Newsgroups: alt.comp.virus
Subject: Virus-related FAQs vs. 1.02d
Summary: ...what and where
Archive-name: virFAQs
Posting-Frequency: fortnightly.
Last-modified: Fri Nov 29 11:30 GMT 1996

Guide to Virus-related FAQs (vs. 1.02f)
---------------------------------------

Modified Nov 29th 1996

Where can you find out what you want to know about viruses when you're
in a hurry (or a panic!)? This resource lists the contents pages of
four FAQs and some ways to get hold of them, and is now being made
available as a supplement to the alt.comp.virus FAQ.

* The alt.comp.virus FAQ
* The comp.virus/Virus-L FAQ
* The macro-virus FAQ
* The alt.comp.virus mini-FAQ
* The Antiviral Software Evaluation FAQ
* Viruses and the Macintosh FAQ

I may expand this list to include other security FAQs, but this is a
low-priority project. Please notify me of any errors by e-mail.
Suggestions for other FAQs are welcome, but will be acted upon sooner
if someone else actually gathers the information. ;-)

There is an excellent Firewalls FAQ maintained by Marcus Ranum at:

   http://www.v-one.com/newpages/faq.htm

There is information on security mailing lists, security surveys etc. at:

   http://www.iss.net/

--
David Harley
Support & Security Analyst
Imperial Cancer Research Fund

------------------------------------------

1) The alt.comp.virus FAQ [version 1.02f]
   ----------------------

The latest version of the alt.comp.virus FAQ document, maintained by
David Harley, is available as follows:

(i)   It's posted to alt.comp.virus every two weeks or so.
(ii)  http://www.webworlds.co.uk/dharley/ (this is the primary source)
      ftp://ftp.icnet.uk/icrf-public/acv.FAQ
(iii) e-mail to: [temporarily withdrawn]
(iv)  FTP://ftp.gate.net/pub/users/ris1/acvfaq.zip
      http://www.drsolomon.com/
      http://www.innet.net/~ewillems/
      http://www.agora.stm.it/N.Ferri/infos.htm
(v)   America Online: (Virus Information Center: Keyword VIRUS)
(vi)  As a (single) hypertext electronic document (DOS)
      ftp.gate.net/pub/users/ris1/acvfaqht.zip
      ftp.gate.net/pub/users/ris1/acvfaq.zip
      www.webworlds.co.uk/dharley/

It's currently split into 4 sections and contains the following items.
[Though this resource is posted at the same time as the FAQ, it may
not be 100% up-to-date.]

Part 1
------

(1)  I have a virus - what do I do?
(2)  Minimal glossary
(3)  What is a virus (Trojan, Worm)?
(4)  How do viruses work?
(5)  How do viruses spread?
(6)  How can I avoid infection?
(7)  How does antivirus software work?

Part 2
------

(8)  What's the best anti-virus software (and where do I get it)?
(9)  Where can I get further information?
(10) Does anyone know about
     * Mac viruses?
     * UNIX viruses?
     * macro viruses?
     * the AOLGold virus?
     * the xyz PC virus?
     * the PKZIP300 Virus Trojan?
     * the Blem Wit virus?
     * the Irina virus?
     * Ghost +++
     * General Info on Hoaxes/Erroneous Alerts ++
     [Additions above from memory because I'm in a rush:
     caveat lector....]
(11) Is it true that...?
(12) Favourite myths
     * DOS file attributes protect executable files from infection
     * I'm safe from viruses because I don't use bulletin
       boards/shareware/Public Domain software
     * FDISK /MBR fixes boot sector viruses
     * Write-protecting suspect floppies stops infection
     * The write-protect tab always stops a disk write
     * I can infect my system by running DIR on an infected disk

Part 3
------

(13) What are the legal implications of computer viruses?

Part 4
------

(14) Miscellaneous

     Are there anti-virus packages which check zipped files?
     What's the genb/genp virus?
     Where do I get VCL and an assembler, & what's the password?
     Send me a virus.
     Is it viruses, virii or what?
     Where is alt.comp.virus archived?
     What about firewalls?
     Viruses on CD-ROM.
     Removing viruses.
     Can't viruses sometimes be useful?
     Do I have a virus, and how do I know?
     What should be on a (clean) boot disk?
     How do I know I have a clean boot disk?
     What other tools might I need?
     What are rescue disks?
     Are there CMOS viruses?
     How do I know I'm FTP-ing 'good' software?
     What is 386SPART.PAR?
     Can I get a virus to test my antivirus package with?
     When I do DIR | MORE I see a couple of files with funny names...
     Reasons NOT to use FDISK /MBR
     Why do people write/distribute viruses?
     Where can I get an anti-virus policy?
     Are there virus damage statistics?
     What is NCSA approval?
     Placeholders

---------------------------------------------------------------------

2) The VIRUS-L/comp.virus FAQ [vs. 2.00]
   --------------------------

You can get the Mk. 2 version of the VIRUS-L FAQ, maintained by
Nick FitzGerald, at

   ftp://ftp.datafellows.com/pub/misc/anti-vir/vlfaq200.zip
   ftp://cs.ucr.edu/pub/virus-l/
   http://www.drsolomon.com/

This document is subject to revision, so the filename may change in
due course.

