Path: senator-bedfellow.mit.edu!faqserv
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Newsgroups: alt.comp.virus,comp.virus,alt.answers,comp.answers,news.answers
Subject: [alt.comp.virus] FAQ Part 2/4
Supersedes: <computer-virus/alt-faq/part2_876222027@rtfm.mit.edu>
Followup-To: alt.comp.virus
Date: 23 Oct 1997 09:38:26 GMT
Organization: none
Lines: 1591
Approved: news-answers-request@MIT.EDU
Expires: 21 Nov 1997 09:32:10 GMT
Message-ID: <computer-virus/alt-faq/part2_877599130@rtfm.mit.edu>
References: <computer-virus/alt-faq/part1_877599130@rtfm.mit.edu>
NNTP-Posting-Host: penguin-lust.mit.edu
X-Last-Updated: 1997/09/07
Originator: faqserv@penguin-lust.MIT.EDU
Xref: senator-bedfellow.mit.edu alt.comp.virus:51175 comp.virus:30100 alt.answers:29802 comp.answers:28645 news.answers:115221
Archive-name: computer-virus/alt-faq/part2
Posting-Frequency: Fortnightly
URL: http://www.webworlds.co.uk/dharley/
Maintainer: Co-maintained by David Harley, Bruce Burrell, and George Wenzel
alt.comp.virus (Frequently Asked Questions)
*******************************************
Version 1.04: Part 2 of 4
Last modified 6th Sept 1997
("`-''-/").___..--''"`-._
`6_ 6 ) `-. ( ).`-.__.`)
(_Y_.)' ._ ) `._ `. ``-..-'
_..`--'_..-_/ /--'_.' ,'
(il),-'' (li),' ((!.-'
ADMINISTRIVIA
=============
Disclaimer
----------
This document is an honest attempt to help individuals with computer
virus-related problems and queries. It can *not* be regarded as being
in any sense authoritative, and has no legal standing. The authors
accept no responsibility for errors or omissions, or for any ill effects
resulting from the use of any information contained in this document.
Not all the views expressed in this document are mine, and those views
which *are* mine are not necessarily shared by my employer.
Copyright Notice
----------------
Copyright on all contributions to this FAQ remains with the authors
and all rights are reserved. It may, however, be freely distributed
and quoted - accurately, and with due credit. B-)
It may not be reproduced for profit or distributed in part or as
a whole with any product for which a charge is made, except with
the prior permission of the copyright holders. To obtain such permission,
please contact one of the co-maintainers of the FAQ.
David Harley <D.Harley@icrf.icnet.uk>
Bruce Burrell <bpb@umich.edu>
George Wenzel <gwenzel@gpu.srv.ualberta.ca>
[Please check out the more detailed copyright notice at the beginning
of Part 1 of the FAQ]
--------------------------------------------------------------------
TABLE OF CONTENTS
=================
Part 1
------
(1) I have a virus - what do I do?
(2) Minimal glossary
(3) What is a virus (Trojan, Worm)?
(4) How do viruses work?
(5) How do viruses spread?
(6) How can I avoid infection?
(7) How does antivirus software work?
-----> Part 2
------
-----> (8) What's the best anti-virus software
(and where do I get it)?
-----> (9) Where can I get further information?
-----> (10) Does anyone know about
* Mac viruses?
* UNIX viruses?
* macro viruses?
* the AOLGold virus?
* the PKZip300 trojan virus?
* the xyz PC virus?
* the Psychic Neon Buddha Jesus virus?
* the blem wit virus
* the Irina virus
* Ghost
++ * General Info on Hoaxes/Erroneous Alerts
-----> (11) Is it true that...?
-----> (12) Favourite myths
* DOS file attributes protect executable files from
infection
* I'm safe from viruses because I don't use bulletin
boards/shareware/Public Domain software
* FDISK /MBR fixes boot sector viruses
* Write-protecting suspect floppies stops infection
* The write-protect tab always stops a disk write
* I can infect my system by running DIR on an infected
disk
Part 3
------
(13) What are the legal implications of computer viruses?
Part 4
------
(14) Miscellaneous
Are there anti-virus packages which check zipped files?
What's the genb/genp virus?
Where do I get VCL and an assembler, & what's the password?
Send me a virus.
It said in a review.....
Is it viruses, virii or what?
Where is alt.comp.virus archived?
++ What about firewalls?
Viruses on CD-ROM.
Removing viruses.
Can't viruses sometimes be useful?
Do I have a virus, and how do I know?
What should be on a (clean) boot disk?
How do I know I have a clean boot disk?
What other tools might I need?
What are rescue disks?
Are there CMOS viruses?
How do I know I'm FTP-ing 'good' software?
What is 386SPART.PAR?
Can I get a virus to test my antivirus package with?
When I do DIR | MORE I see a couple of files with funny names...
Reasons NOT to use FDISK /MBR
Why do people write/distribute viruses?
Where can I get an anti-virus policy?
Are there virus damage statistics?
What is NCSA approval?
What language should I write a virus in?
No, seriously, what language are they written in?
[DRD], Doren Rosenthal, the Universe and Everything
What are CARO and EICAR?
++ "Am I idle?" - Yellow Smiley in Win95 System Tray
Placeholders
Supplement: Virus-related FAQs vs. 1.02b
* The alt.comp.virus FAQ
* The comp.virus/Virus-L FAQ
* The macro-virus FAQ
* The alt.comp.virus mini-FAQ
* The Antiviral Software Evaluation FAQ
-------------------------------------------------------------------
(8) What's the best antivirus software (and where do I get it)?
===============================================================
In case it's not absolutely clear from the following, I can't
possibly answer the first part of this question! There are,
however, some suggestions following for sources of software
and of information on particular packages, comparative reviews etc.
The danger of this approach is that sites, servers, and packages
come and go, and I haven't time to keep track of all these
variables. Some of these URLs have been passed on by trusted
sources, but I haven't the time to check them all out regularly.
If you run into problems, please let me know (by e-mail, please).
Most of the people who post here have their favourites: if you just
ask which is the best, you'll generally get either a subjective
"I like such and such", recommendation of a particular product by
someone who works for that company, or a request to be more specific
about your needs. Some of us who are heavily involved with virus
control favour using more than one package and keeping track of the
market. Don't trust anything you read in the non-technical press.
Don't accept uncritically reviews in the computing press, either:
even highly-regarded IT specialists often have little understanding
of virus issues, and many journalists are specialists only in
skimming and misinterpreting. Magazines like Virus Bulletin and
Secure Computing are much better informed and do frequent comparative
reviews, and are also informative about their testing criteria,
procedures and virus suites. Recently, a number of articles have been
posted here by people who've run their own tests on various packages.
These are often of interest, but should not be accepted uncritically.
(No-one's opinion should be accepted uncritically!)
Valid testing of antivirus software requires a lot of care and
thought, and not all those who undertake it have the resources,
knowledge or experience to do it properly.
You may get a more informed response if you specify what sort of system
you have - DOS, Windows, Win95? XT, AT, 386 or better? Is the system
networked, and are you asking about protecting the whole network?
(What sort of network?) Are you running NT, OS/2 or Win95, any of which
involve special considerations? Be aware that there is more than one way
of judging the effectiveness of a package - the sheer number of viruses
detected; speed; tendency to false alarms; size (can you run it from a
single floppy when necessary?); types of virus detection & prevention
(not at all the same thing) offered (command-line scanning, TSR scanning,
behaviour blocking, checksumming, access-control, integrity shell etc.);
technical support etc.
One possible measure of a package's efficiency in terms of virus
detection is NCSA approval. Under the current testing protocol, a
scanner must detect all viruses on the Wild List plus 90% of NCSA's
full test suite.
DOS packages available from SimTel etc. include
F-Prot
AVP Lite
McAfee
TBAV
Most Shareware/Freeware packages can be obtained from SimTel or SimTelNet
via anonymous FTP or WWW, e.g.
http://www.coast.net/SimTel/msdos/virus
ftp://ftp.coast.net/SimTel/msdos/virus/
ftp://ftp.simtel.net/pub/simtelnet/msdos/virus/
For information on mirror sites, a regularly-updated listing can
be found at
http://www.SimTel.net/simtel.net/mirrors.txt
Mirror sites include:
USA:-
ftp.cdrom.com
uiarchive.cso.uiuc.edu
oak.oakland.edu
wuarchive.wustl.edu
ftp.uoknor.edu
ftp.pht.com
UK:-
micros.hensa.ac.uk
src.doc.ic.ac.uk
ftp.demon.co.uk
as well as other sites in many other parts of the world.
There is some confusion at present regarding SimTel: you may find that
some mirrors are still pointing to the Coast to Coast collection while
others are pointing to SimTelnet (Walnut Creek).
Of course, such products can often be obtained direct from the
publisher's WWW or FTP sites too.
There is a shareware program for Win95 called the Doctor.
Compuserve - GO NCSAVIRUS
ftp://thomnet.com/
http://www.tucows.com/files/doc9509.zip
ftp://ftp.mindspring.com/users/rogert
TNS BBS +1 (404) 971 8886
Finding an up-to-date version may be a problem, though, according to
reports.
ftp://ftp.mcafee.com/pub/antivirus/
http://thunderbyte.com/ftp/thunderbyte/
ftp://ftp.thunderbyte.com/
ChekMate is described by its author as a targeted integrity checker.
It's a potentially useful shareware supplement to a good virus scanner.
Via anonymous ftp at:
ftp.coast.net/SimTel/msdos/virus/cm211.zip
ftp.demon.co.uk/pub/simtel/msdos/virus/cm211.zip
ftp.demon.co.uk/antivirus/ibmpc/av-progs/cm211.zip
ftp.gate.net/pub/users/ris1/cm211.zip
At the World-Wide Web site:
http://www.psnw.com/~joe/avdos.html
Commercial
----------
[vendors are invited to supply full contact details and indicate the range
of platforms their product range covers. Let's not overdo the hype, though,
guys.]
There is a pretty comprehensive list of anti-virus developers at
http://www.virusbtn.com/AVLinks/
(NB Some of the following, though not shareware, can be obtained for
evaluation via anon FTP or WWW.)
Please note, I have not tested or even seen all the packages listed
here, or all the contact data, come to that, and listing here does not
imply recommendation (though I won't list anything I *know* is
rubbish....).
DSAVTK (Dr Solomon's Anti-Virus ToolKit)
[DOS; DOS & Windows; DOS & Win95; NetWare; NT; OS/2; Unix; Mac]
Virus handling workshops.
Access-control, software audit and other packages.
UK Support: support@uk.drsolomon.com
US Support: support@us.drsolomon.com
UK Tel: +44 (0)1296 318700
USA Tel: +1 617-273-7400
CompuServe: GO DRSOLOMON
Web: http://www.drsolomon.com
FTP: ftp://ftp.drsolomon.com
Evaluation copy of FindVirus DOS scanner available via the Web.
*************
F-Prot Pro (DOS, Windows 3.x, Win95, WinNT, NetWare)
There are two flavours, though I gather that Command Software and
Data Fellows are currently doing joint development.
Command Software Systems Inc.
1+407-575 3200
ftp://ftp.commandcom.com
Data Fellows Ltd.
f-prot@DataFellows.com
ftp://ftp.DataFellows.com
http://www.DataFellows.com
http://www.Europe.DataFellows.com
UK:
Portcullis (for Data Fellows) 44-181-868-0098
Command Software UK 44-171-259-5710
command@command.co.uk
More details inc. in ORDER-2.DOC, supplied with the shareware version.
[The filename is now PRO.DOC in recent versions]
************
IBM AntiVirus:
http://www.brs.ibm.com/ibmav.html
800-551-3579 (US only)
800-465-7999
fax: 800-267-5185
************
McAfee Associates
2710 Walsh Ave
Santa Clara, CA 95051
95054-3107 USA
Voice (408) 988-3832
FAX (408) 970-9727
BBS (408) 988-4004
CompuServe ID: 76702,1714 or GO MCAFEE
mcafee@netcom.com
ftp://ftp.mcafee.com/pub/antivirus/
http://www.mcafee.com/
[DOS, Windows, Win95, NetWare, Unix, Mac, NT]
************
NAV (Norton AntiVirus) [DOS, Windows, Win95, Mac (SAM), NT, NetWare]
http://www.symantec.com/ ftp://ftp.symantec.com
US Support: 541-465-8420 AOL: SYMANTEC
European Support: 31-71-353-111 Australian Support: 61-2-879-6577
************
AntiViral Toolkit Pro
AVP LITE
(1) USA
Central Command Inc.
P.O. Box 856
Brunswick, Ohio 44212
Phone: 330-273-2820
FAX: 330-220-4129
BBS: 330-220-4036
WWW: www.command-hq.com/command
ftp: ftp.command-hq.com pub/command/avp
email: sales@command-hq.com
support@command-hq.com
(2) Switzerland
E-Mail: info@avp.ch
WWW: http://www.avp.ch/
AVP Virus Encyclopedia: http://www.avp.ch/avpve/
AVP Updates & News: http://www.avp.ch/E/avp-news.htm
AVP Distributors List: http://www.avp.ch/E/distrib.htm
BBS: +41 (0)31 348 1331
FAX: +41 (0)31 348 1335
************
Sweep http://www.sophos.com/ ftp://ftp.sophos.com
************
Thunderbyte http://thunderbyte.com/ftp/thunderbyte/software/
ftp://ftp.thunderbyte.com (?)
************
Invircible ftp://ftp.invircible.com
ftp://ftp.datasrv.co.il/pub/usr/netz/
http://invircible.com/
There is a growing tendency in the UK press to push InVircible as
a one-fits-all solution which renders known-virus scanning obsolete,
while Zvi Netiv and those who support his product have a tendency to
promote it by attacking the better-known scanners as being a
security risk. While my personal view is that there is a place for
both known-virus scanning and generic solutions, I would suggest
reading a couple of papers which take an opposing view before putting
all your eggs in the InVircible basket.
http://www.primenet.com/~mwest/iv-toc.htm
http://www.primenet.com/~mwest/iv-bill.txt
Discussion on these issues has generated a great deal of heat and
personal abuse. I have to advise caution when considering using a
product whose proponents are apt to descend to mudslinging and
unethical advertising practices.
************
Reflex Magnetics Ltd
31-33 Priory Park Road
London
NW6 7UP
United Kingdom
Tel: +44 (0)171 372 6666
Fax: +44 (0)171 372 2507
BBS: +44 (0)171 372 2584
Email: sales@reflex-magnetics.co.uk
http://www.reflex-magnetics.co.uk/
Disknet access-control/virus control
Diskette duplication.
Security/Virus-control training.
************
Reflex Magnetics Ireland
Unit 24 Johnstown Industrial Centre, Waterford, Ireland.
tel: +353-(0)51-841051 fax: +353-(0)51-841052
http://www.reflex.ie/
************
NH&A
577 Isham St. # 2-B
New York, NY 10034
Phone: 212-304-9660
Fax: 212-304-9759
CompuServe: 72115,661
Internet: nhirsch@nha.com
URL: http://www.nha.com
BBS: 212-304-9759,,,,,,,3
************
Microsoft (Macro Virus fixes) - http://www.microsoft.com
For updates to MSAV, contact Symantec (but better to get a more
up-to-date package). CPAV updates from the same source.
There is a paper by Yisrael Radai which documents many of the problems
with MSAV.
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/msaveval.zip
************
ViruSafe, ViruSafe-95
I believe a version of this program was at one time marketed by
Xtree.
They also maintain a Virus Hot Line via their WWW site or
E-mail (virus@eliashim.co.il).
-------------------------------------------------------------
EliaShim, LTD. Computer Security Specialists
5 Haganim st. Haifa 35022 Tel: +972-4-8516111
ISRAEL Fax: +972-4-8528613
Email: shimon@eliashim.co.il BBS: +972-4-8516113
URL: http://www.eliashim.com
-------------------------------------------------------------
----------------------------------------------------------------------------
VirusNet PC (DOS, Win3.x, Win95) - (File: VNPC.EXE)
VirusNet LAN (DOS, Win3.x, Win95, All Networks) - (File: VNLAN.EXE)
StopLight PC (DOS, Win3.x) - (File: SLELS.EXE)
StopLight for Win95 (Win95, Win3.x, DOS) - (File: Check Site)
StopLight for OS/2 (OS/2, Dual Boot to DOS and Win3.x) - (File: sltmos2.exe)
Safetynet, Inc.
140 Mountain Ave.
Springfield, NJ 07081
201-467-1024 (Sales and Support)
800-OS2-SAFE (Sales and Support in US and Canada)
201-467-1611 (Fax)
201-467-1581 (BBS 28800,n,8,1)
Web: http://www.safe.net/safety/
FTP: ftp.safe.net /pub/safetynet/
EMail: support@safe.net
CompuServe: GO CIS:SAFE
AntiVirus and security software evals and product updates are available from
the Safetynet Web, FTP, BBS and CompuServe sites.
*****************
MIMESweeper (Mail scanning 'firewall')
Integralis Ltd.
10 Brewery Court
Theale
Berkshire
RG7 5AH
+44(0) 1734 306060
Fax +44(0) 1734 302143
info@integralis.co.uk
US Office in Kirkland, WA.
Phone 206-889-4724.
--------------------------------------
Cybersoft have antivirus products for a variety of Unix
platforms including detection for DOS, Mac and Amiga
malware.
CyberSoft, Inc.
1508 Butler Pike
Conshohocken, Pennsylvania 19428-1322 USA
Voice: +1 (610) 825-4748
Fax +1 (610) 825-6785
Info@cyber.com
http://www.cyber.com
--------------------------------------
NetPro Computing
7150 E Camelback Rd, Suite 100
Scottsdale, AZ 85251 USA
Products:
* PC ScanMaster for Novell/Vines
* Server ScanMaster for Banyan Vines
(Use McAfee VirusScan engine)
General Office: 602.941.3600
Sales: 800.998.5090
International Sales: 602.941.3630
DS Expert Info Line: 800.998.1550
Technical Support: 602.941.3670
FAX: 602.941.3610
On Line:
BBS: 602.941.3620
FTP: ftp.netpro.com
HTTP: www.netpro.com
e-mail: info@netpro.com or 70524,2670@compuserve.com
-----------------------------------------------------------------------------
F/Win is a scanner which is intended as a supplement to your main
scanner: it detects Windows/macro viruses. There is a shareware version
available. More information at:
http://www.gen.com/fwin/
-----------------------------------------------------------------------------
There is a comprehensive set of product reviews at:
http://www.first.org/virus/virrevws/
and a number of reputable vendors include comparative reviews,
papers on testing etc. on their WWW/FTP servers.
Virus Bulletin comparative reviews are available from
http://www.virusbtn.com/Comparatives/
and information is also available on their testing protocols.
Product reviews and other kewl stuff from Robert Slade:
telnet://freenet.victoria.bc.ca
login as guest, give the command "go virus"
@@ http://www.freenet.victoria.bc.ca/techrev/mnvr.html
For a list of scanners that have received the "NCSA Approved" rating
of the National Computer Security Association in the U.S.A. see
http://www.ncsa.com/avpdcert.html
The page also explains the certification procedure.
There are links to just about every anti-virus site you ever heard of at
http://www.club.innet.net/~ewillems/
In the event of a *real* tragedy, there are a number of firms which
specialise in data recovery. In the UK, there is
Ontrack Data Recovery Europe (0800-243996) - see below
Authentec (formerly Dr. Solomon's) - 0800-581263/fax 01296-318813
Vogon International - 0118-989-0042/fax 0118-989-0042
++In the US, there's Ontrack Computer Systems (parent company of Ontrack
...Europe).
++
Ontrack Data Recovery, Inc.
6321 Bury Drive, Suites 13-21
Eden Prairie, MN 55346
Phone: 612-937-5161
FAX: 612-937-5750
BBS: 612-937-0860
Toll free: 1-800-872-2599
++
UK
The Pavilions
1 Weston Road, Kiln Lane
Epsom
Surrey KT17 1JG
Toll Free: 0800 24 39 96 (UK only)
From France: 05 90 72 42
International: +44(0)181 974 5522
Fax: 011-441-372-741-441
Tech Support: 011-441-372-747-414
++
Japan:
Ontrack Data Recovery Japan
182 Shinkoh, Iruma,
Saitama, 358 Japan
Phone: 81 429 32-6365
Fax: 81 429 32-6370
Toll-Free From Japan: 0120-413-374
++
***NEW OFFICE***
Germany:
Ontrack Data Recovery GmbH
Hanns-Klemm-Strasse 5
71034 Boeblingen
Germany
Toll free: 0130.815.198
International: 011-49-7031-644-00
Fax: 011-49-7031-644-100
++
Compuserve: GO DATARECOVERY
W3: http://www.ontrack.com
Email: sales@ontrack.com
DataRescue:
http://www.datarescue.com/
info@datarescue.com
Anti-virus/security training/workshops in the UK:
S&S International (see above) - live virus workshops
Sophos - 01235-544028 http://www.sophos.com
Precise Publishing Ltd. 01384-560527
Reflex Magnetics (see above) - live virus workshops,
Internet security/hacking, DTI codes of practice.
Information on similar resources in the US or elsewhere
would be gratefully received.
(9) Where can I get further information?
========================================
[I haven't checked all these: please mail me if you find any errors]
[I'm now intermittently posting details of virus-related FAQs to
alt.comp.virus. This will eventually be available by FTP/WWW
and include other security resources.]
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/catalog/
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/carobase/
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/
[mirror sites]
ftp://ftp.uu.net/pub/security/virus/
ftp://sunsite.unc.edu/pub/docs/security/hamburg-mirror/virus/
+++http://www.SevenLocks.com/
Lots of virus descriptions and other security information. Well
worth a look.
http://all.net:8000/cgi-bin/all-search-2
Virus Text Search
Search engine to check out documents in the following archives:
VIRUS-L Forum, 40Hex Archives, Risks Forum, Privacy Forum, CERT Advisories,
Internet RFCs, State Computer Crime Laws, The Telecom Privacy Digest,
CIAC Advisories, Firewalls Digest.
http://lipsmac.acs.unt.edu/Virus/virinfo.html
http://www.psnw.com/~joe/avinfo.html
http://www.primenet.com/~mwest/av.htm
http://csrc.ncsl.nist.gov/virus
http://www.jumbo.com/home/dos/virus
http://www.psnw.com/~joe/top10.html
ftp://ftp.uu.net/pub/virus/progs/virlab15.zip
http://www.infi.net/~wtnewton/vinfo/master.html
@@ http://www.nc5.infi.net/~wtnewton/vinfo/master.html
Virus-List Archive (you can also pick up the Virus-L FAQ from here):
ftp://cs.ucr.edu/pub/virus-l/
Virus Bulletin Home Page - vendor contact info, comparative reviews,
review protocol info etc.
http://www.virusbtn.com
Dr. Solomon's Software: evaluation copy of FindVirus, product info,
virus encyclopedia on-line, papers, links to other sites etc.
http://www.drsolomon.com/
ftp://ftp.drsolomon.com/
ftp://ftp.sophos.com/
http://www.sophos.com/
Dr.Solomon's History of PC Viruses:
http://dbweb.agora.stm.it/webforum/virus/solomhis.htm
Robert Slade's Virus History:
http://dbweb.agora.stm.it/webforum/virus/sladehis.htm
http://www.club.innet.net/~ewillems/
http://www.thenet.ch/metro/
Nic Ferri has an expansive home page with many useful links
http://www.agora.stm.it/htbin/wwx?fi^N.Ferri
Henri Delger's home page has much useful info and useful links
HTTP://pages.prodigy.com/virushelp/
Norman De Forest has some antivirus links, among other nice
stuff.
http://www.chebucto.ns.ca/~af380/Profile.html
http://www.DataFellows.com/
http://www.Europe.DataFellows.com/
http://www.datarescue.com/
VSUM (not highly-rated for its accuracy)
(Try SimTel mirrors, McAfee sites)
Tom Simondi has written a freeware virus tutorial (VTUTOR11.ZIP).
http://www.cknow.com/
The Scanner is an AV newsletter also available online at
http://diversicomm.com/scanner
Try antivirus online at
http://www.av.ibm.com/current/FrontPage/
Doug Muth has not only AV links but geek code as well....
http://www.ot.com/~dmuth/
Bob Rosenberger's Computer Virus Myths Page
http://www.kumite.com/myths/
@@ A few Amiga links:
http://www.cybercity.dk/users/ccc2452/antivirus.html
http://www.xs4all.nl/~keesh/virushelp.html
[You can pick up the latest VirusScanList from either link]
http://ftp.uni-paderborn.de/aminet/dirs/util_virus.html
[Antivirus info and programs]
ftp://ftp.uni-paderborn.de/aminet/util/virus/
According to Dennis Boon, trsivw65.lha has info about 100 or so viruses;
VT_docfiles.lha has info on nearly all Amiga viruses (in German);
VIB9508.lha file contains info on all viruses up to August 1995
(in English).
The WildList (List of viruses currently 'in the wild'
maintained by Joe Wells - doesn't include much description)
ftp://ftp.ncsa.com/pub/virus/wildlist
http://www.drsolomon.com/
http://www.symantec.com/virus/wl.html
http://www.innet.net/~ewillems/vwild.htm
AV Software Update Auto-Notification:
http://www.primenet.com/~Emwest/up-form.htm
Most anti-virus packages include some information on common
viruses, too.
Virus Descriptions
------------------
Dr Solomon's Virus Encyclopedia:
http://www.drsolomon.com/virus/enc/enc.htm
Free-form searches from the Data Fellows F-Prot virus description database:
http://www.datafellows.com/v-descs/
The AVP database:
http://www.datarescue.com/avpbase/
http://www.metro.ch/avpve/
http://www.datafellows.com/vir-info/ Data Fellows Virus Database
http://www.symantec.com/avcenter/vinfodb.html Symantec Virus Database
http://www.mcafee.com/support/techdocs/vinfo/#top McAfee Virus Database
also ftp://mcafee.com/pub/3rdparty/vsumx603.zip
[VSUM - not highly-rated for its accuracy]
Virus demonstrations
--------------------
ftp://ftp.uu.net/pub/virus/progs/virsim1.zip
(I haven't checked this one out yet).
AVP also includes some virus demonstrations, and I know that other
publishers have demos available.
There are also virus simulators, which are not quite the same thing.
These are sometimes advocated as a means of testing antivirus packages,
but there are dangers to this approach: after all, a package which
detects one of these simulators as the virus it simulates is, technically,
false-alarming.
See section F6 of the Mark 2 Virus-L FAQ, which is rather good on
types and uses of virus simulation.
Books which may be of use:
Robert Slade's Guide to Computer Viruses - Springer-Verlag
Pretty good introduction & general resource. Watch out
for the 2nd Edition.
Computers Under Attack (ed. Denning) - Addison-Wesley
Aging, but some classic texts
Survivors' Guide to Computer Viruses (ed. Lammer) - Virus Bulletin
Uneven, but includes useful stuff from Virus Bulletin
Dr. Solomon's Virus Encyclopedia
You may from time to time find copies of an older edition
of this in bookshops, though it's better known as part of
Dr. Solomon's AntiVirus ToolKit. It's a pretty good guide
to some of the older viruses.
A Short Course on Computer Viruses (F. Cohen) - Wiley
By the man who 'invented' the concept of computer viruses.
Some aspects are controversial, but a good introduction to
his work.
The comp.virus FAQ includes pointers to some books.
Useful (but expensive) periodicals:
Virus Bulletin
Virus Bulletin Ltd
21 The Quadrant
Abingdon
Oxfordshire
OX14 3YS
44 (0) 1234 555139
Compuserve 100070,1340
Computers and Security
Elsevier Advanced Technology
PO Box 150
Kidlington
Oxford
OX5 1AS
44 (0) 1865-843666
a.verhoeven@elsevier.co.uk
Rather cheaper (though still expensive for the non-corporate
non-specialist in security) is the magazine Secure Computing.
West Coast are launching a corporate licence scheme which may
be of interest to corporate users.
Secure Computing
West Coast Publishing Ltd.
William Knox House
Britannic Way
Llandarcy
Swansea
SA10 6EL
UK
44 (0) 1792 324000
Compuserve 70007,5406
Doubts have been expressed concerning the impartiality or otherwise
of Virus Bulletin, which is a sister company to Sophos, who market
Sweep and other antivirus/security products. VB uses an advisory board
of anti-virus experts from a wide variety of vendors and other
organisations, and its virus statistics are collated monthly from a
variety of sources, not only from Sophos.
Secure Computing, though formerly associated with S&S International, who
market Dr.Solomon's AntiVirus ToolKit and other security products, is
now an independent organization. SC also has input from experts associated
with various vendors and other organisations.
***************************************************************************
* As a regular and reasonably knowledgeable reader of both publications, *
* I'm personally satisfied that neither displays editorial bias, nor do *
* I believe that either publication intentionally weights its methodology *
* to the unfair advantage of an affiliated product [DH] *
***************************************************************************
The Disaster Recovery Journal (more info & on-line articles)
http://www.drj.com
(10) Does anyone know about...
==============================
...Mac viruses?
---------------
I have put together an FAQ on Mac/virus issues, now co-maintained
with Susan Lesch, which can be found at:
http://www.macvirus.com/
http://www.webworlds.co.uk/dharley/
It's much more up-to-date than this section.
There are around 35 Mac-specific viruses that I know of, though
Apple are, I've heard, quoting 2-300 hundred. I don't know if these
include every minor variant, hypercard infectors, trojans and
macro viruses, but I'll try to find out. There are virtually no
macro viruses which have a Mac-specific payload, but every one I know
of can infect on Macs (and any other platform which runs Word 6.x or
better).
The best single source of information on Mac viruses is the online
help included in the freeware package Disinfectant, which can be
obtained from
ftp://ftp.acns.nwu.edu/pub/disinfectant
CompuServe
GEnie
America Online
Calvacom
Delphi
BIX
sumex-aim.stanford.edu
rascal.ics.utexas.edu
comp.binaries.mac
Information on Mac viruses is also available from the AntiVirus Catalog/
CARObase (see above).
Mac-specific virus information:
www.datawatch.com
www.symantec.com
www.mcafee.com
www.webworlds.co.uk/dharley/
www.hyperactivesw.com
ciac.llnl.gov/ciac/CIACVirusDatabase.html/
Disinfectant is an excellent anti-virus package: however, it doesn't catch
much in the way of hypercard infectors or trojans, nor does it detect
Word 6 macro viruses. McAfee have a scanner for the Mac which is based on
Disinfectant: version 2, however, includes detection of trojans, macro
viruses etc. You can get a 30-day evaluation copy from
http://www.mcafee.com/
For other mac packages, try Info-Mac mirrors like:
ftp://ftp.ucs.ubc.ca/pub/mac/info-mac/vir/
The University of Texas holds the latest versions of Disinfectant and
Gatekeeper, and some documentation on Mac viruses.
http://wwwhost.ots.utexas.edu/mac/pub-mac-virus.html
Commercial packages include SAM (Symantec AntiVirus for Mac), Virex, and
Dr. Solomon's AntiVirus ToolKit for Macintosh. Dr. Solomon's for Mac has
the unusual capacity for detecting PC boot-sector viruses on DOS floppies,
which could be useful in a mixed environment.
++ ...UNIX viruses?
----------------
In general, there are virtually no non-experimental UNIX viruses.
There have been a few Worm incidents, most notably the Morris Worm
(a.k.a. the Internet Worm) of 1988.
There are products which scan some Unix systems for PC viruses,
though any machine used as a file server (Novell, Unix etc.) can be
scanned for PC viruses by a DOS scanner if it can be mounted as a
logical drive on a PC running appropriate network client software
such as PC-NFS.
Intel-based PCs running Unix (e.g. Linux, 386BSD, SCO Unix etc.)
can also be infected by a DOS boot-sector virus if booted from an
infected disk. The same goes for other PC-hosted operating systems
such as NetWare.
While viruses are not a major risk on Unix platforms, integrity
checkers and audit packages are frequently used by system administrators
to detect file changes made by other kinds of attack. However, Unix
security is outside the scope of this FAQ (see comp.security.unix).
In fact, such packages generally target PC viruses more than the
handful of Unix viruses.
CyberSoft sell products for a number of Unix platforms which include
scanning (VFind) and cryptographic integrity checking. Scanning
includes PC, Mac and Amiga viruses.
http://www.cyber.com/
Dr. Solomon's Software Ltd. (formerly S&S) have a scanner
which detects (primarily) DOS viruses on SCO Unix.
http://www.drsolomon.com/
McAfee have a scanner for SunOS, Solaris, FreeBSD and Linux, and
offer downloadable evaluation copies.
http://www.mcafee.com/
Sophos' Intercheck client-server technology requires a Unix
which is capable of running DOS emulation.
http://www.sophos.com/
Some other out-and-out DOS scanners may work to some extent on a PC
running emulation, but this is not recommended unless the package is
specifically configurable to run under these circumstances.
[See also the Unix section in the Virus-L/comp.virus FAQ]
A useful book:
Practical Unix Security (Garfinkel, Spafford) - O'Reilly
Make sure you get the 2nd edition (retitled "Practical Unix and
Internet Security")
...macro viruses?
-----------------
Macro viruses spread from files in applications which use
macros capable of being infected, and are limited to the
specific applications for which they were written.
The macro viruses which are receiving attention currently
are specific to Word 6/WordBasic and Excel: however, many
applications, not all of them Windows applications, have
potentially damaging and/or infective macro capabilities
too.
One, now widespread, infects macros attached to Word
6.0 for Windows, Word 6.0.1 for Macintosh, Word 6.0 for
Windows NT, and Word for Windows 95 documents.
What makes such a virus possible is that the macros
are created by WordBASIC, a programming language which links
features used in Word to macros, and even allows DOS
commands to be run.
This virus, named "Concept," has no destructive
payload; it merely spreads, after a document containing the
virus is opened, copying itself to other documents as they
are saved, without affecting the contents of documents.
However, other macro viruses have been discovered, and some
of them contain destructive routines.
Microsoft suggests opening files without macros, to
prevent macro viruses from spreading, unless the user can
verify that the macros contained in the document will not
cause damage. (This does NOT work for all macro viruses.)
For further info on macro viruses, you might like to try
http://www.drsolomon.com/
http://www.datafellows.com/macrovir.htm
Richard Martin is working on an FAQ on this subject.
ftp.gate.net/pub/users/ris1/word.faq
http://learn.senecac.on.ca/~jeashe/hsdemonz.htm
or mail to
Bd326@TorFree.Net
Subject: PLEASE SEND FAQ
...The AOLgold virus
--------------------
This is actually a trojan. The following is extracted from the CIAC
bulletin (Number G-03).
Apparently, an e-mail message is being circulated that contains an attached
archive file named AOLGOLD.ZIP. A README file that is in the archive
describes it as a new and improved interface for the AOL online service.
Note that there is no such program as AOLGOLD. Also, simply reading an
e-mail message or even downloading an included file will not do damage to
your machine. You must execute (or run) the downloaded file to release
the Trojan and have it cause damage.
If you unzip the archive, you get two files: INSTALL.EXE and README.TXT.
The README.TXT file again describes AOLGOLD as a new and improved interface
to the AOL online service. The INSTALL.EXE program is a self-extracting ZIP
archive. When you run the install program, it extracts 18 files onto your
hard drive.
The Trojan program is started by running the INSTALL.BAT file. The
INSTALL.BAT file is a simple batch file that renames the VIDEO.DRV file to
VIRUS.BAT and then runs it. VIDEO.DRV is an amateurish DOS batch file that
starts deleting the contents of several critical directories on your C:
drive.
When the batch file completes, it prints a crude message on the screen and
attempts to run a program named DoomDay.EXE. Bugs in the batch file prevent
the DOOMDAY.EXE program from running. Other bugs in the file cause it to
delete itself if it is run from any drive but the C: drive. The programming
style and bugs in the batch file indicate that the Trojan writer appears
to have little programming experience.
You can get this and other CIAC notices from the CIAC Computer Security
Archive.
World Wide Web: http://ciac.llnl.gov/
Anonymous FTP: ciac.llnl.gov (128.115.19.53)
++...the PKZip trojan virus?
--------------------------
Most of us prefer to distinguish between trojans and viruses (see Part
1). The threat described in recent warnings is definitely not a virus,
since it doesn't replicate by infection.
There have been at least two attempts to pass off Trojans as an upgrade
to PKZip, the widely used file compression utility. A recent example was
of the files PKZ300.EXE and PKZ300B.ZIP made available for downloading
on the Internet. An earlier Trojan passed itself off as version 2.0.
For this reason, PKWare have never released a version 2.0 of PKZip:
presumably, if they ever do release another DOS version (unlikely, at
this date, in my opinion), it will not be numbered version 3.0(0).
In fact, there are hardly any known cases of someone downloading and
being hit by this Trojan, which few people have seen (though most
reputable virus scanners will detect it). As far as I know, this Trojan
was only ever seen on warez servers (specialising in pirated software).
There are recorded instances of a fake PKZIP vs. 3 found infected with
a real live in-the-wild file virus, but this too is very rare.
To the best of my knowledge, the latest version of PKZip is 2.04g,
or 2.50 for Windows.
+++There was a version 2.06 put together specifically for IBM internal
use only (confirmed by PKWare). If you find it in circulation, avoid
it. It's either illicit or potentially damaging.
The recent rash of resuscitated warnings about this is at least in part
a hoax. It's not a virus, it's a trojan. It doesn't (and couldn't)
damage modems, V32 or otherwise, though I suppose a virus or trojan might
alter the settings of a modem - if it happened to be on and connected....
I don't want to get into hypothetical arguments about programmable
modems right now. It appears to delete files, not destroy disks irrevocably.
It's certainly a good idea to avoid files claiming to be PKZip vs. 3,
but the real risk hardly justifies the bandwidth this alert has
occupied over the last year or so.
...xyz PC virus?
----------------
There are several thousand known PC viruses, and the number 'in the
wild' is in the hundreds. It is not practical to include information
about all of these in this FAQ. However, information about some or
most of those which regularly get asked about may shortly (Real Soon
Now) be available in a separate document. Meanwhile, sources of
information on specific viruses are included in the preceding sections.
There are rarely enquiries about viruses on other computing platforms
raised in alt.comp.virus, but there is some information concerning
viruses on most platforms available at the Virus Test Center in Hamburg.
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/catalog/
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/carobase/
The following sites also have virus descriptions listed alphabetically:
http://www.DataFellows.com/
http://www.drsolomon.com
...the Psychic Neon Buddha Jesus virus?
---------------------------------------
This is an allegedly humorous bit of JavaScript programming that found
its way onto a website. On clicking on a particular button, you may be
told that this virus has been detected. JavaScript has many interesting
properties, but virus detection is not one of them. It's a joke.
...the blem wit virus?
----------------------
See the Virus-L FAQ. Basically, it's a mangled message that may come
up with older Novell drivers "[pro]blem wit[h]....."
++ The Irina Virus?
----------------
Publicity stunt generated by Penguin Books to promote their
'interactive novel'. More info in the 'Viruses and the Mac'
FAQ, a CIAC bulletin on hoax and semi-hoax viruses, the
Computer Virus Myths website, www.drsolomon.com and many other
sources.
++ GHOST
-----
Just a screensaver...... More info in the CIAC bulletin
mentioned above. I'll fill in some details on Ghost and
Irina when time allows.
+++
General Info on Hoaxes/Erroneous Alerts
---------------------------------------
The CIAC updated bulletin mentioned several times above is
at:
http://ciac.llnl.gov/ciac/bulletins/h-05.shtml
It includes info on the alerts mentioned below, some historical
background, and suggestions on validating hoaxes rather than
passing them on uncritically.
CIAC have now set up a hoaxes web page at:
http://ciac.llnl.gov/ciac/CIACHoaxes.html
-----------------extract-------------------------------
INFORMATION BULLETIN
H-05 Internet Hoaxes: PKZ300, Irina,
Good Times, Deeyenda, Ghost
November 20, 1996 16:00 GMT
PROBLEM: This bulletin addresses the following hoaxes and erroneous
warnings: PKZ300 Warning, Irina, Good Times, Deeyenda, and
Ghost.exe
PLATFORM: All, via e-mail
DAMAGE: Time lost reading and responding to the messages
SOLUTION: Pass unvalidated warnings only to your computer security
department or incident response team. See below on how to
recognize validated and unvalidated warnings and hoaxes.
VULNERABILITY New hoaxes and warnings have appeared on the Internet and old
ASSESSMENT: hoaxes are still being circulated.
---------------------end extract--------------------------------
++
Mini-paper on "Dealing with Internet hoaxes":
http://webworlds.co.uk/dharley/
(11) Is it true that....?
=========================
(*or* some favourite hoaxes...)
(1) There is *no* Good Times virus that trashes your hard disk
and launches your CPU into an nth-complexity binary loop when
you read mail with "Good Times" in the Subject: field.
You can get a copy of Les Jones' FAQ on the Good Times Hoax from:
Via FTP:
ftp://usit.net/pub/lesjones/good-times-virus-hoax-faq.txt
ftp://members.aol.com/macfaq/good-times-virus-hoax-faq.txt
On the World Wide Web:
[The URL at http://www.tcp.co.uk/etc. no longer works]
http://www.nsm.smcm.edu/News/GTHoax.html
There's a Mini-FAQ available as:
ftp://usit.net/pub/lesjones/Good-Times-Virus-Hoax-Mini-FAQ.txt
There *is* at least one file virus christened Good Times
by the individual who posted it in an attempt to cause
confusion. It is more commonly referred to as GT-spoof.
(2) There is no modem virus that spreads via an undocumented
subcarrier - whatever that means....
(3) Any file virus can be transmitted as an E-mail attachment.
However, the virus code has to be executed before it actually
infects. Sensibly configured mailers don't usually allow this
by default and without prompting, but certainly some mailers
can support this: for instance, cc:mail can, it seems, launch
attachments straight into AmiPro.
[further information on this or other potentially dangerous
associations would be gratefully received]
There's room for a lot of discussion here. The jury is still
out on web browsers: Netscape can certainly be set up to do
things I don't approve of, such as opening a Word document in
Word without asking.
Microsoft have made available a Word viewer which reads Word
files, but doesn't run attached macros. If possible, use this
instead.
The term 'ANSI bomb' usually refers to a mail message or other
text file that takes advantage of an 'enhancement' to the MS-DOS
ANSI.SYS driver which allows keys to be redefined with an
escape sequence, in this case to echo some potentially
destructive command to the console. In fact, few systems
nowadays run programs which need ANSI terminal emulation to run,
and there's no guarantee that the program reading the file would
pass such an escape sequence unfiltered to the console anyway.
There are plenty of PD or shareware alternatives to ANSI.SYS that
don't support keyboard redefinition, or allow it to be turned off.
The term mail bomb is usually applied to the intentional
bombardment of an e-mail address with multiple copies of a
(frequently abusive) message, rather than to the above.
See SimTel/keyboard on sites carrying a SimTel mirror.
(4) There is no known way in which a virus could sensibly be spread
by a graphics file such as a JPEG or .GIF file, which does not
contain executable code. Macro viruses work because the files to
which they are attached are not 'pure' data files.
(5) In general, software cannot physically damage hardware - this
includes viruses. There is a possibility that specific hardware
may be damaged by specific code: however, a virus which drops
a particular payload on the offchance that it's running on a
system with a particular type of obsolete video card seems more
than usually futile.
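The ANSI.SYS key redefinition described under (3) above has the form
ESC [ key ; new definition p. As an added example (not part of the
original FAQ), this Python filter finds such sequences in a message and
makes every escape byte visible so that nothing reaches the console
driver; the function names and the sample message are constructed for
illustration.

```python
import re

# One parameter: a decimal code or a quoted string.
TOKEN = r'(?:\d{1,3}|"[^"]*"|\'[^\']*\')'
# ESC [ key ; definition ... p   (the final byte "p" marks a key reassignment)
KEY_REDEF = re.compile(r'\x1b\[(' + TOKEN + r'(?:;' + TOKEN + r')+)p')


def _decode(tokens):
    """Turn parameters into the characters the redefined key would produce."""
    return "".join(t[1:-1] if t[0] in "\"'" else chr(int(t)) for t in tokens)


def find_key_redefinitions(text):
    """Report every keyboard reassignment sequence found in a message."""
    findings = []
    for m in KEY_REDEF.finditer(text):
        tokens = re.findall(TOKEN, m.group(1))
        # Extended keys (function keys and the like) are named by 0 plus a second code.
        n_key = 2 if tokens[0] == "0" and len(tokens) > 2 else 1
        findings.append({"offset": m.start(),
                         "key": ";".join(tokens[:n_key]),
                         "new_output": _decode(tokens[n_key:])})
    return findings


def neutralise(text):
    """Make every escape byte visible so no sequence reaches the console driver."""
    return text.replace("\x1b", "^[")


# Constructed sample message; the redefinition only echoes a harmless string.
# 0;59 is the F1 key, 13 is a carriage return.
SAMPLE = ('Hello,\r\n'
          '\x1b[1;31mthis line is only coloured\x1b[0m\r\n'
          '\x1b[0;59;"ECHO constructed example";13p'
          'Regards\r\n')

if __name__ == "__main__":
    for hit in find_key_redefinitions(SAMPLE):
        print("key %(key)s would now type %(new_output)r (offset %(offset)d)" % hit)
    print(neutralise(SAMPLE))
```

The colour sequence in the sample is left unreported because it ends in
"m" rather than "p"; only the reassignment is flagged.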
(12) Favourite myths
====================
* DOS file attributes protect executable files from infection
File attributes are set by software, and can therefore be
changed by software, including viruses. Many viruses reset a
ReadOnly/System/Hidden file to Read/Write, infect it, and
often reset it to the original attributes afterwards.
This also applies to other software mechanisms such as
simulating hardware write-protection on a hard disk.
However, file protection rights in NetWare *can* help to
contain virus infections, if set up properly, as can
trustee rights. [Trustee assignments govern whether an
individual user has right of access to a subdirectory: the
Inherited Rights Mask governs the protection rights of
individual files and (sub)directories.]
Basically, a file virus has the same rights of access as the
user who happens to inadvertently activate it.
Setting up these levels of security is really a function
of the network Administrator, but you might like to check
(politely) that yours is not only reassuringly paranoid but
also knowledgeable about viruses as well as networks, since a
LAN which is not, in this respect, securely configured, can
result in very rapid infection and reinfection of files
across the whole LAN. In particular, accounts with supervisor
equivalence can, potentially, be the unwitting cause of very
rapid dissemination of viruses.
[See also the comp.virus FAQ (version 2) section D]
* I'm safe from viruses because I don't use bulletin boards/shareware/
Public Domain software.
Many of the most widely-spread viruses are Boot Sector Infectors,
which can't normally infect over a serial or network connection.
Writers of shareware, freeware etc. are no more prone to accidental
infection than commercial publishers, and possibly less. The only
'safe' PC is still in its original wrapping (which doesn't mean
it isn't already infected...) And don't forget that shrinkwrapped
software may have been rewrapped.
* FDISK /MBR fixes boot sector viruses.
The mark II comp.virus FAQ is worth reading on this (see Part 1
of this FAQ).
In brief, don't use FDISK /MBR *unless* you're *very* sure of what
you're doing, as you may lose data. Note also that if you set up the
drive with a disk manager such as EZDrive, you won't be able to access
the drive until and unless you can reinstall it.
******************************************************************
(i) What does FDISK /MBR do?
------------------------
It places "clean" partition code onto the partition of your hard disk.
It does *not* change the partition information, however. The /MBR
command-line switch is not officially documented and was introduced in
DOS 5.0.
[It does sometimes, and when it does it is usually fatal (for the
common user, anyway). FDISK /MBR will wipe the partition table data if
the last two bytes of the MBR are not 55 AA.]
(ii) What is the partition?
----------------------
The partition sector is the first sector on a hard disk. It contains
information about the disk such as the number of sectors in each
partition, where the DOS partition starts, plus a small program. The
partition sector is also called the "Master Boot Record" (MBR).
When a PC starts up it reads the partition sector and executes the
code it finds there. Viruses that use the partition sector modify
this code.
Since the partition sector is not part of the normal data storage
part of a disk, utilities such as DEBUG will not allow access to it.
[Unless one assembles into memory]
Floppy disks do not have a partition sector.
FDISK /MBR will change the code in a hard disk partition sector.
(iii) What is a boot sector?
----------------------
The boot sector is the first sector on a floppy disk. On a hard disk
it is the first sector of a partition. It contains information about
the disk or partition, such as the number of sectors, plus a small
program.
When the PC starts up it attempts to read the boot sector of a disk in
drive A:. If this fails because there is no disk it reads the boot
sector of drive C:. A boot sector virus replaces this sector with its
own code and usually moves the original elsewhere on the disk.
Even a non-bootable floppy disk has executable code in its boot sector.
This displays the "not bootable" message when the computer attempts to
boot from the disk. Therefore, non-bootable floppies can still contain
a virus and infect a PC if it is inserted in drive A: when the PC
starts up.
FDISK /MBR will not change the code in a hard disk boot sector. Most
boot sector viruses infect the partition sector of hard disks and
floppy disk boot sectors: most do not infect the boot sector of a hard
disk - Form virus is an exception.
(iv) How can I remove a virus from my hard disk's partition sector?
--------------------------------------------------------------
There are two main alternatives: run an anti-virus product, or use
FDISK /MBR.
Most effective anti-virus products will be able to remove a virus from
a partition sector, but some have difficulties under certain
circumstances. In these cases the user may decide to use FDISK /MBR.
Unless you know precisely what you are doing this is unwise. You may
lose access to the data on your hard disk if the infection was done by
a virus such as Monkey or OneHalf.
(v) Won't formatting the hard disk help?
------------------------------------
No. Formatting the hard disk can result in everything being wiped
from the drive *apart* from the virus. Format leaves the partition
sector untouched. There is always a better way of removing a
virus infection than formatting the hard disk.
[Clarification: FORMAT alters the DOS partition, but leaves the
*partition sector*, aka MBR, alone.]
******************************************************************
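As an added example (not part of the original FAQ), the following Python
check reads a 512-byte copy of the partition sector, tests the 55 AA
signature mentioned in (i) and lists the partition entries described in
(ii). The function names and sample sectors are constructed for
illustration; the layout used (four 16-byte entries at offset 446) is
the standard PC partition table format, which the FAQ does not spell out.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446       # 0x1BE: four 16-byte partition entries follow the code
SIGNATURE_OFFSET = 510   # 0x1FE: last two bytes, expected to be 55 AA


def parse_partition_sector(sector):
    """Split a 512-byte partition sector (MBR) into signature state and entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    info = {"signature_ok": sector[SIGNATURE_OFFSET:] == b"\x55\xaa",
            "partitions": [], "bad_entries": []}
    for slot in range(4):
        raw = sector[TABLE_OFFSET + 16 * slot:TABLE_OFFSET + 16 * (slot + 1)]
        if raw == bytes(16):
            continue                          # unused slot
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped),
        # starting sector, number of sectors (little-endian)
        status, ptype, start, count = struct.unpack("<B3xB3xII", raw)
        if status not in (0x00, 0x80) or ptype == 0 or count == 0:
            info["bad_entries"].append(slot)  # not a plausible table entry
        else:
            info["partitions"].append({"slot": slot, "active": status == 0x80,
                                       "type": ptype, "start": start,
                                       "sectors": count})
    return info


def fdisk_mbr_warnings(sector):
    """Reasons to stop and think before rewriting this sector's code."""
    info = parse_partition_sector(sector)
    warnings = []
    if not info["signature_ok"]:
        # Per the FAQ text: without 55 AA the partition table data is wiped.
        warnings.append("last two bytes are not 55 AA: table data would be wiped")
    if info["bad_entries"]:
        warnings.append("implausible entries in slots %s" % info["bad_entries"])
    if not info["partitions"]:
        warnings.append("no usable partition entries in this sector")
    return warnings


def build_sector(entries, signature=b"\x55\xaa"):
    """Constructed test data: zeroed code area plus the given table entries."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    return bytes(TABLE_OFFSET) + table.ljust(64, b"\x00") + signature


# Constructed samples (not taken from any real disk).
HEALTHY = build_sector([(0x80, 0x06, 63, 204800)])
NO_SIGNATURE = build_sector([(0x80, 0x06, 63, 204800)], signature=b"\x00\x00")
SCRAMBLED = bytes(TABLE_OFFSET) + bytes(range(0x41, 0x41 + 64)) + b"\x55\xaa"

if __name__ == "__main__":
    for name, s in (("healthy", HEALTHY), ("no signature", NO_SIGNATURE),
                    ("scrambled table", SCRAMBLED)):
        print(name, "->", fdisk_mbr_warnings(s) or "no warnings")
```

Run it against a saved copy of the sector, never the live disk; an empty
result only means the table looks intact, not that the code is clean.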
* Write protecting suspect floppies stops infection.
This sounds so silly I hesitate to include it. I've never seen it said
on a.c.v., but I've heard it so often in other contexts, I've included
it anyway. Write-protecting a suspect floppy will only protect that
diskette from *re-infection*, if it's already infected. It won't stop
an infected floppy from infecting other (write-enabled) drives.
If you boot with a disk in drive A which is infected with a boot-sector
virus, the fact that the diskette is write-protected will make no
difference at all.
Write-protecting a *clean* floppy will indeed prevent it from being
infected (but see below!).
* The write protect tab always stops a disk write
Briefly, write protection is built into the hardware on the Mac and
on the PC (and most other systems, of course, but we can't cover
everything), and can't be circumvented in software.
However, it is possible for the hardware to fail: it's not common,
but it happens. Thus when I do a cleanup, I try to create a file on a
sacrificial floppy before risking my R/O boot disk. Sometimes, I
even remember....
Other caveats: a disk which you receive write-protected could have
been de-protected, infected, and re-protected. Even a 3.5" disk with
the write-enable tab removed can be written to by covering the hole
with (e.g.) masking tape. And, of course, shrink-wrapped software
could have been infected before the duplication process.
* I can infect my system by running DIR on an infected disk
If you have a clean PC system, you can't contract a boot sector virus
*or* a file virus just by listing the files on an infected floppy.
Of course, if your PC is infected, you may well infect a *clean* floppy
by using
DIR A:
It *is* possible to have a scanner report a virus in memory after a
DIR of a floppy with an infected boot sector. The distinction here is
that the virus is *not* actually loaded into memory, so the PC has
*not* been infected.
-----------------------------------------------------------------------
End of a.c.v. FAQ part 2