home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Internet Info 1997 December
/
Internet_Info_CD-ROM_Walnut_Creek_December_1997.iso
/
faqs
/
alt
/
comp
/
virus
/
[alt.comp.virus]_FAQ_Part_4_4
< prev
next >
Wrap
Internet Message Format
|
1997-10-24
|
55KB
Path: senator-bedfellow.mit.edu!faqserv
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Newsgroups: alt.comp.virus,comp.virus,alt.answers,comp.answers,news.answers
Subject: [alt.comp.virus] FAQ Part 4/4
Supersedes: <computer-virus/alt-faq/part4_876222027@rtfm.mit.edu>
Followup-To: alt.comp.virus
Date: 23 Oct 1997 09:38:37 GMT
Organization: none
Lines: 1254
Approved: news-answers-request@MIT.EDU
Expires: 21 Nov 1997 09:32:10 GMT
Message-ID: <computer-virus/alt-faq/part4_877599130@rtfm.mit.edu>
References: <computer-virus/alt-faq/part1_877599130@rtfm.mit.edu>
NNTP-Posting-Host: penguin-lust.mit.edu
X-Last-Updated: 1997/09/07
Originator: faqserv@penguin-lust.MIT.EDU
Xref: senator-bedfellow.mit.edu alt.comp.virus:51177 comp.virus:30102 alt.answers:29804 comp.answers:28647 news.answers:115223
Archive-name: computer-virus/alt-faq/part4
Posting-Frequency: Fortnightly
URL: http://www.webworlds.co.uk/dharley/
Maintainer: Co-maintained by David Harley, Bruce Burrell, and George Wenzel
alt.comp.virus (Frequently Asked Questions)
*******************************************
Version 1.04: Part 4 of 4
Last modified 6th Sept 1997
("`-''-/").___..--''"`-._
`6_ 6 ) `-. ( ).`-.__.`)
(_Y_.)' ._ ) `._ `. ``-..-'
_..`--'_..-_/ /--'_.' ,'
(il),-'' (li),' ((!.-'
ADMINISTRIVIA
=============
Disclaimer
----------
This document is an honest attempt to help individuals with computer
virus-related problems and queries. It can *not* be regarded as being
in any sense authoritative, and has no legal standing. The authors
accept no responsibility for errors or omissions, or for any ill effects
resulting from the use of any information contained in this document.
Not all the views expressed in this document are mine, and those views
which *are* mine are not necessarily shared by my employer.
Copyright Notice
----------------
Copyright on all contributions to this FAQ remains with the authors
and all rights are reserved. It may, however, be freely distributed
and quoted - accurately, and with due credit.
It may not be reproduced for profit or distributed in part or as
a whole with any product for which a charge is made, except with
the prior permission of the copyright holders. To obtain such permission,
please contact one of the co-maintainers of the FAQ.
David Harley <D.Harley@icrf.icnet.uk>
Bruce Burrell <bpb@umich.edu>
George Wenzel <gwenzel@gpu.srv.ualberta.ca>
[Please check out the more detailed copyright notice at the beginning
of part 1 of the FAQ]
--------------------------------------------------------------------------
TABLE OF CONTENTS
*****************
Part 1
------
(1) I have a virus - what do I do?
(2) Minimal glossary
(3) What is a virus (Trojan, Worm)?
(4) How do viruses work?
(5) How do viruses spread?
(6) How can I avoid infection?
(7) How does antivirus software work?
Part 2
------
(8) What's the best anti-virus software
(and where do I get it)?
(9) Where can I get further information?
(10) Does anyone know about
* Mac viruses?
* UNIX viruses?
* macro viruses?
* the AOLgold virus?
* the PKZip300 trojan virus?
* the xyz PC virus?
* the Psychic Neon Buddha Jesus virus?
* the blem wit virus?
* the Irina virus
* Ghost
++ * General Info on Hoaxes/Erroneous Alerts
(11) Is it true that...?
(12) Favourite myths
* DOS file attributes protect executable files from
infection
* I'm safe from viruses because I don't use bulletin
boards/shareware/Public Domain software
* FDISK /MBR fixes boot sector viruses
* Write-protecting suspect floppies stops infection
* The write-protect tab always stops a disk write
* I can infect my system by running DIR on an infected
disk
Part 3
------
(13) What are the legal implications of computer viruses?
-----> Part 4
------
-----> (14) Miscellaneous
-----> Are there anti-virus packages which check zipped files?
-----> What's the genb/genp virus?
-----> Where do I get VCL and an assembler, & what's the password?
-----> Send me a virus.
-----> It said in a review.....
-----> Is it viruses, virii or what?
-----> Where is alt.comp.virus archived?
++
-----> What about firewalls?
-----> Viruses on CD-ROM.
-----> Removing viruses.
-----> Can't viruses sometimes be useful?
-----> Do I have a virus, and how do I know?
-----> What should be on a (clean) boot disk?
-----> How do I know I have a clean boot disk?
-----> What other tools might I need?
-----> What are rescue disks?
-----> Are there CMOS viruses?
-----> How do I know I'm FTP-ing 'good' software?
-----> What is 386SPART.PAR?
++
-----> Can I get a virus to test my antivirus package with?
-----> When I do DIR | MORE I see a couple of files with funny names...
-----> Reasons NOT to use FDISK /MBR
-----> Why do people write/distribute viruses?
-----> Where can I get an Anti-Virus policy?
-----> Are there virus damage statistics?
-----> What is NCSA approval?
-----> What language should I write a virus in?
-----> No, seriously, what language are they written in?
-----> [DRD], Doren Rosenthal, the Universe and Everything
-----> What are CARO and EICAR?
++
-----> "Am I idle?" Yellow Smiley in Win95 System Tray
-----> Placeholders
Supplement: Guide to Virus-related FAQs vs. 1.02a
* The alt.comp.virus FAQ
* The comp.virus/Virus-L FAQ
* The macro-virus FAQ
* The alt.comp.virus mini-FAQ
* The Antiviral Software Evaluation FAQ
-------------------------------------------------------------------
(14) Miscellaneous
==================
Are there anti-virus packages which check zipped files?
