home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Internet Info 1997 December
/
Internet_Info_CD-ROM_Walnut_Creek_December_1997.iso
/
faqs
/
alt
/
comp
/
virus
/
[alt.comp.virus]_FAQ_Part_1_4
next >
Wrap
Internet Message Format
|
1997-10-24
|
35KB
Path: senator-bedfellow.mit.edu!faqserv
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Newsgroups: alt.comp.virus,comp.virus,alt.answers,comp.answers,news.answers
Subject: [alt.comp.virus] FAQ Part 1/4
Supersedes: <computer-virus/alt-faq/part1_876222027@rtfm.mit.edu>
Followup-To: alt.comp.virus
Date: 23 Oct 1997 09:38:22 GMT
Organization: none
Lines: 798
Approved: news-answers-request@MIT.EDU
Expires: 21 Nov 1997 09:32:10 GMT
Message-ID: <computer-virus/alt-faq/part1_877599130@rtfm.mit.edu>
NNTP-Posting-Host: penguin-lust.mit.edu
X-Last-Updated: 1997/09/07
Originator: faqserv@penguin-lust.MIT.EDU
Xref: senator-bedfellow.mit.edu alt.comp.virus:51174 comp.virus:30099 alt.answers:29801 comp.answers:28644 news.answers:115220
Archive-name: computer-virus/alt-faq/part1
Posting-Frequency: Fortnightly
URL: http://www.webworlds.co.uk/dharley/
Maintainer: Co-maintained by David Harley, Bruce Burrell, and George Wenzel
alt.comp.virus (Frequently Asked Questions)
*******************************************
Version 1.04: Part 1 of 4
Last modified 6th Sept 1997
("`-''-/").___..--''"`-._
`6_ 6 ) `-. ( ).`-.__.`)
(_Y_.)' ._ ) `._ `. ``-..-'
_..`--'_..-_/ /--'_.' ,'
(il),-'' (li),' ((!.-'
ADMINISTRIVIA
=============
New or modified entries are now flagged with two plus symbols at the
beginning of the line. Sorry if I missed any on this update.
@@ Amendments between official upgrades are now flagged with two
ampersands (@@) in the first two columns rather than three plus
signs (+++). This is because I usually edit this document from home,
and +++ has a specific meaning to Hayes-compatible modems which I
invariably forget about.
Maintenance of this FAQ is now shared between the following:
David Harley <D.Harley@icrf.icnet.uk>
Bruce Burrell <bpb@umich.edu>
George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Exactly how (not to mention if) this will work in practice has yet to
be determined. For the moment, it will work as follows.
George will do the real work, like making sure the darn thing is posted
regularly and organizing archiving, posting automagically etc., keeping
an eye on whether URLs are still current etc. Bruce and I will
concentrate on doing what we do best: Bruce will keep an eye open for
sloppy grammar and general imprecision; I'll sit here claiming credit
for the work of others and make the final decision in the event of any
contention. All three of us will refer to ourselves as "co-maintainer"
rather than "maintainer".
Any of us may choose to suggest edits, additions and subtractions to/from
the FAQ, but, with effect from the next revision, all edits will be
agreed between the three of us before inclusion in the FAQ. If anyone
else wishes to contribute a suggestion, alteration or addition, they
can send it to any or all of the above, and it will be used subject to
the agreement of all three of us.
@@
For the present, the authoritative version of the FAQ remains the one
at http://webworlds.co.uk/dharley/. Administration of the <Guide to
AntiVirus FAQs> remains with David Harley alone. The <Viruses and the
Macintosh> FAQ is now co-maintained by David Harley and Susan Lesch.
Disclaimer
----------
This document is primarily concerned with defending the integrity of
computing systems and preventing damage caused by viruses or other
malicious and/or other unauthorized software. It attempts to address
many of the issues which are frequently discussed on alt.comp.virus,
but does not claim to represent all shades of opinion among the users of
a.c.v. - in particular, it does not include information which, in my
estimation, is likely to be of more help to those interested in the
spreading of unauthorized and/or malicious software than to those
who wish to be protected from it.
This document is an honest attempt to help individuals with computer
virus-related problems and queries. It can *not* be regarded as being
in any sense authoritative, and has no legal standing. The authors
accept no responsibility for errors or omissions, or for any ill effects
resulting from the use of any information contained in this document.