Version 2.00 contains the following sections/items.

[Items marked with an asterisk are also in the version 1 document,
which continues to be posted on a monthly basis to the newsgroup, but
the numbering doesn't always correspond between the two versions. The
Mk. 2 version is generally more detailed than the Mk. 1. However, the
Mk. 1 may sometimes be easier to get hold of in a hurry]

Section A: Sources of Information and Antivirus Software
           (Where can I find HELP?!!)

*A1)  What is Virus-L/comp.virus?
*A2)  What is the difference between Virus-L and comp.virus?
*A3)  How do I get onto or off Virus-L/comp.virus?
*A4)  What are the guidelines for Virus-L?
*A5)  How can I get back-issues of Virus-L?
*A6)  What are the known viruses, their names, major symptoms and
      possible cures?
*A7)  Where can I get free or shareware antivirus programs?
*A8)  Where can I get more information on viruses, etc?
 A9)  Why is so much of the discussion in Virus-L/comp.virus about PCs
      and DOS? Is this forum only for the PC world?

Section B: Definitions
           (What is ...?)

*B1)  What are computer viruses (and why should I worry about them)?
 B2)  What is a Worm?
*B3)  What is a Trojan Horse?
*B4)  What are the main types of PC viruses?
*B5)  What is a stealth virus?
*B6)  What is a polymorphic virus?
*B7)  What are "fast" and "slow" infectors?
*B8)  What is a sparse infector?
*B9)  What is a companion virus?
*B10) What is an armored virus?
 B11) What is a cavity virus?
 B12) What is a tunnelling virus?
 B13) What is a dropper?
 B14) What is an ANSI bomb?
*B15) Miscellaneous Jargon and Abbreviations

Section C: Virus Detection
           (Is my computer infected? What do I do?)

*C1)  What are the symptoms and indications of a virus infection?
*C2)  What steps should be taken in diagnosing and identifying viruses?
*C3)  What is the best way to remove a virus?
*C4)  What does the virus do?
*C5)  What are "false positives" and "false negatives"?
*C6)  Can an antivirus program itself be infected?
*C7)  Where can I get a virus scanner for my Unix system?
*C8)  Why does my scanner report an infection only sometimes?
*C9)  I think I have detected a new virus; what do I do?
*C10) CHKDSK reports 639K (or less) total memory on my system; am I
      infected?
*C11) I have an infinite loop of sub-directories on my hard drive; am
      I infected?
 C12) Can a PC not running DOS be infected with a common DOS virus?
 C13) My hard-disk's file system has been garbled: Do I have a virus?

Section D: Protection Plans
           (What should I do to prepare against viruses?)

 D1)  What is the best antivirus program?
*D2)  Is it possible to protect a computer system with only software?
*D3)  Is it possible to write-protect the hard disk with software only?
*D4)  What can be done with hardware protection?
*D5)  Does setting a file's attributes to READ ONLY protect it from
      viruses?
*D6)  Do password/access control systems protect my files from viruses?
*D7)  Do the protection systems in DR DOS work against viruses?
*D8)  Does a write-protect tab on a floppy disk stop viruses?
*D9)  Do local area networks (LANs) help to stop viruses or do they
      facilitate their spread?
*D10) What is the proper way to make backups?

Section E: Facts and Fibs About Computer Viruses
           (Can a virus...?)

*E1)  Can boot sector viruses infect non-bootable DOS floppy disks?
*E2)  Can a virus hide in a PC's CMOS memory?
*E3)  Can a PC virus hide in Extended or in Expanded RAM in a PC?
*E4)  Can a virus hide in a PC's Upper Memory or its High Memory Area?
*E5)  Can a virus infect data files?
*E6)  Can viruses spread from one type of computer to another?
*E7)  Are mainframe computers susceptible to computer viruses?
*E8)  Some people say that disinfecting files is a bad idea. Is that
      true?
*E9)  Can I avoid viruses by avoiding shareware, free software or
      games?
*E10) Can I contract a virus on my PC by performing a "DIR" of an
      infected floppy disk?
*E11) Is there any risk in copying data files from an infected floppy
      disk to a clean PC's hard disk?
*E12) Can a DOS virus survive and spread on an OS/2 system using the
      HPFS file system?
*E13) Under OS/2 2.0+, could a virus infected DOS session infect
      another DOS session?
*E14) Can normal DOS viruses work under MS Windows?
 E15) Can I get a virus from reading e-mail, BBS message forums or
      USENET News?
 E16) Can a virus "hide" in a GIF or JPEG file?

