Archive-name: computer-virus/mini-faq
Posting-Frequency: Every 7 days
URL: http://www.faqs.org/faqs/computer-virus/mini-faq/
Maintainer: George Wenzel

ALT.COMP.VIRUS Mini-FAQ (version 1.13)
Last updated May 17, 1997

Messages asking for help posted to alt.comp.virus are more likely to
receive a useful response if they conform to accepted standards of
civility. The news group news.announce.newusers includes information
on good news group etiquette.

Don't reformat, low-level format, or use FDISK before posting: using
DOS utilities to remove viruses is not necessary. Especially do not
use FDISK unless you know EXACTLY what you're doing - you could lose
access to your hard drive.

Please, don't just ask "I've got a virus, can anyone help me?" When
asking for help, the more relevant information you give, the more
help can be returned. It helps to:

* Run more than one anti-virus program. Some do make mistakes.

* When reporting the output of anti-virus programs, please list them
  (name and version number), and say what each one said about the
  possible virus. Posting the exact output can be helpful.

* Say what the symptoms are. You *cannot* be too detailed. Include
  things like CPU, RAM(size), Disk(size), BIOS (name and date), and
  Operating System. Be as specific as possible.

* Please consider the possibility that whatever you are seeing might
  _not_ be a virus. Many system problems are not virus related.

* Note that you cannot catch a virus simply by reading certain e-mail
  or newsgroup messages. For a virus to spread, infected code must be
  run.

* If you want an e-mail reply to your post, be sure to state that you
  will post a summary of the responses to the group.

Basic answers to common questions:

1) The following "viruses" are in fact hoaxes: "Good Times",
"Deeyenda", "Irina", and "Penpal Greetings". Information about these
hoaxes and more can be found at http://www.kumite.com/myths/

2) Many people have asked why alt.comp.virus is decidedly anti-virus
in nature.
Because of the large proportion of anti-virus producers and end-users
in the group, viruses are considered to be poor use of computer
resources, and the open distribution of them to be irresponsible.

Binaries are not welcome in UseNet discussion newsgroups.
Alt.comp.virus is a discussion newsgroup, so the posting of binaries
is often met with opposition and complaints to ISPs. In addition, the
majority of a.c.v. readers do not want virus source code or binaries
to be posted in this newsgroup. Should you post such material, you
should be aware that some of those readers will complain to your ISP
about it. For your own sake, check your ISP's policies regarding
posting such material to newsgroups before risking your account.

3) We can't tell you definitively which is the best anti-virus
software. Everybody has different criteria for quality, and different
products excel in different areas. It is more important to get a
reasonably good anti-virus product and to use it often than it is to
worry about having the absolute best anti-virus product.

For maximum protection, it is generally recommended that more than
one kind of anti-virus program be used. Scanners are generally used
as a front-line defense, but they must be updated regularly. Generic
anti-virus programs can be of use since they do not need updating as
often, and they can catch new viruses that a scanner might miss.

There are vendor contacts and comparative reviews at:
http://www.virusbtn.com/

4) Before claiming that a "good" virus exists or could exist, it
would be wise to read Vesselin Bontchev's paper "Are 'good' Computer
Viruses Still A Bad Idea", available at:
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/goodvir.zip

5) There are no viruses which damage hardware by modifying how the
mechanical parts run or their electro-magnetic characteristics. There
*are* reported instances of specific hardware being damaged by the
misuse of specific software.
A virus which exploited such a problem would have to be so selective
and complex that it would be unlikely to survive in the real world.

6) Testing your anti-virus program with a real virus is not generally
a good idea. Most reputable PC anti-virus packages will now trigger
an alert if tested with a file containing the following text:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

and given a filename with a .COM extension (note that this does not
work on a Macintosh). Running the file displays the text
"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!". Most people in the anti-virus
community consider virus simulators unnecessary and unsuitable for
this task.

7) There are answers to other frequently asked questions and more
details in the other virus FAQs. They are available at
http://www.webworlds.co.uk/dharley/

8) Before you ask about what a specific virus does, try:

   http://www.drsolomon.com/vircen/enc/
   http://www.datafellows.com/v-descs/
   http://www.datarescue.com/avpbase/
   ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/
   http://www.metro.ch/avpve/
   http://www.mcafee.com/support/techdocs/vinfo/index.html

all of which carry virus databases and links to other sites.

Disclaimer:

The authors accept no responsibility for errors or omissions, or for
any ill effects resulting from the use of any information contained
in this document.

Copyright Notice

We made this information freely available, and maintain it. Please
don't abuse our work by using it for profit without getting
permission from the FAQ maintainer.

Copyright (c) 1997

Contributors:

   Bruce Burrell
   Graham Cluley
   David Harley
   Gerard Mannig
   A. Padgett Peterson
   Robert Slade
   Dr. Alan Solomon
   Pierre Vandevenne
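
Added example (not part of the original FAQ): a Python sketch of the check described in item 6, which writes the EICAR test string to a .COM file and reports whether the file is still there afterwards. The function names, the EICAR.COM file name, the wait time and the meaning attached to each status are assumptions made for illustration; in particular it is assumed that a resident scanner reacts by removing the file or denying access to it.

```python
import os
import tempfile
import time

# The 68-byte test string exactly as quoted in item 6 of the FAQ.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def write_test_file(directory, name="EICAR.COM"):
    """Write the test string to a .COM file and return its path."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(EICAR)
    return path


def check_test_file(path, wait_seconds=0.0):
    """Report what happened to the test file after an optional wait.

    Returns one of:
      "intact"  - file still present with the original bytes
      "removed" - file is gone (assumed: scanner deleted or quarantined it)
      "blocked" - file exists but cannot be read (assumed: access denied)
      "altered" - file is readable but its contents changed
    """
    time.sleep(wait_seconds)
    if not os.path.exists(path):
        return "removed"
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return "blocked"
    return "intact" if data == EICAR else "altered"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        try:
            target = write_test_file(tmp)
            # Give a resident scanner a few seconds to react before checking.
            print(target, "->", check_test_file(target, wait_seconds=5))
        except OSError as exc:
            # Assumed: a resident scanner may refuse the write itself.
            print("write blocked:", exc)
```

A result of "intact" only means nothing reacted within the wait; it says nothing about a scanner that is run on demand.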