Not all the views expressed in this document are mine, and those views
which *are* mine are not necessarily shared by my employer.
David Harley
------------
Copyright Notice
----------------
Copyright on all contributions to this FAQ remains with the authors
and all rights are reserved. It may, however, be freely distributed
and quoted - accurately, and with due credit.
It may not be reproduced for profit or distributed in part or as
a whole with any product for which a charge is made, except with
the prior permission of the copyright holders. To obtain such permission,
please contact David Harley or one of the other co-maintainers of the FAQ.
Such permission will normally be forthcoming as long as
(1) reproduced text is quoted accurately
(2) it is made clear that such text is derived from the FAQ
(3) it is made clear that the latest version of the FAQ is available
from the newsgroup and from the official home of the FAQ on
the world-wide web, which is currently
http://webworlds.co.uk/dharley
(4) the e-mail addresses of all three of the co-maintainers
of the FAQ are included as a contact point.
Availability
------------
The latest version of this document is available from:
(1)
http://www.webworlds.co.uk/dharley/
(this is the primary source)
http://www.totalweb.co.uk/dharley/anti-virus/
(2)
Thanks to the efforts of Ed Fenton, the FAQ is now available
as a hypertext electronic document (DOS). This will be
available from ftp.gate.net (see below).
ftp.gate.net/pub/users/ris1/acvfaqht.zip
ftp.gate.net/pub/users/ris1/acvfaq.zip
Derek Giroulle has offered to make the FAQ available in
French and Dutch. More details in due course. If there's any
interest in other non-English versions, perhaps people would
let me know and I'll see what I can do.
A number of individuals and sites have agreed to make it available
via anonymous FTP and/or WWW. These include:
FTP://ftp.gate.net/pub/users/ris1/acvfaq.zip
http://www.drsolomon.com/
http://www.innet.net/~ewillems/
http://www.agora.stm.it/N.Ferri/infos.htm
http://emt.doit.wisc.edu/acvfaq/acvFAQ.html
It is no longer available on AOL in the Macintosh Virus Information
Center, which is no longer being updated. I note that it -is- being
used, without due credit, by the PC Virus Information Center. This is
quite against the spirit -and- the letter of this copyrighted document,
and is being checked out now.
----------------------------------------------------------------------
PREFACE
=======
(i) What is the FAQ, and whom is it for?
-----------------------------------
This FAQ is intended to make available answers to questions which
are repeatedly asked on alt.comp.virus, and tries to gather the most
useful information regarding this group and the issues discussed here
into a relatively short document. The hope is to produce (eventually)
an easily-digested document for newcomers, as a means of saving those
who regularly reply to posted questions having to re-invent the wheel
each time.
I recommend that you read this FAQ in conjunction with the comp.virus
(VIRUS-L)FAQ, which gives more detailed information regarding some
issues which are, inevitably, covered in both FAQs.
The VIRUS-L/comp.virus FAQ is regularly posted to the comp.virus
newsgroup. The latest version should be available as:
ftp://cert.org/pub/virus-l/FAQ.virus-l
You can get the Mk. 2 version at
ftp://ftp.datafellows.com/pub/misc/anti-vir/vlfaq200.zip
ftp://cs.ucr.edu/pub/virus-l/
which is very long and very thorough. This document is subject to
revision, so the file name may change.
A very terse mini-FAQ maintained by George Wenzel is posted more or
less daily to alt.comp.virus. I am now regularly posting a guide to
virus-related FAQs (contact details and digest of contents), which I
plan to extend to other security areas eventually, as a supplement
to this FAQ. Both these resources will eventually be available by
FTP/WWW.
++ The guide to virus-related FAQs is withdrawn for the present,
due to the need for extensive updating
(ii) Credits/Acknowledgements
------------------------
The following have contributed text and/or ideas and/or
proofreading/corrections and/or URLs to the a.c.v. FAQ.
