
- keeping up with them.
- * It may be that the research you're interested in has already been done.
- Say what sort of information you're looking for, and someone may be able
- to help.
- * You can't afford to use junk 'viruses' for research, and the best
- collections are largely in the hands of people who won't allow
- access to them to anyone without cast-iron credentials.
-
- If you want to test anti-virus software with live viruses, this
- is *not* the way to get good virus samples.
-
- Valid testing of antivirus software requires a lot of time, care
- and thought and a valid virus test-set. Virus simulators are
- unhelpful in this context: a scanner which reports a virus when it
- finds one of these is actually false-alarming, which isn't
- necessarily what you want from a scanner.
-
- Read Vesselin Bontchev's paper on maintaining a virus library:
-
- ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/virlib.zip
-
- There have been one or two requests for source code. Assuming you have
- the necessary knowledge of programming (especially x86 assembler) and the
- PC, this is probably the wrong approach, unless you're a serious
- antivirus researcher (in which case you need to sell yourself to the
- antivirus research community, and asking for viruses here isn't the
- way to earn their trust).
-
- * How can you trust any source code you're sent? Antivirus researchers won't
- send it to you, so you have to rely on the goodwill of a virus writer
- or distributor: not always a good idea. Many so-called viruses picked up
- from CDs, VX websites etc. aren't viruses at all.
-
- * Are you going to examine all known viruses? Or all those listed in
- the current WildList? If not, what are your selection criteria going to
- be? How will you tell an insignificant variant from a completely different
- virus type?
-
- Your first task is to understand the general principles, and you won't get
- those from snippets of code. If you still need low-level analysis
- afterwards, you might like to try
- http://www.virusbtn.com/VirusInformation/
- where you can find analyses (without source code) of a number of common
- viruses, analysed by experts.
-
- It said in a review....
- - -----------------------
-
- Reviews in the general computing press are rarely useful. Most
- journalists don't have the resources or the knowledge to match
- the quality of the reviews available in specialist periodicals like
- Virus Bulletin or Secure Computing. Of course, it's possible to
- produce a useful, if limited assessment of a package without
- using live viruses based on good knowledge of the issues involved
- (whether the package is ICSA-certified, for instance): unfortunately,
- most journalists are unaware of how little they know and have a vested
- interest in giving the impression that they know much more than they
- do. Even more knowledgeable writers may not make clear the criteria
- applied in their review.
-
-
- Is it viruses, virii or what?
- - -----------------------------
-
- The Latin root of virus has no commonly used plural form. Since the
- use of the word virus is borrowed from biology, you might like to conform
- to the usage normally favoured by biologists, doctors etc., which is
- viruses. However, a number of people favour the terms virii/viri,
- either to avoid confusion with the biological phenomenon (but what's
- the point of distinguishing in the plural but not in the singular?),
- or to avoid being mistaken for anti-virus researchers.....
-
- Bottom line, 'viruses' is the correct English plural for the singular
- 'virus'. Viri, virii, and so on are all slang.
-
- Where is alt.comp.virus archived?
- - ---------------------------------
-
- It isn't, as far as anyone seems to know. No-one currently working on
- the FAQ is likely to offer archiving, since a full archive would
- include uploaded viruses.
-
- Tom Simondi points out that there is an archive of sorts at Dejanews. You
- can search for several months of messages by subject at:
-
- http://www.deja.com/
-
- What about firewalls?
- - ---------------------
-
- Firewalls don't generally screen computer viruses, though some firewall
- products may allow for virus-scanning plug-ins. There are also
- "viruswalls" that scan for viruses at the Internet gateway.
- Some such products can scan incoming and outgoing E-mail
- attachments, ftp'd or http'd files etc. for viruses. MIMESweeper
- uses your favourite on-demand scanner to check E-mail attachments
- after it has unpacked them into a secure area on the hard drive
- of the NT machine. Obviously, the on-demand scanner is an additional
- cost.
-
- MIMESweeper's content-filtering abilities go well beyond the detection
- of file viruses and trojans it provides (with assistance from other
- software).
-
- These products do real scanning before the mail hits the workstation
- hard drive, but you should still make sure your mail attachments, WWW
- downloads etc. can't be automatically executed, and use a good TSR/VXD
- in combination with a good on-demand scanner.
-
- Note that realtime virus scanning at the gateway can add a heavy network
- overhead and probably won't catch as many viruses as checking *all*
- files from *all* sources with a desktop scanner.
-
- Current informed thinking tends to be that detection of viruses at
- the firewall is acceptable (1) if you can afford the additional
- hardware, software and latency (processing overhead), not to mention
- the hidden administrative overheads of configuration and policy for
- dealing with boundary conditions such as unusual 7-bit encoding formats,
- encrypted files etc. (2) as long as you appreciate that it can only be
- supplementary to checking at the desktop, not a replacement. Mail
- attachments, FTP and HTTP are more significant vectors for virus
- transmission than formerly, especially with the near-exponential
- boom in macro viruses, but other vectors (especially floppy disks)
- are still of vital concern. System administrators are attracted by
- the fact that it's easier to update server software than control
- the use of scanning on individual workstations, but the fact remains
- that in most environments, until the desktop is adequately protected
- with good, up-to-date realtime (on-access) scanning and/or scheduled
- on-demand scanning, virus scanning at the perimeter is a
- semi-irrelevance.
-
- For firewall-related information see the newsgroups
-
- comp.security
- comp.security.firewalls
-
- or, if you don't mind your mail by the ton, the firewalls mailing-lists.
-
- mailto: info@lists.gnac.net
- http://lists.gnac.net/
-
- Marcus Ranum's firewalls FAQ:
-
- http://www.clark.net/pub/mjr/pubs/fwfaq/
- http://www.interhack.net/pubs/fwfaq/
-
- Books:
-
- Firewalls and Internet Security - Repelling the Wily Hacker
- (Cheswick, Bellovin) - Addison-Wesley
-
- Building Internet Firewalls (Chapman, Zwicky) - O'Reilly
-
- Viruses on CD-ROM
- - -----------------
-
- Viruses have been distributed on CD ROM (for instance, Microsoft
- shipped Concept, the first (in the wild) macro virus, on a CD ROM called
- "Windows 95 Software Compatibility Test" in 1995). It is wise to scan CD
- ROMs on arrival for viruses, just like floppies. If the CD ROM has
- compressed or archived files it is wise to scan it with an anti-virus
- package which can cope with large amounts of compressed and archived
- files.
-
- If you scan all drives at every boot, though, you may find that this
- gives you a good incentive to remove CDs from your CD drive before
- you power down, especially if your scanner isn't set to allow you
- to break out of a scan. B-)
-
- Removing viruses
- - ----------------
-
- It is always better from a security point of view to replace infected
- files with clean, uninfected copies. However, in some circumstances this
- is not convenient. For example, if an entire network were infected with
- a fast-infecting file virus then it may be a lot quicker to run a quick
- repair with a reliable anti-virus product than to find clean, backup copies
- of the files. It should also be realised that clean backups are not
- always available. If a site has been hit by Nomenklatura, for example,
- it may take a long time before it is realised that you have been infected.
- By that time the data in backups has been seriously compromised.
-
- There are virtually no circumstances under which you should need to reformat
- a hard disk, however: in general, this is an attempt to treat the symptom
- instead of the cause. Likewise, re-partitioning with FDISK is unnecessary.
-
- If you use a generic low-level format program, i.e. one which isn't
- specifically for the make and model of drive you actually own, you
- stand a good chance of trashing the drive more thoroughly than any
- virus yet discovered.
-
- Can't viruses sometimes be useful?
- - ----------------------------------
-
- Vesselin Bontchev wrote a respected paper on this subject:
- ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/goodvir.zip
- Fred Cohen has done some heavy-duty writing in the other direction.
- Start with "A Short Course on Computer Viruses", "It's Alive!"(Wiley).
-
- In general, it's hard to imagine a situation where (e.g.) a
- maintenance virus is the *only* option. I have yet to see a convincing
- example of a potentially useful virus which *needs* to be a virus.
- Such a program would have to be *much* better written and error-trapped
- than viruses usually are.
-
- Do I have a virus, and how do I know?
- - -------------------------------------
-
- Almost anything odd a computer may do can be (and has been)
- blamed on a computer "virus," especially if no other
- explanation can readily be found. In most cases, when an
- anti-virus program is then run, no virus is found.
-
- A computer virus can cause unusual screen displays, or
- messages - but most don't do that. A virus may slow the
- operation of the computer - but many times that doesn't
- happen. Even longer disk activity, or strange hardware
- behaviour can be caused by legitimate software, harmless
- "prank" programs, or by hardware faults. A virus may cause
- a drive to be accessed unexpectedly (and the drive light to
- go on) - but legitimate programs can do that also.
-
- One usually reliable indicator of a virus infection is
- a change in the length of executable (*.com/*.exe) files, a
- change in their content, or a change in their file date/time
- in the Directory listing. But some viruses don't infect
- files, and some of those which do can avoid showing changes
- they've made to files, especially if they're active in RAM.
-
- Another common indication of a virus infection is a
- change to interrupt vectors or the reassignment of system
- resources. Unaccounted use of memory or a reduction in the
- amount normally shown for the system may be significant.
-
- In short, observing "something funny" and blaming it on
- a computer virus is less productive than scanning regularly
- for potential viruses, and not scanning, because "everything
- is running OK" is equally inadvisable.
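
The file-change indicator described above (length, content or date of .com/.exe files changing) is what an integrity checker looks for. The following is an added example, not code from the FAQ or any product it names: it records a baseline of size and SHA-256 for executables and later reports what was modified, added or removed. The "before" and "after" snapshots are constructed, with one program grown by an appended chunk. The FAQ's own caveat applies: a stealth virus active in memory can hide such changes, so the comparison belongs in a clean-booted session with the baseline kept on write-protected media. File dates are deliberately left out of the fingerprint, since they are trivial to reset.

```python
import hashlib
import os
from typing import Dict, List

# Added example: a minimal baseline-and-compare integrity checker for
# executables. Nothing here is from the FAQ; the sample snapshots below are
# constructed input.
EXECUTABLE_SUFFIXES = (".com", ".exe")


def fingerprint(content: bytes) -> Dict[str, object]:
    """Size plus SHA-256; either changing is reported as a modification."""
    return {"size": len(content), "sha256": hashlib.sha256(content).hexdigest()}


def baseline_from_entries(entries: Dict[str, bytes]) -> Dict[str, Dict[str, object]]:
    """Build a baseline from {path: content}; only executables are recorded."""
    return {p: fingerprint(c) for p, c in entries.items()
            if p.lower().endswith(EXECUTABLE_SUFFIXES)}


def compare(baseline: Dict[str, Dict[str, object]],
            current: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Classify every path as modified, added or removed relative to baseline."""
    report: Dict[str, List[str]] = {"modified": [], "added": [], "removed": []}
    for path, fp in current.items():
        old = baseline.get(path)
        if old is None:
            report["added"].append(path)
        elif old != fp:
            report["modified"].append(path)
    for path in baseline:
        if path not in current:
            report["removed"].append(path)
    for key in report:
        report[key].sort()
    return report


def read_tree(root: str) -> Dict[str, bytes]:
    """Read the executables under a directory on disk, for real use."""
    entries: Dict[str, bytes] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as f:
                    entries[os.path.relpath(full, root)] = f.read()
    return entries


# Constructed "before" snapshot (contents are placeholder bytes, not real programs).
BEFORE = {
    "DOS/COMMAND.COM": b"\xb4\x09" + b"\x00" * 100,
    "UTIL/PKZIP.EXE": b"MZ" + b"\x01" * 200,
    "README.TXT": b"not an executable, so it is ignored",
}
# Constructed "after" snapshot: one program grew by an appended chunk, the
# classic appending-infector signature, and a new executable appeared.
AFTER = dict(BEFORE)
AFTER["UTIL/PKZIP.EXE"] = BEFORE["UTIL/PKZIP.EXE"] + b"\xeb\xfe" * 50
AFTER["GAMES/NEW.EXE"] = b"MZ" + b"\x02" * 50


def demo_report() -> Dict[str, List[str]]:
    return compare(baseline_from_entries(BEFORE), baseline_from_entries(AFTER))


if __name__ == "__main__":
    print(demo_report())
    # Real use: baseline = baseline_from_entries(read_tree("C:\\")) on a clean
    # boot, stored off the machine; later compare against a fresh read_tree().
```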
-
- What should be on a (clean) boot disk?
- - --------------------------------------
-
- A boot floppy is one which contains the basic operating system, so that
- if the hard disk becomes inaccessible, you can still boot the machine
- to attempt some repairs. All formatted floppies contain a boot sector,
- but only floppies which contain the necessary system files can be used
- as boot floppies. A clean boot disk is one which is known not to be
- virus-infected. It's best to use a clean boot disk before routine
- scans of your hard disk(s). Some antivirus packages will refuse to run
- if there is a virus in memory. It is usually better and sometimes
- mandatory to disinfect a system without the virus in memory, and an
- undetected file virus may actually spread faster during a scan, since
- scanners normally open all executable files in all directories.
-
- To make an emergency bootable floppy disk, put a disk in drive A and type
- FORMAT A: /S
- Be careful to avoid 'cross-formatting', i.e. formatting a double-density
- disk as high-density or vice versa, if your system allows this. (You should
- avoid this all the time, not just when creating a boot disk. I'd also
- recommend avoiding single-density and quad-density disks, and there may
- be problems writing to double-density 5.25" disks on a different machine
- to the one on which they were formatted, if one machine is an XT and the
- other an AT or better.)
-
- You can also make a pre-formatted floppy into a boot disk by typing
- SYS A:
- I'd suggest you also COPY these commands from C:\DOS to it: ATTRIB,
- CHKDSK (or SCANDISK if you have DOS6), FDISK, FORMAT, SYS, and BACKUP and
- RESTORE (or whatever backup program you use, if it will fit). They may
- come in handy if you can't access the hard disk, or it won't boot up.
-
- You may be aware that if there is a problem with your boot sequence, you
- can boot from the hard disk on a DOS 6/7/Win95 system while bypassing
- AUTOEXEC.BAT and CONFIG.SYS. This is not as good as a clean floppy boot:
- it won't help at all if you have a boot sector/partition sector infector,
- or if any or all of the basic operating system files have been infected
- by a file virus.
-
- The boot disk should have been created with the same version of DOS as
- you have on your hard disk. It should also include any drivers necessary
- to access your hard disk and other devices (such as a CD-ROM). If, for
- some reason, you can't obtain a clean boot disk with the same version
- of DOS, you can often get away with booting from a (clean) disk using
- a different version, though: indeed, there are viruses which exploit a
- bug in recent versions of MS-DOS which will prevent a clean boot from
- DOS vs. 4-6. If you *do* use a different version, remember that you
- won't be able to use many of the standard DOS system utilities on the
- hard disk, which will simply return a message like 'Wrong DOS version'
- when you try to run them, and avoid the use of FORMAT or FDISK.
-
- If you become virus-infected it can be very helpful to have a backup of your
- hard disk's boot sector and partition sector (also known as the MBR). Some
- anti-virus and disk utilities can do this. Other useful tools to include are
- a small DOS-based text editor (for editing AUTOEXEC.BAT, CONFIG.SYS and so
- forth), a copy of the DOS commands COMP or FC (for comparing files),
- FDISK and SYS (make sure they are from the same version of DOS as you are
- booting). There is a school of thought that your boot disk should also
- include your anti-virus software. The problem with this is that
- anti-virus software should be updated frequently, and you may forget to
- update (and re-write-protect) your boot disk each time. Ideally you will
- have been sent a clean, write-protected copy of the latest version of your
- anti-virus software by your vendor/supplier.
-
- If you want to use the DOS program EDIT, remember that you need both
- EDIT.* and QBASIC.* on the same disk.
-
- When you have everything you need on your boot floppy and any supplementary
- floppies (see below), make sure they're all *write-protected*!
-
- How do I know I have a clean boot disk?
- - ---------------------------------------
-
- You can't usually make up a clean boot disk on a system which has been
- booted from an infected floppy or hard disk. So how do you know you're
- booting clean? Actually, you can never be 100% sure. If you buy a PC
- with the system already installed, you can't be sure the supplier
- didn't format it with an infected disk. If you get a set of system
- disks, can you assume that Microsoft or the disk duplicator
- didn't somehow release a contaminated disk image? (Yes, something rather
- like this has indeed happened...) However, you can be better than 99%
- sure.
- * If you have (and use) a reputable, up-to-date virus scanner, it will
- almost invariably detect a known virus in memory (scanners can't be
- relied on to detect an unknown virus, in memory or not). If a good
- scanner doesn't ring an alarm bell, you've *almost* certainly booted
- clean. What constitutes a good scanner is another question, however.
- * If you have a set of original system disks which you received
- shrinkwrapped *and* which you've never used *or* which have only been
- used write-protected, you can probably use Disk 1 as a boot disk and
- it *probably* isn't infected - after all, Microsoft doesn't use MSAV
- for jobs like this..... It has been reported, though, that DOS
- systems disks have been distributed infected, and the fact that
- they're often distributed write-enabled doesn't inspire confidence.
- * You could always contact the supplier of your most-trusted anti-virus
- utility and ask whether you can send them a boot floppy to check. Of
- course, even anti-virus gurus sometimes make mistakes, but a boot
- disk verified in this way would still be worth paying for,
- especially for organizations with mission-critical systems.
-
-
- What other tools might I need?
- - ------------------------------
-
- Other suggestions have included a sector editor, and Norton Utilities
- components such as Disk Doctor (NDD). These are not suitable for use by
- the technically-challenged - any tool which can manipulate disks at a
- low-level is potentially dangerous. If you do use tools like this, make
- sure they're good quality and up-to-date. If you attack a 1GB disk with
- a package that thinks 32MB is the maximum for a partition and MFM disk
- controllers are leading edge, you're in for trouble....
-
- A copy of PKZIP/PKUNZIP or similar compression/decompression utility may
- be useful both for retrieving data and for cleaning (some) stealth viruses.
- The MSD diagnostic tool supplied with recent versions of DOS and Windows
- is a useful addition. Heavy duty diagnostic packages like CheckIt! may
- be of use. There are some useful shareware/freeware diagnostic packages,
- too.
-
- Obviously, these are not all going to go on one bootdisk. When you
- prepare a toolkit like this, make sure *all* the disks are
- write-protected!
-
- Tech support types are likely to find that an assortment of bootable
- disks including various versions of DOS comes in useful on occasion.
- If you have one or two non-Microsoft DOS versions (DR-DOS/Novell DOS
- or PC-DOS), they can be a useful addition. DoubleSpaced or similar
- drives will need DOS 6.x; Stacked drives will need appropriate
- drivers loaded.
-
- My understanding of the copyright position is that Microsoft does
- not encourage you to *distribute* bootable disks (even if they contain
- only enough files to minimally boot the system) *unless* the target
- system is loaded with the same version of MS-DOS as the boot floppy.
- Support engineers will need to ensure that they are legally entitled
- to all DOS versions for which they have bootable disks.
-
- What are rescue disks?
- - ----------------------
-
- Many antivirus and disk repair utilities can make up a (usually
- bootable) rescue disk for a specific system. This needs a certain
- amount of care and maintenance, especially if you make up more than
- one of these for a single PC with more than one utility. Make sure
- you update *all* your rescue disks when you make a significant
- change, and that you understand what a rescue disk does and how it
- does it before you try to use it. Don't try to use a rescue disk
- made up on one PC on another PC, unless you're very sure of what
- you're doing: you may lose data.
-
- Are there CMOS viruses?
- - -----------------------
-
- Although a virus CAN write to (and corrupt) a PC's CMOS memory,
- it can NOT "hide" there. The CMOS memory used for system
- information (and backed up by battery power) is not "addressable,"
- and requires Input/Output ("I/O") instructions to be usable.
-
- Data stored there are not loaded from there and executed, so virus
- code written to CMOS memory would still need to infect an
- executable program in order to load and execute whatever it wrote.
-
- A virus could use CMOS memory to store part of its code,
- and some tamper with the CMOS Setup's values. However,
- executable code stored there must first be moved to
- DOS memory in order to be executed. Therefore, a virus
- can NOT spread from, or be hidden in, CMOS memory. No known
- viruses store code in CMOS memory.
-
- There are also reports of a trojanized AMI BIOS - this is
- not a virus, but a 'joke' program which does not replicate.
- The malicious program is not on the disk, nor in CMOS, but
- was directly coded into the BIOS ROM chip on the system board
- by a rogue programmer at American Megatrends Inc., the
- manufacturers.
-
- If the date is 13th of November, it stops the bootup process
- and plays 'Happy Birthday' through the PC speaker. In this
- case, the only cure is a new BIOS (or motherboard) - contact
- your dealer. The trojanized chip run was BIOS version M82C498
- Evaluation BIOS vs. 1.55 of 04-04-93, according to Jimmy
- Kuo's "What is NOT a virus" paper.
-
- From time to time there are reports from Mac users that the
- message 'welcome datacomp' appears in their documents without
- having been typed. This appears to be the result of using a
- trojanised 3rd-party Mac-compatible keyboard with this 'joke'
- hard-coded into the keyboard ROM. It's not a virus - it can't
- infect anything - and the only cure is to replace the keyboard.
-
- How do I know I'm FTP-ing 'good' software?
- - ------------------------------------------
-
- Reputable sites like SimTel and Garbo check uploaded utilities for
- viruses before making them publicly available. However, it makes
- sense not to take anything for granted. I'm aware of at least one
- instance of a virus-infected file being found on a SimTel mirror:
- you can't scan a newly-uploaded file for a virus your scanner
- doesn't know about. Good A/V packages include self-checking code,
- though it's unsafe to depend even on this 100%. Be paranoid: you
- know it makes sense....
-
- In general, don't run *anything* downloaded from the Internet,
- BBSs etc. until it's been checked with at least one reputable
- and up-to-date antivirus scanner.
-
- What is 386SPART.PAR?
- - ---------------------
-
- People are sometimes alarmed at finding they have a hidden file
- with this name. It is, in fact, created by Windows 3.x when you
- configure it to use a permanent swap file (a way of allowing Windows
- to work as if you had more memory than you really do). On no account
- should you delete it, as it will upset your configuration. If you wish
- to remove it or adjust its size, do so via the 386 Enhanced
- setting in Control Panel; bear in mind, though, that a permanent swap
- file usually improves performance on a machine with relatively little
- memory. The file is not executable as such, and reports of virus
- infection in it are usually false positives.
-
- Can I get a virus to test my antivirus package with?
- - ----------------------------------------------------
-
- Well, I won't send you one... Most packages have some means of allowing
- you to trigger a test alert. There is a standard EICAR test file which
- is recognized by some packages.
-
- Most reputable, current anti-virus products will now alert on the EICAR
- anti-virus test file. See the following site for background on this file:
-
- http://www.eicar.org/
-
- To make use of the EICAR test string, type or copy/paste the
- following text into a file called EICAR.COM, or TEST.COM or whatever.
-
- X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
-
- Running the file displays the text "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".
-
- The EICAR file isn't an indication of a scanner's -efficiency- at
- detecting viruses, since (1) it isn't a virus and (2) detecting
- a single virus or non-virus isn't a useful test of the number of
- viruses detected. It's a (limited) check on whether the program
- is installed, but I'm not sure it's a measure of whether it's installed
- correctly. For instance, the fact that a scanner correctly reports that a
- file called EICAR.COM contains the EICAR string doesn't tell you
- whether it will detect macro viruses. In fact, if I wanted
- to be really picky, I'd have to say that it doesn't actually tell you
- anything except that the scanner detects the EICAR string in files with
- a particular extension.
-
- The string is supposed to trigger an alarm only when detected at
- the beginning of the file. Some products are known to 'false alarm'
- by triggering on files which contain the string elsewhere.
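
The "only at the beginning of the file" rule above is part of the published EICAR specification: the 68-byte string must be the start of the file, it may be followed only by whitespace (space, tab, CR, LF, Ctrl-Z), and the whole file must be at most 128 bytes. The following is an added example, not code from the FAQ or from EICAR, that implements that rule beside the substring-anywhere check which produces the false alarms mentioned above. The sample "files" are constructed in memory; the test string is assembled from two halves so that this source file itself does not start with it.

```python
import re

# Added example: spec-conforming EICAR recognition versus the naive
# substring check. The string halves below are the published test string;
# the SAMPLES dictionary is constructed input.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
MAX_LEN = 128
# Whitespace the specification permits after the string, and nothing else.
TRAILING_OK = re.compile(rb"[ \t\r\n\x1a]*\Z")


def classify(data: bytes) -> str:
    """'eicar' for a conforming test file, 'nonconforming' when the string is
    present but not as a valid test file (embedded, or file too long),
    'clean' otherwise."""
    if (data.startswith(EICAR) and len(data) <= MAX_LEN
            and TRAILING_OK.fullmatch(data[len(EICAR):])):
        return "eicar"
    if EICAR in data:
        return "nonconforming"
    return "clean"


def naive_classify(data: bytes) -> str:
    """The substring-anywhere check the FAQ says causes false alarms."""
    return "eicar" if EICAR in data else "clean"


# Constructed samples: a proper test file, one padded past the size limit, a
# mail body that merely quotes the string, and an unrelated executable stub.
SAMPLES = {
    "test.com": EICAR + b"\r\n",
    "too_long.com": EICAR + b" " * 80,
    "mail.txt": b"forwarding the test string:\r\n" + EICAR + b"\r\n",
    "hello.exe": b"MZ" + b"\x00" * 64,
}


def report() -> dict:
    """Map each sample name to (spec-conforming verdict, naive verdict)."""
    return {name: (classify(d), naive_classify(d)) for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, (strict, naive) in report().items():
        print(f"{name:14} strict={strict:14} naive={naive}")
```

Writing `SAMPLES["test.com"]` to a file named EICAR.COM gives the test file the FAQ describes; the in-memory comparison is enough to see that only the strict rule separates a genuine test file from a mail message that quotes the string, which is exactly the case where a product "false alarms".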
-
- [I have Chengi Jimmy Kuo's permission to reproduce the following, apropos
- of the last-but-one paragraph]:
-
- "The purpose of the EICAR test file is for the user to test all the
- bells and whistles associated with detecting a virus. And, if given
- that one platform detects it, is everything else working? It is to
- enable such things as:
-
- Is the alert system working correctly?
- Does the beeper work?
- Does the network alert work?
- Does it log correctly?
- What does it say?
- Is the NLM working? For inbound? For outbound?
- Is compressed file scanning working?
-
- Surprise MIS testing of AV security placements.
-
- The file serves no purpose in testing whether one product is better
- than another. Previously, every product had to supply its own test
- methods. This allows for an independent standard."
-
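- Added example (not part of the FAQ, nor EICAR's own code): a checker for the convention the FAQ describes, namely that the string must sit at the very start of the file, shown beside the plain substring match that produces the false alarms mentioned above. It assumes, from the published EICAR rules rather than this FAQ, that only whitespace may follow the string and that the whole file is at most 128 bytes.

```python
# The 68-byte EICAR test string, assembled from two halves so this source
# file is not itself picked up as a test file by a scanner.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
         + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")
MAX_LEN = 128            # EICAR rule (assumed, not from the FAQ): file length limit
WHITESPACE = b" \t\r\n"  # EICAR rule (assumed): only bytes allowed after the string


def is_eicar_file(data: bytes) -> bool:
    """True only when the file follows the EICAR convention."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return data[len(EICAR):].strip(WHITESPACE) == b""


def naive_match(data: bytes) -> bool:
    """The false-alarm behaviour the FAQ mentions: fire on the string anywhere."""
    return EICAR in data


def classify(files: dict) -> dict:
    """Map file name -> (strict verdict, naive verdict) for side-by-side comparison."""
    return {name: (is_eicar_file(d), naive_match(d)) for name, d in files.items()}


# Constructed samples: a proper test file, one with a trailing newline, a text
# file quoting the string mid-file (as this FAQ does), and an over-long padded file.
SAMPLES = {
    "EICAR.COM": EICAR,
    "EICAR_CRLF.COM": EICAR + b"\r\n",
    "faq-excerpt.txt": b"following text into a file called EICAR.COM:\n" + EICAR,
    "PADDED.COM": EICAR + b"\x00" * 100,
}
```

Only the first two samples are test files under the strict rule; the text file and the padded file show where a substring matcher and a proper one disagree.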
-
- When I do DIR | MORE I see a couple of files with funny names...
- - ----------------------------------------------------------------
-
- Actually, this is in the Virus-L FAQ. Read that and post the question
- to comp.virus or alt.comp.virus if you're still worried. Basically,
- the answer is that MORE creates a couple of temporary files, being
- considerably less efficient than the Unix utility it attempts to
- emulate. Most versions of DOS since the Middle Ages support the
- syntax DIR /P, which does the same job less messily. In fact,
- if you have a version of DOS later than 5, you might consider
- incorporating it into the environment variable DIRCMD, so that it
- becomes your default on directory listings which exceed 1 screenful.
-
- Of course, other utilities such as ATTRIB can also be filtered through
- MORE like this, which may result in similar symptoms.
-
- - ------------------------------------------------------------
-
- Reasons NOT to use FDISK /MBR
- - -----------------------------
-
- See Section 12 in part 2 of this FAQ for further information about FDISK
- with the undocumented /MBR switch. However, people with virus problems
- are frequently advised, out of ignorance or maliciousness, to use this
- switch in circumstances where it can lead to an inability to access your
- disk drive and possible loss of data (not to mention hair and sanity).
-
- Essentially, you should avoid using FDISK /MBR unless you have it on good
- authority that it's safe and necessary to do so. In most circumstances, it's
- safer to clean a partition sector with a good anti-virus program.
-
- You should avoid FDISK /MBR at all costs under the following circumstances:
-
- 1. Under an infection by viruses that don't preserve the Partition Table,
- e.g., Monkey, reported at 7.2% of the infections reported to _Virus
- Bulletin_ for December '95, the last report for which I have data.
- 2. Under an infection that encrypts data on the hard drive and keeps
- the key in the MBR, e.g., One_half, reported at 0.8% worldwide.
- 3. When security software, e.g., PC-DACS, is in use.
- 4. When a driver like Disk Manager or EZDrive is installed.
- 5. When a controller that stores data in (0,0,1) is in use.
- 6. When more than one BSI virus is active, in some conditions.
- 7. When a data diddler is active, e.g., Ripper, accountable for 3.8% of
- the infections reported in the study cited above (N.B.: while this
- case won't be fixed by AV utilities, at least one will know why
- there are problems with the drive).
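
- Added example (not part of the FAQ): rewriting the master boot code leaves the 64-byte partition table and the trailing 0x55AA signature as they are, so the check worth making before anyone considers it is whether that table is still usable. This sanity-checker parses a 512-byte MBR sector and reports an empty table (the case in item 1 above), a missing signature, or overlapping entries; the sectors it examines are constructed samples, and the layout it assumes is the standard 446/64/2-byte MBR.

```python
import struct

SECTOR = 512
TABLE_OFF = 446          # 446 bytes of boot code, then the 64-byte table
ENTRY = 16               # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def parse_partition_table(mbr: bytes) -> list:
    """Return the in-use entries as (active, type, lba_start, sector_count)."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        raw = mbr[TABLE_OFF + i * ENTRY:TABLE_OFF + (i + 1) * ENTRY]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        if ptype != 0:
            entries.append((status == 0x80, ptype, lba, count))
    return entries


def assess_mbr(mbr: bytes) -> dict:
    """List what would still be wrong after only the boot code is rewritten."""
    problems = []
    if mbr[SECTOR - 2:] != SIGNATURE:
        problems.append("missing 0x55AA signature")
    parts = parse_partition_table(mbr)
    if not parts:
        problems.append("partition table empty: a clean boot sector alone "
                        "still leaves the disk inaccessible")
    elif sum(1 for p in parts if p[0]) != 1:
        problems.append("not exactly one active partition")
    spans = sorted((p[2], p[2] + p[3]) for p in parts)
    if any(b[0] < a[1] for a, b in zip(spans, spans[1:])):
        problems.append("overlapping partitions")
    return {"partitions": parts, "problems": problems}


def make_mbr(entries) -> bytes:
    """Build a constructed sample sector; entries are (active, type, lba, count)."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if a else 0, t, l, c)
                     for a, t, l, c in entries)
    return b"\x00" * TABLE_OFF + table.ljust(64, b"\x00") + SIGNATURE


# Constructed samples: a healthy disk, and one whose table was not preserved.
HEALTHY = make_mbr([(True, 0x06, 63, 1_000_000)])
TABLE_LOST = make_mbr([])
```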
-
- - ------------------------------------------------------------
-
- Why do people write/spread viruses?
- - -----------------------------------
-
- - From postings which have appeared in alt.comp.virus in the past:
-
- * they don't understand or prefer not to think about the consequences
- for other people
- * they simply don't care
- * they don't consider it to be their problem if someone else is
- inconvenienced
- * they draw a false distinction between creating/publishing viruses
- and distributing them
- * they consider it to be the responsibility of someone else to protect
- systems from their creations
- * they get a buzz, acknowledged or otherwise, from vandalism
- * they consider they're fighting authority
- * they like 'matching wits' with antivirus vendors
- * it's a way of getting attention, getting recognition from their peers
- and their names (or at least that of their virus) in the papers and
- the Wild List
- * they're keeping the antivirus vendors in a job
-
-
- - ------------------------------------------------------------
-
- Where can I get an anti-virus policy?
- - -------------------------------------
-
- There is some relevant material in the Virus-L FAQ document, but you'll
- need to do most of the work specific to your own environment. It's worth
- doing some general reading on security policies generally and getting
- the distinctions straight between policies, strategies, standards,
- procedures and protocols. I'm working on this in other contexts: some of
- that material may eventually seep back into here.
-
- The ICSA have a Corporate Virus Prevention Policy disk/document which can
- be ordered via their web page (www.icsa.net) for around $20, or downloaded
- from Compuserve.
-
- In the UK, the British Standards Institution have a Code of Practice for
- Information Security Management which includes virus-management (BS7799).
- [It's not necessarily well-regarded by practitioners, though.]
-
- BSI
- 389 Chiswick High Road
- London W4 4AL
-
- DTI (Dept. of Trade & Industry)
- IT Security Policy Unit
- 151 Buckingham Palace Road
- London SW1W 9SS
-
- The Dr. Solomon's web page (www.drsolomon.com) has a paper on Guidelines
- for an Anti-Virus Policy by David Emm which is a reasonable starting
- point, though a comprehensive virus management policy is no small
- undertaking. The Dr. Solomon's page may be moved to the www.nai.com
- site in the near future, as Dr. Solomon's has been purchased by NAI.
-
- - ------------------------------------------------------------
-
- Are there virus damage statistics?
- - ----------------------------------
-
- Some, possibly even less reliable than the average survey on general
- security breaches. Why?
-
- * Many reported virus incidents aren't, in fact, virus incidents, as
- many a PC support specialist will confirm. There is a tendency to
- attribute any PC anomaly to a virus, among those who are not well
- acquainted with the virus arena. Unfortunately, this includes
- virtually the entire press corps and many security consultants. Also,
- some widely-used packages are noticeably prone to false alarms.
- * Many actual virus incidents and other security breaches are not
- reported, due to the intervention of top management or Public
- Relations, out of fear of losing competitive advantage because of
- being perceived as badly-managed and insecure.
- * Many other virus incidents and security breaches aren't reported
- because they're simply not recognised as such, or at all.
- * There are no standards for reporting and assessing damage from
- viruses and other security breaches. Take the case of Christopher
- Pile (the Black Baron), who was convicted in the UK under the
- Computer Misuse Act: I have seen estimates in the UK press of
- the damage sustained by the company most affected by the viruses
- Pile spread ranging from #40,000 to #500,000, and this is an
- unusually well-documented incident. How can the average survey
- respondent be expected to make an accurate assessment?
-
- The trouble is, there's a lot more to 'damage' than the figures
- estimated for a particular outbreak.
-
- Cost of maintaining virus protection:
- * Training and maintaining a response team
- * Management costs
- * Cost of software licences
- * Cost in time/productivity/money of maintaining upgrades etc.
- * Formulating and enforcing policy
- * Educating users in the issues and good hygienic practice
- * Cost in time of routine anti-virus measures
- * Cost in money and time of servicing false alarms
- * Cost of sheepdip systems
- * Cost of having part-time A/V people taking time off from their
- 'real' jobs
- * Alternatively, the cost of having full-time A/V personnel
- * Cost of tracking the product market and technological changes
- * Formulating and enforcing a backup policy
- * Development of protective systems
- * Resource utilisation by undetected viruses
-
- Cost of specific outbreaks:
- * Loss of productivity
- * Workstation/Server downtime
- * Damage to reputation of the organization
- * Damage to involved personnel
- * Psychological damage - witch hunts
- * Damage limitation
- * Time spent cleaning up, examining floppies etc.
- * Restoration of backups/reinstallation
- * Replacing unrecoverable data
- * Time and money spent increasing virus protection...
-
- However, the Poor Bloody Infantry often have to spend time and effort
- persuading the Generals of the need to expend money on ammunition.
- You might care to check out:
-
- * The Information Security Breaches Survey 1996 [UK]
-
- [National Computing Centre, ICL, ITSEC, Dept. of Trade & Industry]
-
- NCC
- Oxford House
- Oxford Road
- Manchester
- M1 7ED
-
- (voice) +44(0) 161 228 6333
- (fax) +44(0) 161 242 2171
- enquiries@ncc.co.uk
- http://www.ncc.co.uk/
-
- This came up with the highly suspect but much quoted average of about
- #4000 per virus incident.
-
- * Computer Virus & Security Survey 1995 [Ireland]
-
- [Price Waterhouse, Priority Data Systems]
-
- Price Waterhouse
- Wilton Place
- Dublin 2
- (353 1) 6606700
-
- ++Added August 18th.
-
- * ICSA have published surveys for some years. The 1999 survey is the
- best to date.
-
- <http://www.icsa.net/>
-
- - ------------------------------------------------------------
-
- What is ICSA Approval?
- - ----------------------
-
- The ICSA has a certification program for PC virus scanners which offers
- a measure of the detection capabilities of specific versions.
- In the past, ICSA's modus operandi was the subject of much
- scepticism within the antivirus community, but the current
- procedures are much improved (though not perfect; then again, nothing is).
- The specific criteria are available at:
-
- http://www.icsa.net/services/consortia/anti-virus/certification.shtml
-
- A list of the certified products is available at:
-
- http://www.icsa.net/services/consortia/anti-virus/certified_products.shtml
-
- The ICSA sponsors an Anti-Virus Product Developers consortium. The ICSA
- and consortium members have created standards for anti-virus products
- and the ICSA Anti-virus lab in Carlisle tests new versions of scanners
- that are submitted to it and issues an "NCSA Approved" seal for those
- products which pass the test.
-
- For more information about the NCSA or for links to the members of the
- AVPD consortium:
-
- http://www.icsa.net/
-
- - ------------------------------------------------------------
-
- What language should I write a virus in?
- - ----------------------------------------
-
- Choose your own squelch:
-
- * ANSI COBOL
- * LOGO
- * Karel the Robot
- * PL/I
- * dBase II
- * Get a life
- * Or my personal favourite (thanks, Bruce!)
- "Hey, man; where can I get a copy of
- Visual English to write some hot new virii?!?"
-
- If you need to ask this question, you'd be better off collecting
- tazos than trying to write viruses.
-
- No, seriously, what language are they written in?
- - -------------------------------------------------
-
- The simple answer is "Assembler, mostly (on the PC)". High-level
- languages such as C and Pascal are sometimes used, as are various
- flavours of command shells on various systems (Unix shell scripts,
- DCL scripts etc.). Macro viruses are written in macro languages,
- surprisingly....... B-)
-
- [DRD], Doren Rosenthal, the Universe and Everything
- - ---------------------------------------------------
-
- Doren Rosenthal offers a shareware utilities suite including a
- virus simulator. Many of the AV pros in this group have a low
- opinion of the Rosenthal utilities, and regard their author as
- more of a virus writer than an anti-virus researcher, and are
- annoyed by his habit of offering his utilities as a solution
- for problems to which their relevance is not always obvious. As
- discussions on Rosenthal-related topics sometimes generate
- much heat and bandwidth, some people have taken to adding [DRD]
- to the subject header when posting to these threads, to make it
- easier to avoid them.
-
- What are CARO and EICAR?
- - ------------------------
-
- CARO - Computer Anti-Virus Research Organisation. Invitation-only
- group of techie researchers, mostly representing AV vendors. CARO
- approves 'standard' names for viruses. Some people tend to mistrust
- the fact that CARO members often share virus samples: however, CARO
- membership is a convenient yardstick by which other members can
- judge whether an individual can be trusted with samples. In general,
- users at large benefit: this way, AV vendors with CARO members can
- include most known viruses in their definitions databases.
-
- EICAR - European Institute for Computer AntiVirus Research. Membership
- comprises academic, commercial, media and governmental organisations,
- together with experts in security, law and other fields, working together
- to control the spread of malicious software and computer misuse.
- Membership is more open, but members are expected to subscribe to a
- code of conduct. And yes, this is the origin of the EICAR test file.
-
- EICAR has a web page at http://www.eicar.org/
-
- - ------------------------------------------------------------------
-
- End of a.c.v. FAQ Part 4 of 4
-
- -----BEGIN PGP SIGNATURE-----
- Version: PGPfreeware 6.5.1 for non-commercial use <http://www.pgp.com>
- Comment: PGP Key ID 0xDCC35C75 available on Keyservers
-
- -----END PGP SIGNATURE-----
-
-