Date: Thu, 19 Mar 1992 15:00:07 EST
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V5 #70
Comments: To: VIRUS-L@ibm1.cc.lehigh.edu

VIRUS-L Digest   Thursday, 19 Mar 1992    Volume 5 : Issue 70

Today's Topics:

VIRUS-L/comp.virus FAQ, 19 March 1992

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 19 Mar 92 14:07:05 -0500
From: Kenneth R. van Wyk
Subject: VIRUS-L/comp.virus FAQ, 19 March 1992

Frequently Asked Questions on VIRUS-L/comp.virus
Last Updated: 19 March 1992, 2:00 PM EST

====================
= Preface Section: =
====================

This document is intended to answer the most Frequently Asked Questions (FAQs) about computer viruses. As you can see, there are many of them! If you are desperately seeking help after recently discovering what appears to be a virus on your computer, consider skimming through sections A and B to learn the essential jargon, then concentrate on section C. If you may have found a new virus, or are not quite sure if some file or boot sector is infected, it is important to understand the protocol for raising such questions, e.g. to avoid asking questions that can be answered in this document, and to avoid sending "live" viruses except to someone who is responsible (and even then in a safe form!). Above all, remember the time to really worry about viruses is BEFORE your computer gets one!

The FAQ is a dynamic document, which changes as people's questions change. Contributions are gratefully accepted -- please e-mail them to me at krvw@cert.sei.cmu.edu. The most recent copy of this FAQ will always be available on the VIRUS-L/comp.virus archives, including the anonymous FTP on cert.sei.cmu.edu (192.88.209.5) in the file:

pub/virus-l/FAQ.virus-l

Ken van Wyk, moderator VIRUS-L/comp.virus

Primary contributors (in alphabetical order):

Mark Aitchison
Vaughan Bell
Matt Bishop
Vesselin Bontchev
Olivier M.J. Crepin-Leblond
David Chess
John-David Childs
Nick FitzGerald
Claude Bersano-Hayes
John Kida
A. Padgett Peterson
Rob Slade
Gene Spafford
Otto Stolz

====================

Questions answered in this document

Section A: Sources of Information and Anti-viral Software (Where can I find HELP..!)

A1) What is VIRUS-L/comp.virus?
A2) What is the difference between VIRUS-L and comp.virus?
A3) How do I get onto VIRUS-L/comp.virus?
A4) What are the guidelines for VIRUS-L?
A5) How can I get back-issues of VIRUS-L?
A6) What is VALERT-L?
A7) What are the known viruses, their names, major symptoms and possible cures?
A8) Where can I get the latest free/shareware anti-virus programs?
A9) Where can I get more information on viruses, etc for my report?

Section B: Definitions (What is ...?)

B1) What are computer viruses (and why should I worry about them) ?
B2) What is a trojan horse?
B3) What are "stealth" viruses (and what is special about them) ?
B4) What are "polymorphic" viruses (and what is special about them) ?
B5) What are "armored" viruses?
B6) What different types of PC viruses are there?
B7) Miscellaneous Abbreviations and jargon

Section C: Virus Detection (Is my computer infected? What do I do?)
C1) What are the symptoms and indications of a virus infection?
C2) What steps should be taken in diagnosing and identifying viruses?
C3) What does the virus do?
C4) What are "false positive" (Type I) and "false negative" (Type II) errors ?
C5) Could an anti-viral program be infected?
C6) Where can I get a virus scanner for my Unix system?
C7) Why does an antiviral scanner report an infection only sometimes?
C8) Am I infected with the Stoned virus ?
C9) I think I have detected a new virus; what do I do?

Section D: Protection Plans (What should I do to prepare against viruses?)

D1) What is the best protection policy for my computer?
D2) Is it possible to protect a computer system with only software?
D3) What can be done with hardware protection?
D4) Will setting MSDOS files' attributes to READ ONLY protect them from viruses?
D5) Will password protection systems protect my files from viruses?
D6) Will the protection systems in DR-DOS work against viruses?
D7) Will a write-protect tab on a floppy disk prevent a virus from infecting it?
D8) What is the best way to remove the virus?
D9) What other ways can I stop viruses before they enter my computer?

Section E: Facts and Fibs about computer viruses (Can a virus...?)

E1) Can "boot sector" viruses like Stoned infect non-bootable floppy disks?
E2) Can a virus hide in a PC's battery-backed CMOS memory?
E3) Can viruses infect data files?
E4) Can viruses spread from one type of computer to another?
E5) Can mainframe computers be susceptible to computer viruses?
E6) Some people say that disinfecting viruses is a bad idea. Is that true?
E7) Can I avoid viruses by avoiding shareware/free software/games?
E8) Can MS-DOS Viruses run on Non-DOS machines (e.g., Mac, Amiga)?

Section F: Miscellaneous Questions (I was just wondering...)

F1) How many different types of viruses are there?
F2) How do viruses spread so quickly?
F3) What is the plural of "virus"? "Viruses" or "viri" or "virii" or...
F4) When reporting a virus infection (and looking for assistance), what information should be included?
F5) How often should we upgrade our anti-virus tools to minimize software and labor costs and maximize our protection?

Section G: Specific Virus and Anti-viral software Questions...

G1) I was infected by the Jerusalem virus and disinfected the infected files with my favorite anti-virus program. However, Wordperfect and some other programs still refuse to work. Why?
G2) I was told that the Stoned virus displays the text "Your PC is now Stoned" at boot time. I have been infected by this virus several times, but have never seen the message. Why?

================================================================
= Section A. Sources of Information and Anti-viral Software. =
================================================================

A1) What is VIRUS-L/comp.virus?

It is a discussion forum with a focus on computer virus issues. More specifically, VIRUS-L is an electronic mailing list and comp.virus is a USENET newsgroup. Both groups are moderated; all submissions are sent to the moderator for possible inclusion in the group. For more information, including a copy of the posting guidelines, see the file virus-l.README, available by anonymous FTP on cert.sei.cmu.edu in the pub/virus-l directory. (FTP is the Internet File Transfer Protocol, and is described in more detail in the monthly VIRUS-L/comp.virus archive postings - see below.)

Note that there have been, from time to time, other USENET cross-postings of VIRUS-L, including the bit.listserv.virus-l. These groups are generally set up by individual site maintainers and are not as globally accessible as VIRUS-L and comp.virus.

A2) What is the difference between VIRUS-L and comp.virus?

As mentioned above, VIRUS-L is a mailing list and comp.virus is a newsgroup.
In addition, VIRUS-L is distributed in digest format (with multiple e-mail postings in one large digest) and comp.virus is distributed as individual news postings. However, the content of the two groups is identical.

A3) How do I get onto VIRUS-L/comp.virus?

Send e-mail to LISTSERV@IBM1.CC.LEHIGH.EDU (or LISTSERV@LEHIIBM1 for you Bitnetters) stating: "SUB VIRUS-L your-name". To "subscribe" to comp.virus, simply use your favorite USENET news reader to read the group (assuming that your site receives USENET news).

A4) What are the guidelines for VIRUS-L?

The list of posting guidelines is available by anonymous FTP on cert.sei.cmu.edu. See the file pub/virus-l/virus-l.README for the most recent copy. In general, however, the moderator requires that discussions are polite and non-commercial. (Objective postings of product availability, product reviews, etc., are fine, but commercial advertising is not.) Also, requests for viruses (binary or disassembly) are not allowed. Technical discussions are encouraged, however, within reason.

A5) How can I get back-issues of VIRUS-L?

VIRUS-L/comp.virus includes a series of archive sites that carry all the back issues of VIRUS-L, as well as public anti-virus software (for various computers) and documents. The list of archive sites is updated monthly and distributed to the group; it includes a complete listing of the sites, what they carry, access instructions, as well as information on how to access FTP sites by e-mail.

The anonymous FTP archive at cert.sei.cmu.edu carries all of the VIRUS-L back issues, as does the LISTSERV at LEHIIBM1 (on BITNET). See the file pub/virus-l/README for more information on the cert.sei.cmu.edu archive site.

A6) What is VALERT-L?

VALERT-L is a sister group to VIRUS-L, but is intended for virus alerts and warnings only -- NO DISCUSSIONS. There is no direct USENET counterpart to VALERT-L; it is a mailing list only. All VALERT-L postings are re-distributed to VIRUS-L/comp.virus later. This group is also moderated, but on a much higher priority than VIRUS-L. The group is monitored during business hours (East Coast, U.S.A., GMT-5/GMT-4); high priority off-hour postings can be made by submitting to the group and then telephoning the CERT/CC hotline at +1 412 268 7090 -- leave instructions to call Ken van Wyk.

Subscriptions to VALERT-L are handled identically to VIRUS-L -- contact the LISTSERV.

A7) What are the known viruses, their names, major symptoms and possible cures?

There are several major sources of information about viruses.

Probably the biggest one is Patricia Hoffman's hypertext VSUM. It describes only MS-DOS viruses, but almost all of them. Unfortunately, it tends to be too verbose and is regarded by many in the field as being inaccurate, so we do not advise people to rely on it. It can be downloaded from most major archive sites -except- SIMTEL20.

The second one is the Computer Virus Catalog, published by the Virus Test Center in Hamburg. It contains a highly technical description of computer viruses for several platforms: MS-DOS, Mac, Amiga, Atari ST, Unix. Unfortunately, the MS-DOS section is somewhat incomplete. The CVC is available for anonymous ftp from ftp.informatik.uni-hamburg.de (IP=134.100.4.42), directory pub/virus/texts/catalog.

A third source of information is the monthly Virus Bulletin. It regularly publishes very detailed technical information about viruses. Unfortunately it is -very- expensive (the subscription is about $350 per year; US subscriptions can be obtained by calling 203-431-8720).

A fourth good source of information on MS-DOS viruses is the "Computer Viruses" report of the National Computer Security Association. This is updated regularly, and is fairly complete. Copies cost approximately $75, and can be ordered by calling +1 202-244-7875.

Another source of information is the documentation of Dr. Solomon's Anti-Virus ToolKit.
It is more complete than the CVC list, just as accurate (if not more), but lists only MS-DOS viruses. However, it is not available electronically; you must buy his anti-virus package and the virus information is part of the documentation.

Yet another source of information is "Virus News International", published by S & S International. And, while not entirely virus-related, "Computers & Security" provides information on many aspects of computer security, including viruses.

The best source of information available on Apple Macintosh viruses is the on-line documentation provided with the freeware Disinfectant program by John Norstad. This is available at most Mac archive sites.

A8) Where can I get the latest free/shareware anti-virus programs?

The VIRUS-L/comp.virus archive sites carry publicly distributable anti-virus software products. See a recent listing of the archive sites (or ask the moderator for a recent listing) for more information on these sites.

If you need an MS-DOS anti-virus program urgently, chances are that you can find it via anonymous FTP on WSMR-SIMTEL20.ARMY.MIL (192.88.110.20), in the directory PD1:. (Note that the SIMTEL20 archives are also mirrored at many other anonymous FTP sites, including oak.oakland.edu (141.210.10.117) and wuarchive.wustl.edu (128.252.135.4).) Likewise, Macintosh anti-virus programs can be found on SIMTEL20 in the PD3: directory.

A9) Where can I get more information on viruses, etc for my report?

There are three excellent books on computer viruses available that should cover most of the introductory and technical questions you might have:

* "Computers Under Attack: Intruders, Worms and Viruses," edited by Peter J. Denning, ACM Press/Addison-Wesley, 1990. This is a book of collected readings that discuss computer viruses, computer worms, break-ins, legal and social aspects, and many other items related to computer security and malicious software. A very solid, readable collection that doesn't require a highly-technical background.

* "Rogue Programs: Viruses, Worms and Trojan Horses," edited by Lance J. Hoffman, Van Nostrand Reinhold, 1990. This is a book of collected readings describing in detail how viruses work, where they come from, what they do, etc. It also has material on worms, trojan horse programs, and other malicious software programs. This book focuses more on mechanism and relatively less on social aspects than does the Denning book; however, there is an excellent piece by Anne Branscomb that covers the legal aspects.

* "A Pathology of Computer Viruses," by David Ferbrache, Springer-Verlag, 1992. This is a recent, in-depth book on the history, operation, and effects of computer viruses. It is one of the most complete books on the subject, with an extensive history section, a section on Macintosh viruses, network worms, and Unix viruses (if they were to exist).

A somewhat dated, but still useful, high-level description of viruses, suitable for a complete novice without extensive computer background is in "Computer Viruses: Dealing with Electronic Vandalism and Programmed Threats," by Eugene H. Spafford, Kathleen A. Heaphy, and David J. Ferbrache, ADAPSO (Arlington VA), 1989. ADAPSO is a computer industry service organization, and not a publisher, so the book cannot be found in bookstores; copies can be obtained directly from ADAPSO @ +1 703-522-5055. There is a discount for ADAPSO members, educators, and law enforcement personnel. Many people have indicated they find this a very understandable reference; portions of it have been reprinted many other places, including Denning & Hoffman's books (above).

======================================================
= Section B. Definitions and General Information =
======================================================

B1) What are computer viruses (and why should I worry about them) ?
The term "computer virus" tends to be used to cover many sorts of computer programs that hide their true (malicious) function and try to spread onto as many computers as possible. While the definitions of the various types of computer virus (and other malicious software) in this document are certainly useful, it can still be worth keeping a somewhat "fuzzy" definition of "computer virus", since pre-conceived notions as to what a virus is, and what it exactly does, can lead to a false sense of security.

These software "pranks" are very serious; they are spreading faster than they are being stopped, and even the least harmful of viruses can have serious consequences. For example, a virus that stops your computer and displays a message, in the context of a hospital life-support computer, could be fatal. Even those who created the viruses could not stop them if they wanted to; it requires a concerted effort from computer users to be "virus-aware", rather than the ignorance and ambivalence that have allowed them to grow to such a problem.

B2) What is a trojan horse?

It is a program that does something the programmer intended, but that the user would not approve of if he knew about it. Thus, a virus is a particular case of a Trojan horse, which is able to spread to other programs (i.e., it turns them into trojans, too).

B3) What are "stealth" viruses (and what is special about them) ?

Every virus makes changes to executable code; hence every virus can be detected by checking all executable code in a system for discrepancies between presumed and actual contents. A stealth virus camouflages the changes it has made from detection by other programs, usually by monitoring the system functions used by programs to read files or physical blocks from storage media, and forging the results of such system functions suitably. However, in order to practise "stealth," the virus must be resident in memory. In every "stealth" virus seen so far, this residence is detectable, often easily.

Example: One of the oldest MS-DOS Viruses, Brain, a boot sector infector, monitors physical disk-I/O and re-directs any attempt to read a Brain-infected boot sector to the disk area where the original boot sector is stored.

Countermeasures: To gain unadulterated access to storage media, a "clean" system is needed so that no virus is present to interfere with its operation. Thus, the system should be built from a trusted, clean master copy before any virus-checking is attempted; this is "The Golden Rule of the Trade." With MS-DOS, (1) boot from original DOS diskettes (i.e. DOS Startup/Program diskettes from a major vendor that have been write-protected since their creation), (2) use only tools from original diskettes until virus-checking has completed.

B4) What are polymorphic viruses (and what is special about them) ?

In order to eradicate a virus infection, all instances of this particular virus in various places (program files, boot records, etc.) have to be found and identified. A program to accomplish this task is called a Virus Scanner. A polymorphic virus tries to escape virus scanners by producing varied (yet fully operational) copies of itself.

One method to evade signature-driven virus scanners is self-encryption with a variable key; however these viruses (e.g. Cascade) are not termed "polymorphic," as their decryption code is always the same and thus can be used as a virus signature even by the simplest, signature-driven virus scanners.

One method for a polymorphic virus is choosing amongst a variety of different encryption schemes requiring different decryption routines: only one of these routines would be plainly visible in any instance of the virus (e.g. the Whale virus). A signature-driven virus scanner would have to exploit several signatures (one for each possible encryption method) to reliably identify a virus of this kind.
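The following is an added illustration, not part of the FAQ and not taken from any scanner product: a toy scan-string scanner in Python run over constructed byte strings. It shows the two points made above (a constant decryption routine is caught by one scan string no matter how the body is keyed; a virus that can carry either of two routines needs a string for each), and it labels the outcomes using the "false positive" / "false negative" terms defined in question C4. Every byte sequence, file name and scan-string name here is invented for the example; none corresponds to a real virus.

```python
from typing import Dict, List, Set

# Constructed "decryption routines": arbitrary bytes invented for this example.
# A virus that always carries routine 1 (the FAQ's Cascade case) is identifiable
# by that one sequence; one that may carry routine 1 or routine 2 (the Whale
# case) needs a scan string for each routine.
DECRYPTOR_FORM_1 = bytes.fromhex("be0001b9e8022e80341a46e2f9")
DECRYPTOR_FORM_2 = bytes.fromhex("bf0001b1e8fc2e3005f7c34e75f8")


def xor_body(body: bytes, key: int) -> bytes:
    """Simulate a self-encrypted body: same contents, different key in each copy."""
    return bytes(b ^ key for b in body)


BODY = b"constructed payload bytes for the example"

# Constructed "files" on a disk: two copies with routine 1 under different keys,
# one copy with routine 2, and a harmless data file that happens to contain the
# same bytes as routine 1 (the situation C4 calls a false positive).
FILES: Dict[str, bytes] = {
    "COPY1.COM": b"constructed header" + DECRYPTOR_FORM_1 + xor_body(BODY, 0x1A),
    "COPY2.COM": b"constructed header" + DECRYPTOR_FORM_1 + xor_body(BODY, 0x2B),
    "COPY3.COM": b"constructed header" + DECRYPTOR_FORM_2 + xor_body(BODY, 0x3C),
    "TABLE.DAT": b"lookup table: " + DECRYPTOR_FORM_1 + b" end of table",
}
TRULY_INFECTED: Set[str] = {"COPY1.COM", "COPY2.COM", "COPY3.COM"}

# A scanner that knows only the first routine ...
ONE_STRING: Dict[str, bytes] = {"Sample-A": DECRYPTOR_FORM_1}
# ... and the same scanner after a second string for the other routine is added.
TWO_STRINGS: Dict[str, bytes] = {
    "Sample-A": DECRYPTOR_FORM_1,
    "Sample-A (variant)": DECRYPTOR_FORM_2,
}


def scan(data: bytes, scan_strings: Dict[str, bytes]) -> List[str]:
    """Signature scanning as the FAQ describes it: report every scan string
    that occurs anywhere in the file."""
    return [name for name, sig in scan_strings.items() if sig in data]


def scan_all(files: Dict[str, bytes], scan_strings: Dict[str, bytes]) -> Dict[str, List[str]]:
    return {fname: scan(data, scan_strings) for fname, data in files.items()}


def classify(results: Dict[str, List[str]], truly_infected: Set[str]) -> Dict[str, List[str]]:
    """Sort the scanner's verdicts into detections and the two error types of C4."""
    flagged = {fname for fname, hits in results.items() if hits}
    return {
        "detected": sorted(flagged & truly_infected),
        "false_positives": sorted(flagged - truly_infected),  # Type I
        "false_negatives": sorted(truly_infected - flagged),  # Type II
    }


if __name__ == "__main__":
    for label, strings in (("one scan string", ONE_STRING), ("two scan strings", TWO_STRINGS)):
        print(f"{label}: {classify(scan_all(FILES, strings), TRULY_INFECTED)}")
```

With one scan string the scanner finds COPY1 and COPY2 (the body key does not matter, since only the routine is matched), misses COPY3 (a false negative) and flags TABLE.DAT (a false positive). Adding the second string removes the false negative but not the false positive, which is why the FAQ stresses that scan strings have to be chosen carefully and that results deserve a second opinion. The next paragraph explains why this approach stops scaling once the routine itself changes between copies.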
A more sophisticated polymorphic virus (e.g. V2P6) will vary the sequence of instructions in its copies, by interspersing it with "noise" instructions (e.g. a No Operation instruction, or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using various instruction sequences with identical net effects (e.g. Subtract A from A, and Move 0 to A). A simple-minded, signature-based virus scanner would not be able to reliably identify this sort of virus; rather, a sophisticated "scanning engine" has to be constructed after thorough research into the particular virus.

The advent of polymorphic viruses has rendered virus-scanning an ever more difficult and expensive endeavor; adding more and more search strings to simple scanners will not adequately deal with these viruses.

B5) What are "armored" viruses?

Armored viruses use special tricks to make the tracing, disassembling and understanding of their code more difficult. A good example is the Whale virus.

B6) What different types of PC viruses are there?

Generally, there are two main classes of viruses: the first describes file infectors which attach themselves to individual programs that are easily copied/transferred between computers. These attack .COM and .EXE programs though some will infect other classes of program capable of execution (e.g. .DB* and .WK* files). Still others can infect any program for which execution is requested such as .SYS, .OVL, .PRG, & .MNU programs. Generally though, all file infector viruses will infect either .COM or .EXE programs or both. Common examples are Jerusalem, Sunday, Vienna, 4096, or Whale.

The second category is System Infectors: those viruses which infect executable code found in specific locations either on a disk or in memory. On DOS systems, for example, most of these viruses infect the Master Boot Record on fixed disks, the DOS Boot Record on both fixed and floppy disks, or the system files (IO.SYS or MSDOS.SYS). Examples include Brain, Stoned, Empire, Azusa, & Michelangelo.

Finally, a few viruses are able to infect both (the Tequila virus is one example).

B7) Miscellaneous Jargon and Abbreviations...

BSI = Boot Sector Infector: the most common PC viruses belong to this family, which take over control when the computer attempts to boot.

DOS = Diskette Operating System: We use DOS to mean MS-DOS, PC-DOS, or DR-DOS even though there are operating systems called DOS on unrelated hardware.

MBR = Master Boot Record: the first sector on a PC hard disk, that usually contains the partition table (but may simply contain a DOS boot sector).

RAM = Random Access Memory: the place programs are loaded into to execute; the significance for viruses is that, to be active, they must grab some of this for themselves. However, some virus scanners may declare a virus is active simply when it is found in RAM - even though it might be in a disk's buffer area of RAM rather than truly being executed.

TOM = Top Of Memory: (this is particularly significant in PC's) The amount of RAM is recorded in the computer; viruses (or other software) may try to tell the software that follows there is less memory than there really is, so the virus can hide there.

TSR = Terminate but Stay Resident: these are PC programs that stay in memory while you continue to use the computer for other programs; they include pop-up utilities, network software, and (unfortunately) some viruses. These can often be seen using utilities such as MEM and PMAP and INFOPLUS.

=================================
= Section C. Virus Detection =
=================================

C1) What are the symptoms and indications of a virus infection?
There are all kinds of symptoms which virus authors have written into their programs, such as messages, music and graphical displays. These "payloads" may include deleting files, or other destruction. Viruses try to do a lot of spreading before they deliver their payload, but there can be symptoms of virus infection before this, and it is important to use this opportunity to spot and eradicate the virus before any destruction.

The main indications are changes to file sizes and contents, changing of interrupt vectors (on a PC), and the unaccounted use of RAM (but, of course, viruses try to hide such effects). On a PC it can be very worthwhile looking at the amount of RAM known to the CHKDSK program, which should be 655360 bytes (or at least a multiple of 16384 bytes); and boot sector infections are often easily identified to the trained eye (or heuristic checkers such as CHECKOUT).

These symptoms, along with longer disk activity and strange behavior from the hardware, can also be caused by genuine software, or by harmless "prank" programs, or by hardware faults, unfortunately. The only foolproof way to determine that a virus is present is for an expert to analyze the assembly code contained in all programs and system areas, but this is usually impracticable. Virus scanners go some way towards that by looking in that code for known viruses; some will even try to use artificial intelligence means to spot viral activity, but this is usually only reliable for boot sectors.

It is wise to arm yourself with the latest anti-viral software, but also to pay close attention to your system... look particularly for any change in the memory map or configuration as soon as you start the computer. For users of MS-DOS 5.0, the MEM program with the /C switch is very handy for this. If you have DRDOS, use MEM with the /A switch; if you have an earlier version use CHKDSK or the commonly-available PMAP or MAPMEM utilities. You don't have to know what all the numbers mean, only that they change.

C2) What steps should be taken in diagnosing and identifying viruses?

Most of the time, a virus scanner program will take care of that for you. Running it often and on new disks will help identify problems early! If you run into one that the scanner doesn't identify, or doesn't properly clean up for you, first verify that the version that you are using is the most recent, and then get in touch with one of the reputable antivirus researchers and send a copy of the infected file to them, after they ask you to send it. See also question C9.

C3) What does the virus do?

If an anti-virus program has detected a virus on your computer, don't rush to post a question to this list asking what it does. First, it might be a false positive alert (especially if the virus is found only in one file), and second, some viruses are extremely common, so the question "What does the Stoned virus do?" or "What does the Jerusalem virus do?" is asked here repeatedly. While this list is monitored by several anti-virus experts, they get tired of perpetually answering the same questions over and over again.

In any case, if you really *need* to know what a particular virus does (as opposed to knowing enough to get rid of it), you will need a longer treatise than could reasonably be given to you. For example, the Stoned virus replaces the disk's boot sector with its own, relocating the original to a sector on the disk that may (or may not) occur in an unused portion of the root directory of a DOS diskette; when active, it sits in an area a few kilobytes below the top of memory. All this description could apply to a number of common viruses; but the important points of where the original boot sector goes - and what effect that has on networking software, non-DOS partitions, and so on - are all major questions in themselves.

Therefore, it is better if you first try to answer your question yourself.
There are several sources of information about the known computer viruses, so please consult one of them before requesting information publicly. Chances are that your virus is rather well known and that it is already described in detail in at least one of these sources. (See the answers to questions A7 and A9, for instance.)

C4) What are "false positive" (Type I) and "false negative" (Type II) errors?

Most virus scanners do not identify viruses exactly. What they do is to use a characteristic sequence of bytes from the virus code, called a "scan string", and to scan the files for this string. While the authors of most scanners do their best to select good scan strings, it is possible that the same string happens to be present in a benign program. If a non-virus program is flagged as a virus by the scanner, this is called a "false positive" error.

On the other hand, a virus scanner searches only for known viruses. Most probably it will miss a completely new or a heavily modified virus. If the scanner does not detect a program, which in fact contains a virus, this is called a "false negative" error.

Obviously the false negative errors are more dangerous than the false positive ones. Therefore, producers of virus scanners usually attempt to minimize both kinds of errors, but they are more concerned with the false negative ones.

One other serious problem could occur: A "positive" that is misdiagnosed. E.g., a scanner that detects the Empire virus in a boot record but reports it as the Stoned. In the case of a boot sector infector, use of a Stoned specific "cure" to recover from the Empire could result in an unreadable disk or loss of extended partitions. Similarly, sometimes "generic" recovery can result in unusable files. "Second generation" products store information about "clean" programs to allow verification of recovery processes.

C5) Could an anti-viral program itself be infected?

Yes, so it is important to obtain this software from good sources, and to only trust results after running scanners from a "clean" system. But there are situations where one scanner appears to be infected when it isn't.

Most antiviral programs try very hard to identify only viral infections, but sometimes they give false alarms. If two different antiviral programs are both of the "scanner" type, they will contain "signature strings" to identify viral infections. If the strings are not "encrypted", then they will be identified as a virus by another scanner type program. Also, if the scanner does not remove the strings from memory after they are run, then another scanner may detect the virus string "in memory". Note that a recent example of this type of false alarm regards F-PROT "detecting" viruses in two Central Point Anti-Virus (CPAV) files.

Some "change detection" type antiviral programs add a bit of code or data to a program when "protecting" it. This might be detected by another "change detector" as a change to a program, and therefore suspicious.

It is good practice to use more than one antiviral program. Do be aware, however, that antiviral programs, by their nature, may confuse each other.

C6) Where can I get a virus scanner for my Unix system?

Basically, you shouldn't bother scanning for Unix viruses at this point in time. Although it is possible to write Unix-based viruses, we have yet to see any instance of a non-experimental virus in that environment. Someone with sufficient knowledge and access to write an effective virus would be more likely to conduct other activities than virus-writing. Furthermore, the typical form of software sharing in a Unix environment would not support virus spread.

This answer is not meant to imply that viruses are impossible, or that there aren't security problems in a typical Unix environment -- there are. However, true viruses are highly unlikely and should be found quite readily with normal Unix file integrity procedures.
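As an added illustration of what "file integrity procedures" means in practice (this is not from the FAQ, nor is it the COPS package mentioned below or any of the integrity checkers named in D1), here is a minimal integrity checker in Python. It takes the "snapshot" D1 describes: for every regular file under a directory it records the size, the permission bits and a SHA-256 digest of the contents, stores them as JSON, and on a later run reports files that were added, removed or modified. The `demo()` function builds a constructed directory of fake binaries in a temporary location, baselines it, tampers with it, and returns the comparison; the file names and contents in it are invented for the example.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

Record = Dict[str, object]
Snapshot = Dict[str, Record]


def file_record(path: Path) -> Record:
    """Snapshot of one file: size, permission bits and SHA-256 of its contents."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "sha256": digest.hexdigest()}


def snapshot(root: Path) -> Snapshot:
    """Record every regular file under root, keyed by its path relative to root."""
    return {
        str(p.relative_to(root)): file_record(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def save_baseline(snap: Snapshot, dest: Path) -> None:
    # The baseline must live somewhere the checked system cannot rewrite it
    # (write-protected or offline media); otherwise an intruder or virus that
    # changes a file can simply update the record to match.
    dest.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(src: Path) -> Snapshot:
    return json.loads(src.read_text())


def compare(baseline: Snapshot, current: Snapshot) -> Dict[str, List[str]]:
    """Report every difference between the stored snapshot and the live one."""
    before, now = set(baseline), set(current)
    return {
        "added": sorted(now - before),
        "removed": sorted(before - now),
        "modified": sorted(name for name in before & now if baseline[name] != current[name]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, alter it, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bin"
        root.mkdir()
        # Constructed stand-ins for executables; the bytes are not real programs.
        (root / "ls").write_bytes(b"\x7fELF constructed binary 1")
        (root / "cat").write_bytes(b"\x7fELF constructed binary 2")
        (root / "cp").write_bytes(b"\x7fELF constructed binary 3")

        baseline_file = Path(tmp) / "baseline.json"  # kept outside the checked tree
        save_baseline(snapshot(root), baseline_file)

        # Simulated tampering: one file grows (as an appended infection would make
        # it), one is deleted, and an unexpected new file appears.
        with (root / "ls").open("ab") as fh:
            fh.write(b" + appended bytes")
        (root / "cp").unlink()
        (root / "mv").write_bytes(b"\x7fELF constructed binary 4")

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Two cautions carry over from the answers above. The check is only as good as the environment it runs in: B3's "Golden Rule" applies, because a resident stealth virus that forges read results can make a modified file hash to its old value, so the comparison should be made after a clean boot with tools from trusted media. And a reported change is evidence, not a diagnosis: as the paragraph after this one notes, unauthorized file changes on Unix systems are common and usually have nothing to do with viruses, so each difference still has to be explained.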
For more information on Unix security, see the book "Practical Unix Security" by Garfinkel and Spafford, O'Reilly & Associates, 1991 (it can be ordered via e-mail from nuts@ora.com). However, there are special cases for which scanning Unix systems for non-Unix viruses does make sense. For example, a Unix system which is acting as a file server (e.g., PC-NFS) for PC systems is quite capable of containing PC file infecting viruses that are a danger to PC clients. Note that, in this example, the UNIX system would be scanned for PC viruses, not UNIX viruses. Another example is in the case of a 386/486 PC system running Unix, since this system is still vulnerable to infection by BIOS infectors such as Stoned and Michelangelo, which are operating system independent. (Note that an infection on such a Unix PC system would probably result in disabling the Unix disk partition(s) from booting.) In addition, a file integrity checker (to detect unauthorized changes in executable files) on Unix systems is a very good idea. (One free program which can do this test, as well as other tests, is the COPS package, available by anonymous FTP on cert.sei.cmu.edu.) Unauthorized file changes on Unix systems are very common, although they usually are not due to virus activity. C7) Why does my anti-viral scanner report an infection only sometimes? There are circumstances where part of a virus exists in RAM without being active; if your scanner reports a virus in memory only sometimes it could be due to the operating system buffering disk reads, keeping disk contents that include a virus in memory (harmlessly) - in which case it should also find it on disk, or after running another scanner there may be scan strings left (again harmlessly) in memory. C8) Is my disk infected with the Stoned virus ? Of course the answer to this, and many similar questions, is to obtain a good virus detector. 
However, the Stoned virus is one that occurs often and you may spend a lot of time going through disks looking for it. Also, there are several versions of this virus (and similar ones) that may just possibly escape detection by conventional scanners. Since it is so easy to detect "by hand", it is worth using the CHKDSK method (mentioned in C2) to make sure it isn't in memory, then looking at the first 11 bytes of diskettes using your favorite hex disk editor. What you should look for is the third byte: it should be "90" hex for a good diskette, and is "00" for an infected diskette (anything else may or may not imply an infection). There are even better methods of determining the presence of such a virus, e.g. those contained in the freeware CHECKOUT program and the shareware SCANBOOT program, but this is good enough for a quick check.

The advantage of this method is that it can be a lot faster than running some scanners over the disks, if there are many to check. There are disadvantages - the main one being that a few "good" diskettes, such as "immunized" ones, may show up as having a virus - in which case you refer them to a better scan before disinfecting them. A more time-efficient method is to load the SCANBOOT TSR and let it check diskettes automatically as you access them in the normal way (e.g. when listing their files).

C9) I think I have detected a new virus; what do I do?

Whenever there is doubt over a virus, you should obtain the latest versions of several (not just one) major virus scanners. If you use F-PROT, which has several methods of scanning, try each method in turn. The "heuristic" methods in one of these scan methods, and in several other programs (CHECKOUT and SCANBOOT, for example), can report a disk or file as being possibly infected when it is, in fact, perfectly safe (odd, perhaps, but not infected). If no string-matching scan finds a virus, but a heuristic program does (or there are other reasons to suspect the file, e.g.
change in size of files), then it is possible that you have found a new virus, although the chances are probably greater that it is an odd-but-okay disk or file. Start by looking in recent VIRUS-L postings about "known" false positives, then contact the author of the anti-virus software that reports it as virus-like. Read the section explaining what to do if you think you have found a new virus, and consider using the BOOTID or CHECKOUT programs to calculate the "hashcode" of the diskette, in the case of boot sector infectors.

===================================
=   Section D. Protection plans   =
===================================

D1) What is the best protection policy for my computer?

There is no "best" anti-virus program. In fact, there is no program that can magically protect you against all viruses. But you can design a whole anti-virus protection strategy and build multiple layers of defense.

There are three main kinds of anti-virus detectors, plus several other means of protection (such as hardware write-protect methods).

1) Monitoring programs; these look for viral activity when it happens, such as attempts to write to another executable, reformat the disk, etc. Examples: FluShot+ (PC), and GateKeeper (Macintosh).

2) Scanners. Most look for known virus strings (byte sequences known to occur in certain viruses, but hopefully not in good software), but some use AI or heuristic techniques to recognize viral code. They may also include virus removers. Examples: Dr Solomon's Anti-Virus Toolkit, FRISK's F-Prot, McAfee's VIRUSCAN (all PC), Disinfectant (Macintosh).

3) Integrity (change-of-state) checkers. These take a "snapshot" of code, and periodically compare code with the original and (what is supposed to be) uninfected snapshot. Examples: V-Analyst (commercial, BRM Technologies, Israel) and Integrity Master (shareware), both for the PC.

Plus, there are mixtures and variations on these approaches, such as resident scanners (e.g.
VShield, VIRSTOP) and heuristic search versions (e.g. SCANBOOT). Of course, only a few examples of each type were given. All of them can find their place in the protection against computer viruses, but you should appreciate the limitations of each method, along with system-supplied security measures that may or may not be helpful in defeating viruses. Ideally, you would arrange a combination of methods that cover the loopholes between them.

A typical PC installation might include a protection system on the hard disk's MBR to protect against viruses at load time (ideally this would be hardware or in BIOS, but software methods such as DiskSecure and PanSoft's Immunise are pretty good). This would be followed by resident virus detectors loaded as part of the machine's startup (config.sys or autoexec.bat), such as FluShot+ and/or VirStop together with ScanBoot. A scanner such as F-Prot or McAfee's SCAN should be put into autoexec.bat to look for viruses as you start up, but this may be a problem if you have a large disk to check (or don't reboot often enough). Most importantly, new files should be scanned as they arrive on the system. If your system has DR-DOS installed, you should use the password command to write-protect all system executables and utilities. If you have Stacker or SuperStore, you can get some improved security from these compressed drives, but also a risk that those viruses stupid enough to write directly to the disk could do much more damage than normal; using a software write-protect system (such as provided with Disk Manager or Norton Utilities) may help, but the best solution (if possible) is to put all executables on a disk of their own, protected by a hardware read-only system that sounds an alarm if a write is attempted.
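A minimal integrity (change-of-state) checker of the kind listed under D1 and recommended for Unix in C6, as an added example here rather than code from the FAQ or from any product it names: it records size, date and a SHA-256 digest of each executable into a baseline and reports every later difference, including a same-length edit whose date has been put back. The suffix list, file names and the scenario in demo() are constructed assumptions.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# File types treated as executables. The set is an assumption for this example; a
# real DOS installation would also cover overlays, device drivers and so on.
EXECUTABLE_SUFFIXES = {".exe", ".com", ".sys", ".bat"}
FIXED_TIME = 700_000_000  # constructed timestamp so the demo below is reproducible


def file_record(path: Path) -> dict:
    """Size, last-modified time and SHA-256 digest of one file (also the properties a
    disinfector must restore exactly); the digest catches same-size, same-date edits."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def snapshot(root: Path) -> dict:
    """Map relative path -> record for every executable under root."""
    return {
        p.relative_to(root).as_posix(): file_record(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report every difference between two snapshots. Any change is reported whatever
    caused it: a second "protection" tool that patches programs shows up just like an
    infector would (the C5 caveat), so the operator must decide which changes are expected."""
    report = {"modified": {}, "added": [], "removed": []}
    for name, rec in current.items():
        old = baseline.get(name)
        if old is None:
            report["added"].append(name)
            continue
        reasons = [k for k in ("size", "mtime", "sha256") if rec[k] != old[k]]
        if reasons:
            report["modified"][name] = reasons
    report["removed"] = sorted(n for n in baseline if n not in current)
    return report


def save_baseline(records: dict, path: Path) -> None:
    """Take the baseline on a known-clean system and keep it where a virus cannot alter
    it (e.g. a write-protected diskette); otherwise a later comparison proves nothing."""
    path.write_text(json.dumps(records, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline of a 'clean' tree, then four kinds of change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {"COMMAND.COM": b"constructed COM image " * 8,
                 "WP.EXE": b"MZ" + bytes(range(256)),
                 "ANSI.SYS": b"constructed device driver",
                 "README.TXT": b"not an executable, never checked"}
        for name, data in files.items():
            (root / name).write_bytes(data)
            os.utime(root / name, (FIXED_TIME, FIXED_TIME))
        baseline_file = root / "baseline.json"
        save_baseline(snapshot(root), baseline_file)
        # 1) Bytes appended and date updated, as an immunizer or an appending infector leaves it.
        with (root / "COMMAND.COM").open("ab") as fh:
            fh.write(b"\x90" * 16)
        os.utime(root / "COMMAND.COM", (FIXED_TIME + 60, FIXED_TIME + 60))
        # 2) Same-length overwrite with the date put back: only the digest differs.
        data = bytearray(files["WP.EXE"])
        data[100] ^= 0xFF
        (root / "WP.EXE").write_bytes(bytes(data))
        os.utime(root / "WP.EXE", (FIXED_TIME, FIXED_TIME))
        # 3) An executable disappears, and 4) a new one appears.
        (root / "ANSI.SYS").unlink()
        (root / "NEW.COM").write_bytes(b"constructed new program")
        return compare(load_baseline(baseline_file), snapshot(root))
```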
If you do use a resident BSI detector or a scan-while-you-copy detector, it is important to trace back any infected diskette to its source; the reason why viruses survive so well is that usually you cannot do this, because with most people's lax scanning policies the infection is found long after the infecting diskette has been forgotten. Organizations should devise and implement a careful policy, which may include a system of vetting new software brought into the building and free virus detectors for the home machines of employees/students/etc. who take work home with them.

D2) Is it possible to protect a computer system with only software?

Not perfectly. However, software defenses can significantly reduce your risk of being affected by viruses WHEN APPLIED APPROPRIATELY. All virus defense systems are tools - each with their own capabilities and limitations. Learn how your system works and be sure to work within its limitations.

From a software standpoint, a very high level of protection/detection can be achieved with only software, using a layered approach.

1) ROM BIOS - password (access control) and selection of boot disk. (Some may consider this hardware.)

2) Boot sectors - integrity management and change detection.

3) OS programs - integrity management of existing programs, scanning of unknown programs. Requirement of authentication values for any new or transmitted software.

4) Locks that prevent writing to a fixed or floppy disk.

As each layer is added, invasion without detection becomes more difficult. However, complete protection against any possible attack cannot be provided without dedicating the computer to pre-existing or unique tasks. The international standardization of the world on the IBM PC architecture is both its greatest asset and its greatest vulnerability.

D3) What can be done with hardware protection?
Hardware protection can accomplish various things, including: write protection for hard disk drives, memory protection, monitoring and trapping unauthorized system calls, etc. Again, no tool is foolproof. The popular idea of write-protection (see D6) may stop viruses spreading to the disk that is protected, but doesn't, in itself, prevent a virus from running.

D4) Will setting DOS file attributes to READ ONLY protect them from viruses?

No. While the Read Only attribute will protect your files from a few viruses, most simply override it, and infect normally. So, while setting executable files to Read Only is not a bad idea, it is certainly not a thorough protection against viruses!

D5) Will password/access control systems protect my files from viruses?

Some will, some won't. Many file access control systems for PCs will do a great deal to guard against existing PC viruses. A good operating system (not wishing to start a "Unix vs MSDOS" war!) combined with use of memory management hardware is best. But they are not foolproof. The important thing is that they be properly installed and administered. (There's a recurring theme here...)

D6) Will the protection systems in DR-DOS 5 or 6 work against viruses?

Partially. Neither the password file/directory protection available from DRDOS version 5 onwards, nor the secure disk partitions introduced in DRDOS 6, are intended to combat viruses, but they do to some extent. If you have DRDOS, it is very wise to password-protect your files (to stop accidental damage too), but don't depend on it as the only means of defense. The use of the password command (e.g. PASSWORD/W:MINE *.EXE *.COM) will stop more viruses than the plain DOS attribute facility, but that isn't saying much! The combination of the password system plus a disk compression system may be more secure (because to bypass the password system a virus must access the disk directly, but under SuperStore or Stacker the physical disk is meaningless to the virus).
There may be some viruses which, rather than invisibly infecting files on compressed disks, in fact very visibly corrupt the disk. The "secure disk partitions" system introduced with DRDOS 6 may be of some help against a few viruses that look for DOS partitions on a disk. The main use is in stopping people fiddling with (and infecting) your hard disk while you are away.

D7) Will a write-protect tab on a floppy disk stop viruses?

In general, yes. The write-protection on IBM PC (and compatible) and Macintosh floppy disk drives is implemented in hardware, not software, so viruses cannot infect a diskette whose write-protection mechanism is functioning properly. But remember:

(a) A computer may have a faulty write-protect system (this happens!) - you can test it by trying to copy a file to the diskette.

(b) Someone may have removed the tab for a while, allowing a virus on.

(c) The files may have been infected before the disk was protected. Even some diskettes "straight from the factory" have been known to be infected in the production process.

So, it is worthwhile to scan even write-protected disks for viruses.

D8) What is the best way to remove the virus so that downtime is short and losses are low?

Do the minimum that you must to restore the system to a normal state, starting with booting the system from a clean diskette. It is very unlikely you need to "low level reformat" the hard disk!

If a disinfecting program will remove the virus, do that. If not, and the virus is a program (or file) infector, remove the infected file and reinstall the software from the original (write-protected) disks. If the virus is a boot sector infector, you can continue using the computer with relative safety if you boot it from a clean system diskette, but it is wise to go through all your diskettes removing infection, since sooner or later you may be careless and leave a diskette in the machine when it reboots.
Boot sector infectors on PCs can be cured by a two-step approach of replacing the MBR, then using the SYS command.

=======================================================
=   Section E. Facts and Fibs about computer viruses  =
=======================================================

E1) Can "boot sector" viruses like Stoned infect non-bootable floppy disks?

Any diskette that has been properly formatted contains an executable program in the boot sector. If the diskette is not "bootable," all that boot sector does is print a message like "Non-system disk or disk error; replace and strike any key when ready", but it's still executable and still vulnerable to infection. If you accidentally turn your machine on with a "non-bootable" diskette in the drive, and see that message, it means that any boot virus that may have been on that diskette *has* run, and has had the chance to infect your hard drive, or whatever. So when thinking about viruses, the word "bootable" (or "non-bootable") is really misleading. All formatted diskettes are capable of carrying a virus.

E2) Can a virus hide in a PC's battery-backed CMOS memory?

No. The CMOS RAM in which system information is stored and backed up by batteries is ported, not addressable. That is, in order to get anything out, you use I/O commands. So anything stored there is not directly sitting in memory. Nothing in a normal machine loads the data from there and executes it, so a virus that "hid" in the CMOS RAM would still have to infect an executable object of some kind, in order to load and execute whatever it had written to CMOS. A malicious virus can of course *alter* values in the CMOS as part of its payload, but it can't spread through, or "hide" itself in, the CMOS.

E3) Can a virus infect data files?

Several viruses (Frodo, Cinderella) contain bugs which make them infect non-executable files. However, in order to spread, the virus must be executed.
Therefore, the "infected" non-executable files cannot be sources of infection.

However, note that it is not always possible to make a clear distinction between executable and non-executable files. One man's code is another man's data and vice versa. Several files that are not directly executable contain code or data which is at some time executed or interpreted. Some examples from the IBM PC world are .OBJ files, libraries, device drivers, source files for any compiler or interpreter, macro files for some packages like MS Word and Lotus 1-2-3, and many others. Currently there are viruses that infect boot sectors, master boot sectors, COM files, EXE files, BAT files, and device drivers, although any of the objects mentioned above can theoretically be used as an infection carrier. PostScript files can also be used to carry a virus, although no currently known virus does that.

E4) Can viruses spread from one type of computer to another (e.g., Amiga to PC), even if they can both read the same format disks, like the Atari ST reading MS-DOS format disks?

The simple answer is that no currently known viruses can do that. Although the disk formats may be the same, the different machines interpret the code differently. For example, the Stoned virus cannot infect an ST, as the ST cannot execute the virus code in the boot sector. The Stoned virus contains instructions for the 80x86 family of CPUs that the 680x0-family CPU (Atari ST) can't understand or execute.

The more general answer is that such viruses are possible, but unlikely. Such a virus would be quite a bit larger than current viruses and might well be easier to find. Additionally, the low incidence of cross-machine sharing of software means that any such virus would be unlikely to spread -- it would be a poor environment for virus growth.

E5) Can mainframe computers be susceptible to computer viruses?

Yes.
Numerous experiments have shown that computer viruses spread very quickly and effectively on mainframe systems. However, to our knowledge, no non-research computer virus has been seen on mainframe systems. (The Internet worm of November 1988 was not a computer virus by most definitions, although it definitely had some virus-like characteristics.)

Computer viruses are actually a special case of something else called "malicious logic", and other forms of malicious logic -- notably Trojan horses -- are far quicker, more effective, and harder to detect than computer viruses. Hence those tend to be used to attack mainframe systems, rather than computer viruses. For further information on malicious programs on multi-user systems, see Matt Bishop's paper, "An Overview of Malicious Logic in a Research Environment". The paper is available via anonymous FTP on Dartmouth.edu (129.170.16.4) as "pub/security/mallogic.ps".

E6) Some people say that disinfecting viruses is a bad idea. Is that true?

Disinfecting a virus is completely "safe" only if the disinfecting process restores the non-infected state of the object completely. That is, not only must the virus be removed from the file, but the original length of the file must be restored exactly, as well as its time and date of last modification, all fields in the header, etc. Sometimes it is necessary to be sure that the file is placed on the same clusters of the disk that it occupied prior to infection. If this is not done, then a program which uses some kind of self-checking or copy protection may stop functioning properly, if at all.

None of the currently available disinfecting programs do all this. For instance, because of the bugs that exist in many viruses, some of the information of the original file is destroyed and cannot be recovered. Other times, it is even impossible to detect that this information has been destroyed and to warn the user.
Furthermore, some viruses corrupt information very slightly and in a random way (Nomenklatura, Phoenix), so that it is not even possible to tell which files have been corrupted. Therefore, it is always better to determine the infected objects, and to destroy them by replacing them with clean backups. You should try to disinfect files only if they contain some valuable data that cannot be restored from backups or compiled from their original source.

E7) Can I avoid viruses by avoiding shareware/free software/games?

No. There are many documented instances in which commercial "shrink wrap" software was inadvertently distributed containing viruses. Avoiding shareware, freeware, games, etc., only isolates you from a vast collection of software (some of it very good, some of it very bad, most of it somewhere in between...). The important thing is not to avoid a certain type of software, but to be cautious of ANY AND ALL newly acquired software. Simply scanning all new software media for known viruses would be rather effective at preventing virus infections, especially when combined with some other prevention/detection strategy such as integrity management of programs.

E8) Can MS-DOS viruses run on non-DOS machines (e.g., Mac, Amiga)?

In general, no. However, on machines running DOS emulators (either hardware or software based), DOS viruses - just like any DOS program - may function. These viruses would be subject to the file access controls of the host operating system. For example, when running a DOS emulator such as VP/ix under a 386 UNIX environment, DOS programs are not permitted access to files which the host UNIX system does not allow them to access. Thus, it is important to administer these systems carefully.

=========================================
=   Section F. Miscellaneous Questions  =
=========================================

F1) How many different types of viruses are there?
It is not possible to give an exact number because new viruses are being created literally every day. Furthermore, different anti-virus researchers use different criteria to decide whether two viruses are different or one and the same. Some count two viruses as different if they differ by at least one bit in their non-variable code. Others group the viruses in families and do not count the closely related variants in one family as different viruses. As of March 1992, there were about 1,200 different IBM PC viruses, about 150 Amiga viruses, about 30 Macintosh viruses, several Atari ST viruses and a few Apple II viruses.

F2) How do viruses spread so quickly?

This is a very complex issue. Most viruses don't spread very quickly. Those that do spread widely are able to do so for a variety of reasons. A large target population (i.e., millions of compatible computers) helps... A large virus population helps... Vendors whose quality assurance mechanisms rely on, for example, outdated scanners help... Users who gratuitously insert new software into their systems without making any attempt to test for viruses help... All of these things are factors.

F3) What is the plural of "virus"? "Viruses" or "viri" or "virii" or...

The correct English plural of "virus" is "viruses." The Latin word is a mass noun (like "air"), and there is no correct Latin plural. Please use "viruses," and if people use other forms, please don't use VIRUS-L/comp.virus to correct them.

F4) When reporting a virus infection (and looking for assistance), what information should be included?

People frequently post messages to VIRUS-L/comp.virus requesting assistance on a suspected virus problem. Quite often, the information supplied is not sufficient for the various experts on the list to be able to help out. Also note that any such assistance from members of the list is provided on a volunteer basis; be grateful for any help received.
Try to provide the following information in your requests for assistance:

- The name of the virus (if known);
- The name of the program that detected it;
- The version of the program that detected it;
- Any other anti-virus software that you are running and whether it has been able to detect the virus or not, and if yes, by what name it called it;
- Your software and hardware configuration (computer type, kinds of disk(ette) drives, amount of memory and configuration (extended/expanded/conventional), TSR programs and device drivers used, OS version, etc.)

F5) How often should we upgrade our anti-virus tools to minimize software and labor costs and maximize our protection?

This is a difficult question to answer. Antiviral software is a kind of insurance, and those types of calculations are difficult.

There are two things to watch out for here: the general "style" of the software, and the signatures which scanners use to identify viruses. Scanners should be updated more frequently than other software, and it is probably a good idea to have a new set of signatures at least every two to three months. Some antiviral software looks for changes to programs or specific types of viral "activity," and these programs generally claim to be good for "all current and future viral programs." However, even these programs cannot guarantee to protect against all future viruses, and should probably be upgraded once per year.

Of course, not every anti-virus product is effective against all (or any!) viruses, even if upgraded regularly. Thus, do *not* depend on the fact that you have upgraded your product recently as a guarantee that your system is free of viruses!

=====================================================================
=  Section G. Specific Virus and Anti-viral software Questions...  =
=====================================================================

G1) I was infected by the Jerusalem virus and disinfected the infected files with my favorite anti-virus program.
However, WordPerfect and some other programs still refuse to work. Why?

The Jerusalem virus and WordPerfect program combination is an example of a virus and program that cannot be completely disinfected by an anti-virus tool. In some cases such as this one, the virus will destroy file header information by overwriting it. The only solution is to re-install the programs from clean (non-infected) backups or distribution media. (See question C4.)

G2) I was told that the Stoned virus displays the text "Your PC is now Stoned" at boot time. I have been infected by this virus several times, but have never seen the message. Why?

The "original" Stoned message was ".Your PC is now Stoned!", where the "." represents the "bell" character (ASCII 7 or "PC speaker beep"). The message is displayed with a probability of 1 in 8 only when a PC is booted from an infected diskette -- when booting from an infected hard disk Stoned never displays this message. Recently, versions of Stoned with -no message whatsoever- or only the leading bell character have become very common. These versions of Stoned are likely to go unnoticed by all but the most observant, even when regularly booting from infected diskettes.

Contrary to the information in Patricia Hoffman's VSUM and derivative works (apparently including the Central Point Anti-Virus ads in PC Magazine, et al.), the Stoned virus -does NOT- display the message "LEGALISE MARIJUANA", although such a string is quite clearly visible in the boot sectors of diskettes infected with the "original" version of Stoned in "standard" PCs.

====================

[End of VIRUS-L/comp.virus FAQ]

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 70]
*****************************************