Archive-name: computer-virus/mini-faq
Posting-Frequency: Every 7 days

            ALT.COMP.VIRUS Mini-FAQ (version 1.03)
                 Last updated October 1, 1996
   Maintained by George Wenzel <gwenzel@gpu.srv.ualberta.ca>

**Copyright notice: This document is copyrighted and may not be 
modified in any way or sold.  It may be freely distributed providing 
all sections are intact and complete.**

When asking for help, the more relevant information you give, the more
help can be returned.  It helps to:
* Run more than one anti-viral scanning program.  Some do make mistakes.
* If you're running more than one anti-virus product, please list 
  them (including version number), and say what each one said about 
  the possible virus. 
* Say what the symptoms are. If you ran some software that gave you a 
  message, tell us which package, version number, and the exact wording 
  of the message.  You *cannot* be too detailed.
* Please be as accurate as possible about the order in which events 
  happened. 
* Give any other configuration information which you think may have a bearing.
* Please consider the possibility that whatever you are seeing might *not*
  be a virus.  Not all system problems are due to viruses.  
* Note that you cannot catch a virus simply by reading certain e-mail or 
  newsgroup messages.  For a virus to spread, infected code must be run.
* Expect your reply to be posted to the newsgroup, not sent to you via e-mail.

  Don't reformat, low-level format, or use FDISK, before posting: it's most 
unlikely that this will be necessary.  Especially do not use FDISK unless 
you know EXACTLY what you're doing - you could lose access to your 
hard drive.

Don't just ask "I've got xyz virus, can anyone help me?"

  Messages asking for help posted to alt.comp.virus are more likely to 
receive a useful response if they conform to accepted standards of 
civility. The newsgroup news.announce.newusers includes information 
on good newsgroup etiquette, or try

      ftp://rtfm.mit.edu/pub/usenet/news.answers
      http://www.fau.edu/rinaldi/netiquette.html

Basic answers to common questions:

1) The Good Times virus that supposedly damages hardware is a hoax.
   A FAQ about the Good Times hoax is at:

      ftp://usit.net/pub/lesjones/good-times-virus-hoax-faq.txt
      ftp://members.aol.com/macfaq/good-times-virus-hoax-faq.txt

2) Many people have asked why alt.comp.virus is decidedly anti-virus in
   nature.  Because of the large proportion of anti-virus producers and
   end-users in the group, viruses are considered to be a poor use of 
   computer resources, and the open distribution of them to be irresponsible.

   Alt.comp.virus is not moderated, but posting of binaries, viruses, 
   and virus source code will be reported to the poster's Internet 
   Service Provider (ISP), who will take appropriate action.  Posting of this 
   sort of material is not illegal in most areas, but it often does violate 
   the agreements between users and their respective ISPs.  As a result,
   people who post this sort of material tend to have their Internet accounts
   cancelled.

3) We can't tell you definitively which is the best anti-virus software.
   Everybody has different criteria for quality, and different products
   excel in different areas.  It is more important to get a reasonably 
   good anti-virus product and to use it often than it is to worry about
   having the absolute best anti-virus product.

   There are vendor contacts and comparative reviews at:
      
      http://www.virusbtn.com/

   This is where you can see independent evaluations of various anti-virus
   software.

4) Before claiming that a "good" virus exists or could exist, it would be 
   wise to read Vesselin Bontchev's paper "Are 'good' Computer Viruses Still
   A Bad Idea", available at:

      ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/goodvir.zip

5) There are no viruses which damage hardware by modifying how the mechanical 
   parts run or their electro-magnetic characteristics.  There *are* reported 
   instances of specific hardware being damaged by the misuse of specific 
   software. A virus which exploited such a problem would have to be so 
   selective and complex that it would be unlikely to survive in the real 
   world.

6) Testing your anti-virus program with a real virus is not generally a 
   good idea.  Most reputable anti-virus packages will now trigger an alert 
   if tested with a file containing the following text:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

   and given a filename with a .COM extension. Running the file displays the 
   text "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!". Most people in the anti-virus
   community consider virus simulators unnecessary and unsuitable for this 
   task.
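
   The following Python example is added here and is not part of the 
   original FAQ.  It writes the test string above to a .COM file as raw 
   bytes and then reports whether the file is still present and unchanged; 
   the function names, status names and the tolerance for trailing 
   whitespace are assumptions of this example.

```python
import os

# The 68-character test string, copied from the FAQ text above.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Assumption of this example: trailing blanks or line ends added by an
# editor are reported separately rather than treated as damage.
PADDING = b" \t\r\n\x1a"


def check_bytes(data):
    """Compare file content against the test string."""
    expected = EICAR.encode("ascii")
    if data == expected:
        return "intact"
    if data.startswith(expected) and not data[len(expected):].strip(PADDING):
        return "padded"
    return "damaged"   # wrong case, BOM, re-encoding, truncation, ...


def write_test_file(directory, name="EICAR.COM"):
    """Write the string as raw bytes, no newline, with a .COM extension."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(EICAR.encode("ascii"))
    return path


def classify(path):
    """Say what became of a test file some time after it was written."""
    try:
        with open(path, "rb") as fh:
            return check_bytes(fh.read())
    except OSError:
        # Missing or unreadable: consistent with a scanner removing or locking it.
        return "blocked"


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        try:
            result = classify(write_test_file(tmp))
        except OSError:
            result = "blocked"   # the write itself was refused
        print("test file status:", result)
```

   A result of "blocked" is consistent with a resident scanner reacting to 
   the file; "intact" only means nothing intercepted the write, so an 
   on-demand scan of the file is still needed to test the scanner itself.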

7) There are answers to other frequently asked questions and more details
   in the following FAQs:

      alt.comp.virus FAQ - ftp://ftp.icnet.uk/icrf-public/acv.FAQ/
      comp.virus FAQ - ftp://cs.ucr.edu/pub/virus-l/vlfaq200.zip
      macrovirus FAQ - ftp://ftp.gate.net/pub/users/ris1/word.faq

8) Before you ask about what a specific virus does, try:
      
      http://www.drsolomon.com/virus/enc/enc.htm
      http://www.datafellows.com/v-descs/
      http://www.datarescue.com/avpbase/
      ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/
      http://www.metro.ch/avpve/ 

   all of which carry virus databases and links to other sites.

Disclaimer

  The authors accept no responsibility for errors or omissions, or for any 
ill effects resulting from the use of any information contained in this 
document.

Copyright Notice

  We made this information freely available, and maintain it.  Please don't
abuse our work by using it for profit without contacting the FAQ
maintainer.

Copyright (c) 1996 by the contributors.  Copyright remains with the authors.

Contributors

      Bruce Burrell (bpb@umich.edu)
      Graham Cluley (gcluley@uk.drsolomon.com)
      David Harley (harley@icrf.icnet.uk)
      Gerard Mannig (mannig@world-net.sct.fr)
      Robert Slade (roberts@decus.ca or rslade@vcn.bc.ca)
      Dr. Alan Solomon (drsolly@ibmpcug.co.uk)
      George Wenzel (gwenzel@gpu.srv.ualberta.ca)

