Search the FAQ Archives

3 - A - B - C - D - E - F - G - H - I - J - K - L - M
N - O - P - Q - R - S - T - U - V - W - X - Y - Z
faqs.org - Internet FAQ Archives

[alt.comp.virus] FAQ Part 2/4

( Part1 - Part2 - Part3 - Part4 )
[ Usenet FAQs | Web FAQs | Documents | RFC Index | Forum ]
Archive-name: computer-virus/alt-faq/part2
Posting-Frequency: Fortnightly
URL: http://www.sherpasoft.org.uk/acvFAQ/
Maintainer: Co-maintained by David Harley, Bruce Burrell, and George Wenzel

See reader questions & answers on this topic! - Help others by sharing your knowledge
-----BEGIN PGP SIGNED MESSAGE-----

               alt.comp.virus (Frequently Asked Questions)
               *******************************************

                       Version 1.1 : Part 2 of 4
                      Last modified 19th August 1999


                    ("`-''-/").___..--''"`-._
                     `6_ 6  )   `-.  (     ).`-.__.`)
                     (_Y_.)'  ._   )  `._ `. ``-..-'
                   _..`--'_..-_/  /--'_.' ,'
                  (il),-''  (li),'  ((!.-'



ADMINISTRIVIA
=============

Disclaimer
- - ----------

This document is an honest attempt to help individuals with computer
virus-related problems and queries. It can *not* be regarded as being
in any sense authoritative, and has no legal standing. The authors
accept no responsibility for errors or omissions, or for any ill effects 
resulting from the use of any information contained in this document.

NB It is not claimed that this document is up-to-date in all respects.

Not all the views expressed in this document are those of the maintainers,
and those views which *are* those of the maintainers are not necessarily 
shared by their respective employers.

Copyright Notice
- - ----------------

Copyright on all contributions to this FAQ remains with the authors
and all rights are reserved. It may, however, be freely distributed
and quoted - accurately, and with due credit. B-)

It may not be reproduced for profit or distributed in part or as
a whole with any product or service for which a charge is made, except 
with the prior permission of the copyright holders. To obtain such 
permission, please contact one of the co-maintainers of the FAQ.

	 David Harley  <D.Harley@icrf.icnet.uk>
        George Wenzel <gwenzel@telusplanet.net>
        Bruce Burrell <bpb@umich.edu>

[Please check out the more detailed copyright notice at the beginning
of Part 1 of the FAQ]

- - --------------------------------------------------------------------

TABLE OF CONTENTS
=================

See Part 1 of this FAQ for the full Table of Contents

  Part 2
  ------

  (8)     What's the best anti-virus software
                      (and where do I get it)?
  (9)     Where can I get further information?
  (10)    Does anyone know about
            * Mac viruses?
            * UNIX viruses?
            * macro viruses?
            * the AOLGold virus?
            * the PKZip300 trojan virus?
            * the xyz PC virus?
            * the Psychic Neon Buddha Jesus virus?
            * the blem wit virus
		* the Irina virus
		* Ghost
		* General Info on Hoaxes/Erroneous Alerts
  (11)    Is it true that...?
  (12)    Favourite myths
            * DOS file attributes protect executable files from
              infection
            * I'm safe from viruses because I don't use bulletin
              boards/shareware/Public Domain software
            * FDISK /MBR fixes boot sector viruses
            * Write-protecting suspect floppies stops infection
            * The write-protect tab always stops a disk write
            * I can infect my system by running DIR on an infected
              disk
=================

(8)     What's the best anti-virus software
        (and where do I get it)?

In case it's not absolutely clear from the following, it simply isn't
possible to answer the first part of this question.  There are, however,
some suggestions for sources of software and of information on particular
packages, comparative reviews etc.  The danger of this approach is that
sites, servers, and packages come and go, and it isn't possible to 
keep track of all of them.  If URL's in this section have changed, 
please inform the maintainers so that they may be updated.

Most of the people who post here have their favourites: if you just
ask which is the best, you'll generally get either a subjective
"I like such and such", recommendation of a particular product by
someone who works for that company, or a request to be more specific
about your needs. Some of us who are heavily involved with virus
control favour using more than one package and keeping track of the
market. Don't trust anything you read in the non-technical press.
Don't accept uncritically reviews in the computing press, either:
even highly-regarded IT specialists often have little understanding
of virus issues, and many journalists are specialists only in
skimming and misinterpreting. Magazines like Virus Bulletin and
Secure Computing are much better informed and do frequent comparative
reviews, and are also informative about their testing criteria,
procedures and virus suites. Recently, a number of articles have been
posted here by people who've run their own tests on various packages.
These are often of interest, but should not be accepted uncritically.
(No-one's opinion should be accepted uncritically!)