Vesselin Bontchev
Dennis Boon
Bruce Burrell
Graham Cluley
Henri Delger
Edward Fenton
Nicola Ferri
Sarah Gordon
David Harley
R. Wallace Hale
Norman Hirsch
Matthew Holtz
Mikko H. Hypponen
Douglas A. Kaufman
Tom Kelchner
Paul Kerrigan
Chengi Jimmy Kuo
Susan Lesch
Gerard Mannig
Martin Overton
Mike Ramey
Perry Rovers
Megan Skinner
Fridrik Skulason
Robert Slade
Alan Solomon
Ken Stieers
Hector Ugalde
George Wenzel
Caroline Wilson
Tarkan Yetiser
Acknowledgement is also due to the work of Ken Van Wyk, former
moderator of VIRUS-L/comp.virus, and the contributors to the
comp.virus FAQ (both versions).
Thanks also to ked@intac.com (aka Phreex), who mailed me a copy of the FAQ
he posted to a.c.v. some months before this one was begun, David J. Loundy
for assistance regarding legal issues, and to Nick FitzGerald, the
moderator of comp.virus and maintainer of the Mk. II comp.virus FAQ.
And especially to George Wenzel and Lucky the Cat.
(iii) Guide to posting etiquette
--------------------------
Messages asking for help posted to alt.comp.virus are more likely to
receive a useful response if they conform to accepted standards of
civility. The newsgroup news.announce.newusers includes information
on good newsgroup etiquette, or try
ftp://rtfm.mit.edu/pub/usenet/news.answers
http://www.fau.edu/rinaldi/netiquette.html
However, adhering to the following guidelines would be particularly
helpful:
* Keep your lines short (say 72 characters per line), so that anyone
who follows up doesn't have to reformat quoted text to keep it
readable).
* Don't quote all or most of a message you're following up unless it's
either very short, or necessary in order to address each point made.
In the latter case, please put the point you're answering close to
your answer and try to format it so that it's readable. Remember that
some people have to pay for connection/download time.
* On the other hand, a message which says something like 'I totally
agree' without including enough of the original for us to tell what
you're agreeing with is a waste of bandwidth.
* Keep it polite. It's unlikely that anyone who replies to your
posting is being paid to do so, and it wouldn't excuse bad manners if
they were. Of course, the cut and thrust of debate may be a different
matter altogether....
* Asking for a reply by direct e-mail may be reasonable if you need
an urgent solution or are using a borrowed account. It isn't
reasonable if you simply can't be bothered to check newsgroups.
At least try to think up a good excuse, and be prepared to offer a
summary to the group.
* Check that there isn't already a thread on the subject you're
asking about before posting yet another 'Has anyone heard of the GOOD
TIMES virus?' message. If there is, check it first: the answer to
your question may already be there (if it isn't in this document!).
Please remember that many people have to pay for connect time, and
don't appreciate duplicate postings or uuencoded binaries.
* If you want to follow up a message which doesn't seem particularly
relevant to alt.comp.virus, check the 'Newsgroups:' header: there
have been a lot of responses to spammings recently which have made
increased the bandwidth used, often quite unnecessarily.
* Please don't post test messages here unless you really need to:
use one of the newsgroups intended for the purpose: there is probably
one local to your news server - ask your Systems Administrator,
provider or local helpdesk. If you must post to the entire Internet,
use misc.test - if you do, put the word IGNORE in your Subject: field,
or you'll get auto-responder messages in your mail for weeks
afterwards. Look through the postings in news.announce.newusers
for relevant guidelines before you post.
* If you get into an exchange of E-mail, please remember that
not everyone can handle all forms of E-mail attachment (uuencoded,
MIME format etc. - if it's text, *send* it as text. NB also that
(uu)encoding text makes it longer as well as unreadable, so don't!
(iv) How to ask on the alt.comp.virus newsgroup for help
---------------------------------------------------
The more relevant information you give us, the more we can help you.
It helps to tell us the following:
* What you think the problem is (you might think it's a virus, but
maybe it isn't)
* What the symptoms are. If you ran some software that gave you a
message, tell us which package, version number, and the exact wording
of the message.
* Please be as accurate as possible about the order in which events
happened.
* If just one file is infected, give the filename.
* If you're running more than one anti-virus product, please list
them (including version number), and say what each one said about
the possible virus.
* Which version of which operating system you are running.
* Any other configuration information which you think may have a bearing.
Don't take action, then ask if that was the right action - if it
wasn't, it's too late.
Don't just ask "I've got xyz virus, can anyone help me".
-------------------------------------------------------------------------
Table of Contents
*****************
-----> Part 1
------
-----> (1) I have a virus - what do I do?