-------------------------------------------------------
An increasing number of packages seem to support checking .ZIP and
other compression formats on the fly. DSAVTK, AVP and NAV 3.0/NAV95
support some formats. The number of formats supported may become as
big a selling point as the total number of viruses detected, but for
most of us it's only really an issue if we do a lot of scanning of
CDs, for instance. Even then, it becomes urgent only if you *unpack*
the archive and want to run programs. Compilers of CDs, however,
are *not* entitled to use this as an excuse for not scanning their
collections.
What's the genb/genp virus?
---------------------------
This is McAfee-ese for "You may have an unrecognised ('generic')
boot-sector (genb) or partition-sector (genp) virus". Re-check
with a more recent version or the latest version of another
reputable package.
Where do I get VCL and an assembler, & what's the password?
-----------------------------------------------------------
Wrong FAQ. You don't learn anything about viruses, programming
or anything else from virus toolkits. You want rec.knitting. B-)
I can't believe there's anyone left on the Internet who doesn't
know the VCL password, but I'm not going to tell you anyway.
OK, maybe you want an assembler to learn assembly-language, not
just to rehash prefabricated code. Where do you get TASM?
You buy it from Borland or one of their agents, either stand-alone
or with one of their high-level languages. If you want freeware
or shareware, I guess you can still get the likes of CHASM and
A86 (SimTel mirror sites in SimTel/asm).
Send me a virus
---------------
Anti-virus researchers don't usually share viruses with people
they can't trust. Pro-virus types are often unresponsive to
freeloaders. And why would you *trust* someone who's prepared
to mail you a virus, bona-fide or otherwise? [A high percentage
of the 'viruses' available over the internet are non-replicating
junk.]
Requests for viruses by people 'writing a new anti-virus utility'
are usually not taken too seriously.
* We get rather a lot of such requests, which leads to a certain amount
of cynicism.
* Writing a utility to detect a single virus is one thing: writing a
usable, stable, reasonably fast scanner which detects all known
viruses is a considerable undertaking. There are highly experienced
and qualified people working more or less full time on adding routines
to do this to antivirus packages which are already mature, and unless
you have a distinctly novel approach, you don't have much chance of
keeping up with them.
* It may be that the research you're interested in has already been done.
Say what sort of information you're looking for, and someone may be able
to help.
* You can't afford to use junk 'viruses' for research, and the best
collections are largely in the hands of people who won't allow
access to them to anyone without cast-iron credentials.
If you want to test anti-virus software with live viruses, this
is *not* the way to get good virus samples.
Valid testing of antivirus software requires a lot of time, care
and thought and a valid virus test-set. Virus simulators are
unhelpful in this context: a scanner which reports a virus when it
finds one of these is actually false-alarming, which isn't
necessarily what you want from a scanner.
Read Vesselin Bontchev's paper on maintaining a virus library:
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/virlib.zip
There have been one or two requests for source code. Assuming you have
the necessary knowledge of programming (especially x86 assembler) and the
PC, this is probably the wrong approach, unless you're a serious
antivirus researcher (in which case you need to sell yourself to the
antivirus research community, and asking for viruses here isn't the
way to earn their trust).
* How can you trust any source code you're sent? Antivirus researchers won't
send it to you, so you have to rely on the goodwill of a virus writer
or distributor: not always a good idea. Many so-called viruses picked up
from CDs, VX websites etc. aren't viruses at all.
* Are you going to examine all 8-9000(-ish) known viruses? Or all the 180-ish
listed in the WildList? If not, what are your selection criteria going to
be? How will you tell an insignificant variant from a completely different
virus type?
Your first task is to understand the general principles, and you won't get
those from snippets of code. If you still need low-level analysis afterwards,
you might like to try
http://www.virusbtn.com/VirusInformation/
where you can find analyses (without source code) of a number of common
viruses, analysed by experts.
It said in a review....
-----------------------
Reviews in the general computing press are rarely useful. Most
journalists don't have the resources or the knowledge to match
the quality of the reviews available in specialist periodicals like
Virus Bulletin or Secure Computing. Of course, it's possible to
produce a useful, if limited assessment of a package without
using live viruses based on good knowledge of the issues involved
(whether the package is NCSA-certified, for instance): unfortunately,
most journalists are unaware of how little they know and have a vested
interest in giving the impression that they know much more than they
do. Even more knowledgeable writers may not make clear the criteria
applied in their review.
Is it viruses, virii or what?
-----------------------------
The Latin root of virus has no plural form. Since the use of the
word virus is borrowed from biology, you might like to conform to
the usage normally favoured by biologists, doctors etc., which is
viruses. However, a number of people favour the terms virii/viri,
either to avoid confusion with the biological phenomenon (but what's
the point of distinguishing in the plural but not in the singular?),
or to avoid being mistaken for anti-virus researchers.....
Where is alt.comp.virus archived?
---------------------------------
It isn't, as far as anyone seems to know. No-one currently working on
the FAQ is likely to offer archiving, since a full archive would
include uploaded viruses. When the FAQ is established, I may do some
work on making an occasional digest available.
Tom Simondi points that there is an archive of sorts at dejanews. You
can search for several months of messages by subject at:
http://www.dejanews.com/
+++
Kevin Marcus has announced that he is archiving alt.comp.virus at:
ftp://ftp.infospace.com/pub/alt.comp.virus-archives
[Since postings are being archived manually, binaries, source code etc.
will not be available from this site.]
++What about firewalls?