Valid testing of antivirus software requires a lot of care and
thought, and not all those who undertake it have the resources,
knowledge or experience to do it properly.

You may get a more informed response if you specify what sort of system
you have - DOS, Windows, Win95, WinNT, Mac? XT, AT, 386 or better? 
Is the system networked, and are you asking about protecting the 
whole network? (What sort of network?) Are you running NT, OS/2 
or Win95, any of which involve special considerations?  Be aware 
that there is more than one way of judging the effectiveness of a 
package - the sheer number of viruses detected; speed; tendency 
to false alarms; size (can you run it from a single floppy when 
necessary?); types of virus detection & prevention (not at all the 
same thing) offered (command-line scanning, TSR scanning, behaviour 
blocking, checksumming, access-control, integrity shell etc.);
technical support etc.

One possible (but imperfect) measure of a package's efficiency in terms 
of virus detection is ICSA approval. Under the current testing protocol, 
a scanner must detect all viruses on the Wild List plus 90% of NCSA's
full test suite. See http://www.icsa.net/services/product_cert/ for 
details.

Comprehensive product reviews can sometimes be found at the following
sites, but are not necessarily the latest available.
   
   http://www.virusbtn.com/                        _Virus Bulletin_
   http://www.westcoast.com/                       _Secure Computing_
   http://www.uta.fi/laitokset/virus/              University of Tampere
   ftp://ftp.informatik.uni-hamburg.de/pub/virus/  Virus Test Center
    and  http://agn-www.informatik.uni-hamburg.de/vtc/naveng.htm
   http://victoria.tc.ca/int-grps/books/techrev/mnvr.html

and a number of reputable vendors include comparative reviews,
papers on testing etc. on their WWW/FTP servers.

Many anti-virus packages are available from the SimTel mirrors:
  http://www.simtel.net/simtel.net/msdos/virus.html
  ftp://ftp.simtel.net/pub/simtelnet/msdos/virus/

For information on mirror sites, a regularly-updated listing can
be found at

  http://www.simtel.net/simtel.net/mirrors.html

Of course, such products can often be obtained direct from the
publisher's WWW site, too.  The following information is not intended
to be a totally comprehensive list; it is merely a reference to where
major anti-virus packages can be downloaded.

Please note that the maintainers have not tested or even seen all the 
packages listed here, and listing here does not imply recommendation 
(though we won't list anything we *know* is rubbish....).

- - ------------
AntiViral Toolkit Pro (commercial with evaluation versions)
Platform(s): DOS, Win3.x, Win95/98, NT, OS/2, NetWare. 
URL: http://www.avp.com
     http://www.avp.ch
     http://www.avp.tm
     http://www.avp.ru

- - ------------
AVAST!, AVAST32 (Commercial with evaluation versions)
Platform(s): DOS, Win3.x, Win95/98, NT.
URL: http://www.anet.cz/alwil/

- - ------------
Calluna Hardwall (Hardware-based virus protection)
Platform(s): Win3.x, Win95, NT.
URL: http://www.hardwall.com/

- - ------------
ChekMate (Integrity Checker; commercial w/ evaluation versions)
Platform(s): DOS, Win3.x, Win95/98, OS/2.
URL: http://chekware.simplenet.com/cmindex.htm

- - ------------
ESafe Protect
Platform(s): Win95/98, NT.
URL: http://www.esafe.com/

- - ------------
F-Prot (Free for personal, non-commercial use)
Platform(s): DOS with limited Windows support
URL: http://www.complex.is

- - ------------
F-Prot Professional (Commercial; distributed by both Command Software 
                     and DataFellows)
Platform(s): DOS, Win3.x, Win95/98, WinNT, NetWare
URL: http://www.commandcom.com/
     http://www.DataFellows.com/
More details inc. in PRO.DOC, supplied with the shareware version.

