                             By:  Charles R. Hague
                          How to avoid a virus/trojan
                    and what to do if you're not successful

       The purpose   of this bulletin is to give you some basic information
    about viruses and  trojans  so  that    you   might   be  able to avoid
    contracting one.  If  you do contract one, there is information here on
    how you might recover.

       While this  information  might  be  interesting  to  a non-technical
    person, in order  to  apply  this information  it  is assumed  that the
    reader is comfortable with DOS.  If you're not comfortable with DOS and
    you've contracted a virus, this information  might  help  give you some
    ideas on how you can avoid the situation to begin with!

       Let's define two important terms:

          1. Trojan:  a  trojan is a program that once  run  will
             immediately do  some  harm to your system.  It might
             be something  like formatting  your  disk,  deleting
             files, or some other immediate damage.

          2. Virus:  A virus will usually NOT immediately  do
             any harm.   It  will hide itself somewhere  on  your
             disk, and  begin  duplicating  itself   by infecting
             other programs on your system.  As time goes by, the
             virus will  begin  to  make   itself  known  in  any
             number of  evil ways (most common is the  scrambling
             of  information   on  the  disk,  printing  annoying
             messages, causing  problems   during   the   boot-up
             process, or slowing down the apparent  speed  of the
             computer so that it is crawling-slow.)

       If it isn't obvious, while neither of these two items is good, a
    trojan is not as bad as a virus, because it is pretty simple to
    identify the culprit and (at least attempt) to recover and go on with
    your life.  A virus is very bad, because it will probably have worked
    its way into your backups, and if it is a subtle virus, it may do only
    slight harm (changing a few characters here and there).


       Here are some simple things you can do to help reduce your chances
    of catching a computer virus, and/or make your recovery much
    simpler:

          1. Make frequent backups.  I recommend you do a
             complete backup once a month (that's everything:
             programs, data, utilities, etc.).  Then back up your
             data as often as makes sense.  The best way to
             gauge how often you should back up your system is to
             ask yourself the question: "If my system crashed
             now, how much would I lose?"  If the answer to this
             question makes you cringe, then it is time for a
             backup.  If you use your system a lot, the backup
             should probably be daily, or at least weekly.

          2. Have more than one generation of backup.  For
             example, have a backup for each day of the week, so
             if it is Friday and something happened (lost data,
             virus struck, or whatever) you can go back to
             Thursday.  If Thursday's backup is either bad, or
             didn't have what you wanted, maybe Wednesday's will,
             etc.

          3. Keep your original disks write-protected.  Keep
             them in a safe place, and don't put them in your
             machine unless you FIRST scan your system for
             known viruses (more on this later).  This will
             help ensure that your original disks stay
             virus-free.

          4. Use a virus protection program on a regular basis.
             There are several commercial systems, but one of
             the best ones available is shareware; it is called
             SCAN and is available on any decent Bulletin Board
             System (BBS).  These programs will check your entire
             system for KNOWN viruses.  While this is good, the
             keyword is "known" viruses.  New ones are born all
             the time, so don't assume you are absolutely "safe"
             because you use a virus program.

          5. Always scan  new  software  before you install it in
             your computer.   It  takes   only  a  few moments to
             do, and can save you a lot of pain and suffering.

          6. Before running a batch file, type it out (with the
             TYPE command) and look at it.  If the batch file
             "INSTALL.BAT" says: "FORMAT C:", running it could be
             a bad thing to do.  Always look for programs on the
             disk such as "REM .EXE" (ideally look for such files
             that are hidden, using a program that will show
             hidden files, like PCTools, Norton, XTGold, or
             similar programs).  I've heard of a batch file that
             looked like this:

                    REM  Install on drive C:
                    COPY *.* C:

             The sneaky thing about this batch file is that the
             space following the "M" in "REM" was really the DOS
             character "ALT-255", which LOOKS like a space but is
             not.  On the disk was a program called "REM .EXE"
             (where that space was the special character that
             looked like a space).  Since "REM" plus that
             character is no longer the REM command, DOS runs
             that program instead of treating the line as a
             comment.

          7. Before any holiday (Christmas, famous birthdays,
             famous dates such as July 4th, significant celestial
             events such as the summer solstice, etc.), set your
             computer's date to the day AFTER the significant
             date, since some viruses are set to go off on such
             dates.  For example, on July 3rd, set the date to
             July 5th; then, after the date has passed, reset the
             date to the current date.

          8. You should have a bootable disk with the same
             version of DOS you use on your computer.  This disk
             should have the FORMAT command, FDISK, and possibly
             DEBUG on it.  It is a good idea to also put PKUNZIP
             (or whatever archive program you might use) on it,
             if you use an archive program.  Another disk should
             have ALL the DOS programs on it.  To make a system
             disk BEFORE trouble strikes, use the "FORMAT A:/S"
             command, and copy over the files specified in this
             step.  Write-protect this disk, and put it in a SAFE
             place.
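     As an added illustration of the "REM .EXE" trick in item 6 above (this
     script is not part of the original bulletin), the following Python
     auditor tokenises a batch file roughly the way COMMAND.COM does, flags
     any command token containing a byte such as ALT-255 that displays as a
     blank in code page 437, checks whether a matching program exists among
     the files on the disk (hidden ones included), and flags obviously
     destructive commands like FORMAT.  The sample batch file and disk
     listing are constructed; the space/tab-only tokeniser is an
     assumption that simplifies COMMAND.COM's real parsing.

```python
"""Audit a DOS batch file for the disguised-REM trick (added example).

COMMAND.COM reads the first token of each line and, if it is not an internal
command, looks for <token>.COM, .EXE or .BAT.  A byte like 0xFF (ALT-255)
renders as a blank in code page 437 but is not a separator, so the line
"REM<0xFF> Install on drive C:" is not a comment: it runs REM<0xFF>.EXE.
The tokeniser below (split on space/tab only) is a simplification.
"""
import re

# Bytes a command token may legitimately contain: visible ASCII only.
PRINTABLE = range(0x21, 0x7F)
# Commands whose presence in an installer warrants reading the file first.
DANGEROUS = {b"FORMAT", b"FDISK", b"DEL", b"ERASE", b"DELTREE"}
EXEC_EXTS = (b".COM", b".EXE", b".BAT")


def first_token(line: bytes) -> bytes:
    """Command token as COMMAND.COM sees it: leading '@' dropped, split on space/tab."""
    stripped = line.lstrip(b" \t").lstrip(b"@")
    return re.split(rb"[ \t]", stripped, maxsplit=1)[0]


def audit_batch(content: bytes, present_files=()):
    """Return (line_no, kind, detail) findings for one batch file.

    present_files: names of files on the same disk, as bytes (include hidden
    files, as listed by a tool that shows them).
    """
    findings = []
    names = {n.upper() for n in present_files}  # bytes.upper() touches ASCII only
    for no, raw in enumerate(content.splitlines(), 1):
        tok = first_token(raw)
        if not tok:
            continue
        if any(b not in PRINTABLE for b in tok):
            # Something in the command name is not a visible ASCII character.
            findings.append((no, "lookalike", tok))
            for ext in EXEC_EXTS:
                if tok.upper() + ext in names:
                    findings.append((no, "lookalike-program-present", tok + ext))
        if tok.upper() in DANGEROUS:
            findings.append((no, "dangerous", raw.strip()))
    return findings


# Constructed sample: the batch file from item 6 with ALT-255 after "REM",
# plus a disk listing that includes the hidden "REM<0xFF>.EXE".
SAMPLE_BAT = b"REM\xff  Install on drive C:\r\nCOPY *.* C:\r\n"
SAMPLE_DISK = [b"INSTALL.BAT", b"REM\xff.EXE", b"README.TXT"]

if __name__ == "__main__":
    for line_no, kind, detail in audit_batch(SAMPLE_BAT, SAMPLE_DISK):
        print(f"line {line_no}: {kind}: {detail!r}")
```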


    Virus Facts:

          1. The virus is 100% harmless...until you run it.  This
             means you can put a virus infected disk in drive A:,
             but unless you run something from that disk it can't
             hurt you.  BUT the instant you run anything  on that
             disk (that  is  infected  with  a virus) essentially
             anything is possible from that moment forward.

          2. I  forget  the  exact statistic,  but something like
             75%+  of  all   viruses  are  spread via  COMMERCIAL
             software,   NOT   through  Bulletin  Board  Systems!
             When you think about this, it starts to make sense.

                a) Who would suspect   a  commercial program like
                   Lotus  of   having   a   virus?   Most  people
                   would not even bother to check to see if it is
                   clean.

                b) Files   on  a  BBS are downloaded by dozens of
                   people all  the  time.   Some  of these people
                   won't bother to see  if  the file is safe,
                   but MANY     will    and    report    problems
                   immediately  to  the  Sysop (System Operator).
                   When you consider the millions of people using
                   thousands of   BBSs   all over the world, word
                   travels fast  about  infected  files,  and  so
                   their life-span  is  very  short  in  the  BBS
                   community.  Commercial files get infected from
                   three main places:

                         I. At    the    source   (rare)  by   an
                            employee  who   is   unhappy with the
                            company.

                         II. At a computer store that opens the
                             software package to demo it, but it
                             turns out the store's machine was
                             infected by a virus; when they put
                             the software back in the box, it
                             also has the virus on it.

                        III. Computer stores that allow exchange
                             of software.  Someone accidentally or
                             intentionally infects a piece of
                             software and returns it to the
                             store.  They shrink-wrap it and put
                             it back on the shelf.

     How would you know if you're infected (or might be)?

          1. You'd discover the virus while scanning your machine
             for viruses using some kind of virus detection
             software.

          2. You'd get some message that  is  "out  of the blue",
             (such as: 'legalize marijuana' or 'your  computer is
             stoned').

          3. You'd  get   some kind of message informing you that
             you are a victim  of a   virus,   or   your  machine
             would do very odd  things on  holidays  (April Fools
             Day, etc.).

          4. Your computer would suddenly no longer boot, or
             would crash without warning in ways it has never
             done before.

          5. Data files that were trashed, programs that give
             strange errors when you run them, or any message
             about the File Allocation Table or partition table
             are bad signs too.

          6. Your  computer   suddenly   started  operating  much
             slower than ever before -- for no apparent reason.

          7. Your screen spits  up  split-pea  soup and the
             monitor spins around when turned on.


     Ok, you think you're infected...now what?

          1. If you still have access to your hard disk, attempt
             to copy off the following information.  Under no
             circumstances should you overwrite an older backup.
             Create a new backup, and CLEARLY MARK IT as POSSIBLE
             VIRUS.

               a) CONFIG.SYS,  AUTOEXEC.BAT, and any  significant
                  batch files  or  configuration files that would
                  be difficult to duplicate.

               b) Any critical data files (word processing files,
                  spreadsheets, databases, text files, etc.).

               c) Look at, and ideally print, the screen of your
                  CMOS setup (on most decent computers, when you
                  boot the system a message comes up for a brief
                  instant that says something like: "Press DEL
                  for setup").  Do this, and capture this
                  information, because you don't want to lose
                  it.  In fact, you should do this BEFORE
                  anything goes wrong, so you'll have it!
                  (Specifying a wrong drive type in your CMOS
                  setup can ruin files on your system!)

               d) Note your directory structure  (try using
                  the TREE  command  and  print  it out, or
                  sketch it out).   This will make recovery
                  of any potential loss much easier.

          2. Immediately notify anybody to whom you have given
             any software or bootable disks, or whose disks
             you have even read on your computer.  If you have
             uploaded any programs to a BBS, notify the
             Sysop of that system immediately!

          3. Quarantine your computer.  Any disks that have
             been in  your  computer  should  be ASSUMED to
             have the virus on them.  By assuming the worst
             case situation, you  are  possibly saving many
             others from  getting and spreading  the virus
             even further.

          4. Bulletin Board users can be helpful.  If you are a
             member of a BBS, contact the system and describe
             your situation; someone might be able to help you.

          5. Try to identify if you were hit by a trojan or a
             virus.  If it was a trojan, there is no danger of
             it "spreading"; if it is a virus, your problems
             might just be beginning.

     What can be, and cannot be infected?

          1. Programs can be infected,  that's  all.   Data files
             cannot be infected.  Programs are anything that have
             an extension of:  EXE, COM, BAT, SYS, BIN, DRV, OVL,
             and of course the two hidden system files  that  ARE
             DOS.

          2. Data files certainly can be corrupted, damaged, or
             completely destroyed, but they cannot be infected.
             For example, if you recover a Lotus spreadsheet
             (.WK1 file), it cannot contain a virus.

          3. It is not impossible to infect programs inside an
             archive (such as .ZIP, .ARC, .ARJ, .LZH, .ZOO,
             etc.), but it is EXTREMELY unlikely, since a
             virus does not want you to know it's there
             duplicating, and to expand an archive, infect a
             file, and recompress the file is not something that
             is too likely.  Because of this ASSUMPTION you might
             want to consider all archive files "safe".  Like
             data files, they could be corrupted, but it is
             highly unlikely that they'd be infected.  Note that
             the file may have already been infected when it was
             placed into the archive.  Be sure to scan all files
             after uncompressing an archived file -- especially
             if you have been struck by a virus.

          4. Your partition table can be infected, which is very
             bad by the way, because this could destroy all
             the information on your disk.  What some viruses
             (such as the Stoned virus) do is move the
             partition table and replace it with the virus.
             While you might be able to strip out the virus, you
             will probably lose everything in the process...not
             too bad IF you have backups, but "end of the world"
             stuff if you don't.

          5. The file "COMMAND.COM" is a DOS file that your
             machine loads automatically when it starts.  Because
             it is a program (notice the .COM extension) it can
             be (and often is) infected.  This means just starting
             the machine means the virus is active.  In order to
             start the machine without any risk of the virus
             being in effect, you must boot your machine from
             a KNOWN virus-free bootable diskette (the same
             version as you use is ideal, and potentially
             required).  You might try copying COMMAND.COM to
             drive C:, and using the SYS command from drive A: to
             reinstall DOS on drive C: if it was "lost".  This
             is a temporary solution that MIGHT make your machine
             usable long enough to copy off the files mentioned
             above.

          6. Use an anti-virus program (like the shareware
             "CLEAN") to help remove a virus.  Keep in
             mind, the cure is sometimes almost as bad as
             the virus.  Salvaging as much stuff as
             possible BEFORE using a program like CLEAN is
             highly recommended.  If you can access the
             hard disk, try to copy off files; when you've
             gotten all you can, or you cannot get
             anything, THEN look to the virus-killers.


     Final thoughts...

          1. There are many different kinds of viruses.  They do
             so many different things that it is best summarized
             when I say: once you're infected, anything is
             possible.  Just asking for a DIRectory of a diskette
             might infect it.

          2. Some viruses  will  create  "bad  spots" on the hard
             disk and hide in them.  Only a low-level format will
             reclaim these phoney bad spots... seriously consider
             performing a low-level format  after  contracting  a
             virus...  especially if you have ANY  bad  spots  on
             the disk.

          3. Doing a  regular  format  will probably zap most all
             viruses (so  long  as you  are  not  using  a  virus
             infected format program).

          4. Because viruses are hard to detect WHEN you
             contracted them, remember that your backups MIGHT be
             infected.  As soon as you have restored your backup
             (using a KNOWN clean boot of DOS and a known
             clean version of the backup program), SCAN your disk
             for a virus, using a KNOWN clean version of SCAN.
             If it detects an infected file, do NOT panic:
             unless you run that file you are safe.  Delete the
             offending file, and reinstall from the original disk
             (if possible, or obtain a copy from somewhere).
             Rescan your system; if it's clean, cross your
             fingers.  If not, perhaps you were not careful, and
             ran an infected file by mistake.

          5. Final note.  There has been rumor of a virus that
             could live in the tiny bit of memory preserved
             via battery (the CMOS).  To the best of my
             knowledge no such thing exists in the IBM world.
             But if you've tried everything else, unplug your
             battery.  Leave it unplugged for 24 hours, reset
             your CMOS, and start again.