---------------------
Firewalls don't generally screen computer viruses, though version 3
of Checkpoint's Firewall-1 can use a plug-in scanning module based
on Computing Associates/Cheyenne's Innoculan engine. However, there are
a number of products that scan for viruses at a point either before
or after a "normal" firewall to the Internet (or internally between post
offices.) These products can scan incoming and outgoing E-mail
attachments for viruses. MIMESweeper, by Integralis, uses your
favourite scanner (e.g. F-PROT, Thunderbyte, Dr. Solomon's, Sophos,
etc) for scanning the viruses after it has opened up the E-Mail
attachments in a secure area on the hard drive of the NT machine.
Obviously, the on-demand scanner is an additional cost.
The use of a "batch" file allows the scanning to use any switches or
commands that are available to the scanner program(s) and also allows
multiple scanners to be used with different switches, etc. which it
runs. If clean, it sends the E-Mail on. Files which it cannot scan
can be 'quarantined' in the secure area to be scanned 'by hand' or
otherwise disposed of.
MIMESweeper vs. 1.0 reads MIME attachments and recognises ZIP archives,
but does not read other compression formats or binary encoding
formats such as uuencode.
MIMESweeper ver. 2.1 reads MIME attachments, UUENCODE, and recognises
ZIP and recursive .ZIP archives, OLE, but does not yet read many other
compression or binary encoding formats. (CDA, BinHex, LHA and Stuffit
are expected in due course). It runs under NT Workstation and requires,
at minimum, a 486 with 24Mb RAM, 500Mb hard disk, and a CD-ROM drive (for
installation only). It works with cc:Mail, SMTP with MIME attachments,
Microsoft Mail, or MHS,
MIMESweeper 3.0 adds FTP/HTTP but not NNTP. Minimum requirement is
still a 486 with 24Mb, but medium to high volumes will require a
Pentium with 32Mb RAM. WEBSweeper requires NT version 4.0 (apply
Service Pack 4 if accessed via NetWare). MIMESweeper requires TCP/IP
for remote management
MIMESweeper has advanced content filtering abilities which go beyond
its capabilities (with assistance from other software) for detection
of file viruses and trojans.
Trend's InterScan VirusWall is similar to MIMEsweeper but uses Trend's
own scanning engine only as the scanner. Trend also scans FTP traffic.
Trend currently runs on SUN Solaris 2.4-5 and will be adding NT later.
These products do real scanning before the mail hits the hard drive but,
at least until the holes are filled in the above products, make sure your
mail attachments, WWW downloads etc. can't be automatically executed and
use a good TSR/VXD in combination with a good scanner. Note that scanning
FTP traffic is likely to add a heavy network overhead and probably won't
catch as many viruses as checking *all* files from *all* sources with a
desktop scanner
Current informed thinking tends to be that detection of viruses at
the firewall is acceptable (1) if you can afford the additional
hardware, software and latency (processing overhead), not to mention
the hidden administrative overheads of configuration and policy for
dealing with boundary conditions such as unusual 7-bit encoding formats,
encrypted files etc. (2) ss long as you appreciate that it can only be
supplementary to checking at the desktop, not a replacement. Mail
attachments, FTP and HTTP are more significant vectors for virus
transmission than formerly, especially with the near-exponential
boom in macro viruses, but other vectors (especially floppy disks)
are still of vital concern. System administrators are attracted by
the fact that it's easier to update server software than control
the use of scanning on individual workstations, but the fact remains
that in most environments, until the desktop is adequately protected
with good, up-to-date realtime (on-access) scanning and/or scheduled
on-demand scanning, virus scanning at the perimeter is a
semi-irrelevance.
McAfee's WebScan also addresses this market, but has detection only,
not disinfection: you need their on-demand scanner too. Dr. Solomon's
MailGuard is based on MIMESweeper. Norton AntiVirus for Firewalls is
due for release in June 1997.
For firewall-related information
comp.security
comp.security.firewalls
or, if you don't mind your mail by the ton, the firewalls mailing-lists.
mailto: majordomo@greatcircle.com
subject:
message: subscribe firewalls
mailto: majordomo@greatcircle.com
subject:
message: subscribe firewalls-digest
++GreatCircle Associates website with links to the GreatCircle mailing
list and archives and other security/firewall resources.
http://www.greatcircle.com/firewalls/
++Marcus Ranum's FAQ:
http://www.v-one.com/pubs/fw-faq/
Books:
Firewalls and Internet Security - Repelling the Wily Hacker
(Cheswick, Bellovin) - Addison-Wesley
Building Internet Firewalls (Chapman, Zwicky) - O'Reilly
Vendors:
http://www.integralis.com/
http://www.checkpoint.com/
http://www.trendmicro.com/
http://www.mcafee.com/
http://www.drsolomon.com/
Viruses on CD-ROM
-----------------
Viruses have been distributed on CD ROM (for instance, Microsoft
shipped Concept, the first (in the wild) macro virus, on a CD ROM called
"Windows 95 Software Compatability Test" in 1995). It is wise to scan CD
ROMs on arrival for viruses, just like floppies. If the CD ROM has
compressed or archived files it is wise to scan it with an anti-virus
package which can cope with large amounts of compressed and archived
files.
[If you scan all drives at every boot, though, you may find that this
gives you a good incentive to remove CDs from your CD drive before
you power down, especially if your scanner isn't set to allow you
to break out of a scan. B-)]
Removing viruses
----------------
It is always better from a security point of view to replace infected
files with clean, uninfected copies. However, in some circumstances this
is not convenient. For example, if an entire network were infected with
a fast-infecting file virus then it may be a lot quicker to run a quick
repair with a reliable anti-virus product than to find clean, backup copies
of the files. It should also be realised that clean backups are not
available. If a site has been hit by Nomenklatura, for example, it may
take a long time before it is realised that you have been infected. By
that time the data in backups has been seriously compromised.
There are virtually no circumstances under which you should need to reformat
a hard disk, however: in general, this is an attempt to treat the symptom
instead of the cause. Likewise re-partitioning with FDISK.
If you use a generic low-level format program, i.e. one which isn't
specifically for the make and model of drive you actually own, you
stand a good chance of trashing the drive more thoroughly than any
virus yet discovered.