- - ------------
InoculateIT (formerly InocuLan) - Commercial with freeware version)
Platform(s): Win95/98, NT, Netware.
URL: http://www.cai.com/products/inoculateit.htm

- - ------------
Integrity Master (Commercial with evaluation versions)
Platform(s): DOS, Win3.x, Win95/98, NT, OS/2.
URL: http://www.stiller.com

- - ------------
Invircible (commercial with evaluation versions)  
Platform(s): DOS, Win3.x, Win95/98, NT.
URL: http://www.invircible.com/
Note: The creators of InVircible have marketed it as the be-all and
      end-all of anti-virus products.  As with any product, the buyer
      should beware such outlandish claims. 

- - ------------
McAfee VirusScan (also Dr. Solomon's products) - eval versions available
Platform(s): DOS, Windows, Win95, NetWare, Mac, NT, Lotus Notes, 
             Groupware, Exchange, SunOS, Solaris, FreeBSD, SCO, Linux.
URL: http://www.nai.com

- - ------------
Microsoft (Macro Virus fixes) 
URL: http://www.microsoft.com
Note: Microsoft anti-virus (MSAV) is no longer supported.  If you're using
      it, get something else (anything else).  MSAV is not adequate 
      protection as it does not protect against current viruses.
There is a paper by Yisrael Radai which documents many of the other
problems with MSAV and CPAV.

   ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/

- - ------------
MIMESweeper (Mail scanning 'firewall')
Platform(s): Domino, SMTP, Exchange, Raptor
URL: http://www.mimesweeper.com

- - ------------
NH&A (Distributors of various anti-virus products; see URL for details)
Platform(s): Various, depends on the product
URL: http://www.nha.com

- - ------------
Norman Virus Control
Platform(s): DOS, Win3.x, Win95, NT, OS/2, NetWare, Lotus Domino, Exchange.
URL: http://www.norman.com/

- - ------------
Norton Anti-virus, Symantec Anti-virus for Mac
Platform(s): DOS, Win3.x, Win95/98, Mac (SAM), NT, NetWare, OS/2,
             Lotus Notes, Exchange.
URL: http://www.symantec.com/ 

- - ------------
Panda Anti-Virus
Platform(s): DOS, Win3.x, Win95/98, NT, OS/2.
URL: http://www.pandasoftware.com

- - ------------
PC-Cillin, InterScan, Scanmail, Serverprotect
Platform(s): Win95/98, NT, Lotus Notes, Exchange, Outlook, cc:mail.
URL: http://www.antivirus.com/

- - ------------
Reflex Magnetics Ltd - DiskNet, Macro Interceptor, and Data Vault
Platform(s): Win95/98, NT.
URL: http://www.reflex-magnetics.co.uk/

- - ------------
ScanMaster for Novell/Vines (Uses McAfee VirusScan engine)
URL: http://www.netpro.com

- - ------------
Sophos Sweep (commercial with evaluation versions)
Platform(s): DOS, Win3.x, Win95/98, NT, Mac, OS/2, Netware, AIX, Linux, 
             FreeBSD, HP-UX/HP-PA, SCO, Solaris, OpenVMS, Banyan VINES.
URL: http://www.sophos.com/ 

- - ------------
VirusBUSTER, MacroVirusBUSTER, CyberBUSTER
Platform(s): DOS, Win3.x, Win95/98, NT 
URL: http://www.leprechaun.com.au/

- - ------------
VirusNet
Platform(s): DOS, Win3.x, Win95/98, NT 
URL: http://www.safetynet.com

- - ------------

In the event of a *real* tragedy, there are a number of firms which
specialise in data recovery. Examples include:

Ontrack Data Recovery, Inc.
URL: http://www.ontrack.com

DataRescue:
URL: http://www.datarescue.com/


(9) Where can I get further information?
========================================

The following sites are not regularly checked. Please advise of
any changes which aren't reflected in this document.

 ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/
  [mirror sites]
 ftp://ftp.uu.net/pub/security/virus/
 ftp://sunsite.unc.edu/pub/docs/security/hamburg-mirror/virus/
 http://www.SevenLocks.com/

 http://www.hitchhikers.net/av.shtml
 http://csrc.ncsl.nist.gov/virus
 http://www.nc5.infi.net/~wtnewton/vinfo/master.html

Virus Bulletin Home Page - vendor contact info, comparative reviews,
review protocol info etc.

        http://www.virusbtn.com

Henri Delger's home page has much useful info and useful links

        http://pages.prodigy.net/henri_delger/index.htm

Tom Simondi has written a freeware virus tutorial (VTUTOR11.ZIP).

