Archive-name: computer-virus/mini-faq
Posting-Frequency: Every 10 days

                 ALT.COMP.VIRUS Mini-FAQ (version 1.02)

   Maintained by George Wenzel <gwenzel@gpu.srv.ualberta.ca>

**Copyright notice: This document is copyrighted and may not be 
modified in any way or sold.  It may be freely distributed providing 
all sections are intact and complete.**

When asking for help, the more relevant information you give, the more
help can be returned.  It helps to:
* Run more than one anti-viral scanning program.  Some do make mistakes.
* If you're running more than one anti-virus product, please list 
  them (including version number), and say what each one said about 
  the possible virus. 
* Say what the symptoms are. If you ran some software that gave you a 
  message, tell us which package, version number, and the exact wording 
  of the message.  You *cannot* be too detailed.
* Please be as accurate as possible about the order in which events 
  happened. 
* Give any other configuration information which you think may have a bearing.
* Please consider the possibility that whatever you are seeing might *not*
  be a virus.  Not all system problems are due to viruses.  
* Note that you cannot catch a virus simply by reading certain e-mail or 
  newsgroup messages.  For a virus to spread, infected code must be run.
* Expect your reply to be posted to the newsgroup, not sent to you via e-mail.

  Don't reformat, low-level format, or use FDISK before posting: it's most 
unlikely that this will be necessary.  Especially do not use FDISK unless 
you know EXACTLY what you're doing - you could lose access to your 
hard drive.

Don't just ask "I've got xyz virus, can anyone help me?".

  Messages asking for help posted to alt.comp.virus are more likely to 
receive a useful response if they conform to accepted standards of 
civility. The newsgroup news.announce.newusers includes information 
on good newsgroup etiquette, or try

      ftp://rtfm.mit.edu/pub/usenet/news.answers
      http://www.fau.edu/rinaldi/netiquette.html

Basic answers to common questions:

1) The Good Times virus that supposedly damages hardware is a hoax.
   A FAQ about the Good Times hoax is at:

      ftp://usit.net/pub/lesjones/good-times-virus-hoax-faq.txt
      ftp://members.aol.com/macfaq/good-times-virus-hoax-faq.txt

2) We know about the PKZIP 3.00 trojan.  It is not in the wild, nor is 
   it likely to be.  

3) We can't tell you definitively which is the best anti-virus software.
   Many freeware/shareware DOS antivirus programs are available from the
   Simtel.Net archive.  This collection of software is available via
   anonymous FTP from ftp.simtel.net, with antivirus software in the
   directory /pub/simtelnet/msdos/virus.  Note that the Simtel.Net archive
   is "mirrored" at many anonymous FTP sites--so many, in fact, that you should
   check the regularly updated listing of them at
   http://www.simtel.net/simtel.net/mirrors.txt to find the site nearest you 
   before downloading.

   There are vendor contacts and comparative reviews at
      
      http://www.virusbtn.com/

   This is where you can see independent evaluations of various anti-virus
   software.

4) There are no viruses which trash monitors or hard drives by modifying
   how the mechanical parts run or their electro-magnetic characteristics. 
   There *are* reported instances of specific hardware being damaged by the 
   misuse of specific software. A virus which exploited such a problem would 
   have to be so selective and complex that it would be unlikely to survive 
   in the real world.

5) Testing your anti-virus program with a real virus is not generally a 
   good idea. Most reputable anti-virus packages will now trigger an alert 
   if tested with a file containing the following text:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

   and given a filename with a .COM extension. Running the file displays the 
   text EICAR-STANDARD-ANTIVIRUS-TEST-FILE. Most people in the anti-virus
   community consider virus simulators unnecessary and unsuitable for this 
   task.
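
   An added example (not part of the original FAQ) of preparing the test
   file from item 5 and checking whether a given file still qualifies as
   one. The function names and the EICAR.COM filename are assumptions; the
   trailing-whitespace and 128-byte limits come from EICAR's published
   definition of the test file, not from this FAQ.

```python
import os

# The 68-byte string from item 5, split in two so that an on-access scanner
# does not flag this source file itself.
EICAR = (rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         rb"ANTIVIRUS-TEST-FILE!$H+H*")

# EICAR's definition: the string may be followed only by these whitespace
# bytes (space, tab, CR, LF, Ctrl-Z), and the whole file must not exceed 128.
ALLOWED_TRAILER = b" \t\r\n\x1a"
MAX_LEN = 128


def why_not_detected(data: bytes) -> str:
    """Return the reason a scanner may ignore this file, or '' if it is valid."""
    if not data.startswith(EICAR):
        return "does not start with the 68-byte test string"
    if len(data) > MAX_LEN:
        return "longer than 128 bytes"
    if any(b not in ALLOWED_TRAILER for b in data[len(EICAR):]):
        return "non-whitespace bytes after the test string"
    return ""


def is_valid_test_file(data: bytes) -> bool:
    return why_not_detected(data) == ""


def write_test_file(directory: str, name: str = "EICAR.COM") -> str:
    """Write the test file in binary mode so no newline is appended."""
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(EICAR)
    return path


if __name__ == "__main__":
    # Constructed samples: a clean copy, an editor-saved copy, an embedded copy.
    for sample in (EICAR, EICAR + b"\r\n", b"header " + EICAR):
        print(len(sample), why_not_detected(sample) or "valid test file")
```

   A scanner that stays silent on a file rejected by why_not_detected is
   behaving correctly, so check the file before concluding that the
   scanner is not working.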

6) There are answers to other frequently asked questions in the
   following FAQs:

      alt.comp.virus FAQ - ftp://ftp.icnet.uk/icrf-public/acv.FAQ/
      comp.virus FAQ - ftp://cs.ucr.edu/pub/virus-l/vlfaq200.zip
      macrovirus FAQ - ftp://ftp.gate.net/pub/users/ris1/word.faq

A shorter version of the comp.virus FAQ is posted monthly to comp.virus.
The other two are posted more or less regularly to alt.comp.virus.

7) Before you ask about what a specific virus does, try:
      
      http://www.drsolomon.com/virus/enc/enc.htm
      http://www.datafellows.com/v-descs/
      http://www.datarescue.com/avpbase/
      ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/
      http://www.metro.ch/avpve/ 

   all of which carry virus databases and links to other sites.

8) JavaScript has many interesting properties, but virus detection is not
   one of them. The Psychic Neon Buddha Jesus virus is a joke, and is not 
   a real virus.

Disclaimer

  The authors accept no responsibility for errors or omissions, or for any 
ill effects resulting from the use of any information contained in this 
document.

Copyright Notice

  We made this information freely available, and maintain it.  Please don't
abuse our work by using it for profit without contacting the FAQ
maintainer.

Copyright (c) 1996 by the contributors.  Copyright remains with the authors.

Contributors

      Bruce Burrell (bpb@umich.edu)
      Graham Cluley (gcluley@uk.drsolomon.com)
      David Harley (harley@icrf.icnet.uk)
      Gerard Mannig (mannig@world-net.sct.fr)
      Robert Slade (roberts@decus.ca or rslade@vcn.bc.ca)
      Dr. Alan Solomon (drsolomon@drsolomon.com)
      George Wenzel (gwenzel@gpu.srv.ualberta.ca)

 ("`-''-/").___..--''"`-._       George Wenzel
  `6_ 6  )   `-.  (    ).`-.__.`)<gwenzel@gpu.srv.ualberta.ca>
  (_Y_.)'  ._   )  `._ `.``-..-' Student of Wado Kai Karate
 _..`--'_..-_/  /--'_.' ,'       U of A Karate Club
(il),-''  (li),'  ((!.-'         http://www.ualberta.ca/~gwenzel/