Can't viruses sometimes be useful?
----------------------------------
Vesselin Bontchev wrote a respected paper on this subject:
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/goodvir.zip
Fred Cohen has done some heavy-duty writing in the other direction.
Start with "A Short Course on Computer Viruses", "It's Alive!"(Wiley).
In general, it's hard to imagine a situation where (e.g.) a
maintenance virus is the *only* option. I have yet to see a convincing
example of a potentially useful virus which *needs* to be a virus.
Such a program would have to be *much* better written and error-trapped
than viruses usually are.
Do I have a virus, and how do I know?
-------------------------------------
Almost anything odd a computer may do can (and has been)
blamed on a computer "virus," especially if no other
explanation can readily be found. In most cases, when an
anti-virus program is then run, no virus is found.
A computer virus can cause unusual screen displays, or
messages - but most don't do that. A virus may slow the
operation of the computer - but many times that doesn't
happen. Even longer disk activity, or strange hardware
behaviour can be caused by legitimate software, harmless
"prank" programs, or by hardware faults. A virus may cause
a drive to be accessed unexpectedly (and the drive light to
go on) - but legitimate programs can do that also.
One usually reliable indicator of a virus infection is
a change in the length of executable (*.com/*.exe) files, a
change in their content, or a change in their file date/time
in the Directory listing. But some viruses don't infect
files, and some of those which do can avoid showing changes
they've made to files, especially if they're active in RAM.
Another common indication of a virus infection is a
change to interrupt vectors or the reassignment of system
resources. Unaccounted use of memory or a reduction in the
amount normally shown for the system may be significant.
In short, observing "something funny" and blaming it on
a computer virus is less productive than scanning regularly
for potential viruses, and not scanning, because "everything
is running OK" is equally inadvisable.
What should be on a (clean) boot disk?
--------------------------------------
A boot floppy is one which contains the basic operating system, so that
if the hard disk becomes inaccessible, you can still boot the machine
to attempt some repairs. NB All formatted floppies contain a boot sector,
but only floppies which contain the necessary system files can be used
as boot floppies. A clean boot disk is one which is known not to be
virus-infected. It's best to use a clean boot disk before routine
scans of your hard disk(s). Some antivirus packages will refuse to run
if there is a virus in memory. It is usually better and sometimes
mandatory to disinfect a system without the virus in memory, and an
undetected file virus may actually spread faster during a scan, since
scanners normally open all executable files in all directories.
To make an emergency bootable floppy disk, put a disk in drive A and type
FORMAT A: /S
Be careful to avoid 'cross-formatting', i.e. formatting a double-density
disk as high-density or vice versa, if you system allows this. (You should
avoid this all the time, not just when creating a boot disk. I'd also
recommend avoiding single-density and quad-density disks, and there may
be problems writing to double-density 5.25" disks on a different machine
to the one on which they were formatted, if one machine is an XT and the
other an AT or better.)
You can also make a pre-formatted floppy into a boot disk by typing
SYS A:
I'd suggest you also COPY these commands from C:\DOS to it: ATTRIB,
CHKDSK (or SCANDISK if you have DOS6), FDISK, FORMAT, SYS, and BACKUP and
RESTORE (or whatever backup program you use, if it will fit). They may
come in handy if you can't access the hard disk, or it won't boot up.
You may be aware that if there is a problem with your boot sequence, you
can boot from the hard disk on a DOS 6/7/Win95 system while bypassing
AUTOEXEC.BAT and CONFIG.SYS. This is not as good as a clean floppy boot:
it won't help at all if you have a boot sector/partition sector infector,
or if any or all of the basic operating system files have been infected
by a file virus.
The boot disk should have been created with the same version of DOS as
you have on your hard disk. It should also include any drivers necessary
to access your hard disk and other device. If, for some reason, you
can't obtain a clean boot disk with the same version of DOS, you can
often get away with booting from a (clean) disk using a different
version, though: indeed, there are viruses which exploit a bug in
recent versions of MS-DOS which will prevent a clean boot from DOS vs.
4-6. If you *do* use a different version, remember that you won't be able
to use many of the standard DOS system utilities on the hard disk, which
will simply return a message like 'Wrong DOS version' when you try to run
them, and avoid the use of FORMAT or FDISK.
If you become virus-infected it can be very helpful to have backup of your
hard disk's boot sector and partition sector (also known as MBR). Some
anti-virus and disk utilities can do this. Other useful tools to include are
a small DOS-based text editor (for editing AUTOEXEC.BAT, CONFIG.SYS and so
forth), a copy of the DOS commands COMP or FC (for comparing files),
FDISK and SYS (make sure they are from the same version of DOS as you are
booting). There is a school of thought that your boot disk should also
include your anti-virus software. The problem with this is that
anti-virus software should be updated frequently, and you may forget to
update (and re-write-protect) your boot disk each time. Ideally you will
have been sent a clean, write-protected copy of the latest version of your
anti-virus software by your vendor/supplier.
If you want to use the DOS program EDIT, remember that you need both
EDIT.* and QBASIC.* on the same disk.
When you have everything you need on your boot floppy and any supplementary
floppies (see below), make sure they're all *write-protected*!
How do I know I have a clean boot disk?
---------------------------------------
You can't usually make up a clean boot disk on a system which has been
booted from an infected floppy or hard disk. So how do you know you're
booting clean? Actually, you can never be 100% sure. If you buy a PC
with the system already installed, you can't be sure the supplier
didn't format it with an infected disk. If you get a set of system
disks, can you assume that Microsoft or the disk duplicator
didn't somehow release a contaminated disk image? (Yes, something rather
like this has indeed happened...) However, you can be better than 99%
sure.
* If you have (and use) a reputable, up-to-date virus scanner, it will
almost invariably detect a known virus in memory (scanners can't be
relied on to detect an unknown virus, in memory or not). If a good
scanner doesn't ring an alarm bell, you've *almost* certainly booted
clean. What constitutes a good scanner is another question....