-----> (2) Minimal glossary
-----> (3) What is a virus (Trojan, Worm)?
-----> (4) How do viruses work?
-----> (5) How do viruses spread?
-----> (6) How can I avoid infection?
-----> (7) How does antivirus software work?
Part 2
------
(8) What's the best anti-virus software
(and where do I get it)?
(9) Where can I get further information?
(10) Does anyone know about
* Mac viruses?
* UNIX viruses?
* macro viruses?
* the AOLGold virus?
* the PKZip300 trojan virus?
* the xyz PC virus?
* the Psychic Neon Buddha Jesus virus?
* the blem wit virus
* The Irina Virus
* Ghost
++ * General Info on Hoaxes/Erroneous Alerts
(11) Is it true that...?
(12) Favourite myths
* DOS file attributes protect executable files from
infection
* I'm safe from viruses because I don't use bulletin
boards/shareware/Public Domain software
* FDISK /MBR fixes boot sector viruses
* Write-protecting suspect floppies stops infection
* The write-protect tab always stops a disk write
* I can infect my system by running DIR on an infected
disk
Part 3
------
(13) What are the legal implications of computer viruses?
Part 4
------
(14) Miscellaneous
Are there anti-virus packages which check zipped files?
What's the genb/genp virus?
Where do I get VCL and an assembler, & what's the password?
Send me a virus.
It said in a review......
Is it viruses, virii or what?
Where is alt.comp.virus archived?
++ What about firewalls?
Viruses on CD-ROM.
Removing viruses.
Can't viruses sometimes be useful?
Do I have a virus, and how do I know?
What should be on a (clean) boot disk?
How do I know I have a clean boot disk?
What other tools might I need?
What are rescue disks?
Are there CMOS viruses?
How do I know I'm FTP-ing 'good' software?
What is 386SPART.PAR?
++ Can I get a virus to test my antivirus package with?
When I do DIR | MORE I see a couple of files with funny names...
Reasons NOT to use FDISK /MBR
Why do people write/distribute viruses?
Where can I get an anti-virus policy?
Are there virus damage statistics?
What is NCSA approval?
++ What language should I write a virus in?
++ No, seriously, what language are they written in?
++ [DRD], Doren Rosenthal, the Universe and Everything
++ What are CARO and EICAR?
Placeholders
Supplement: Virus-related FAQs vs. 1.02b
* The alt.comp.virus FAQ
* The comp.virus/Virus-L FAQ
* The macro-virus FAQ
* The alt.comp.virus mini-FAQ
* The Antiviral Software Evaluation FAQ
-------------------------------------------------------------------------
(1) I have a virus problem - what do I do?
==========================================
The following guidelines will, one hopes, be of assistance. However,
you may get better use out of them if you read the rest of this
document before acting rashly...
If you think you may have a virus infection, *stay calm*. Once
detected, a virus will rarely cause (further) damage, but a
panic action might. Bear in mind that not every one who thinks s/he
has a virus actually does (and a well-documented, treatable virus
might be preferable to some problems!). Reformatting your hard disk
is almost certainly unnecessary and very probably won't kill the
virus.
If you've been told you have something exotic, consider the
possibility of a false alarm and check with a different package.
If you have a good antivirus package, use it. Better still, use more
than one. If there's a problem with the package, use the publisher's
tech support and/or try an alternative package. If you don't have a
package, get one (see section on sources below). If you're using
Microsoft's package (MSAV) get something less out-of-date.
Follow the guidelines below as far as is practicable and applicable
to your situation.
Try to get expert help *before* you do anything else. If the problem
is in your office rather than at home there may be someone whose job
includes responsibility for dealing with virus incidents.
Follow the guidelines below as far as is practicable and applicable.
* Do not attempt to continue to work with an infected system, or let
other people do so.
* Generally, it's considered preferable to switch an infected
system off until a competent person can deal with it: don't allow
other people to use it in the meantime. If possible, close down
applications, Windows etc. properly and allow any caches/buffers
to flush, rather than just hit the power switch.
* If you have the means of checking other office machines for
infection, you should do so and take appropriate steps if an
infection is found.
* If you are unable to check other machines, assume that all
machines are infected and take all possible steps to avoid
spreading infection any further.