	http://www.cknow.com/

Some information is available from The Scanner, an on-line anti-virus
newsletter.  It may not be entirely current, however. 

	http://diversicomm.com/scanner

Doug Muth has not only AV links but geek code as well....

	http://www.claws-and-paws.com/

Bob Rosenberger's Computer Virus Myths Page 

	http://www.kumite.com/myths/

A few Amiga links:

	http://ftp.uni-paderborn.de/aminet/dirs/util_virus.html
[Antivirus info and programs]
	ftp://ftp.uni-paderborn.de/aminet/util/virus/
According to Dennis Boon, trsivw65.lha has info about 100 or so viruses;
VT_docfiles.lha has info on nearly all amiga viruses (in German);
VIB9508.lha file contains info on all viruses up to August 1995 
(in English).

The WildList (List of viruses currently 'in the wild' - doesn't 
include much description)
      http://www.wildlist.org

Virus Descriptions
- - ------------------

http://www.avpve.com                              AVP Virus Encyclopedia
http://www.datafellows.com/vir-info/              Data Fellows Virus
Database
http://www.symantec.com/avcenter/vinfodb.html     Symantec Virus Database
http://www.avertlabs.com                          McAfee Virus Database

Virus demonstrations
- - --------------------

AVP includes some virus demonstrations, and other publishers have 
demos available.  

There are also virus simulators, which are not quite the same thing.
These are sometimes advocated as a means of testing antivirus packages,
but there are dangers to this approach: after all, a package which
detects one of these simulators as the virus it detects is, technically,
false-alarming.

See section F6 of the Mark 2 Virus-L FAQ, which is rather good on
types and uses of virus simulation.

Books which may be of use:

        Robert Slade's Guide to Computer Viruses - Springer-Verlag
                Pretty good introduction & general resource. Currently
	 	in its second edition.
        Computers Under Attack (ed. Denning) - Addison-Wesley
                Aging, but some classic texts
        Survivors' Guide to Computer Viruses (ed. Lammer) - Virus Bulletin
                Uneven, but includes useful stuff from Virus Bulletin
        Dr. Solomon's Virus Encyclopedia
                You may from time to time find copies of an older edition
                of this in bookshops, though it's better known as part of
                Dr. Solomon's AntiVirus ToolKit. It's a pretty good guide
                to some of the older viruses.
        A Short Course on Computer Viruses (F. Cohen) - Wiley
                By the man who 'invented' the concept of computer viruses.
                Some aspects are controversial, but a good introduction to
                his work.

The comp.virus FAQ includes pointers to some books.

Useful (and expensive) periodicals:

        Virus Bulletin
          http://www.virusbtn.com

        Secure Computing
          http://www.westcoast.com

        Computers and Security
          Elsevier Advanced Technology
          PO Box 150
          Kidlington
          Oxford
          OX5 1AS
          44 (0) 1865-843666
          a.verhoeven@elsevier.co.uk

        The Disaster Recovery Journal (more info & on-line articles)
          http://www.drj.com


(10) Does anyone know about...
==============================

...Mac viruses?
- - ---------------

David Harley co-maintains (with Susan Lesch) a FAQ on Mac/virus 
issues, which can be found at:

	http://www.macvirus.com/
	http://www.sherpasoft.com/MacSupporters/

Mac-specific virus information:

	http://www.symantec.com
	http://www.nai.com
	http://www.sherpasoft.com/MacSupporters/
	http://www.hyperactivesw.com
	http://ciac.llnl.gov/ciac/CIACVirusDatabase.html/

...UNIX viruses? 
- - ----------------

In general, there are virtually no non-experimental UNIX viruses.
There have been a few Worm incidents, most notably the Morris Worm
(a.k.a. the Internet Worm) of 1988, and a couple of minor Linux
viruses. Some Linux viruses exist, but are not widespread.

There are products which scan some Unix systems for PC viruses,
though any machine used as a file server (Novell, Unix etc.) can be
scanned for PC viruses by a DOS scanner if it can be mounted as a
logical drive on a PC running appropriate network client software
such as PC-NFS.

Unix servers running as webserver, ftp servers, intranet servers
etc. should be considered as a potential source of files infected
with viruses specific to other platforms, even if they are not
directly infectable themselves. This problem is sometimes referred
to as the 'latent virus problem', or 'heterogeneous virus 
transmission'.