* If you have a set of original system disks which you received
shrinkwrapped *and* which you've never used *or* which have only been
used write-protected, you can probably use Disk 1 as a boot disk and
it *probably* isn't infected - after all, Microsoft doesn't use MSAV
for jobs like this..... It has been reported, though, that DOS
systems disks have been distributed infected, and the fact that
they're often distributed write-enabled doesn't inspire confidence.
* You could always contact the supplier of your most-trusted anti-virus
utility and ask whether you can send them a boot floppy to check. Of
course, even anti-virus gurus sometimes make mistakes, but a boot
disk verified in this way would still be worth paying for,
especially for organizations with mission-critical systems.
* S&S are now distributing a 'Magic Bullet' disk with future versions
of their Dr. Solomon product, which will boot a PC with just enough
functionality to enable users to run their scanning software without
infringing Microsoft's copyright (as they would be doing if they
distributed a boot-able DOS floppy). This strikes me as an excellent
idea, though it won't work on every system.
* When the unit I work for approached Microsoft to check on the legal
position as regards distributing a clean boot disk with anti-virus
software updates within the organization, we were told that this was
OK as long as the boot floppy was made with the same version of DOS as
the version on the target machine. Any organization wishing to do
this might like to check with Microsoft that this is still their formal
position.
What other tools might I need?
------------------------------
Other suggestions have included a sector editor, and Norton Utilities
components such as Disk Doctor (NDD). These are not suitable for use by
the technically-challenged - any tool which can manipulate disks at a
low-level is potentially dangerous. If you do use tools like this, make
sure they're good quality and up-to-date. If you attack a 1Gb disk with
a package that thinks 32Mb is the maximum for a partition and MFM disk
controllers are leading edge, you're in for trouble....
A copy of PKZIP/PKUNZIP or similar compression/decompression utility may
be useful both for retrieving data and for cleaning (some) stealth viruses.
The MSD diagnostic tool supplied with recent versions of DOS and Windows
is a useful addition. QEMM includes a useful diagnostic tool called
Manifest. Heavy duty diagnostic packages like CheckIt! may be of use.
There are some useful shareware/freeware diagnostic packages, too.
Obviously, these are not all going to go on one bootdisk. When you
prepare a toolkit like this, make sure *all* the disks are
write-protected!
Tech support types are likely to find that an assortment of bootable
disks including various versions of DOS comes in useful on occasion.
If you have one or two non-Microsoft DOS versions (DR-DOS/Novell DOS
or PC-DOS), they can be a useful addition. DoubleSpaced or similar
drives will need DOS 6.x; Stacked drives will need appropriate
drivers loaded.
My understanding of the copyright position is that Microsoft does
not encourage you to *distribute* bootable disks (even if they contain
only enough files to minimally boot the system) *unless* the target
system is loaded with the same version of MS-DOS as the boot floppy.
Support engineers will need to ensure that they are legally entitled
to all DOS versions for which they have bootable disks.
What are rescue disks?
----------------------
Many antivirus and disk repair utilities can make up a (usually
bootable) rescue disk for a specific system. This needs a certain
amount of care and maintenance, especially if you make up more than
one of these for a single PC with more than one utility. Make sure
you update *all* your rescue disks when you make a significant
change, and that you understand what a rescue disk does and how it
does it before you try to use it. Don't try to use a rescue disk
made up on one PC on another PC, unless you're very sure of what
you're doing: you may lose data.
Are there CMOS viruses?
-----------------------
Although a virus (e.g. antiCMOS) CAN write to (and corrupt) a
PC's CMOS memory, it can NOT "hide" there. The CMOS memory
used for system information (and backed up by battery power) is
not "addressable," and requires Input/Output ("I/O") instructions
to be usable.
Data stored there are not loaded from there and executed, so virus
code written to CMOS memory would still need to infect an
executable program in order to load and execute whatever it wrote.
A virus could use CMOS memory to store part of its code,
and some tamper with the CMOS Setup's values. However,
executable code stored there must first be first moved to
DOS memory in order to be executed. Therefore, a virus
can NOT spread from, or be hidden in CMOS memory.
++
There are also reports of a trojanized AMI BIOS - this is
not a virus, but a 'joke' program which does not replicate.
The malicious program is not on the disk, nor in CMOS, but
was directly coded into the BIOS ROM chip on the system board.
by a rogue programmer at American Megatrends Inc., the
manufacturers.
++
If the date is 13th of November, it stops the bootup process
and plays 'Happy Birthday' through the PC speaker. In this
case, the only cure is a new BIOS (or motherboard) - contact
your dealer. The trojanized chip run was BIOS version M82C498
Evaluation BIOS vs. 1.55 of 04-04-93, according to Jimmy
Kuo's "What is NOT a virus" paper.
++
>From time to time there are reports from Mac users that the
message 'welcome datacomp' appears in their documents without
having been typed. This appears to be the result of using a
trojanised 3rd-party Mac-compatible keyboard with this 'joke'
hard-coded into the keyboard ROM. It's not a virus - it can't
infect anything - and the only cure is to replace the keyboard.
How do I know I'm FTP-ing 'good' software?
------------------------------------------
Reputable sites like SimTel and Garbo check uploaded utilities for
viruses before making them publicly available. However, it makes
sense not to take anything for granted. I'm aware of at least one
instance of a virus-infected file being found on a SimTel mirror:
you can't scan a newly-uploaded file for a virus your scanner
doesn't know about. Good A/V packages include self-checking code,
though it's unsafe to depend even on this 100%. Be paranoid: you
know it makes sense....
In general, don't run *anything* downloaded from the Internet,
BBSs etc. until it's been checked with at least one reputable
and up-to-date antivirus scanner.
What is 386SPART.PAR?