* If there are still uninfected systems in the locality, don't use
floppy disks on them [except known clean write-protected DOS boot
floppies]
* users of infected machines should not *under any circumstances *
trade disks with others until their systems and disks are cleaned.
* if the infected system is connected to a Novell network, Appleshare
etc., it should be logged off all remote machines unless someone
knowledgeable says different. If you're not sure how to do this,
contact whoever is responsible for the administration of the
network. You should in any case ensure that the network administrator
or other responsible and knowledgeable individual is fully aware of
the situation.
* No files should be exchanged between machines by any other means
until it's established that this can be done safely.
* Ensure that all people in your office and anyone else at risk are
aware of the situation.
* Get *all* floppy disks together for checking and check every one.
This includes write-protected floppies and program master disks.
Check all backups too (on tape or file servers as well as on floppy).
(2) Minimal Glossary
====================
[There is room for improvement and expansion here. Contributions
will be gratefully accepted.]
* AV - AntiVirus. Sometimes applied as a shorthand term for
anti-virus researchers/programmers/publishers - may include
those whose work is not AV research, but includes
virus-control. (See also Vx.)
* BSI - Boot Sector Infector (= BSV - Boot Sector Virus)
* BIOS - Basic Input Output System
* CMOS - Memory used to store hardware configuration information
* DBR - DOS Boot Record
* DBS - DOS Boot Sector
* False Positive - When an antivirus program incorrectly reports a
virus in memory or infecting a file. Scanners in
heuristic mode and integrity checkers are, by
definition, somewhat more prone to these.
* False Negative - Essentially, a virus undetected by an antivirus
program.
* In-the-wild - describes viruses known to be spreading
uncontrolled to real-life systems, as opposed to
those which exist only in controlled situations
such as anti-virus research labs. Virus code
which has been published but not actually found
spreading out of control is not usually regarded
as being in-the-wild.
* MBR - Master Boot Record (Partition Sector)
* TSR - A memory-resident DOS program, i.e one which remains in
memory while other programs are running. A good TSR should
at least detect all known in-the-wild viruses and a good
percentage of other known viruses. Generally, TSRs are not
so good with polymorphic viruses, and should not be relied on
exclusively.
* vx - Those who study, exchange and write viruses, not necessarily
with malicious intentions (So I'm frequently told here...) B-)
* VxD - A Windows program which can run in the background. A scanner
implemented as a VxD has all the advantages of a DOS TSR, but
can have additional advantages: for instance, a good VxD will
scan continuously *and* for all the viruses detected by a
command-line scanner.
* Zoo - suite of viruses used for testing.
See the comp.virus FAQ for fuller definitions of some of these terms and
others which aren't addressed here.
Here are some commonly referred to anti-virus packages, including
acronyms (hence their inclusion in this section). [Suggestions for
expansion are, again, welcomed.]
* AVP - AntiViral Toolkit Pro
* AVTK - Dr. Solomon's AntiVirus ToolKit
* CPAV - Central Point AntiVirus
* The Doctor (Not Dr. Solomon!)
* Disinfectant (Mac)
* DSAVTK - Dr. Solomon's AntiVirus ToolKit
* F-Prot
* FindViru(s) - DSAVTK scanner
* Gatekeeper (Mac)
* Invircible
* MSAV - MicroSoft AntiVirus
* McAfee
* NAV - Norton AntiVirus
* SCAN - ViruScan (McAfee's scanner)
* Sweep - Scanner by Sophos
* TBAV - Thunderbyte AntiVirus
* VET
(3) What is a virus (and what are Trojans and Worms)?
=====================================================
A (computer) virus is a program (a block of executable code) which
attaches itself to, overwrites or otherwise replaces another program
in order to reproduce itself without the knowledge of the PC user.
Most viruses are comparatively harmless, and may be present for
years with no noticeable effect: some, however, may cause random
damage to data files (sometimes insidiously, over a long period)
or attempt to destroy files and disks. Others cause unintended
damage. Even benign viruses (apparently non-destructive viruses)
cause significant damage by occupying disk space and/or main
memory, by using up CPU processing time, and by the time and expense
wasted in detecting and removing them.
A Trojan Horse is a program intended to perform some covert
and usually malicious act which the victim did not expect or want.
It differs from a destructive virus in that it doesn't reproduce,
(though this distinction is by no means universally accepted).