Section F: Miscellaneous Questions
           (I have heard... I was just wondering...)

*F1)  How many viruses are there?
*F2)  How do viruses spread so quickly?
*F3)  What is the correct plural of "virus"? "Viruses" or "viri" or
      "virii" or "vira" or...
*F4)  When reporting a virus infection (and looking for assistance),
      what information should be included?
*F5)  How often should we upgrade our antivirus tools to minimize
      software and labor costs and maximise our protection?
 F6)  What are "virus simulators" and what use are they?
 F7)  I've heard talk of "good viruses". Is it really possible to use
      a computer virus for something useful?
 F8)  Wouldn't adding self-checking code to your programs be a good
      idea?

Section G: Specific Virus and Antivirus Software Questions...

*G1)  I was infected by the Jerusalem virus and disinfected the
      infected files with my favourite antivirus program. However,
      WordPerfect and some other programs still refuse to work. Why?
*G2)  Is my disk infected with the Stoned virus?
*G3)  I was told that the Stoned virus displays the text "Your PC is
      now Stoned" at boot time. I have been infected by this virus
      several times, but have never seen the message. Why?
*G4)  I was infected by both Stoned and Michelangelo. Why has my
      computer become unbootable? And why, each time I run my
      favourite scanner, does it find one of the viruses and say that
      it is removed, but when I run it again, it says that the virus
      is still there?
*G5)  My scanner finds the Filler and/or Israeli Boot virus in memory,
      but after I boot from a clean floppy it reports no viruses. Am I
      infected?
 G6)  I was infected with Flip and now a large part of my hard disk
      seems to have disappeared. What has happened?
 G7)  What does the GenB and/or the GenP virus do?
 G8)  How do I "boot from a clean floppy"?
 G9)  My PC diagnostic utility lists "Cascade" amongst the hardware
      interrupts (IRQs). Does this mean I have the Cascade virus?
 G10) Occasionally the text "welcome datacomp" appears in my Mac
      documents without me typing it. Is this a virus?
 G11) How good are the antivirus tools included with MS-DOS 6?
 G12) When I do a "DIR | MORE", I see two files with random names that
      are not there when I just use "DIR". On my friend's system they
      cannot be seen. Do I have a virus?
 G13) What is the ChipAway virus? (Or ChipAwayVirus?)
---------------------------------------------------------------------

3) Macro-virus FAQ [version 2.0]
   ---------------

Richard Martin maintains an FAQ on macro viruses. It is frequently
posted to alt.comp.virus, and also available from:

   ftp.gate.net/pub/users/ris1/word.faq
   http://learn.senecac.on.ca/~jeashe/hsdemonz.htm

   E-mail to Bd326@TorFree.Net
        Subject: "PLEASE SEND FAQ"
   *OR* Subject: "ADD TO MAIL LIST"
   *OR* Subject: "REMOVE FROM FAQ MAIL LIST"

   VIRUS WATCH BBS (416)654-3814

The Word macro FAQ contains the following.

TOPICS/QUESTIONS:

Preface: INTRODUCTION
=====================

1)  WHAT IS A MACRO? WHAT IS A WORD MACRO?
    1.1> WHAT IS A VIRUS?
    1.2> WHAT IS A MS WORD MACRO VIRUS?
2)  HOW DOES INFECTION OCCUR?
3)  KNOWN FEATURES AND LIMITATIONS OF THE WINWORD FAMILY OF VIRUSES
4)  VIRUS EXAMPLES
    - 4.1 - CONCEPT
    - 4.2 - NUCLEAR
    - 4.3 - COLORS
    - 4.4 - DMV
    - 4.5 - HOT * NEW *
    - 4.6 - MS WORD 2/MS WORD 6.x MACRO TROJAN WEIDEROFFEN * NEW*
    - 4.7 - AMI PRO 3.0 MACRO VIRUS GREEN STRIPE * NEW *
    - 4.8 - WORDMACRO ATOM / ATOMIC * NEW *
    - 4.9 - FORMATC MACRO TROJAN * NEW *
5)  STRATEGY FOR CLEANING AND PREVENTING WORD MACRO INFECTIONS
6)  SUGGESTED SOFTWARE:
    -PRODUCTS THAT CAN DETECT/CLEAN WINWORD VIRUSES INFECTIONS IN
     DOCUMENTS
7)  CREDITS & THANKS
8)  DISTRIBUTION INFORMATION
9)  WHERE CAN I OBTAIN UPDATED COPIES OF THIS FAQ?
10) QUESTIONS THAT STILL NEED TO BE ANSWERED...
11) DISCLAIMER