---------------------
People are sometimes alarmed at finding they have a hidden file
with this name. It is, in fact, created by Windows 3.x when you
configure it to use a permanent swap file (a way of allowing Windows
to work as if you had more memory than you really do. On no account
should you delete it, as it will upset your configuration. If you wish
to remove it or adjust the size, do so via the 386 Enhanced
setting in Control Panel. However, a permanent swap file usually
improves performance on a machine with relatively little memory.
The file is not executable as such, and reports of virus infection
are usually false positives.
+++Can I get a virus to test my antivirus package with?
----------------------------------------------------
Well, I won't send you one... Most packages have some means of allowing
you to trigger a test alert. There is a standard EICAR test file which
is recognized by some packages.
George Wenzel recently reported that recent versions of the following
should recognise it. Well done George for promoting the EICAR file among
vendors who hadn't been taking notice!
"AVAST!
AVP
AVScan
Dr. Solomon's
Dr. Web
F-Prot
McAfee
Norton
Norman
Sophos Sweep
ThunderByte
Virus ALERT!
VET will be adding detection in November.
ViruSafe will be adding detection in their next version.
Don't know about Virus Buster yet, though.. "
To make use of the EICAR test string, type or copy/paste the
following text into a file called EICAR.COM, or TEST.COM or whatever.
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Running the file displays the text "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".
Scanning the file with one of the components of these packages should
trigger an alert.
The EICAR file isn't an indication of a scanner's -efficiency- at
detecting viruses, since (1) it isn't a virus and (2) detecting
a single virus or non-virus isn't a useful test of the number of
viruses detected. It's a (limited) check on whether the program
is installed, but I'm not sure it's a measure of whether it's installed
correctly. For instance, the fact that a scanner reports correctly that a
file called EICAR.COM contains the EICAR string, doesn't tell you
whether it will detect macro viruses, for example. In fact, if I wanted
to be really picky, I'd have to say that it doesn't actually tell you
anything except that the scanner detects the EICAR string in files with
a particular extension.
B-)
[I have Chengi Jimmy Kuo's permission to reproduce the following, a
propos of the preceding paragraph]:
"The purpose of the EICAR test file is for the user to test all the
bells and whistles associated with detecting a virus. And, if given
that one platform detects it, is everything else working? It is to
enable such things as:
Is the alert system working correctly?
Does the beeper work?
Does the network alert work?
Does it log correctly?
What does it say?
Is the NLM working? For inbound? For outbound?
Is compressed file scanning working?
Surprise MIS testing of AV security placements.
The file serves no purpose in testing whether one product is better
than another. Previously, every product had to supply its own test
methods. This allows for an independent standard.'
There have been long threads recently on whether the Rosenthal
Simulator is useful for this sort of job. This will be considered
at length here when I have the time to look at it in more detail,
but it should be noted that many anti-virus researchers have
expressed considerable scepticism. Certainly, having looked at
an earlier incarnation, I see no urgent need to research this
further.
When I do DIR | MORE I see a couple of files with funny names...
----------------------------------------------------------------
Actually, this is in the Virus-L FAQ. Read that and post the question
to comp.virus or alt.comp.virus if you're still worried. Basically,
the answer is that MORE creates a couple of temporary files, being
considerably less efficient than the Unix utility it attempts to
emulate. Most versions of DOS since the Middle Ages support the
syntax DIR /P, which does the same job less messily. In fact,
if you have a version of DOS later than 5, you might consider
incorporating it into the environment variable DIRCMD, so that it
becomes your default on directory listings which exceed 1 screenful.
Of course, other utilities such as ATTRIB can also be filtered through
MORE like this, which may result in similar symptoms.
------------------------------------------------------------
Reasons NOT to use FDISK /MBR
-----------------------------
See Section 12 in part 2 of this FAQ for further information about FDISK
with the undocumented /MBR switch. However, people with virus problems
are frequently advised, out of ignorance or maliciousness, to use this
switch in circumstances where it can lead to an inability to access your
disk drive and possible loss of data (not to mention hair and sanity).
Essentially, you should avoid using FDISK /MBR unless you have it on good
authority that it's safe and necessary to do so. In most circumstances, it's
safer to clean a partition sector with a good anti-virus program.
You should avoid FDISK /MBR at all costs under the following circumstances:
1. Under an infection of viruses that don't preserve the Partition Table
e.g., Monkey, reported at 7.2% of the infections reported to _Virus
Bulletin_ for December '95, the last report for which I have data
2. Under an infection that encrypts data on the hard drive and keeps
the key in the MBR, e.g, One_half -- reported at 0.8% worldwide
3. When security software, e.g., PC-DACS is in use
4. When a driver like Disk Manager or EZDrive is installed
5. When a controller that stores data in (0,0,1) is in use
6. When more than one BSI virus is active, in some conditions
7. When a data diddler is active, e.g. Ripper, accountable for 3.8% of
the infections reported in the study cited above (N.B.: while this
case won't be fixed by AV utilities, at least one will know why
there are problems with the drive)
------------------------------------------------------------
Why do people write/spread viruses?
-----------------------------------
>From postings which have appeared in alt.comp.virus in the past:
* they don't understand or prefer not to think about the consequences
for other people
* they simply don't care
* they don't consider it to be their problem if someone else is
inconvenienced
* they draw a false distinction between creating/publishing viruses
and distributing them
* they consider it to be the responsibility of someone else to protect
systems from their creations
* they get a buzz, acknowledged or otherwise, from vandalism
* they consider they're fighting authority
* they like 'matching wits' with antivirus vendors
* it's a way of getting attention, getting recognition from their peers
and their names (or at least that of their virus) in the papers and
the Wild List
* they're keeping the antivirus vendors in a job
How seriously you take some of these assertions is up to you....
------------------------------------------------------------
Where can I get an anti-virus policy?