A dropper is a program which installs a virus or Trojan, often
covertly.
A worm is a program which spreads (usually) over network
connections. Unlike a virus, it does not attach itself to a
host program. In practice, worms are not normally associated
with personal computer systems. There is an excellent
and considerably longer definition in the Mk. 2 version of the
Virus-L FAQ.
(The following is a slightly academic diversion)
A lot of bandwidth is spent on precise definitions of some of
the terms above. I have Fridrik Skulason's permission to include
the following definition of a virus, which I like because it
demonstrates most of the relevant issues.
#1 A virus is a program that is able to replicate - that is, create
(possibly modified) copies of itself.
#2 The replication is intentional, not just a side-effect.
#3 At least some of the replicants are also viruses, by this
definition.
#4 A virus has to attach itself to a host, in the sense that execution
of the host implies execution of the virus.
--
#1 is the main definition, which distinguishes between viruses and Trojans
and other non-replicating malware.
#2 is necessary to exclude for example a disk-copying program copying a
disk, which contains a copy of itself.
#3 is necessary to exclude "intended" not-quite-viruses.
#4 is necessary to exclude "worms", but at the same time it has to be broad
enough to include companion viruses and .DOC viruses.
(4) How do viruses work?
========================
A file virus attaches itself to a file (but see the section below
or the comp.virus FAQ on the subject of companion viruses), usually
an executable application (e.g. a word processing program or a DOS
program). In general, file viruses don't infect data files. However,
data files can contain embedded executable code such as macros, which
may be used by virus or trojan writers. Text files such as batch files,
postscript files, and source code which contain commands that can be
compiled or interpreted by another program are potential targets for
malware (malicious software), though such malware is not at present
common.
Boot sector viruses alter the program that is in the first sector
(boot sector) of every DOS-formatted disk. Generally, a boot
sector infector executes its own code (which usually infects the boot
sector or partition sector of the hard disk), then continues the PC
bootup (start-up) process. In most cases, all write-enabled floppies
used on that PC from then on will become infected.
Multipartite viruses have some of the features of both the above
types of virus. Typically, when an infected *file* is executed, it
infects the hard disk boot sector or partition sector, and thus
infects subsequent floppies used or formatted on the target system.
The following virus types are more fully defined in the
comp.virus FAQs (see preamble):
* STEALTH VIRUSES - viruses that go to some length to
conceal their presence from programs which might notice.
* POLYMORPHIC VIRUSES - viruses that cannot be detected by
searching for a simple, single sequence of bytes in a
possibly-infected file, since they change with every
replication.
* COMPANION VIRUSES - viruses that spread via a file which
runs instead of the file the user intended to run, and
then runs the original file. For instance, the file
MYAPP.EXE might be 'infected' by creating a file called
MYAPP.COM. Because of the way DOS works, when the user
types MYAPP at the C> prompt, MYAPP.COM is run instead of
MYAPP.EXE. MYAPP.COM runs its infective routine, then
quietly executes MYAPP.EXE. N.B. this is not the *only*
type of companion (or 'spawning') virus.
* ARMOURED VIRUSES - viruses that are specifically written
to make it difficult for an antivirus researcher to find
out how they work and what they do.
(5) How do viruses spread?
==========================
A PC is infected with a boot sector virus (or partition sector
virus) if it is (re-)booted (usually by accident) from an infected
floppy disk in drive A. Boot Sector/MBR infectors are the most
commonly found viruses, and cannot normally spread across a network.
These (normally) spread by accident via floppy disks which may come
from virtually any source: unsolicited demonstration disks,
brand-new software (even from reputable sources), disks used on
your PC by salesmen or engineers, new hardware, or repaired hardware.
A file virus infects other files when the program to which it is
attached is run, and so *can* spread across a network (often very
quickly). They may be spread from the same sources as boot sector
viruses, but also from sources such as Internet FTP sites and
bulletin boards. (This applies also to Trojan Horses.)
A multipartite virus infects boot sectors *and* files. Often,
an infected file is used to infect the boot sector: thus, this is
one case where a boot sector infector could spread across a network.
(6) How can I avoid infection?
