Each help topic will have a number of highlighted cross references. To get to the cross-referenced topic, select it with a mouse click, or use TAB or Shift+TAB to move to it and then press ENTER. Use the scrollbar or the up/down arrow keys to scroll through the text. PgUp and PgDn move through the text more rapidly.
See also: Index
Index:
If you find a virus...
Boot sector
Boot sector virus
Cold boot
Damage
Distributors
Dropper programs
Failed viruses
File Allocation Table
File virus
FindVirus
Joke programs
Overwriting viruses
Packager programs
Partition sector
Partition virus
Police
Polymorphic virus
Power-off boot
Protecting a company
Protecting a floppy
Protecting a hard disk
Protecting a LAN
Repairing a boot sector virus
Repairing a file virus
Repairing a partition virus
Repairing files on a network
Rules
Sheepdip computer
Stealth viruses
Test programs
Trojan programs
Upgrades
Using
Virus education
Virus Encyclopaedia
VirusGuard
Virus Encyclopaedia:
The Toolkit Manual gives considerable detail on about 300 viruses, including all the ones that users are likely to encounter. However, there are several times as many viruses in existence, and in order to document these the Toolkit uses an electronic format.
For each virus, the Encyclopaedia gives the following information:
How common is it?
How infectious is it?
How much damage does it do?
What is infected, and how much do files grow by?
What memory resident capabilities does it have?
Does it use stealth?
Is it encrypted?
Is it polymorphic?
What other effect does it have?
What other names are used for this virus?
How many variants are there?
Can it be repaired by the Toolkit?
On the right of the dialog there is a list of the viruses. A virus can be selected from the list by clicking on it with the mouse. Keyboard users can move the selection bar using the cursor keys.
Below the virus list there is a search box. As a virus name is entered in the box the Encyclopaedia performs an incremental search through its database. Often it is unnecessary to type the full name before the Encyclopaedia finds the correct entry.
About Viruses:
A virus is a program that copies itself without the knowledge of the computer user. Typically, a virus spreads from one computer to another by adding itself to an existing piece of executable code so that it is executed when its host code is run.
Viruses can be classified by their method of concealment. Some are called stealth viruses because of the way that they hide themselves, or polymorphic because of the way they change themselves to avoid scanners.
The most common classification, however, relates to the sort of executable code which the virus attaches itself to. These are:
Boot Viruses
File Viruses
Partition Viruses
Overwriting Viruses
As well as replicating, a virus may carry a Damage routine.
There is also a set of programs that are related to viruses by virtue of their intentions, appearances, or users' likely reactions:
Droppers
Failed viruses
Packagers
Trojans
Jokes
Test files
Stealth Viruses:
If a stealth virus is in memory, any program attempting to read the file (or sector) containing the virus is fooled into believing that the virus is not there. The virus in memory filters out its own bytes, and only shows the original bytes to the program.
There are three ways to deal with this:
1. Cold boot from a clean DOS floppy, and make sure that nothing on the hard disk is executed. Run any anti-virus software from floppy disk. Unfortunately, although this method is foolproof, relatively few people are willing to do it.
2. Search for known viruses in memory. All the programs in the Toolkit do this when they are run.
3. Use advanced programming techniques to penetrate the fog that the virus throws up. The Toolkit uses "Anti-Stealth Technology" for this.
See also: About Viruses
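The third method above, "penetrating the fog", is usually done by comparing two views of the same file: one through the normal file API (which a resident stealth virus can hook) and one read from the raw medium. The following is an added example that simulates that cross-view check in memory; it is not code from the Toolkit, the "medium" is a dict, and the "virus code" is a labelled marker string rather than anything executable.

```python
"""Cross-view check for a stealth infection (constructed simulation).

A resident stealth virus filters its own bytes out of every read of the
infected file, so a scanner that relies on the normal file API sees a clean
file.  Anti-stealth scanning reads the same object twice, once through the
file API (which the virus may have hooked) and once from the raw medium, and
reports any object where the two views disagree.  Everything here runs in
memory: the "medium" is a dict and the "virus code" is a labelled marker
string, not executable code.
"""

# Constructed sample host image and a constructed marker standing in for
# appended virus code.
HOST_IMAGE = b"MZ" + b"\x90" * 60 + b"HELLO.EXE original code"
APPENDED_MARKER = b"<<constructed-appended-code>>"


class RawMedium:
    """The bytes actually stored on disk, as a raw sector read returns them."""

    def __init__(self, files):
        self.files = dict(files)

    def read(self, name):
        return self.files[name]


class HookedFileApi:
    """The file API as seen while a stealth filter is resident: the filter
    strips the appended bytes so the file appears to have its original
    length and content."""

    def __init__(self, medium, marker):
        self.medium = medium
        self.marker = marker

    def read(self, name):
        data = self.medium.read(name)
        return data[:-len(self.marker)] if data.endswith(self.marker) else data


def cross_view_check(api_view, raw_view, names):
    """Return the names whose two views differ; those need investigation."""
    return [n for n in names if api_view.read(n) != raw_view.read(n)]


def demo():
    medium = RawMedium({"CLEAN.COM": HOST_IMAGE,
                        "HIDDEN.EXE": HOST_IMAGE + APPENDED_MARKER})
    hooked = HookedFileApi(medium, APPENDED_MARKER)
    # Through the hooked API alone both files look identical and clean.
    api_sizes = {n: len(hooked.read(n)) for n in medium.files}
    # The cross view sees through the filter...
    while_resident = cross_view_check(hooked, medium, sorted(medium.files))
    # ...but after a cold boot there is no hook, both views agree, and the
    # appended bytes are visible to an ordinary signature scan instead.
    after_cold_boot = cross_view_check(medium, medium, sorted(medium.files))
    return api_sizes, while_resident, after_cold_boot
```

The last line of `demo` is the point of method 1: once the machine has been cold booted from a clean floppy there is nothing resident to filter the reads, so the cross-view difference disappears and a plain scan from floppy sees the real file contents.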
Polymorphic Viruses:
A polymorphic virus is one that is encrypted, and the decryptor/loader for the rest of the virus is very variable. With a polymorphic virus, two instances of the virus have no sequence of bytes in common. This makes it more difficult for scanners to detect them.
The Toolkit uses "Fuzzy Logic" techniques to detect these viruses.
See also: About Viruses
The Boot Sector and Boot Sector Viruses:
The boot sector is the first sector on a floppy disk. On a hard disk it is the first sector of a partition. It contains information about the disk or partition, such as the number of sectors, plus a small program.
When the PC starts up it attempts to read the boot sector of a disk in drive A:. If this fails because there is no disk, it reads the boot sector of drive C:. A boot sector virus replaces this sector with its own code and moves the original elsewhere on the disk.
Even a non-bootable floppy disk has executable code in its boot sector. This displays the "not bootable" message when the computer attempts to boot from the disk. Therefore, non-bootable floppies can still contain a virus and infect a PC if one is inserted in drive A: when the PC starts up.
See also: Boot Sector Repair, About Viruses
File Viruses:
File viruses append or insert themselves into executable files, typically .COM and .EXE programs.
A direct action file virus infects another executable file on disk when its 'host' executable file is run.
An indirect action (or TSR) file virus installs itself into memory when its 'host' is executed, and infects other files when they are subsequently accessed.
See also: File Repair, About Viruses
The Partition and Partition Viruses:
The partition sector is the first sector on a hard disk. It contains information about the disk such as the number of sectors in each partition, where the DOS partition starts, plus a small program. The partition sector is also called the "Master Boot Record" (MBR).
When a PC starts up it reads the partition sector and executes the code it finds there. Viruses that use the partition sector modify this code.
Since the partition sector is not part of the normal data storage part of a disk, utilities such as DEBUG will not allow access to it.
Floppy disks do not have a partition sector.
See also: Partition Sector Repair, About Viruses
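Both this topic and the boot sector topic describe a 512-byte sector that carries a small program next to some disk description (a BIOS Parameter Block on a floppy, the partition table on a hard disk), and both say that a virus replaces the program while leaving the description alone so the disk keeps working. The following added example (not the Toolkit's code) parses both kinds of sector from constructed sample data and fingerprints only the code area, which is the part a baseline comparison has to watch. The layouts are the standard PC ones, not something the page states, and the partition type value is an assumption.

```python
"""Parse a floppy boot sector and a hard-disk partition sector (MBR) and
check the code each one carries against a known-clean copy.

Layouts are the standard PC ones (not taken from the page):
  boot sector: 3-byte jump, 8-byte OEM name, BIOS Parameter Block at offsets
               11-35, boot code after it, signature 55 AA at offset 510;
  MBR:         446 bytes of bootstrap code, four 16-byte partition entries
               from offset 446, signature 55 AA at offset 510.
Every sector here is a constructed sample and the "code" in it is filler.
"""
import hashlib
import struct

SIGNATURE = b"\x55\xaa"
BPB_FORMAT = "<HBHBHHBHHHII"     # DOS 3.31 BIOS Parameter Block, 25 bytes
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "fat_count", "root_entries", "total_sectors", "media_descriptor",
              "sectors_per_fat", "sectors_per_track", "heads", "hidden_sectors",
              "total_sectors_32")
PART_FORMAT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, count


def _check_sector(sector):
    if len(sector) != 512 or sector[510:] != SIGNATURE:
        raise ValueError("not a 512-byte sector ending in 55 AA")


def build_boot_sector(code):
    """Constructed 1.44 MB FAT12 floppy boot sector carrying the given code."""
    bpb = struct.pack(BPB_FORMAT, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    body = b"\xeb\x3c\x90" + b"SAMPLEOS" + bpb + code
    return body.ljust(510, b"\x00") + SIGNATURE


def parse_boot_sector(sector):
    _check_sector(sector)
    fields = dict(zip(BPB_FIELDS, struct.unpack(BPB_FORMAT, sector[11:36])))
    fields["oem_name"] = sector[3:11].decode("ascii", "replace").rstrip()
    # Real disks may carry an extended BPB (serial number, label) before the
    # code; a fingerprint used in earnest would start after it.
    fields["code"] = sector[36:510]
    return fields


def build_mbr(bootstrap, partitions):
    """Constructed MBR; partitions is a list of (bootable, type, lba_start, count)."""
    if len(bootstrap) > 446 or len(partitions) > 4:
        raise ValueError("bootstrap code or partition list too long")
    table = b"".join(
        struct.pack(PART_FORMAT, 0x80 if bootable else 0, b"\xff\xff\xff",
                    ptype, b"\xff\xff\xff", lba, count)
        for bootable, ptype, lba, count in partitions)
    return bootstrap.ljust(446, b"\x00") + table.ljust(64, b"\x00") + SIGNATURE


def parse_mbr(sector):
    _check_sector(sector)
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_FORMAT, sector[off:off + 16])
        if ptype:                                # type 0 means an empty slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {"bootstrap": sector[:446], "partitions": partitions}


def code_fingerprint(sector, kind):
    """SHA-256 of the executable part of the sector: what a boot sector or
    partition virus replaces, while the BPB or partition table is left
    intact so the disk keeps working and nothing looks wrong."""
    code = parse_mbr(sector)["bootstrap"] if kind == "mbr" else parse_boot_sector(sector)["code"]
    return hashlib.sha256(code).hexdigest()


def demo():
    table = [(True, 0x06, 63, 2880 * 10)]    # one bootable DOS (FAT16, type 06) partition
    clean = build_mbr(b"\xfa\x33\xc0" + b"constructed clean bootstrap".ljust(60, b"\x90"), table)
    baseline = code_fingerprint(clean, "mbr")
    # Constructed "infected" sector: identical partition table, different code.
    modified = build_mbr(b"\x90" * 8 + b"constructed replacement code", table)
    # Constructed stand-in for the routine that prints "Non-System disk":
    # even a non-bootable floppy carries code in its boot sector.
    floppy = build_boot_sector(b"\xb4\x0e" + b"Non-System disk or disk error" + b"\xcd\x19")
    return {
        "table_intact": parse_mbr(modified)["partitions"] == parse_mbr(clean)["partitions"],
        "lba_start": parse_mbr(modified)["partitions"][0]["lba_start"],
        "code_changed": code_fingerprint(modified, "mbr") != baseline,
        "floppy_total_sectors": parse_boot_sector(floppy)["total_sectors"],
        "floppy_oem": parse_boot_sector(floppy)["oem_name"],
        "floppy_has_code": any(parse_boot_sector(floppy)["code"]),
    }
```

`demo` shows the two facts the page relies on: the partition table of the modified sector parses identically to the clean one (so the disk still boots and nothing looks wrong to DOS), yet the code fingerprint differs; and a floppy that was never made bootable still has a non-empty code area.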
Overwriting Viruses:
Overwriting viruses overwrite all or part of the original program - as a result, the original program doesn't run. Overwriting viruses are not, therefore, a real problem - they are extremely obvious, and so cannot spread effectively.
See also: About Viruses
Damage:
Damage is defined as something that you would prefer not to have happened. It is measured by the amount of time it takes to reverse the damage.
Trivial damage happens when all you have to do is get rid of the virus. There may be some audio or visual effect; often there is no effect at all.
Minor damage occurs when you have to replace some or all of your executable files from clean backups, or by re-installing. Remember to run FindVirus again afterwards.
Moderate damage is done when a virus trashes the hard disk, scrambles the FAT, or low level formats the drive. This is recoverable from your last backup. If you take backups every day you lose, on average, half a day's work.
Major damage is done by a virus that gradually corrupts data files, so that you are unaware of what is happening. When you discover the problem, these corrupted files are also backed up, and you might have to restore a very old backup to get valid data.
Severe damage is done by a virus that gradually corrupts data files, but you cannot see the corruption (there is no simple way of knowing whether the data is good or bad). And, of course, your backups have the same problem.
Unlimited damage is done by a virus that gives a third party access to your network, by stealing the supervisor password. The damage is then done by the third party, who has control of the network.
See also: Virus Encyclopaedia and About Viruses
File Allocation Table:
The FAT is the area on the disk that contains the information about what part of the disk belongs to which file. If the FAT is zeroed or corrupted, then the hard disk is like the pages of a book without any binding, in a random order, and with no page numbers.
A number of viruses zero, overwrite, or (much worse) make small changes to the FAT.
See also: Damage
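The difference between "zero" and "make small changes" is worth seeing on a real table layout. The following added example (not the Toolkit's code) packs a constructed FAT12 table, follows a file's cluster chain, and then shows that zeroing the table breaks every chain at once while changing a single entry leaves both files apparently intact but quietly sharing clusters, which is the cross-linking that CHKDSK reports. The 12-bit packing is the standard FAT12 layout; the table contents are constructed.

```python
"""FAT12 cluster chains, and what 'a small change' to the FAT does.

Each FAT entry holds the number of the next cluster of the same file, or an
end-of-chain mark, so a file is recovered by following entries from its
first cluster.  The 12-bit packing below is the standard FAT12 layout; the
table contents are constructed.  Zeroing the table loses every chain at once
(obvious damage); changing one entry quietly joins two files' chains, the
cross-linked clusters that CHKDSK reports.
"""

END_OF_CHAIN = 0xFFF   # any value >= 0xFF8 ends a chain
BAD_CLUSTER = 0xFF7
FREE = 0x000


def pack_fat12(entries):
    """Pack 12-bit entries, two per three bytes, into a FAT12 table."""
    if len(entries) % 2:
        entries = entries + [FREE]
    table = bytearray()
    for i in range(0, len(entries), 2):
        a, b = entries[i] & 0xFFF, entries[i + 1] & 0xFFF
        table += bytes([a & 0xFF, (a >> 8) | ((b & 0x0F) << 4), b >> 4])
    return table


def get_entry(fat, n):
    off = n + n // 2
    if n % 2 == 0:
        return fat[off] | ((fat[off + 1] & 0x0F) << 8)
    return (fat[off] >> 4) | (fat[off + 1] << 4)


def set_entry(fat, n, value):
    off, value = n + n // 2, value & 0xFFF
    if n % 2 == 0:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | (value >> 8)
    else:
        fat[off] = (fat[off] & 0x0F) | ((value & 0x0F) << 4)
        fat[off + 1] = value >> 4


def follow_chain(fat, start, limit=4096):
    """Return (clusters, status); status is 'ok', 'broken', 'loop' or 'too long'."""
    chain, seen, cur = [], set(), start
    while cur not in seen and len(chain) < limit:
        seen.add(cur)
        chain.append(cur)
        nxt = get_entry(fat, cur)
        if nxt >= 0xFF8:
            return chain, "ok"
        if nxt < 2 or nxt == BAD_CLUSTER:   # free or bad cluster mid-chain
            return chain, "broken"
        cur = nxt
    return chain, "loop" if cur in seen else "too long"


def cross_linked_clusters(fat, first_clusters):
    """Clusters claimed by more than one file's chain (what CHKDSK reports)."""
    owners = {}
    for name, start in first_clusters.items():
        for cluster in follow_chain(fat, start)[0]:
            owners.setdefault(cluster, set()).add(name)
    return {c for c, names in owners.items() if len(names) > 1}


def demo():
    # Constructed table: clusters 0 and 1 are reserved; FILE_A uses 2,3,4
    # and FILE_B uses 5,6; the rest is free.
    fat = pack_fat12([0xFF0, 0xFFF, 3, 4, END_OF_CHAIN, 6, END_OF_CHAIN, FREE, FREE, FREE])
    files = {"FILE_A": 2, "FILE_B": 5}
    before = {n: follow_chain(fat, s) for n, s in files.items()}
    # The 'much worse' case: one entry altered, so FILE_A's chain runs on
    # into FILE_B's data and both files still read without any error.
    damaged = bytearray(fat)
    set_entry(damaged, 3, 6)
    after = {n: follow_chain(damaged, s) for n, s in files.items()}
    # The obvious case: the whole table zeroed, every chain ends immediately.
    zeroed = bytearray(len(fat))
    return {"before": before, "after": after,
            "cross_linked": cross_linked_clusters(damaged, files),
            "zeroed": follow_chain(zeroed, 2)}
```

Nothing in the "after" result looks wrong on its own (both chains end at a valid end-of-chain mark), which is why the page rates the small change as worse than the zeroed table: the corruption is only visible when the chains are compared with each other, and by then the corrupted files may already have been backed up.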
Droppers:
Droppers are programs that have been written to perform some apparently useful job but, while doing so, write a virus out to the disk. In some cases, all that they do is install the virus (or viruses).
A typical example is a utility that formats a floppy disk, complete with Stoned virus installed on the boot sector.
See also: About Viruses
Failed Viruses:
Sometimes a file is found that contains a 'failed virus'. This is the result of either a corrupted 'real' virus or simply a result of bad programming on the part of an aspiring virus writer. The virus does not work - it hangs when run, or fails to infect.
Many viruses have severe bugs that prevent their design goals - some will not reproduce successfully or will fail to perform their intended final actions (such as corrupting the hard disk).
Many virus authors are very poor programmers.
See also: About Viruses
Packagers:
Packagers are programs that in some way wrap something around the original program. This could be as an anti-virus precaution, or for file compression. Packagers can mask the existence of a virus inside.
See also: About Viruses
Trojans and Jokes:
A Trojan is a program that deliberately does unpleasant things, as well as (or instead of) its declared function. They are not capable of spreading themselves and rely on users copying them.
A Joke is a harmless program that does amusing things, perhaps unexpectedly. We include the detection of a few jokes in the Toolkit, where people have found particular jokes that give concern or offence.
See also: About Viruses
Test files:
Test files, in the context of viruses, are used to test and demonstrate anti-virus software such as FindVirus and VirusGuard. They are not viruses - simply small files that are recognised by the software and cause it to simulate what would happen if it had found a virus. This allows users to see what happens when it is triggered, without needing a live virus.
A test file for FindVirus and VirusGuard can be made by creating a small text file, at least 50 characters long, which has the following sequence of characters at the very beginning:
ZQZXJVBVT
FindVirus will exit with an errorlevel of 2 when it finds this file, and VirusGuard will pop up if an attempt is made to run this file. Note that the test file should have an executable extension (.COM or .EXE) for this to work correctly.
See also: About Viruses
If you find a virus...
1. Don't panic.
2. Don't be in a hurry.
3. Work systematically. Don't rush.
4. Inform your company, via the usual chain of reporting.
The company should then arrange to:
1. If appropriate, inform the Police Computer Crime Department.
2. Check all the surrounding computers.
3. Check all floppy diskettes that could have become infected.
4. Call S&S, or the local distributor, for technical support, if needed.
5. Review anti-virus policy to try and prevent a recurrence.
See also: Partition Sector Repair, Boot Sector Repair, File Repair, How to Clean a Network, If you find a new virus...
Boot Sector Repair:
Many viruses place part of their code in a location on a floppy or hard disk called the boot sector. The code in this location is some of the first executed when your PC starts up. Infecting this area allows a virus to install itself in memory before DOS has loaded. Boot sector repair works by replacing this code with a clean copy.
How to Remove a Boot Virus from a Hard Disk:
1. Cold boot from a clean DOS diskette.
2. Type: SYS C: at the DOS prompt. (if C is infected)
The clean DOS diskette should be the same version of DOS that is on the hard disk. To find out which version is running, type: VER at the DOS prompt.
How to Remove a Boot Virus from a Floppy:
1. Cold boot from a clean DOS diskette.
2. Type: CLEANBOO at the DOS prompt
3. Choose the drive letter and capacity of diskette.
4. Feed your infected diskettes in one at a time.
5. Follow the instructions.
To clean diskettes of a different size or capacity, run CLEANBOO again. If a diskette appears to have no files on it, or the directory appears to be garbage, then it has been cleaned with the wrong capacity. Run CLEANBOO again with the correct capacity and the files will reappear.
See also: If you find a virus...
File Repair:
In the majority of cases FindVirus can reverse the damage to executable files caused by a virus infection. FindVirus removes the virus code from each infected file and restores the file to its original state. The virus code is then overwritten with zeroes to ensure that it is completely removed.
Where a virus has caused irreparable damage, FindVirus gives you the option to rename the file (so that it cannot be run accidentally), or delete the file. The file is overwritten with zeroes before it is deleted to ensure that it cannot be Undeleted.
How to Remove a File Virus:
1. Cold boot from a clean DOS diskette.
2. Type: FINDVIRU /REPAIR at the DOS prompt.
3. Select the drive letter of the disk containing infected files.
Any files that FindVirus cannot repair will be renamed from .COM to .VOM, and from .EXE to .VXE, so that they cannot accidentally be run. Alternatively, FindVirus can delete such files if the /DELETE option is specified.
See also: If you find a virus...
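The test-file rule in the "Test files" topic (at least 50 characters, a .COM or .EXE extension, the characters ZQZXJVBVT at the very beginning, errorlevel 2 on detection) and the two fallbacks in this topic (rename .COM to .VOM and .EXE to .VXE, or zero the file before deleting it) together describe a small scanner precisely enough to write one. The following is an added example, not FindVirus itself, that implements exactly those rules on constructed sample files in a temporary directory; `scan_directory`, `quarantine_name` and `zero_and_delete` are names chosen here.

```python
"""A miniature FindVirus-style scanner built around the test-file rule the
page gives (a file of at least 50 characters, with a .COM or .EXE extension,
beginning with ZQZXJVBVT) and the two fallbacks it describes for files that
cannot be repaired: rename .COM to .VOM and .EXE to .VXE, or overwrite with
zeroes and delete.  The exit code 2 on detection mirrors the errorlevel the
page quotes.  Sample files are created in a temporary directory.
"""
import os
import tempfile
from pathlib import Path

TEST_MARKER = b"ZQZXJVBVT"
MIN_TEST_FILE_LENGTH = 50
EXECUTABLE_EXTENSIONS = {".COM", ".EXE"}
RENAME_MAP = {".COM": ".VOM", ".EXE": ".VXE"}
ERRORLEVEL_CLEAN, ERRORLEVEL_FOUND = 0, 2


def is_test_file(name, data):
    """True when name and content satisfy all three conditions from the page."""
    return (Path(name).suffix.upper() in EXECUTABLE_EXTENSIONS
            and len(data) >= MIN_TEST_FILE_LENGTH
            and data.startswith(TEST_MARKER))


def quarantine_name(name):
    """FOO.COM -> FOO.VOM, FOO.EXE -> FOO.VXE: DOS will not run the result."""
    ext = Path(name).suffix.upper()
    if ext not in RENAME_MAP:
        raise ValueError(f"{name}: not an executable extension")
    return str(Path(name).with_suffix(RENAME_MAP[ext]))


def zero_and_delete(path):
    """Overwrite the file with zeroes, then unlink it, so an undelete tool
    recovers only zeroes.  (Holds for a plain FAT disk; journalling or
    copy-on-write filesystems may keep the old blocks elsewhere.)"""
    size = path.stat().st_size
    with open(path, "r+b") as f:
        f.write(b"\x00" * size)
        f.flush()
        os.fsync(f.fileno())
    path.unlink()
    return size


def scan_directory(directory, action="rename"):
    """action is 'report', 'rename' or 'delete'. Returns (errorlevel, findings)."""
    findings = []
    for path in sorted(p for p in Path(directory).iterdir() if p.is_file()):
        if not is_test_file(path.name, path.read_bytes()):
            continue
        if action == "rename":
            target = path.with_name(quarantine_name(path.name))
            path.rename(target)
            findings.append((path.name, "renamed", target.name))
        elif action == "delete":
            zero_and_delete(path)
            findings.append((path.name, "deleted", None))
        else:
            findings.append((path.name, "found", None))
    return (ERRORLEVEL_FOUND if findings else ERRORLEVEL_CLEAN), findings


def run_demo(action="rename"):
    """Build constructed sample files, scan them, and return what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        body = TEST_MARKER + b" constructed test file ".ljust(41, b"x")   # 50 bytes
        (d / "TESTFILE.COM").write_bytes(body)      # matches all three conditions
        (d / "README.TXT").write_bytes(body)        # right content, wrong extension
        (d / "SHORT.EXE").write_bytes(TEST_MARKER)  # marker alone: under 50 bytes
        (d / "CLEAN.EXE").write_bytes(b"MZ" + b"\x00" * 60)
        errorlevel, findings = scan_directory(d, action)
        remaining = sorted(p.name for p in d.iterdir())
    return errorlevel, findings, remaining
```

The three decoy files in `run_demo` are there to show that all three conditions are enforced, so a text file or a too-short file does not trigger the alarm. The zeroing step matters because a DOS delete only marks the directory entry and frees the clusters; without the overwrite, the viral bytes stay on disk for an undelete tool to bring back.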
Partition Sector Repair:
Viruses can place part of their code in a location on a hard disk called the partition sector (also known as the master boot sector). The code in this location is some of the first executed when your PC starts up. Infecting this area allows a virus to install itself in memory before DOS has loaded.
Partition Repair removes the virus code from a partition sector by replacing it with clean code. Some viruses actually move the old partition sector elsewhere on the disk when they replace it with their own code. CLEANPART can search for this old partition and replace it. Before it does this, however, it makes a backup of the old partition sector on a blank floppy disk.
How to Remove a Partition Virus:
1. Prepare a blank formatted floppy disk.
2. Cold boot from a clean DOS diskette.
3. Type: CLEANPAR at the DOS prompt.
4. Follow the instructions.
See also: If you find a virus...
How to Clean a Network:
Cleaning a network can only be done by someone who has access to all the files on the network.
1. Remove viruses from the local disks.
2. Run VirusGuard from the hard disk.
3. Log in to the network.
Try to avoid running any LOGIN script.
4. Clean the network, by typing
FINDVIRU /ALLDRIVES /REPAIR
5. Use FindVirus to check that the network is clean
Step 2 means that VirusGuard will prevent any infected files on the server from being executed by any login script.
See also: If you find a virus...
If you find a new virus...
If you have .COM or .EXE files that are growing in size, send a sample of the files to your distributor, with a letter explaining the situation.
If you have some symptoms that you think are a virus, then:
1. Format a floppy disk in the infected computer.
2. Copy any infected files to that floppy.
3. Copy your FORMAT and CHKDSK programs too.
If you include a letter explaining any symptoms you have encountered, we can often tell you what the problem is, even if it is not a virus. We cannot reply if we receive an anonymous diskette with no return address. If possible, include a fax and phone number as well as an address.
See also: If you find a virus...
How to do a Cold (Power-off) Boot:
1. Switch off the computer.
2. Wait for 10 seconds for the power supply to reset.
3. Put a known clean DOS diskette in drive A.
4. Switch the computer back on again.
Make sure that nothing on the diskette runs any software on the hard disk. For example, there might be the command "C:\KEYB ..." in the AUTOEXEC.BAT.
If you do a warm boot, using Ctrl+Alt+Del, that might not reboot the computer. Joshi virus, for example, fakes a reboot if you do a Ctrl+Alt+Del.
Some computers have a reset button which appears to do a cold boot, and some programs can also do a cold boot. However, what really happens when these features are used depends on how the manufacturer implemented them. A power-off boot always clears memory.
See also: If you find a virus...
Sheepdip:
A sheepdip is a computer used for checking incoming diskettes for viruses. This could be a dedicated machine used for nothing else, or it could simply be one of a few designated machines that are also used for other purposes.
Near to the sheepdip (perhaps pinned to the wall) there should be an explanation of the procedures to be followed in using it.
How to protect a floppy disk:
If you want to protect a clean floppy disk against viruses, use the write protect facility. If a diskette is write protected, it cannot be written to by any software, including a virus. The write protection is done by hardware and so cannot be overridden by software. In order to write to a write protected floppy diskette, a special diskette drive is required.
On a 5¼" diskette, cover the slot on the side with an opaque tab (these are provided with each box of diskettes). Do not use transparent tape, as many disk drives cannot detect it.
In the case of a 3½" diskette, there is a slider in one of the corners of the diskette. Move that slider so that the hole is open.
How to protect a hard disk:
It is possible to write protect a hard disk, either in software or in hardware. However, write protecting a hard disk generally limits its usefulness too much for most applications. The alternative is to use software to actively detect virus activity.
FindVirus finds known viruses and can be run whenever the computer is started up by placing it in the AUTOEXEC.BAT file. However, FindVirus needs upgrading regularly. On a single computer this is not a problem, but if there are many computers to protect, ViVerify should be considered as an alternative.
ViVerify finds changes in files, partitions and boot sectors. A virus must make a change in some executable code in order to replicate, and it is this change which is detected. ViVerify never needs upgrading although, if new software is added to a machine, ViVerify must be informed so that it can be included in its check. Note: ViVerify detects all changes, not just those due to viruses, so any change should be investigated before assuming the worst.
Memory resident versions of FindVirus and ViVerify are provided in the Toolkit. These are VirusGuard and Certify respectively.
The choice of protection depends largely on your particular situation and personal taste. In practice, we find that most people use VirusGuard.
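The ViVerify approach above (record what every executable looks like, report any change, and be told about new software so it can be included) is an integrity baseline. The following added example, which is not ViVerify and whose use of SHA-256 is an assumption since the page does not say how ViVerify records a file, builds such a baseline over constructed sample files, shows a grown executable and an unannounced new program being reported, and shows the administrator accepting the new program so that only the suspicious change remains flagged.

```python
"""Change detection in the style the page attributes to ViVerify: record a
baseline of every executable's hash, then report anything added, removed or
changed.  New or legitimately updated programs are "informed" to the checker
by accepting them into the baseline; every other change is reported for
investigation.  Example code, not ViVerify itself: SHA-256 is an assumption
(the page does not say how ViVerify records a file), and the sample files
are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

EXECUTABLE_EXTENSIONS = {".COM", ".EXE"}


def fingerprint(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def build_baseline(root):
    """Map each executable under root to its fingerprint."""
    return {p.name: fingerprint(p) for p in sorted(Path(root).iterdir())
            if p.is_file() and p.suffix.upper() in EXECUTABLE_EXTENSIONS}


def save_baseline(baseline, store):
    Path(store).write_text(json.dumps(baseline, sort_keys=True))


def load_baseline(store):
    return json.loads(Path(store).read_text())


def verify(root, baseline):
    """Compare the directory with the baseline; any entry here needs a look."""
    current = build_baseline(root)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(n for n in current.keys() & baseline.keys()
                              if current[n] != baseline[n])}


def accept(baseline, root, names):
    """Tell the checker about software that was legitimately installed or updated."""
    for name in names:
        baseline[name] = fingerprint(Path(root) / name)
    return baseline


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        store = root / "BASELINE.JSON"      # not an executable, so never itself checked
        (root / "EDIT.COM").write_bytes(b"\xb8\x00\x4c\xcd\x21")      # constructed
        (root / "GAME.EXE").write_bytes(b"MZ" + b"\x00" * 30)          # constructed
        save_baseline(build_baseline(root), store)
        first = verify(root, load_baseline(store))       # nothing has changed yet
        # A file grows, as it would with an appending file virus, and a new
        # program appears that the checker has not been told about.
        with open(root / "GAME.EXE", "ab") as f:
            f.write(b"<<constructed appended code>>")
        (root / "NEW.EXE").write_bytes(b"MZ constructed new program")
        second = verify(root, load_baseline(store))
        # The administrator accepts NEW.EXE; GAME.EXE stays flagged.
        save_baseline(accept(load_baseline(store), root, ["NEW.EXE"]), store)
        third = verify(root, load_baseline(store))
    return first, second, third
```

Two points from elsewhere on the page apply directly to where the baseline file lives and when the check runs: keep the baseline on a write-protected diskette (see "How to protect a floppy disk"), since a baseline a virus can rewrite proves nothing, and run the check after a cold boot, since a resident stealth virus would otherwise hand the checker the original bytes.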
How to protect a LAN:
Protecting a LAN is a complex task. Not only must the LAN itself be protected but also the individual workstations. The following points should be noted:
1. A boot sector virus cannot get on to a file server, since boot sector viruses do not work that way.
2. To prevent file viruses from infecting the LAN, make all the executables READONLY, using the network privileges.
3. The important part of the LAN is the data. To protect data from interference, viruses must be kept off the workstations. If the user has write access to the data, so does any virus running on their machine. For details on protecting workstations, see How to protect a hard disk.
4. Once per day, scan the file servers for known viruses by logging in and running FindVirus. ViVerify can be used to protect the LAN from new viruses by running it at the same time.
A convenient time to perform these tasks would be when the daily backup is made. Virus checking can be made part of the backup procedure under DOS (by including it in a batch file) or under Windows.
How to protect a Company:
You must protect the local disks and the LAN, but the key to a successful anti-virus policy is getting the users to do the right things.
A Corporate Virus Protection Policy requires:
Rules: What must be done
Procedures: How to do it
Education: Why it must be done
Tools: What to do it with
Rules:
Corporate users should learn one Golden Rule:
WHEN THE ANTI-VIRUS PROGRAM SAYS YOU HAVE A VIRUS, CALL PC SUPPORT.
The other important rules are:
1. All incoming diskettes must be checked for viruses.
2. Only authorised software must be run.
"Authorised" might mean that software is acquired through approved channels, or that it is installed by PC Support. However, it must be clearly defined.
To enable users to obey these rules there must be well defined procedures for carrying out the tasks described above.
See also: Protecting a Company
Procedures:
Give company users a set of procedures to follow.
For example, there will be procedures for checking all incoming floppy disks, using a sheepdip computer. These should describe how to check incoming floppies with the anti-virus software and what to do if a virus is found.
There must also be procedures for users to obtain new software, in a controlled way, so that new software can be authorised.
See also: Protecting a Company
Education:
Viruses are not important to most users - getting their job done is the main priority. Education is required to raise virus awareness from zero to an appropriate level. If people understand the damage which viruses can cause, they are more likely to take notice of the Corporate Virus Protection Policy.
See also: Protecting a Company
Tools:
Company users should be provided with the means for carrying out the necessary procedures.
One set of anti-virus tools amongst a thousand users is not sufficient. Users will find it awkward and time consuming to track down the tools to carry out the anti-virus procedures. In any case, if the problem only warrants a single set of tools, users will not perceive it as a significant threat to the company.
A company should always maintain an adequate supply of up-to-date tools.
See also: Protecting a Company
Upgrades:
Upgrades for the virus-specific parts of the Toolkit are available quarterly or monthly (or more often, if necessary), to keep up with the appearance of new viruses.
If a filled-in registration card is returned, the upgrades should arrive automatically. If this does not happen, contact the appropriate Distributor.
Upgrades of the drivers are also available for download from the S&S Bulletin Board.
In an emergency, it is also possible to get a field-upgrade by fax. Contact your local distributor if you have a problem with a particular virus that your Toolkit version doesn't cover.
See also: FindVirus, VirusGuard and Tools
Memory Resident (TSR) Anti-virus Programs:
These programs can be installed in memory when the computer starts up, to provide virus protection for the whole time the computer is in operation. However, these programs do take up memory space and can slow down some operations as they perform their functions. There are three kinds of memory resident programs which can be used for dealing with viruses:
The first kind is a memory-resident version of FindVirus which can stop code infected with known viruses from being run, or even copied. In the Toolkit, VirusGuard does this, requiring about 5 kb of memory.
The second kind is a memory resident version of ViVerify, which checks for changes to code which may be caused by a virus. That is what Certify does.
The third kind is a behaviour blocker, which prevents or signals any activity which is suspicious. The problem with this approach is that it is extremely difficult to create a blocker which does not give numerous false alarms. After all, a virus is just a program, so anything a virus can do, can be done by a perfectly legitimate program. Therefore, the Toolkit does not include a behaviour blocker.
FindVirus:
FindVirus is used to check for known viruses. It can be used to check incoming files and diskettes on a sheepdip computer and is also used as part of a clean-up operation to repair files.
FindVirus knows how to find existing viruses and, if upgraded regularly, it can be used for routinely scanning the hard disk. It is extremely fast, and so suitable for being used every day.
VirusGuard is a TSR version of FindVirus which scans files for viruses as they are executed. A Test file can be prepared to simulate the effect of a virus on the programs.
VirusGuard:
This is the program that many people run all the time. If a diskette infected with a Boot sector virus is inserted into any drive, then VirusGuard will pop up with an alarm. If an attempt is made to copy or run an infected file, VirusGuard will prevent it, and pop up an alarm.
The alarm message that VirusGuard displays can be customised, and speed can be improved by using EMS or XMS, if expanded or extended memory is available. It can also be loaded high. For more details on installing VirusGuard and its options, please see the manual.
VirusGuard cannot be unloaded or switched off by the user, since if the user can disable it, so can a virus.
See also: Memory Resident (TSR) Anti-virus Programs
Computer Crime:
Deliberately writing and deliberately spreading a virus is a crime in many countries. In some, there are specific computer crime laws - in others, it is classified as criminal damage.
In many of these countries, the police are actively seeking to prosecute the criminals who write and distribute viruses.
You can help with this effort. All you have to do is report the crime to the appropriate authority. As each virus author is arrested, all the outbreaks of his virus can be added to the prosecution.
Of course, if no-one complains about his virus, then as far as the law is concerned, he has done no damage, and will suffer no penalty. That is why it is important that you make a formal complaint to the police.
It is probably a good idea to inform the police department that deals with such things, rather than the local police station. Below is a list of the police officers in various countries that we have found to be seriously interested in a virus author prosecution. If you find more keen police officers, please let us know their name and phone number.
Belgium: Officer De Coch, Tel: 025 087 289
Canada: Officer Neily, Tel: 613 991 6706
Denmark: Officer Groenning, Tel: 033 141 448
Holland: Officer Weerd, Tel: 070 310 2477 or 070 310 2506
Malta: Officer Mifsud, Tel: 235 764
Scotland: Officer Lyons, Tel: 031 311 3178
Rest of UK: Officer Bonczoszek, Tel: 071 230 1176
See also: If you find a virus...
Distributors:
The Toolkit is available from a number of sources. If your country does not appear on this list, please contact S&S International in the UK.
Argentina, Australia, Austria, Bahrain, Belgium, Brazil, Brunei, Bulgaria, Canada, Chile, Colombia, Czechoslovakia, Denmark, Finland, France, Germany, Ghana, Hong Kong, Hungary, India, Indonesia, Iran, Ireland, Italy, Ivory Coast, Kenya, Korea, Kuwait, Luxembourg, Madagascar, Malaysia, Malta, Mauritius, Mexico, Netherlands, New Zealand, Nigeria, Norway, Oman, Pakistan, Philippines, Poland, Portugal, Qatar, Reunion, Saudi Arabia, Singapore, South Africa, Spain, Sweden, Switzerland, Taiwan, Thailand, United Kingdom, United States, Venezuela, Zimbabwe.
If you have any problems contacting your local distributor, call S&S International on +44 442 877877, or fax us on +44 442 877882.
See also: Upgrades
Distribution in: Argentina & Colombia
Economic Data sl
Ponzano, 39-3o
28003 Madrid
Spain
Tel: +34 1 442 2800
Fax: +34 1 442 2294
Distribution in: Australia & New Zealand
Loadplan Australasia Pty Ltd
215 Moray Street
South Melbourne
Victoria 3205
Australia
Tel: +61 3 690 0455
Fax: +61 3 690 7349
Distribution in: Germany & Austria
Markt & Technik Software Partners International GmbH
Hans-Pinsel Straße
8013 Haar
Germany
Tel: +49 89 46 09 00 92
Fax: +49 89 46 09 00 98
Distribution in: Bahrain, Kuwait, Oman, Qatar, Saudi Arabia & UAE
LBI International, Inc.
No 2 Torri Katur
Lourdes Lane
St Georges
St Julians
Malta
Tel: +356 344257
Fax: +356 340761
Distribution in: Belgium, Luxembourg & Netherlands
Data Alert International
Postbus 64850
2506-CG's-Gravenhage
The Netherlands
Tel: +31 70 323 0021
Fax: +31 70 323 7891
Distribution in: Brazil
PC Software e Consultoria Ltda
Av. Almte. Barroso 91/415
20031 Rio de Janeiro RJ
Brazil
Tel: +55 21 220 5371
Fax: +55 21 240 5819
Distribution in: South East Asia, Korea
(Brunei, Hong Kong, Indonesia, Malaysia, Philippines, Singapore, Taiwan & Thailand)