Intel-based PCs running Unix (e.g. Linux, 386BSD, SCO Unix etc.)
can also be infected by a DOS boot-sector virus if booted from an
infected disk. The same goes for other PC-hosted operating systems
such as NetWare.

While viruses are not a major risk on Unix platforms, integrity
checkers and audit packages are frequently used by system administrators
to detect file changes made by other kinds of attack. However, Unix
security is outside the scope of this FAQ (see comp.security.unix).

In fact, such packages generally target PC viruses more than the 
handful of Unix viruses.

See also the Unix section in the Virus-L/comp.virus FAQ.

A useful book:

        Practical Unix Security & Internet Security 
             (Garfinkel, Spafford) - O'Reilly

...macro viruses?
- - -----------------

Macro viruses and trojans are specific to certain 
applications which use sophisticated macro languages,
rather than being specific to a particular operating
system. Macro viruses comprise a high percentage of 
the viruses now in the wild.

Most current macro viruses and trojans are specific to 
Microsoft Word and Excel: however, many applications, 
not all of them Windows applications, have potentially 
damaging and/or infective macro capabilities too.

Macro languages such as WordBasic and Visual Basic for 
Applications (VBA) are powerful programming languages in
their own right. Word and Excel are particularly vulnerable
to this threat, due to the way in which the macro language
is bound to the command/menu structure in vulnerable versions
of Word, the way in which macros and data can exist in the
same file, and the eccentricities of OLE-2.

For further info on macro viruses, you might like to try
the main antivirus vendor sites.

...The AOLgold virus
- - --------------------

This was actually a trojan. Information is available on the
CIAC archive:

You can get this and other CIAC notices from the CIAC Computer Security
Archive.

   World Wide Web:      http://ciac.llnl.gov/

...the PKZip trojan virus? 
- - --------------------------

Most of us prefer to distinguish between trojans and viruses (see Part
1). The threat described in recent warnings is definitely not a virus,
since it doesn't replicate by infection.

There have been at least two attempts to pass off Trojans as an upgrade
to PKZip, the widely used file compression utility. A recent example was
of the files PKZ300.EXE and PKZ300B.ZIP made available for downloading
on the Internet.  An earlier Trojan passed itself off as version 2.0.
For this reason, PKWare have never released a version 2.0 of PKZip:
presumably, if they ever do release another DOS version (unlikely, at
this date, in my opinion), it will not be numbered version 3.0(0).
In fact, there are hardly any known cases of someone downloading and
being hit by this Trojan, which few people have seen (though most
reputable virus scanners will detect it). As far as I know, this Trojan
was only ever seen on warez servers (specialising in pirated software).

There are recorded instances of a fake PKZIP vs. 3 found infected with
a real live in-the-wild file virus, but this too is very rare.
To the best of my knowledge, the latest version of PKZip is 2.04g,
or 2.50 for Windows.

There was a version 2.06 put together specifically for IBM internal
use only (confirmed by PKWare). If you find it in circulation, avoid
it. It's either illicit or a potentially damaging fake.

The recent rash of resuscitated warnings about this is at least in part
a hoax. It's not a virus, it's a trojan. It doesn't (and couldn't)
damage modems, V32 or otherwise, though I suppose a virus or trojan might
alter the settings of a modem - if it happened to be on and connected....
I don't want to get into hypothetical arguments about programmable 
modems right now. It appears to delete files, not destroy disks irrevocably.

It's certainly a good idea to avoid files claiming to be PKZip vs. 3,
but the real risk hardly justifies the bandwidth this alert has occupied.

...xyz PC virus?
- - ----------------

There are several thousand known PC viruses, and the number 'in the
wild' is in the hundreds. It is not practical to include information
about all of these in this FAQ. 

There are rarely enquiries about viruses on other computing platforms
raised in alt.comp.virus, but there is some information concerning
viruses on most platforms available at the Virus Test Center in Hamburg.

See the section above on Virus Descriptions for sites where information
is available.

...the Psychic Neon Buddha Jesus virus?
- - ---------------------------------------

This is an allegedly humorous bit of javascript programming that found
its way onto a website. On clicking on a particular button, you may be
told that this virus has been detected.Javascript has many interesting
properties, but virus detection is not one of them. It was a joke,
and it's long gone, though others like it pop up from time to time.

...the blem wit virus?
- - ----------------------

See the Virus-L FAQ. Basically, it's a mangled message that may come
up with older Novell drivers "[pro]blem wit[h]....."