==============================
There is no way to guarantee that you will avoid infection. However,
the potential damage can be minimized by taking the following
precautions:
* make sure you have a clean boot disk - test with whatever (up-to-date!)
antivirus software you can get hold of and make sure it is (and stays)
write-protected. Boot from it and make a couple of copies.
* use reputable, up-to-date and properly-installed anti-virus
software regularly. (See below) If you use a shareware package
for which payment and/or registration is required, do it. Not only
does it encourage the writer and make you feel virtuous, it means
you can legitimately ask for technical support in a crisis.
* do some reading (see below). If you're a home user, you may well
get an infection sooner or later. If you're a business user, it'll
be sooner. Either way you'll benefit from a little background.
If you're a business user you (or your enterprise) need a policy.
* don't rely *solely* on newsgroups like this to get you out of
trouble: it may be a while before you get a response (especially
from a moderated group like comp.virus), and the first response
you act upon may not offer the most appropriate advice for your
particular problem.
* if you use a shareware/freeware package, make sure you have hard
copy of the documentation *before* your system falls apart!
* always run a memory-resident scanner to monitor disk access and
executable files before they're run.
* if you run Windows, a reputable anti-virus package which includes
DOS *and* Windows components is likely to offer better protection
than a DOS only package. If you run Windows 95, you need a proper
Win95 32-bit package for full protection.
* make sure your home system is protected, as well as your work PC.
* check all new systems and all floppy disks when they're brought
in (from *any* source) with a good virus-scanning program.
* acquire software from reputable sources: 2nd-hand software is
frequently unchecked and sometimes infected. Bear in mind that
shrinkwrapped software isn't necessarily unused. In any case,
reputable firms have shipped viruses unknowingly.
* once formatted, keep floppies write-disabled except when you need
to write a file to them: then write-disable them again.
* make sure your data is backed up regularly and that the procedures
for restoring archived data *work* properly.
* scan pre-formatted diskettes before use.
* Get to know all the components of the package you're using and
consider which bits to use and how best to use them. Different
packages have different strengths: diversifying and mixing and
matching can, if carefully and properly done, be a good antivirus
strategy, especially in a corporate environment
* if your PC can be prevented with a CMOS setting from booting with a
disk in drive A, do it (and re-enable floppy booting temporarily when
you need to clean-boot).
CMOS settings
-------------
Some CMOSes come with special anti-virus settings. These are normally
vague about what they do but typically they write-protect your hard
disk's boot sector and partition sector (MBR). This can be some use
against boot sector viruses but may false alarm when you upgrade your
operating system.
One sensible setting to make (if your CMOS allows) is to adjust the
boot sequence of your PC. Changing the default boot-up drive order
from A: C: to C: will mean that the PC will attempt to boot from drive
C: even if a floppy disk has been left in drive A:. This way boot
sector virus infection can often be avoided. Remember, however, to set
your CMOS back temporarily if you ever *do* want to boot clean from
floppy (for example, when running a cryptographical checksummer
after a cold boot).
SCSI controllers have their own BIOS. On some systems, this will
override the boot sequence set in CMOS. It's always a good idea
to check with a (known clean) bootable floppy after you've
disabled floppy booting that it really is disabled. I don't think
it's necessary to use the Rosenthal Simulator to do this, thank
you, Doren.
(7) How does antivirus software work?
-------------------------------------
* Scanner (conventional scanner, command-line scanner, on-demand
scanner) - a program that looks for known viruses by checking for
recognisable patterns ('scan strings', 'search strings',
'signatures').
* TSR scanner - a TSR (memory-resident program) that checks for
viruses while other programs are running. It may have some of
the characteristics of a monitor and/or behaviour blocker.
* VxD scanner - a scanner that works under Windows or perhaps under
Win 95, or both), which checks for viruses continuously while
you work.
* Heuristic scanners - scanners that inspect executable files for
code using operations that might denote an unknown virus.
* Monitor/Behaviour Blocker - a TSR that monitors programs while
they are running for behaviour which might denote a virus.
* Change Detectors/Checksummers/Integrity Checkers - programs that
keep a database of the characteristics of all executable files on
a system and check for changes which might signify an attack by
an unknown virus.
* Cryptographic Checksummers use an encryption algorithm to lessen
the risk of being fooled by a virus which targets that particular
checksummer.
---------------------------------------------------------------------
End of a.c.v. FAQ Part 1 of 4
