[Comp.Sci.Dept, Utrecht] Note from archiver<at>cs.uu.nl: This page is part of a big collection of Usenet postings, archived here for your convenience. For matters concerning the content of this page, please contact its author(s); use the source, if all else fails. For matters concerning the archive as a whole, please refer to the archive description or contact the archiver.

Subject: Mini-FAQ: alt.comp.virus

This article was archived around: 12 Mar 2000 09:55:04 GMT

All FAQs in Directory: computer-virus
All FAQs posted in: alt.comp.virus, comp.virus
Source: Usenet Version


Archive-name: computer-virus/mini-faq
Posting-Frequency: Every 7 days
ALT.COMP.VIRUS Mini-FAQ (version 1.2)
Last updated August 23, 1999
Maintained by George Wenzel <gwenzel@telusplanet.net>

Messages asking for help posted to alt.comp.virus are more likely to receive a useful response if they conform to accepted standards of civility. The newsgroup news.announce.newusers includes information on good newsgroup etiquette.

Don't reformat, low-level format, or use FDISK in an effort to remove a virus. Using DOS utilities to remove viruses is not necessary. Especially do not use FDISK unless you know EXACTLY what you're doing; you could lose access to your hard drive. It is always preferable, if at all possible, to use an anti-virus product to remove a virus. If anything, it's safer.

Please, don't just ask "I've got a virus, can anyone help me?" When asking for help, the more relevant information you give, the more help can be returned. It helps to:

* Run more than one anti-virus program. Anti-virus programs do give false alarms once in a while (some more than others).
* When reporting the output of anti-virus programs, please list them (name and version number), and say what each one said about the possible virus. Posting the exact output can be helpful.
* Please consider the possibility that whatever you are seeing might not be a virus. Many system problems are not virus related.
* Note that you cannot catch a virus simply by reading certain e-mail or newsgroup messages. For a virus to spread, infected code must be run.

Basic answers to common questions:

1) The following "viruses" are in fact hoaxes (warnings about viruses that do not, or cannot, exist):

* "Good Times"
* "Deeyenda Maddick"
* "Irina"
* "Penpal Greetings"
* "Join the Crew"
* "Returned or Unable to Deliver"
* "NaughtyRobot"
* "It takes guts to say Jesus"
* "Win a Holiday"

As a general rule, any "Virus Warning" that you receive unexpectedly in your e-mailbox and that asks you to pass the message along (similar to a chain letter) is highly likely to be a hoax. Information about these hoaxes and more can be found at the Computer Virus Myths Website: http://www.kumite.com/myths/

2) Many people have asked why alt.comp.virus is decidedly anti-virus in nature. Because of the large proportion of anti-virus producers and end users in the group, viruses are considered to be a poor use of computer resources, and the open distribution of them to be irresponsible. Binaries are not welcome in Usenet discussion newsgroups. Alt.comp.virus is a discussion newsgroup, so the posting of binaries is often met with opposition and complaints to ISPs. Alt.comp.virus exists for the discussion of computer viruses, not their distribution. The majority of a.c.v. readers do not want virus source code or binaries to be posted in this newsgroup. Should you post such material, you should be aware that some of those readers will complain to your ISP about it. For your own sake, check your ISP's policies regarding posting such material to newsgroups before risking your account.

3) There is no such thing as the "best" anti-virus software. Everybody has different criteria for quality, and different products excel in different areas. It is more important to get a reasonably good anti-virus product and to use it often than it is to worry about having the absolute best anti-virus product. For maximum protection, it is generally recommended that more than one kind of anti-virus program be used. Scanners are generally used as a front-line defense, but they must be updated regularly. Generic anti-virus programs can be of use since they do not need updating as often, and they can catch new viruses that a scanner might miss.
Independent comparative reviews can be found at the following sites:

_Virus Bulletin_ http://www.virusbtn.com/
_Secure Computing_ http://www.westcoast.com/
University of Tampere http://www.uta.fi/laitokset/virus/
University of Hamburg ftp://ftp.informatik.uni-hamburg.de/pub/virus/ and http://agn-www.informatik.uni-hamburg.de/vtc/naveng.htm

4) Before claiming that a "good" virus exists or could exist, it would be wise to read Vesselin Bontchev's paper "Are 'Good' Computer Viruses Still A Bad Idea", available at: ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/goodvir.zip

5) There are no viruses which damage hardware by modifying how the mechanical parts run or their electro-magnetic characteristics. There *are* reported instances of specific hardware being damaged by the misuse of specific software. No known viruses damage hardware, and despite many suggestions to the contrary, it is unlikely that one will ever exist. That said, there is a virus (CIH) which corrupts a system BIOS, which is not hardware damage, but is as difficult to fix. With a corrupt BIOS, it is not possible for the system to start; the BIOS chip would need to be returned to the factory to get re-programmed. Hardware write protection of the BIOS should be used whenever possible, as should current anti-virus software.

6) Testing your anti-virus program with a real virus is not generally a good idea. Most reputable anti-virus packages will now trigger an alert if they scan a file beginning with the following text:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

To make this file, copy the above text string into a text file using the DOS edit program or Windows Notepad, and save it with a .com extension. Virtually all Windows anti-virus programs and commercial Macintosh anti-virus programs can recognise this test file. Running the file displays the text "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".
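A small Python script, added here as an example and not part of the original FAQ, that builds the EICAR test file from item 6 and applies the same check a scanner does (does the file begin with the string?). The 128-byte trailing-whitespace allowance it enforces comes from the EICAR specification, not from this FAQ; the function names are this example's own.

```python
"""Build and recognise the EICAR anti-virus test file from item 6 of the FAQ.
Added example, not part of the original FAQ; standard library only."""
from pathlib import Path

# The 68-byte EICAR test string quoted in the FAQ. It is assembled from two
# halves at runtime so that this script's own source file never contains the
# contiguous signature (an on-access scanner could otherwise quarantine the
# script instead of the .com test file it writes).
_EICAR_PARTS = (
    r"X5O!P%@AP[4\PZX54(P^)7CC)7}$",
    r"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)
EICAR_STRING = "".join(_EICAR_PARTS)

# From the EICAR specification (not stated in the FAQ): trailing whitespace
# may follow the 68 bytes, but the whole file must not exceed 128 bytes.
_MAX_LENGTH = 128


def eicar_bytes() -> bytes:
    """The test string as the exact bytes a .com test file must begin with."""
    return EICAR_STRING.encode("ascii")


def is_eicar_test_file(data: bytes) -> bool:
    """Mimic the scanner check the FAQ describes: the file must *begin* with
    the string; only whitespace may follow it and the file must stay within
    128 bytes. Anything else (a prefix, extra payload) is not the test file."""
    sig = eicar_bytes()
    if len(data) > _MAX_LENGTH or not data.startswith(sig):
        return False
    return data[len(sig):].strip() == b""


def write_eicar_test_file(directory: Path) -> Path:
    """Create eicar.com the way the FAQ suggests (text string, .com extension).
    Written in binary mode so no editor adds a BOM or alters line endings.
    A scanner with on-access protection may refuse this write; that refusal
    is itself the result the test is looking for."""
    path = Path(directory) / "eicar.com"
    path.write_bytes(eicar_bytes())
    return path
```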
Most people in the anti-virus community consider "virus simulators" unnecessary and unsuitable for testing proper installation of anti-virus products.

7) There are answers to other frequently asked questions and more details in the other virus FAQs. They are available at various sites, but most of them are available at:

http://www.sherpasoft.com/acvFAQ/
http://www.faqs.org/faqs/computer-virus/

8) Before you ask about what a specific virus does, try:

http://www.drsolomon.com/vircen/enc/
http://www.datafellows.com/v-descs/
http://www.avpve.com/
http://vil.mcafee.com/villib/alpha.asp

These sites have reasonably comprehensive virus databases. Be aware, though, that there are many thousands of viruses and descriptions are only available for the more common ones. Also, keep in mind that different anti-virus products may use different names for the same virus. Project VGREP is a virus name cross-referencing service which allows you to find out what name is being used for a virus by different anti-virus products. Project VGREP is available at http://www.virusbtn.com/VGrep/

Disclaimer: The authors accept no responsibility for errors or omissions, or for any ill effects resulting from the use of any information contained in this document.

Copyright Notice: We made this information freely available, and maintain it. Please don't abuse our work by using it for profit without getting permission from the FAQ maintainer. Copyright (c) 1999

Contributors: Bruce Burrell, Graham Cluley, David Harley, Gerard Mannig, A. Padgett Peterson, Robert Slade, Dr. Alan Solomon, and Pierre Vandevenne.

Special thanks to those out there that thought this work was worth something, and decided to send the maintainer a thank-you.