The Irina Virus?
- - ----------------

Publicity stunt generated by Penguin Books to promote their 
'interactive novel'. More info in the 'Viruses and the Mac'
FAQ, a CIAC bulletin on hoax and semi-hoax viruses, the
Computer Virus Myths website (http://www.kumite.com/myths/) 
and many other sources.

GHOST
- - -----

Just a screensaver...... More info in the CIAC bulletin 
mentioned above and/or the Computer Virus myths website.

General Info on Hoaxes/Erroneous Alerts
- - ---------------------------------------

The CIAC updated bulletion mentioned several times above is
at:

      http://ciac.llnl.gov/ciac/bulletins/h-05.shtml

It includes info on the alerts mentioned below, some historical
background, and suggestions on validating hoaxes rather than
passing them on uncritically.

CIAC have now set up a hoaxes web page at:

	http://ciac.llnl.gov/ciac/CIACHoaxes.html

There's also a page on chain letters which includes relevant
material. 

There are lots of useful links at:

	http://www.kumite.com/myths


- - -----------------extract-------------------------------

INFORMATION BULLETIN
H-05 Internet Hoaxes: PKZ300, Irina,
Good Times, Deeyenda, Ghost

November 20, 1996 16:00 GMT


PROBLEM:       This bulletin addresses the following hoaxes and erroneous
               warnings: PKZ300 Warning, Irina, Good Times, Deeyenda, and
               Ghost.exe
PLATFORM:      All, via e-mail
DAMAGE:        Time lost reading and responding to the messages
SOLUTION:      Pass unvalidated warnings only to your computer security
               department or incident response team. See below on how to
               recognize validated and unvalidated warnings and hoaxes.

VULNERABILITY   New hoaxes and warnings have appeared on the Internet and
old
ASSESSMENT:     hoaxes are still being cirulated.

- - ---------------------end extract--------------------------------

(11) Is it true that....?
=========================

  (*or* some favourite hoaxes...)

(1) There is *no* Good Times virus that trashes your hard disk
    and launches your CPU into an nth-complexity binary loop when
    you read mail with "Good Times" in the Subject: field.

 You can get a copy of Les Jones' FAQ on the Good Times Hoax from:

  http://www.public.usit.net/lesjones/goodtimes.html

    There *is* at least one file virus christened Good Times
    by the individual who posted it in an attempt to cause
    confusion. It is more commonly referred to as GT-spoof.

(2) There is no modem virus that spreads via an undocumented
    subcarrier - whatever that means....

(3) Any file virus can be transmitted as an E-mail attachment.
    However, the virus code has to be executed before it actually
    infects. Sensibly configured mailers don't usually allow this
    by default and without prompting, but certainly some mailers
    can support this: for instance, cc:mail can, it seems, launch
    attachments straight into AmiPro.

    There's room for a lot of discussion here. The jury is still
    out on web browsers: Netscape can certainly be set up to do
    things I don't approve of, such as opening a Word document in
    Word without asking.

    Microsoft have made available a Word viewer which reads Word
    files, but doesn't run attached macros. If possible, use this
    instead.  If you have both Word and the Word Viewer, it is a good
    idea to set the Word Viewer as the default association instead
    of Word itself.  This protects you from macro viruses to a certain
    extent, while not preventing you from using Word to edit documents
    (just use file/open instead of double-clicking on the file).

    The term 'ANSI bomb' usually refers to a mail message or other
    text file that takes advantage of an 'enhancement' to the MS-DOS
    ANSI.SYS driver which allows keys to be redefined with an
    escape sequence, in this case to echo some potentially
    destructive command to the console. In fact, few systems
    nowadays run programs which need ANSI terminal emulation to run,
    and there's no guarantee that the program reading the file would
    pass such an escape sequence unfiltered to the console anyway.
    There are plenty of PD or shareware alternatives to ANSI.SYS that
    don't support keyboard redefinition, or allow it to be turned off.

    The term mail bomb is usually applied to the intentional
    bombardment of an e-mail address with multiple copies of a
    (frequently abusive) message, rather than to the above.

(4) There is no known way in which a virus could sensibly be spread
    by a graphics file such as a JPEG or .GIF file, which does not
    contain executable code. Macro viruses work because the files to
    which they are attached are not 'pure' data files.

