Preface

Questions answered in this document

Section A: Sources of Information and Anti-viral Software (Where can I find HELP..!)

  1. What is VIRUS-L/comp.virus?
  2. What is the difference between VIRUS-L and comp.virus?
  3. How do I get onto VIRUS-L/comp.virus?
  4. What are the guidelines for VIRUS-L?
  5. How can I get back-issues of VIRUS-L?
  6. What is VALERT-L?
  7. What are the known viruses, their names, major symptoms and possible cures?
  8. Where can I get free or shareware anti-virus programs?
  9. Where can I get more information on viruses, etc.?

Section B: Definitions (What is ...?)

  1. What are computer viruses (and why should I worry about them)?
  2. What is a Trojan Horse?
  3. What are the main types of PC viruses?
  4. What is a stealth virus?
  5. What is a polymorphic virus?
  6. What are fast and slow infectors?
  7. What is a sparse infector?
  8. What is a companion virus?
  9. What is an armored virus?
  10. Miscellaneous Jargon and Abbreviations

Section C: Virus Detection (Is my computer infected? What do I do?)

  1. What are the symptoms and indications of a virus infection?
  2. What steps should be taken in diagnosing and identifying viruses?
  3. What is the best way to remove a virus?
  4. What does the (insert name here) virus do?
  5. What are "false positives" and "false negatives"?
  6. Could an anti-viral program itself be infected?
  7. Where can I get a virus scanner for my Unix system?
  8. Why does an antiviral scanner report an infection only sometimes?
  9. Is my disk infected with the Stoned virus?
  10. I think I have detected a new virus; what do I do?
  11. CHKDSK reports 639K (or less) total memory on my system; am I infected?
  12. I have an infinite loop of sub-directories on my hard drive; am I infected?

Section D: Protection Plans (What should I do to prepare against viruses?)

  1. What is the best protection policy for my computer?
  2. Is it possible to protect a computer system with only software?
  3. Is it possible to write-protect the hard disk with only software?
  4. What can be done with hardware protection?
  5. Will setting DOS file attributes to READ ONLY protect them from viruses?
  6. Will password/access control systems protect my files from viruses?
  7. Will the protection systems in DR DOS work against viruses?
  8. Will a write-protect tab on a floppy disk stop viruses?
  9. Do local area networks (LANs) help to stop viruses or do they facilitate their spread?
  10. What is the proper way to make backups?

Section E: Facts and Fibs about computer viruses (Can a virus...?)

  1. Can boot sector viruses infect non-bootable floppy disks?
  2. Can a virus hide in a PC's CMOS memory?
  3. Can a virus hide in Extended or in Expanded RAM?
  4. Can a virus hide in Upper Memory or in High Memory?
  5. Can a virus infect data files?
  6. Can viruses spread from one type of computer to another?
  7. Can DOS viruses run on non-DOS machines (e.g. Mac, Amiga)?
  8. Can mainframe computers be susceptible to computer viruses?
  9. Some people say that disinfecting files is a bad idea. Is that true?
  10. Can I avoid viruses by avoiding shareware/free software/games?
  11. Can I contract a virus on my PC by performing a "DIR" of an infected floppy disk?
  12. Is there any risk in copying data files from an infected floppy disk to a clean PC's hard disk?
  13. Can a DOS virus survive and spread on an OS/2 system using the HPFS file system?
  14. Under OS/2 2.0, could a virus-infected DOS session infect another DOS session?
  15. Can normal DOS viruses work under MS Windows?

Section F: Miscellaneous Questions (I was just wondering...)

  1. How many viruses are there?
  2. How do viruses spread so quickly?
  3. What is the plural of "virus"? "Viruses" or "viri" or "virii" or...
  4. When reporting a virus infection (and looking for assistance), what information should be included?
  5. How often should we upgrade our anti-virus tools to minimize software and labor costs and maximize our protection?

Section G: Specific Virus and Anti-viral software Questions...

  1. I was infected by the Jerusalem virus and disinfected the infected files with my favorite anti-virus program. However, WordPerfect and some other programs still refuse to work. Why?
  2. I was told that the Stoned virus displays the text "Your PC is now Stoned" at boot time. I have been infected by this virus several times, but have never seen the message. Why?
  3. I was infected by both Stoned and Michelangelo. Why has my computer become unbootable? And why, each time I run my favorite scanner, does it find one of the viruses and say that it is removed, but when I run it again, it says that the virus is still there?


Preface Section:

This document is intended to answer the most Frequently Asked Questions (FAQs) about computer viruses. As you can see, there are many of them! If you are desperately seeking help after recently discovering what appears to be a virus on your computer, consider skimming through sections A and B to learn the essential jargon, then concentrate on section C.

If you think you may have found a new virus, or are not quite sure whether some file or boot sector is infected, it is important to understand the protocol for raising such questions, e.g. to avoid asking questions that can be answered in this document, and to avoid sending "live" viruses except to someone who is responsible (and even then in a safe form!).

Above all, remember that the time to really worry about viruses is BEFORE your computer gets one!

The FAQ is a dynamic document, which changes as people's questions change. Contributions are gratefully accepted -- please e-mail them to me at krvw@cert.org. The most recent copy of this FAQ will always be available on the VIRUS-L/comp.virus archives, including the anonymous FTP on cert.org (192.88.209.5) in the file pub/virus-l/FAQ.virus-l (ftp://cert.org/pub/virus-l/FAQ.virus-l).

Ken van Wyk, moderator VIRUS-L/comp.virus

Primary contributors (in alphabetical order):

Mark Aitchison (phys169@csc.canterbury.ac.nz), Vaughan Bell (vaughan@computing-department.poly-south-west.ac.uk), Matt Bishop (matt.bishop@dartmouth.edu), Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de), Olivier M.J. Crepin-Leblond (umeeb37@vaxa.cc.ic.ac.uk), David Chess (chess@watson.ibm.com), John-David Childs (con_jdc@lewis.umt.edu), Nick FitzGerald (cctr132@csc.canterbury.ac.nz), Claude Bersano-Hayes (hayes@urvax.urich.edu), John Kida (jhk@washington.ssds.COM), Donald G. Peters (Peters@Dockmaster.NCSC.Mil), A. Padgett Peterson (padgett%tccslr.dnet@mmc.com), Y. Radai (radai@hujivms.huji.ac.il), Rob Slade (rslade@sfu.ca), Gene Spafford (spaf@cs.purdue.edu), Otto Stolz (rzotto@nyx.uni-konstanz.de)


Composed by: Kenneth R. van Wyk (krvw@cert.org), CERT (Computer Emergency Response Team) Coordination Center

HTML'd by: Doug Peterman (doug@umcc.umich.edu, dpeterma@pt8000.pto.ford.com), University of Michigan Computing Club (UMCC), Ford Motor Company, Powertrain Operations Systems Group