---------------------------------------------------

4) alt.comp.virus mini-FAQ [vs 1.01g at time of posting]
   -----------------------  ^^^^^^^^^^^^^^^^^^^^^^^
   BZZZZZZT! Seems to have crept up to 1.03! I'll catch up with it
   Real Soon Now.

This is maintained by George Wenzel, and contains some of the
information we'd most like people to see *before* they post
frequently-asked questions. It is posted very frequently to
alt.comp.virus, and contains

* advice on what info to include when asking for help, what to do and
  what not to do.
* pointers to information on newsgroup etiquette
* Basic answers to common questions:
  - Good Times virus hoax
  - PKZip 3.00 trojan
  - Psychic Neon Buddha Jesus 'virus'
  - where to get evaluation copies/shareware, contact info, &
    comparative reviews
  - why there are no known viruses which damage hardware
  - testing your antivirus software with the EICAR test file
  - where to get FAQs
  - where to get info on specific viruses.

--------------------------------------------------------------------

5) Antiviral Software Evaluation FAQ [alpha release 2]
   ---------------------------------

++I think this is probably well out-of-date, but I don't have time to
check the most recent version right now. RSN.......

Maintained by Robert M. Slade, who posts it to Virus-L and
alt.comp.virus. Along with "Antiviral contacts listing" (CONTACTS.LST)
and "Quick reference antiviral review chart" (QUICKREF.RVW) [the FAQ
is AVREVIEW.FAQ], obtainable from the Computer Virus SIG of the
Victoria (BC, Canada) Freenet.

   telnet://guest@freenet.victoria.bc.ca

and give the command "go virus".

"This list of questions is intended to provide a framework and
background information for review, evaluation and decisions regarding
antiviral protection software and systems."

Contents

1)  Why can't I get 100% protection?
2)  Why isn't there any one "best" antiviral?
3)  What is an activity monitor?
    3a) What are the strengths of activity monitors?
    3b) What are the weaknesses of activity monitors?
    3c) How should activity monitors be evaluated?
4)  What is authentication/change-detection software?
    4a) What are the strengths of change-detection software?
    4b) What are the weaknesses of change-detection software?
    4c) How should change-detection software be evaluated?
5)  What is a scanner?
    5a) What are the strengths of scanners?
    5b) What are the weaknesses of scanners?
    5c) How should scanners be evaluated?
6)  What is resident software?
7)  What is heuristic scanning?
8)  What is a false negative?
9)  What is a false positive?
10) How does disinfection work?
    10a) What is "generic" disinfection?
    10b) What is "heuristic generic" disinfection?
11) Can I get hardware antiviral protection?
12) Why can a "so-so" antiviral actually be harmful?
13) What aspects of an antiviral are important?
14) What aspects of an antiviral are *not* important?
15) What about "number of viruses detected"?
16) Why isn't disinfection very important?
17) Why should I support "free" software?
18) What about published reviews?
19) Where can I find published reviews?

6) Viruses and the Macintosh FAQ (draft)

Maintained by David Harley, and currently available as a draft from

   http://www.webworlds.co.uk/dharley/

++Now at release version 1.0b. Again, I don't have time to update the
contents list here right now.

Contents list as follows:

1.  Copyright Notice
2.  Preface
3.  Availability of this FAQ
4.  Mission Statement
5.  Where to get further information.
    5.1 alt.comp.virus FAQ
    5.2 VIRUS-L/comp.virus FAQ
    5.3 Disinfectant on-disk manual
    5.4 Virus Test Center, Hamburg
    5.5 'Robert Slade's Guide to Computer Viruses'
    5.6 Symantec's web page
    5.7 Virus Bulletin
    5.8 Information on macro viruses
6.  How many Mac viruses are there?
7.  What viruses can affect Mac users?
8.  What's the best antivirus package for the Macintosh?
9.  Welcome Datacomp
10. Hoaxes and myths
    10.1 Good Times virus
    10.2 Psychic Neon Buddha Jesus virus
    10.3 Modem virus
    10.4 PKZIP300 trojan virus
    10.5 Irina virus
    10.6 E-mail viruses
    10.7 JPEG/GIF viruses
11. Glossary
12. Bits to be filled in

-----------------------------------

End of Guide to Virus-related FAQs