(5) In general, software cannot physically damage hardware - this
    includes viruses. There is a possibility that specific hardware
    may be damaged by specific code: however, a virus which drops
    a particular payload on the offchance that it's running on a
    system with a particular type of obsolete video card seems more
    than usually futile.  

    At least one virus (named CIH, AKA Chernobyl) contains code that 
    can overwrite BIOS code on some machines.  This does not constitute 
    hardware damage, since the chip involved is still intact.  Problem 
    is, without the appropriate software on that chip, the system won't 
    boot.  Repair from this payload generally involves reprogramming the 
    BIOS chip, which can be more expensive than just buying a new 
    motherboard.  


(12) Favourite myths
====================

* DOS file attributes protect executable files from infection

  File attributes are set by software, and can therefore be
  changed by software, including viruses. Many viruses reset a
  ReadOnly/System/Hidden file to Read/Write, infect it, and
  often reset it to the original attributes afterwards.

  This also applies to other software mechanisms such as
  simulating hardware write-protection on a hard disk.

  However, file protection rights in NetWare *can* help to
  contain virus infections, if set up properly, as can
  trustee rights. [Trustee assignments govern whether an
  individual user has right of access to a subdirectory: the
  Inherited Rights Mask governs the protection rights of
  individual files and (sub)directories.]

  Basically, a file virus has the same rights of access as the
  user who happens to inadvertantly activate it.

  Setting up these levels of security is really a function
  of the network Administrator, but you might like to check
  (politely) that yours is not only reassuringly paranoid but
  also knowledgeable about viruses as well as networks, since a
  LAN which is not, in this respect, securely configured, can
  result in very rapid infection and reinfection of files
  across the whole LAN. In particular, accounts with supervisor
  equivalence can, potentially, be the unwitting cause of very
  rapid dissemination of viruses.

  [See also the comp.virus FAQ (version 2) section D]

* I'm safe from viruses because I don't use bulletin boards/shareware/
  Public Domain software.

  Many of the most widely-spread viruses are Boot Sector Infectors,
  which can't normally infect over a serial or network connection.
  Writers of shareware, freeware etc. are no more prone to accidental
  infection than commercial publishers, and possibly less. The only
  'safe' PC is still in it's original wrapping (which doesn't mean
  it isn't already infected...) And don't forget that shrinkwrapped
  software may have been rewrapped.

  As well, the most common viruses today are macro viruses, which depend
  on you running a commercial application (usually MS Word or Excel). 
  They spread via documents exchanged between computers, which is a common
  occurrance on many systems, regardless of how 'connected' they are.

* FDISK /MBR fixes boot sector viruses.

  The mark II comp.virus FAQ is worth reading on this (see Part 1
  of this FAQ as well as Part 4, section 14).

  In brief, don't use FDISK /MBR *unless* you're *very* sure of what
  you're doing, as you may lose data. Note also that if you set up the
  drive with a disk manager such as EZDrive, you won't be able to access
  the drive until and unless you can reinstall it.

******************************************************************

(i) What does FDISK /MBR do?
    ------------------------

  It places "clean" partition code onto the partition of your hard disk.
  It does not necessarily change the partition information, however.  
  [It does sometimes, and when it does it us usually fatal (for the
  common user, anyway). FDISK /MBR will wipe the partition table data if
  the last two bytes of the MBR are not 55 AA.]

  The /MBR command-line switch is not officially documented in all
  DOS versions and was introduced in DOS 5.0

(ii) What is the partition?
     ----------------------

  The partition sector is the first sector on a hard disk.  It contains
  information about the disk such as the number of sectors in each
  partition, where the DOS partition starts, plus a small program. The
  partition sector is also called the "Master Boot Record" (MBR).

  When a PC starts up it reads the partition sector and executes the
  code it finds there.  Viruses that use the partition sector modify
  this code.

  Since the partition sector is not part of the normal data storage
  part of a disk, utilities such as DEBUG will not allow access to it.
  [Unless one assembles into memory]

  Floppy disks do not have a partition sector.

  FDISK /MBR will change the code in a hard disk partition sector.


(iii) What is a boot sector?
      ----------------------

  The boot sector is the first sector on a floppy disk.  On a hard disk
  it is the first sector of a partition. It contains information about
  the disk or partition, such as the number of sectors, plus a small
  program.

  When the PC starts up it attempts to read the boot sector of a disk in
  drive A:.  If this fails because there is no disk it reads the boot
  sector of drive C:.  A boot sector virus replaces this sector with its
  own code and usually moves the original elsewhere on the disk.

