========
Newsgroups: alt.comp.virus
Subject: Frequently Asked Questions 4/4
From: harley@europa.lif.icnet.uk (David Harley)
Date: 22 Mar 1996 16:04:08 GMT


               alt.comp.virus (Frequently Asked Questions)
               *******************************************

                      Version 1.01c : Part 4 of 4
                     Last-modified 21st March 1996                     


                    ("`-''-/").___..--''"`-._
                     `6_ 6  )   `-.  (     ).`-.__.`)
                     (_Y_.)'  ._   )  `._ `. ``-..-'
                   _..`--'_..-_/  /--'_.' ,'
                  (il),-''  (li),'  ((!.-'




ADMINISTRIVIA
=============
	
Disclaimer
----------

This document is an honest attempt to help individuals with computer
virus-related problems and queries. It can *not* be regarded as being
in any sense authoritative, and has no legal standing. The authors
accept no responsibility for errors or omissions, or for any ill effects
resulting from the use of any information contained in this document.

Not all the views expressed in this document are mine, and those views
which *are* mine are not necessarily shared by my employer.

Copyright Notice
----------------

Copyright on all contributions to this FAQ remains with the authors
and all rights are reserved. It may, however, be freely distributed
and quoted - accurately, and with due credit. B-)

It may not be reproduced for profit or distributed in part or as
a whole with any product for which a charge is made, except with
the prior permission of the copyright holders. To obtain such permission,
please contact the maintainer of the FAQ.

	David Harley 
	************

--------------------------------------------------------------------------

TABLE OF CONTENTS
*****************

	Part 1
        ------

	(1)	I have a virus - what do I do?
	(2)	Minimal glossary
	(3)	What is a virus (Trojan, Worm)? 
	(4)	How do viruses work?
	(5)	How do viruses spread?
	(6)	How can I avoid infection?
	(7)	How does antivirus software work? 

	Part 2
	------

	(8)  	What's the best anti-virus software 
	  		(and where do I get it)?
	(9)	Where can I get further information?
	(10) 	Does anyone know about 
		* Mac viruses?
		* UNIX viruses?
		* macro viruses?
		* the AOLgold virus?
		* the xyz PC virus?
	(11)	Is it true that...?
	(12)	Favourite myths
		* DOS file attributes protect executable files from
		  infection
		* I'm safe from viruses because I don't use bulletin
		  boards/shareware/Public Domain software
		* FDISK /MBR fixes boot sector viruses
		* Write-protecting suspect floppies stops infection
		* The write-protect tab always stops a disk write
		* I can infect my system by running DIR on an infected
		  disk

	Part 3
	------

	(13) What are the legal implications of computer viruses?

----->	Part 4
	------

----->	(14)	Miscellaneous

----->	Are there anti-virus packages which check zipped files?
----->	What's the genb/genp virus?
----->	Where do I get VCL and an assembler, & what's the password?
----->	Send me a virus.
----->	Is it viruses, virii or what?
----->	Where is alt.comp.virus archived?
----->	What about firewalls?
----->	Viruses on CD-ROM.
----->	Removing viruses.
----->	Can't viruses sometimes be useful?
----->	Do I have a virus, and how do I know?
----->	What should be on a (clean) boot disk?
----->	What other tools might I need?
----->	What are rescue disks?
----->	Are there CMOS viruses?
----->	How do I know I'm FTP-ing 'good' software?
----->	What is 386SPART.PAR?
----->	Can I get a virus to test my antivirus package with?
----->	When I do DIR | MORE I see a couple of files with funny names...
----->	Reasons NOT to use FDISK /MBR
----->	Placeholders

-------------------------------------------------------------------


(14) Miscellaneous
==================

Are there anti-virus packages which check zipped files?
-------------------------------------------------------

An increasing number of packages seem to support checking .ZIP and
other compression formats on the fly. DSAVTK, AVP and NAV 3.0/NAV95
support some formats. The number of formats supported may become as
big a selling point as the total number of viruses detected, but for
most of us it's only really an issue if we do a lot of scanning of
CDs, for instance. Even then, it becomes urgent only if you *unpack*
the archive and want to run programs. Compilers of CDs, however,
are *not* entitled to use this as an excuse for not scanning their
collections.

What's the genb/genp virus?
---------------------------

This is McAfee-ese for "You may have an unrecognised ('generic') 
boot-sector (genb) or partition-sector (genp) virus". Re-check
with a more recent version or the latest version of another 
reputable package.

Where do I get VCL and an assembler, & what's the password? 
-----------------------------------------------------------

Wrong FAQ. You don't learn anything about viruses, programming
or anything else from virus toolkits. You want rec.knitting. B-)

I can't believe there's anyone left on the Internet who doesn't
know the VCL password, but I'm not going to tell you anyway.

OK, maybe you want an assembler to learn assembly-language, not
just to rehash prefabricated code. Where do you get TASM? 
You buy it from Borland or one of their agents, either stand-alone 
or with one of their high-level languages. If you want freeware
or shareware, I guess you can still get the likes of CHASM and
A86 (SimTel mirror sites in SimTel/asm).

Send me a virus
---------------

Anti-virus researchers don't usually share viruses with people
they can't trust. Pro-virus types are often unresponsive to
freeloaders. And why would you *trust* someone who's prepared
to mail you a virus, bona-fide or otherwise? [A high percentage
of the 'viruses' available over the internet are non-replicating
junk.] 

Requests for viruses by people 'writing a new anti-virus utility'
are usually not taken too seriously. 

* We get rather a lot of such requests, which leads to a certain amount
  of cynicism.
* Writing a utility to detect a single virus is one thing: writing a
  usable, stable, reasonably fast scanner which detects all known
  viruses is a considerable undertaking. There are highly experienced
  and qualified people working more or less full time on adding routines
  to do this to antivirus packages which are already mature, and unless
  you have a distinctly novel approach, you don't have much chance of
  keeping up with them. 
* It may be that the research you're interested in has already been done.
  Say what sort of information you're looking for, and someone may be able
  to help.
* You can't afford to use junk 'viruses' for research, and the best 
  collections are largely in the hands of people who won't allow
  access to them to anyone without cast-iron credentials.

If you want to test anti-virus software with live viruses, this
is *not* the way to get good virus samples. 

Valid testing of antivirus software requires a lot of time, care 
and thought and a valid virus test-set. Virus simulators are 
unhelpful in this context: a scanner which reports a virus when it 
finds one of these is actually false-alarming, which isn't 
necessarily what you want from a scanner.

Read Vesselin Bontchev's paper on maintaining a virus library:

  ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/virlib.zip


It said in a review....
-----------------------

Reviews in the general computing press are rarely useful. Most
journalists don't have the resources or the knowledge to match
the quality of the reviews available in specialist periodicals like 
Virus Bulletin or Secure Computing. Of course, it's possible to 
produce a useful, if limited assessment of a package without 
using live viruses based on good knowledge of the issues involved
(whether the package is NCSA-certified, for instance): unfortunately, 
most journalists are unaware of how little they know and have a vested
interest in giving the impression that they know much more than they
do. Even more knowledgeable writers may not make clear the criteria 
applied in their review.

Is it viruses, virii or what?
-----------------------------

The Latin root of virus has no plural form. Since the use of the 
word virus is borrowed from biology, you might like to conform to 
the usage normally favoured by biologists, doctors etc., which is 
viruses. However, a number of people favour the terms virii/viri, 
either to avoid confusion with the biological phenomenon (but what's
the point of distinguishing in the plural but not in the singular?), 
or to avoid being mistaken for anti-virus researchers..... 

Where is alt.comp.virus archived?
---------------------------------

It isn't, as far as anyone seems to know. No-one currently working on
the FAQ is likely to offer archiving, since a full archive would 
include uploaded viruses. When the FAQ is established, I may do some 
work on making an occasional digest available.

What about firewalls? 
---------------------

Firewalls don't generally screen computer viruses. However, there are
currently two products that scan for viruses at a point either before 
or after a "normal" firewall to the Internet (or internally between post
offices.)  These products can scan incoming and outgoing E-mail
attachments for viruses.  MIMESweeper, by Integralis, uses your
favorite scanner (e.g. F-PROT, Thunderbyte, Dr. Solomon's, Sophos,
etc) for scanning the viruses after it has opened up the E-Mail
attachments in a secure area on the hard drive of the NT machine.
Scanning is driven by a "batch" file, so any switches or commands the
scanner program(s) accept can be used, and several scanners can be run
with different switches. If the attachment is clean, the E-Mail is sent
on. Files which it cannot scan are 'quarantined' in the secure area to be
scanned 'by hand'. 

MIMESweeper ver. 2.1 reads MIME attachments and UUENCODE, and recognises
ZIP archives (including .ZIP files nested inside .ZIP files) and OLE, but
does not yet read many other compression or binary encoding formats (CDA,
BinHex, LHA and Stuffit are expected shortly).  It runs under NT
Workstation and requires, as a minimum, a 486 with 24Mb RAM, 500Mb hard
disk, and a CD-ROM drive (for installation only).  It works with cc:Mail,
SMTP with MIME attachments, Microsoft Mail, or MHS, and is said to be
usable as a filter for other material, such as trojans, as well as for
file viruses. (MIMEsweeper will be adding FTP and HTTP later).

[The following is included because Integralis' Sales Dept. in the UK
don't seem to have caught up with vs. 2.1 yet.]

MIMESweeper vs. 1.0 reads MIME attachments and recognises ZIP archives,
but does not read other compression formats or binary encoding 
formats such as uuencode. 

Trend's InterScan VirusWall is similar to MIMEsweeper but uses Trend's 
own scanning engine only as the scanner.  Trend also scans FTP traffic.  
Trend currently runs on SUN Solaris 2.4-5 and will be adding NT later. 

These products do real scanning before the mail hits the hard drive but,
at least until the holes in the above products are filled, make sure your
mail attachments, WWW downloads etc. can't be automatically executed, and
use a good TSR/VXD in combination with a good scanner.  Note that scanning
FTP traffic is likely to add a heavy network overhead and probably won't
catch as many viruses as checking *all* files from *all* sources with a
desktop scanner.

For firewall-related information, see comp.security, comp.security.firewalls,
or, if you don't mind your mail by the ton, the firewalls mailing-lists. 

Books: 

   Firewalls and Internet Security (Cheswick, Bellovin) - Addison-Wesley
   Building Internet Firewalls (Chapman, Zwicky) - O'Reilly

Viruses on CD-ROM 
-----------------

Viruses have been distributed on CD ROM (for instance, Microsoft 
shipped Concept, the first (in the wild) macro virus, on a CD ROM called 
"Windows 95 Software Compatibility Test" in 1995).  It is wise to scan CD 
ROMs on arrival for viruses, just like floppies.  If the CD ROM has 
compressed or archived files it is wise to scan it with an anti-virus 
package which can cope with large amounts of compressed and archived 
files. 

[If you scan all drives at every boot, though, you may find that this
gives you a good incentive to remove CDs from your CD drive before
you power down, especially if your scanner isn't set to allow you
to break out of a scan. B-)]

Removing viruses
----------------

It is always better from a security point of view to replace infected
files with clean, uninfected copies.  However, in some circumstances this 
is not convenient.  For example, if an entire network were infected with 
a fast-infecting file virus then it may be a lot quicker to run a quick 
repair with a reliable anti-virus product than to find clean, backup copies 
of the files.  It should also be realised that clean backups are not 
always available.  If a site has been hit by Nomenklatura, for example, it may 
take a long time before it is realised that you have been infected.  By 
that time the data in backups has been seriously compromised.

There are virtually no circumstances under which you should need to reformat
a hard disk, however: in general, this is an attempt to treat the symptom
instead of the cause. Likewise re-partitioning with FDISK. 

If you use a generic low-level format program, i.e. one which isn't
specifically for the make and model of drive you actually own, you
stand a good chance of trashing the drive more thoroughly than any
virus yet discovered. 

Can't viruses sometimes be useful?
----------------------------------

Vesselin Bontchev wrote a respected paper on this subject:
  ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/goodvir.zip
Fred Cohen has done some heavy-duty writing in the other direction.
Start with "A Short Course on Computer Viruses", "It's Alive!"(Wiley).

In general, it's hard to imagine a situation where (e.g.) a 
maintenance virus is the *only* option. I have yet to see a convincing 
example of a potentially useful virus which *needs* to be a virus.
Such a program would have to be *much* better written and error-trapped 
than viruses usually are.

Do I have a virus, and how do I know?
-------------------------------------

Almost anything odd a computer may do can be (and has been)
blamed on a computer "virus," especially if no other
explanation can readily be found.  In most cases, when an
anti-virus program is then run, no virus is found.

A computer virus can cause unusual screen displays, or
messages - but most don't do that.  A virus may slow the
operation of the computer - but many times that doesn't
happen.   Even longer disk activity, or strange hardware
behavior can be caused by legitimate software, harmless
"prank" programs, or by hardware faults.  A virus may cause
a drive to be accessed unexpectedly (and the drive light to
go on) - but legitimate programs can do that also.

One usually reliable indicator of a virus infection is
a change in the length of executable (*.com/*.exe) files, a
change in their content, or a change in their file date/time
in the Directory listing.  But some viruses don't infect
files, and some of those which do can avoid showing changes
they've made to files, especially if they're active in RAM.

Another common indication of a virus infection is a
change to interrupt vectors or the reassignment of system
resources.  Unaccounted use of memory or a reduction in the
amount normally shown for the system may be significant.

In short, observing "something funny" and blaming it on
a computer virus is less productive than scanning regularly
for potential viruses, and not scanning, because "everything
is running OK" is equally inadvisable.
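The file-change indicators described above (length, content, date/time) are what an integrity checker looks for. The following Python script is an added example, not part of this FAQ or of any product it mentions; the file names and contents used in demo() are constructed. It records a baseline of .COM/.EXE files and reports what has changed, including the case where a file is patched without its length or date/time changing.

```python
import hashlib
import os
import tempfile

EXECUTABLE_SUFFIXES = (".com", ".exe")


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record length, SHA-256 and modification time of every .COM/.EXE under
    root. Take the baseline and later snapshots after a clean boot: as noted
    above, a virus active in RAM can hide the changes it has made."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(EXECUTABLE_SUFFIXES):
                continue
            full = os.path.join(dirpath, fname)
            st = os.stat(full)
            entries[os.path.relpath(full, root)] = {
                "size": st.st_size, "sha256": _sha256(full), "mtime": st.st_mtime_ns}
    return entries


def compare(baseline, current):
    """Report executables added, removed or changed since the baseline, naming
    which of size / sha256 / mtime differ for each changed file."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "changed": {}}
    for rel in sorted(set(baseline) & set(current)):
        differing = [k for k in ("size", "sha256", "mtime")
                     if baseline[rel][k] != current[rel][k]]
        if differing:
            report["changed"][rel] = differing
    return report


def _write(root, name, data):
    with open(os.path.join(root, name), "wb") as f:
        f.write(data)


def demo():
    """Constructed demonstration: take a baseline, then alter files two ways."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "CMD.EXE", b"MZ" + b"\x90" * 100)
        _write(root, "TOOL.COM", b"\xe9" + b"\x00" * 50)
        _write(root, "README.TXT", b"not an executable, so not tracked")
        baseline = snapshot(root)
        # 1. Code appended to a file: length, content and date/time all change.
        with open(os.path.join(root, "CMD.EXE"), "ab") as f:
            f.write(b"APPENDED-CODE")
        # 2. One byte patched in place and the original date/time put back:
        #    length and time look untouched, only the hash gives it away.
        tool = os.path.join(root, "TOOL.COM")
        st = os.stat(tool)
        with open(tool, "r+b") as f:
            f.seek(1)
            f.write(b"\x01")
        os.utime(tool, ns=(st.st_atime_ns, st.st_mtime_ns))
        _write(root, "NEW.EXE", b"MZ")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```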

What should be on a (clean) boot disk?
--------------------------------------

To make an emergency bootable floppy disk, FORMAT A: /S with a disk 
in drive A: of the proper "density" for the drive. I'd suggest you also 
COPY these commands from C:\DOS to it: ATTRIB, CHKDSK (or SCANDISK if you 
have DOS6), FDISK, FORMAT, SYS, and BACKUP and RESTORE (or whatever backup
program you use, if it will fit).  They may come in handy if you can't 
access the hard disk, or it won't boot up.

The boot disk should have been created with the same version of DOS as
you have on your hard disk.  It should also include any drivers necessary
to access your hard disk and other devices.  If you become virus-infected
it can be very helpful to have backup of your hard disk's boot sector and
partition sector (also known as MBR).  Other useful tools to include are a
small DOS-based text editor (for editing AUTOEXEC.BAT, CONFIG.SYS and so
forth), a copy of the DOS commands COMP or FC (for comparing files),
FDISK and SYS (make sure they are from the same version of DOS as you are
booting).  There is a school of thought that your boot disk should also
include your anti-virus software.  The problem with this is that
anti-virus software should be updated frequently, and you may forget to
update your boot disk each time.  Ideally you will have been sent a
clean, write-protected copy of the latest version of your anti-virus
software by your anti-virus vendor.

If you want to use the DOS program EDIT, remember that you need both
EDIT.* and QBASIC.* on the same disk.

What other tools might I need?
------------------------------

Other suggestions have included a sector editor, and Norton Utilities 
components such as Disk Doctor (NDD). These are not suitable for use by
the technically-challenged - any tool which can manipulate disks at a
low-level is potentially dangerous. If you do use tools like this, make
sure they're good quality and up-to-date. If you attack a 1Gb disk with
a package that thinks 32Mb is the maximum for a partition and MFM disk
controllers are leading edge, you're in for trouble....

A copy of PKZIP/PKUNZIP or similar compression/decompression utility may 
be useful both for retrieving data and for cleaning (some) stealth viruses. 
The MSD diagnostic tool supplied with recent versions of DOS and Windows 
is a useful addition. QEMM includes a useful diagnostic tool called 
Manifest. Heavy duty diagnostic packages like CheckIt! may be of use. 
There are some useful shareware/freeware diagnostic packages, too.

Obviously, these are not all going to go on one bootdisk. When you 
prepare a toolkit like this, make sure *all* the disks are 
write-protected!

Tech support types are likely to find that an assortment of bootable
disks including various versions of DOS comes in useful on occasion.
If you have one or two non-Microsoft DOS versions (DR-DOS/Novell DOS
or PC-DOS), they can be a useful addition. DoubleSpaced or similar
drives will need DOS 6.x; Stacked drives will need appropriate 
drivers loaded.

What are rescue disks?
----------------------

Many antivirus and disk repair utilities can make up a (usually 
bootable) rescue disk for a specific system. This needs a certain
amount of care and maintenance, especially if you make up more than
one of these for a single PC with more than one utility. Make sure
you update *all* your rescue disks when you make a significant
change, and that you understand what a rescue disk does and how it
does it before you try to use it. Don't try to use a rescue disk
made up on one PC on another PC, unless you're very sure of what 
you're doing: you may lose data.

Are there CMOS viruses?
-----------------------

Although a virus (e.g. antiCMOS) CAN write to (and corrupt) a 
PC's CMOS memory, it can NOT "hide" there.  The CMOS memory 
used for system information (and backed up by battery power) is 
not "addressable," and requires Input/Output ("I/O") instructions 
to be usable.

Data stored there are not loaded from there and executed, so virus 
code written to CMOS memory would still need to infect an 
executable program in order to load and execute whatever it wrote.

A virus could use CMOS memory to store part of its code,
and some tamper with the CMOS Setup's values.  However,
executable code stored there must first be moved to
DOS memory in order to be executed.  Therefore, a virus
can NOT spread from, or be hidden in, CMOS memory.

[There are also reports of a trojanized AMI BIOS - this is 
not a virus, but a 'joke' program which does not replicate.
If the date is 13th of November, it stops the bootup process  
and plays 'Happy Birthday' through the PC speaker. In this 
case, the only cure is a new BIOS - contact your dealer.]

[There are also reports of a trojanized 3rd-party keyboard
which puts the string 'Welcome to Datacomp' to the console,
if I can use such archaic terminology in a Mac context B-)
- both the Virus-L FAQ versions include information on this.]

How do I know I'm FTP-ing 'good' software?
------------------------------------------

Reputable sites like SimTel and Garbo check uploaded utilities for
viruses before making them publicly available. However, it makes
sense not to take anything for granted. I'm aware of at least one
instance of a virus-infected file being found on a SimTel mirror:
you can't scan a newly-uploaded file for a virus your scanner 
doesn't know about. Good A/V packages include self-checking code, 
though it's unsafe to depend even on this 100%. Be paranoid: you
know it makes sense....

In general, don't run *anything* downloaded from the Internet,
BBSs etc. until it's been checked with at least one reputable
and up-to-date antivirus scanner.

What is 386SPART.PAR?
---------------------

People are sometimes alarmed at finding they have a hidden file
with this name. It is, in fact, created by Windows 3.x when you
configure it to use a permanent swap file (a way of allowing Windows
to work as if you had more memory than you really do). On no account 
should you delete it, as it will upset your configuration. If you wish
to remove it or adjust the size, do so via the 386 Enhanced 
setting in Control Panel. Bear in mind that a permanent swap file usually
improves performance on a machine with relatively little memory.
The file is not executable as such, and reports of virus infection
are usually false positives.

Can I get a virus to test my antivirus package with?
----------------------------------------------------

Well, I won't send you one... Most packages have some means of allowing
you to trigger a test alert. There is a standard EICAR test file which
is recognized by F-Prot and Dr. Solomon's AntiVirus ToolKit, and possibly
other antivirus packages.

Type or copy/paste the following text into a file called EICAR.COM,
or TEST.COM or whatever.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Running the file displays the text EICAR-STANDARD-ANTIVIRUS-TEST-FILE.

Scanning the file with one of the components of these packages should 
trigger an alert.
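As an added illustration (not code from this FAQ or from any of the packages named in it), here is a minimal signature scanner in Python that also opens ZIP archives, including .ZIP files nested inside .ZIP files, as discussed under "Are there anti-virus packages which check zipped files?" above. The signature table and the sample archive are constructed placeholders; the EICAR string quoted above could be added to the table to exercise the scanner with the standard test file.

```python
import io
import zipfile

# Constructed signature table: placeholder byte patterns standing in for the
# signatures a real scanner carries (the EICAR string quoted in this FAQ could
# be added as a further entry).
SIGNATURES = {
    b"CONSTRUCTED-TEST-SIGNATURE-ALPHA": "Test.Alpha",
    b"CONSTRUCTED-TEST-SIGNATURE-BRAVO": "Test.Bravo",
}
MAX_DEPTH = 4                  # how many archive layers to open
MAX_MEMBER = 16 * 1024 * 1024  # refuse to inflate members larger than this


def _scan(data, name, depth, max_depth, hits, unscanned):
    for pattern, label in SIGNATURES.items():
        if pattern in data:
            hits.append((name, label))
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return  # plain file: its raw bytes were checked above
    if depth >= max_depth:
        unscanned.append((name, "archive not opened at nesting depth %d" % depth))
        return
    buf.seek(0)
    try:
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                path = name + "!" + info.filename
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER:
                    unscanned.append((path, "member larger than MAX_MEMBER"))
                    continue
                _scan(zf.read(info), path, depth + 1, max_depth, hits, unscanned)
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError) as exc:
        # Corrupt, encrypted or unsupported archives are reported, not ignored:
        # as with MIMESweeper above, what cannot be scanned belongs in quarantine.
        unscanned.append((name, exc.__class__.__name__))


def scan_bytes(data, name="<data>", recurse=True):
    """Scan one file image held in memory.

    Returns (hits, unscanned). hits are (path, signature name) pairs, with
    '!' separating archive levels in path. recurse=False checks only the raw
    bytes, which is all a scanner without archive support ever sees."""
    hits, unscanned = [], []
    _scan(data, name, 0, MAX_DEPTH if recurse else 0, hits, unscanned)
    return hits, unscanned


def build_sample():
    """Constructed input: a marked .COM image inside a ZIP inside another ZIP.
    Deflate hides the marker from a raw-bytes scan of the outer file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.TXT", "harmless text")
        zf.writestr("TOOL.COM", b"\xe9\x00\x00"
                    + b"CONSTRUCTED-TEST-SIGNATURE-ALPHA" + b"\x00" * 256)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("INNER.ZIP", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for recurse in (True, False):
        print("recurse=%s:" % recurse, scan_bytes(build_sample(), "SAMPLE.ZIP", recurse))
```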

There has been a long thread recently on whether the Rosenthal 
Simulator is useful for this sort of job. This will be considered
at length here when I have the time to look at it, but it should be
noted that many of the anti-virus researchers who have contributed
to this document have expressed considerable scepticism.

When I do DIR | MORE I see a couple of files with funny names...
----------------------------------------------------------------

Actually, this is in the Virus-L FAQ. Read that and post the question
to comp.virus or alt.comp.virus if you're still worried. Basically,
the answer is that MORE creates a couple of temporary files, being
considerably less efficient than the Unix utility it attempts to
emulate. Most versions of DOS since the Middle Ages support the
syntax DIR /P, which does the same job less messily. In fact,
if you have a version of DOS later than 5, you might consider
incorporating it into the environment variable DIRCMD, so that it
becomes your default on directory listings which exceed 1 screenful.

Of course, other utilities such as ATTRIB can also be filtered through
MORE like this, which may result in similar symptoms.

------------------------------------------------------------

Reasons NOT to use FDISK /MBR
-----------------------------

See Section 12 in part 2 of this FAQ for further information about FDISK
with the undocumented /MBR switch. However, people with virus problems
are frequently advised, out of ignorance or maliciousness, to use this 
switch in circumstances where it can lead to an inability to access your
disk drive and possible loss of data (not to mention hair and sanity).

Essentially, you should avoid using FDISK /MBR unless you have it on good 
authority that it's safe and necessary to do so. In most circumstances, it's
safer to clean a partition sector with a good anti-virus program.

You should avoid FDISK /MBR at all costs under the following circumstances:

1. Under an infection of viruses that don't preserve the Partition Table
   e.g., Monkey, reported at 7.2% of the infections reported to _Virus
   Bulletin_ for December '95, the last report for which I have data
2. Under an infection that encrypts data on the hard drive and keeps
   the key in the MBR, e.g., One_half, reported at 0.8% worldwide
3. When security software, e.g., PC-DACS is in use
4. When a driver like Disk Manager or EZDrive is installed
5. When a controller that stores data in (0,0,1) is in use
6. When more than one BSI virus is active, in some conditions
7. When a data diddler is active, e.g. Ripper, accountable for 3.8% of
   the infections reported in the study cited above  (N.B.: while this
   case won't be fixed by AV utilities, at least one will know why
   there are problems with the drive)
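As an added example (not from this FAQ), the Python below parses a master boot record, checks that its partition table is sane, and models a boot-code-only rewrite of the kind FDISK /MBR is relied on for, assumed here to replace bytes 0 to 445 and leave the table and signature untouched. The healthy and damaged sectors are constructed; the damaged one stands for case 1 above, a table that was not preserved, which rewriting the boot code does not restore.

```python
import struct

SECTOR = 512
BOOT_CODE_SIZE = 446      # bytes 0..445: bootstrap code
TABLE_OFFSET = 0x1BE      # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_table(mbr):
    """Decode the four entries: boot flag, type, LBA start and sector count
    (the CHS fields are skipped; LBA is enough for the checks below)."""
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        start, length = struct.unpack_from("<II", mbr, off + 8)
        entries.append({"boot": mbr[off], "type": mbr[off + 4],
                        "start": start, "length": length})
    return entries


def check_mbr(mbr):
    """Return the reasons a sector does not look like a usable MBR for a disk
    that is booted from; an empty list means it passed these checks."""
    if len(mbr) != SECTOR:
        return ["wrong length %d" % len(mbr)]
    problems = []
    if mbr[510:512] != SIGNATURE:
        problems.append("55AA signature missing")
    used = [e for e in parse_table(mbr) if e["type"] != 0]
    if not used:
        problems.append("partition table empty")
    if sum(1 for e in used if e["boot"] == 0x80) != 1:
        problems.append("not exactly one partition flagged bootable")
    for e in used:
        if e["boot"] not in (0x00, 0x80):
            problems.append("invalid boot flag 0x%02x" % e["boot"])
        if e["start"] == 0 or e["length"] == 0:
            problems.append("type 0x%02x entry has zero start or length" % e["type"])
    spans = sorted((e["start"], e["start"] + e["length"]) for e in used)
    if any(s2 < e1 for (_, e1), (s2, _) in zip(spans, spans[1:])):
        problems.append("partitions overlap")
    return problems


def rewrite_boot_code(mbr, new_code):
    """Model of a boot-code-only rewrite (assumed here to be what FDISK /MBR
    does): bytes 0..445 are replaced, the table and signature are kept."""
    if len(new_code) > BOOT_CODE_SIZE:
        raise ValueError("boot code does not fit in %d bytes" % BOOT_CODE_SIZE)
    return new_code.ljust(BOOT_CODE_SIZE, b"\x00") + mbr[BOOT_CODE_SIZE:]


def build_mbr(entries, code=b"\xfa\x33\xc0"):
    """Constructed sector from (boot, type, start, length) tuples; CHS zeroed."""
    table = b"".join(struct.pack("<B3xB3xII", boot, ptype, start, length)
                     for boot, ptype, start, length in entries).ljust(64, b"\x00")
    return code.ljust(BOOT_CODE_SIZE, b"\x00") + table + SIGNATURE


def healthy_mbr():
    """Constructed: one bootable DOS partition and one extended partition."""
    return build_mbr([(0x80, 0x06, 63, 2000000), (0x00, 0x05, 2000063, 100000)])


def table_not_preserved():
    """Constructed model of case 1 above: the bytes at 0x1BE are no longer a
    partition table, because the infection kept the real one elsewhere."""
    mbr = bytearray(healthy_mbr())
    mbr[TABLE_OFFSET:TABLE_OFFSET + 64] = bytes(range(0x41, 0x41 + 64))
    return bytes(mbr)


if __name__ == "__main__":
    print("healthy:", check_mbr(healthy_mbr()))
    print("damaged:", check_mbr(table_not_preserved()))
    print("damaged after boot-code rewrite:",
          check_mbr(rewrite_boot_code(table_not_preserved(), b"\xfa")))
```

A rewrite only helps when the table is intact and the problem is confined to the boot code, which is why the conditions listed above call for a proper anti-virus clean instead.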


Placeholders
------------

[How do I know I have a clean boot disk?]

I made some exhaustive notes on this a few months back. Can I find
them now? No. Will I write them up again? Sometime....

The Virus-L FAQ includes some relevant info, though.

[Problems with PC disks in Macs and vice versa]
An altogether expanded Mac section could be quite nice.

[nomenclature]
This merits lots of discussion. However, life may be too short...

------------------------------------------------------------

End of a.c.v. FAQ Part 4 of 4