-------------------------------------
There is some relevant material in the Virus-L FAQ document, but you'll
need to do most of the work specific to your own environment. It's worth
doing some general reading on security policies generally and getting
the distinctions straight between policies, strategies, standards,
procedures and protocols. I'm working on this in other contexts: some of
that material may eventually seep back into here.
The NCSA have a Corporate Virus Prevention Policy disk/document which can
be ordered via their web page (www.ncsa.com) for around $20, or downloaded
from Compuserve.
In the UK, the British Standards Institution have a Code of Practice for
Information Security Management which includes virus-management (BS7799).
[It's not necessarily well-regarded by practitioners, though.]
BSI
389 Chiswick High Road
London W4 4AL
DTI (Dept. of Trade & Industry)
IT Security Policy Unit
151 Buckingham Palace Road
London SW1W 9SS
The last time I looked at the S&S International web page (www.drsolomon.com)
they had a paper on Guidelines for an Anti-Virus Policy by David Emm which
is a reasonable starting point, though a comprehensive virus management
policy is no small undertaking.
------------------------------------------------------------
Are there virus damage statistics?
----------------------------------
Some, possibly even less reliable than the average survey on general
security breaches. Why?
* Many reported virus incidents aren't, in fact, virus incidents, as
many a PC support specialist will confirm. There is a tendency to
attribute any PC anomaly to a virus, among those who are not well
acquainted with the virus arena. Unfortunately, this includes
virtually the entire press corps and many security consultants. Also,
some widely-used packages are noticeably prone to false alarms.
* Many actual virus incidents and other security breaches are not
reported, due to the intervention of top management or Public
Relations, out of fear of losing competitive advantage because of
being perceived as badly-managed and insecure.
* Many other virus incidents and security breaches aren't reported
because they're simply not recognised as such, or at all.
* There are no standards for reporting and assessing damage from
viruses and other security breaches. Take the case of Christopher
Pile (the Black Baron), who was convicted in the UK under the
Computer Misuse Act: I have seen estimates in the UK press of
the damage sustained by the company most affected by the viruses
Pile spread ranging from #40,000 to #500,000, and this is an
unusually well-documented incident. How can the average survey
respondent be expected to make an accurate assessment?
The trouble is, there's a lot more to 'damage' than the figures
estimated for a particular outbreak.
Cost of maintaining virus protection
Training and maintaining a response team
Management costs
Cost of software licences
Cost in time/productivity/money of maintaining upgrades etc.
Formulating and enforcing policy
Educating users in the issues and good hygienic practice
Cost in time of routine anti-virus measures
Cost in money and time of servicing false alarms
Cost of sheepdip systems
Cost of having part-time A/V people taking time off
from their 'real' jobs
Alternatively, the cost of having full-time A/V personnel
Cost of tracking the product market, technological changes
Formulating and enforcing a backup policy
Development of protective systems
Resource utilisation by undetected viruses
Cost of specific outbreaks
Loss of productivity
Workstation/Server downtime
Damage to reputation of the organization
Damage to involved personnel
Psychological damage - witch hunts
Damage limitation
Time spent cleaning up, examining floppies etc.
Restoration of backups/reinstallation
Replacing unrecoverable data
Time and money spent increasing virus protection.....
However, the Poor Bloody Infantry often have to spend time and effort
persuading the Generals of the need to expend money on ammunition.
You might care to check out:
* The Information Security Breaches Survey 1996 [UK]
[National Computing Centre, ICL, ITSEC, Dept. of Trade & Industry]
NCC
Oxford House
Oxford Road
Manchester
M1 7ED
(voice) +44(0) 161 228 6333
(fax) +44(0) 161 242 2171
enquiries@ncc.co.uk
http://www.ncc.co.uk/
This came up with the highly suspect but much quoted average of about
#4000 per virus incident.
* Computer Virus & Security Survey 1995 [Ireland]
[Price Waterhouse, Priority Data Systems]
Price Waterhouse
Wilton Place
Dublin 2
(353 1) 6606700
* You might also care to check out the NCSA virus survey
(ftp://isrecon.ncsa.com/ncsavsrv.zip.) which is free, and the
different but related virus study, which costs $95.
http://www.ncsa.com/
------------------------------------------------------------
++ What is NCSA Approval?
----------------------
[NCSA has a certification program for PC virus scanners which offers
a measure of the detection capabilities of specific version numbers.
In the past, NCSA's modus operandi was the subject of much
scepticism within the antivirus community, but the current
procedures are much improved. The text that follows is a very
lightly edited version of mail I received from an analyst at NCSA,
so it's not altogether impartial, but is nevertheless a fair summary
of their activities [but not quite accurate]. By the way, NCSA has a
somewhat similar program for firewalls, too (which is also somewhat
controversial). I'm leaving this in pending an opportunity to
edit it more thoroughly, but I must advise against giving NCSA
certification quite as much weight as some vendors would like.
- DH]
For a list of scanners that have received the "NCSA Approved" rating
of the National Computer Security Association in the U.S.A. see
http://www.ncsa.com/avpdcert.html
The page also explains the certification procedure.
The National Computer Security Association in Carlisle, Pennsylvania,
U.S.A., sponsors an Anti-Virus Product Developers consortium. The NCSA
and consortium members have created standards for anti-virus products
and the NCSA Anti-virus lab in Carlisle tests new versions of scanners
that are submitted to it and issues an "NCSA Approved" seal for those
products which past the test.
++
To pass, a scanner must detect all
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
viruses (more than 400) on the "Wild List" kept by Joe Wells of IBM
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Actually, this isn't the case: detection of all viruses on -both-
parts of the Wild List isn't required for certification, as the
information on NCSA's website makes clear. In fact, it looks as
if the implementation of NCSA certification has somewhat slipped
from its promising inception. I'll be returning to this issue and
other schemes (VSUM, Secure Computing) when time allows. There are
one or two other points in this item which I didn't check because
of their source: checking is now a priority. - DH]
and 90 percent of the viruses in a suite of about 11,000 kept by NCSA
(these represent not only viruses, but variations created by polymorphic
viruses as well.)