  Even a non-bootable floppy disk has executable code in its boot sector.
  This displays the "not bootable" message when the computer attempts to
  boot from the disk.  Therefore, non-bootable floppies can still contain
  a virus and infect a PC if it is inserted in drive A: when the PC
  starts up.

  FDISK /MBR will not change the code in a hard disk boot sector (as
  opposed to the partition sector).  Most boot sector viruses infect the 
  partition sector of hard disks and floppy disk boot sectors: most do 
  not infect the boot sector of a hard disk - the Form virus is an 
  exception.

(iv) How can I remove a virus from my hard disk's partition sector?
     --------------------------------------------------------------

  There are two main alternatives: run an anti-virus product, or use
  FDISK /MBR.

  Most effective anti-virus products will be able to remove a virus from
  a partition sector, but some have difficulties under certain
  circumstances.  In these cases the user may decide to use FDISK /MBR.

  Unless you know precisely what you are doing this is unwise.  You may
  lose access to the data on your hard disk if the infection was done by
  a virus such as Monkey or OneHalf.  Part 4, section 14 of this FAQ 
  contains details as to how losing data might happen.

(v) Won't formatting the hard disk help?
    ------------------------------------

  Not necessarily.  Formatting the hard disk can result in everything 
  being wiped from the drive *apart* from the virus.  Format alters the
  DOS partition, but leaves the partition sector (AKA the MBR) untouched.  
  There is usually a better way of removing a virus infection than 
  formatting the hard disk.

******************************************************************

* Write protecting suspect floppies stops infection.

This sounds so silly I hesitate to include it. I've never seen it said
on a.c.v., but I've heard it so often in other contexts, I've included
it anyway. Write-protecting a suspect floppy will only protect that
diskette from *re-infection*, if it's already infected. It won't stop
an infected floppy from infecting other (write-enabled) drives.

If you boot with a disk in drive A which is infected with a boot-sector
virus, the fact that the diskette is write-protected will make no
difference at all.

Write-protecting a *clean* floppy will indeed prevent it from being
infected (but see below!).

* The write protect tab always stops a disk write

Briefly, write protection is built into the hardware on the Mac and
on the PC (and most other systems, of course, but we can't cover
everything), and can't be circumvented in software.

However, it is possible for the hardware to fail: it's not common,
but it happens. Thus when I do a cleanup, I try to create a file on a
sacrificial floppy before risking my R/O boot disk. Sometimes, I
even remember....

Other caveats: a disk which you receive write-protected could have
been de-protected, infected, and re-protected. Even a 3.5" disk with
the write-enable tab removed can be written to by covering the hole
with (e.g.) masking tape. And, of course, shrink-wrapped software
could have been infected before the duplication process.

* I can infect my system by running DIR on an infected disk

If you have a clean PC system, you can't contract a boot sector virus
*or* a file virus just by listing the files on an infected floppy.
Of course, if your PC is infected, you may well infect a *clean* floppy
by using

        DIR A:

It *is* possible to have a scanner report a virus in memory after a
DIR of a floppy with an infected boot sector. The distinction here is
that the virus is not actually loaded into memory, so the PC has
*not* been infected.

- - -----------------------------------------------------------------------

End of a.c.v. FAQ part 2

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 for non-commercial use <http://www.pgp.com>
Comment: PGP Key ID 0xDCC35C75 available on Keyservers

iQCVAwUBOD6h4bcpzG7cw1x1AQEQRwP+LJoYLFvcBlzMVGJdrxJRPLh1z6YPdPst
mx1uEM0x3VEq4frRqhN9O4zVaaeJ+XaK3KwI3z5TsT/se2ccwiWWQZ0P+Svy9U4J
UO/vgVh6P+oHxA/SnymmgWuggvY1+tM12y/kADVMSg24yzRNWpOg3XmwjMj8sUNK
9Z0JkvkPeWs=
=vek1
-----END PGP SIGNATURE-----

User Contributions:

Comment about this article, ask questions, or add new information about this topic:

CAPTCHA




Part1 - Part2 - Part3 - Part4

[ Usenet FAQs | Web FAQs | Documents | RFC Index ]

Send corrections/additions to the FAQ Maintainer:
George Wenzel <gwenzel@telusplanet.net>





Last Update March 27 2014 @ 02:11 PM