++[The exact make-up of that test suite is one of the things I'd like
to check - DH]
For more information about the NCSA or for links to the members of the
AVPD consortium:
http://www.ncsa.com/
NCSA also maintains an Anti-Virus Vendor's Forum on CompuServe (GO NCSA)
with message sections and libraries devoted to anti-virus products and
issues.
NCSA is a provider of security, reliability, and ethics information
and services. NCSA provides information security: training, testing,
research, product certification, underground reconnaissance,
help-desk and consulting services. NCSA delivers information through
publications, conferences, forums, and seminars -- in both traditional
and electronic formats. NCSA also hosts private on-line training and
seminars on CompuServe in addition to public forums and libraries and
which address hundreds of information and communications security
issues. NCSA's InfoSecurity Resource Catalog provides one-stop-shopping
for books, guides, training and tools.
++
[I should observe here that I've received material from NCSA in the
past which advertises a book I would personally avoid recommending
on grounds of ethics -and- accuracy. As there was some fuss about
this, I don't suppose it's in their catalogue any longer, but this
is another point I'd quite like to check. - DH]
NCSA AVPD Members (July, 1996)
Members of the NCSA Anti-Virus Product Developers consortium.
-- Best, S.A., Miami, FL (call 305-470-9051)
-- Cheyenne Software, Roslyn Heights, NY, U.S.A.
-- Command Software Systems Inc, Jupiter, FL, U.S.A.
-- Cybec, New South Wales, Australia
-- EliaShim, Pembroke Pines, FL, U.S.A.
-- IBM, Sterling Forest, NY, U.S.A.
-- INTEL, American Fork, UT, U.S.A.
-- IRIS Software & Computers, River Edge, NJ, U.S.A.
-- Jade Corp Ltd, Shizuoka City, Japan
-- McAfee Associates, Santa Clara, CA, U.S.A.
-- Norman Data Defense Systems Inc, Fairfax, VA, U.S.A.
-- ON Technology, Morrisville, NC, U.S.A.
-- Pioneer Micro Systems, India
-- Quantum Leap Innovations, Briarcliff Manor, NY, U.S.A.
-- Stiller Research Inc., Colorado Springs, CO, U.S.A.
-- S&S International, Burlington, MA, U.S.A.
-- Symantec, Santa Monica, CA, U.S.A.
-- ThunderByte, Massena, NY, U.S.A.
-- Trend Micro Inc, Los Alamitos, CA, U.S.A.
------------------------------------------------------------
+++
What language should I write a virus in?
----------------------------------------
Choose your own squelch:
* ANSI COBOL
* LOGO
* Karel the Robot
* PL/I
* dBase II
* Get a life
* Or my personal favourite (thanks, Bruce!)
"Hey, man; where can I get a copy of
Visual English to write some hot new virii?!?"
If you need to ask this question, you'd be better off collecting
tazos than trying to write viruses.
No, seriously, what language are they written in?
-------------------------------------------------
The simple answer is "Assembler, mostly (on the PC)". High-level
languages such as C and Pascal are sometimes used, as are various
flavours of command shells on various systems (Unix shell scripts,
DCL scripts etc.). Macro viruses are written in macro languages,
surprisingly....... B-)
+++[DRD], Doren Rosenthal, the Universe and Everything
---------------------------------------------------
Doren Rosenthal offers a shareware utilities suite including a
virus simulator. Many of the AV pros in this group have a low
opinion of the Rosenthal utilities, and regard their author as
more of a virus writer than an anti-virus researcher, and are
annoyed by his habit of offering his utilities as a solution
for problems to which their relevance is not always obvious. As
discussions on Rosenthal-related topics sometimes generate
much heat and bandwidth, some people have taken to adding [DRD]
to the subject header when posting to these threads, to make it
easier to avoid them.
++What are CARO and EICAR?
------------------------
CARO - Computer Anti-Virus Researchers Organisation. Invitation-only
group of techie researchers, mostly representing AV vendors. CARO
approves 'standard' names for viruses. Some people tend to mistrust
the fact that CARO members often share virus samples: however, CARO
membership is a convenient yardstick by which other members can
judge whether an individual can be trusted with samples. In general,
users at large benefit: this way, AV vendors with CARO members can
include most known viruses in their definitions databases.
EICAR - European Institute for Computer AntiVirus Research. Membership
comprises academic, commercial, media, governmental organisations etc,
with experts in security, law etc., combining in the pursuit of the
control of the spread of malicious software and computer misuse.
Membership is more open, but members are expected to subscribe to a
code of conduct. And yes, this is the origin of the EICAR test file.
------------------------------------------------------------------
++ "Am I idle?" - Yellow Smiley in Win95 System Tray
-------------------------------------------------
Q. I have a small yellow happy face in the Win 95 system tray next to
the clock? The tooltip for it is "Am I idle?" Is it a virus?
A. No, you have installed Microsoft Internet Explorer 4.0, release
version or one of the Preview versions.
To disable (remove it from your system tray) it, simply follow
these steps:
1. Right-click on the 'The Internet' icon on your Windows 95
desktop, and select the 'Properties' menu option. This will
display the 'Internet Properties' dialogue box.
2. Click on the 'Advanced' tab on the 'Internet Properties' dialogue
box.
3. The last 'Tick Box' in the 'Browsing' section of the displayed
dialogue box should be 'Display idle detection tray icon'.
4. Simply un-tick this by clicking on the text label or the tick box.
5. Click the OK button.
6. Restart the computer, the icon will now not show in the system
tray.
Placeholders
------------
Errrr... gone. I don't have much time to polish the FAQ at present,
and leaving placeholders implied there was a likelihood of my addressing
those issues in the near future. If you have suggestions for further
items, I'd be glad to see them, especially if you care to do the
writing. I can't guarantee a quick response, though.
End of a.c.v. FAQ Part 4 of 4