Part II of frequently asked questions on the Virus
Frequently Asked Questions about PC viruses. Version 2
By: Tapio Keihanen
--- Opus-CBCS 1.72a
* Origin: PORTTI OPUS * Tampere * 358-31-184385 * (2:222/310.0)

© Tapio Keihanen, 1991.

You can contact me in these ways:
1. Send me netmail at address 2:222/310 (Portti BBS, 24H)
2. Send a message addressed to me to the virus echo on
FidoNet (note that the message should be on-topic
- don't send anything personal / off-topic there,
because those messages will spread all around
the world)
3. If you have access to the internet, send me e-mail at
[email protected]
4. If you can't use any of the ways described above, send me
an old-fashioned letter to this address:
Tapio Keihanen
Mesiheinankatu 2 B 6
33340 Tampere
Finland.
tel. +358-31-432478 (*only* evenings 18.00-22.00
GMT+2, voice)

Disclaimer:
I don't have anything to do with any of the products
mentioned in this text. I'm not marketing them and I
don't work for them in any way.

----------

This FAQ list includes information on the following topics:
1. Stoned
2. Write-protected diskettes
3. Trojans / Viruses
4. Virus? Viruses? Viri? Virii?
5. How to remove a virus from memory?
6. What should you do if your computer is infected?
7. Addresses of the main anti-virus program authors
8. Anti-virus BBS phone numbers

1. Stoned:
This is probably the most widespread virus in the PC world. It
was made in New Zealand in 1988 and since its release it has
been isolated all over the world: in the USA, the UK, Germany,
Finland, the USSR, everywhere. There are several variants of
this virus. Most of them differ only in the text, but some
have modifications in the code, too. The original version of
Stoned infected only 360Kb floppies, but newer and more
widespread versions also infect other kinds of floppies and
the partition table of the hard disk. This virus is known by
many names, for example New Zealand, Marijuana and Hawaii.

Stoned is purely a boot sector & partition table (=MBR, master
boot record) infector. Unlike most other viruses it does not
infect any files. When the system is booted from an infected
floppy, the virus automatically installs itself in the hard
disk's partition table. The floppy does not have to be a
bootable floppy; 'data' floppies can carry the virus as well.
If one boots from such a non-bootable floppy, the virus
infects the computer just as if one had booted from a
bootable floppy. As far as I know, there is no trojan which
installs the virus on a hard disk. So the only way one can
get infected with Stoned is that the machine has been booted
from an infected floppy.

Usually one in eight boot-ups from an infected floppy will
result in a message like 'Your PC is now stoned!' or 'Your
computer is now stoned!' popping up. This message does not
appear when the computer is booted from an infected hard
disk, only when it is booted from an infected floppy. Because
this text is visible in the virus's code, it is very easy to
change. There is at least one variant in which the text has
been replaced by spaces.

Stoned installs itself in memory when the computer is booted
from an infected disk. It uses 2048 bytes of RAM, and the
total system memory & free memory decrease by the appropriate
amount (on 640kb+ systems the amount of total system memory
is normally 655360 bytes, but on infected machines it is
653312).
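As an added illustration (not part of the FAQ), two defender-side triage checks built only from the facts above: comparing a reported memory total with the 655360/653312 figures, and searching a 512-byte boot-sector image for the visible message text. The function names and the sample sectors are constructed for this example; the 55AA trailer is the standard boot-sector signature.

```python
# Added example, not from the FAQ: triage checks for a resident
# boot-sector infector such as Stoned, using the figures the text gives.
STONED_TEXTS = (b"Your PC is now stoned!", b"Your computer is now stoned!")
CLEAN_TOTAL = 655360      # total conventional memory on a clean 640 KB machine (FAQ)
RESIDENT_SIZE = 2048      # RAM taken by resident Stoned (FAQ)


def memory_deficit(reported_total, clean_total=CLEAN_TOTAL):
    """Bytes of conventional memory missing compared with a clean machine."""
    return clean_total - reported_total


def matches_stoned_footprint(reported_total):
    """True when the missing memory equals Stoned's 2 KB resident footprint.
    Other resident infectors also lower this figure, so a hit is a reason to
    boot from a clean, write-protected floppy and scan, not a diagnosis."""
    return memory_deficit(reported_total) == RESIDENT_SIZE


def scan_boot_sector(sector):
    """Report the 55AA boot signature and any visible Stoned message text.
    The search is case-insensitive. A variant whose text was replaced by
    spaces (the FAQ mentions one) gives no hit, so an empty list is not
    proof that the sector is clean."""
    if len(sector) != 512:
        raise ValueError("a boot sector is exactly 512 bytes")
    lowered = sector.lower()
    hits = [t.decode() for t in STONED_TEXTS if t.lower() in lowered]
    return {"boot_signature": sector[510:] == b"\x55\xaa", "stoned_text": hits}


def build_sample_sector(message):
    """Constructed 512-byte sector: zero padding, the message, 55AA trailer."""
    body = bytes(400) + message
    return body + bytes(510 - len(body)) + b"\x55\xaa"


if __name__ == "__main__":
    print(matches_stoned_footprint(653312))                    # True
    print(scan_boot_sector(build_sample_sector(b"Your PC is now stoned!")))
    print(scan_boot_sector(build_sample_sector(b" " * 22)))   # blanked text: no hit
```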

Stoned is not meant to be destructive. However, because it
stores a copy of the original boot sector of an infected
floppy in sector 11, it can cause some problems. Sector 11 is
usually part of the root directory - on some DOS versions it
is part of the FAT, too. If a 360kb floppy has more than 96
file names or a 1.2mb floppy more than 48 file names, the
virus will overwrite the file names stored there. Stoned can
cause some problems on non-standard hard disks, too.

There are plenty of Stoned removers. The best-known of them
are probably Clean-Up, M-Disk and F-Prot. All of them can
usually remove the Stoned virus correctly. There might be
some problems disinfecting Stoned if the hard disk is not a
standard hard disk. This occurs very rarely, and usually the
disinfectors will notify the user about it. There is one
important point in disinfecting Stoned (this applies to every
other virus, too):
The virus must not be in memory when one tries
to disinfect disks. If the virus is in memory,
it will infect the disk again right after it
has been cleaned.
So the computer must be booted from a 100% clean floppy and
the disinfector must be run after that.
If one doesn't have access to any Stoned disinfector, there
are practically two ways to remove Stoned. One is to
low-level format the infected hard disk and re-format the
infected floppies. The other is more convenient: MS-DOS 5's
FDISK program has an undocumented switch which replaces the
current partition table on the hard disk with a new one. The
switch is /MBR. Infected floppies can be cleaned with the SYS
command, too.

2. Write-protected diskettes
A diskette can be protected against writing in these ways:

a) On 5.25" floppies (360kb, 1.2mb) there is a small hole on
the right side of the diskette. If that hole is covered
by either a silver or a black sticker, the diskette is
write protected.
b) On 3.5" floppies (720kb, 1.44mb) there is a small hole on
the right side of the diskette (there is a hole on the
left side, too, if the diskette is a 1.44mb floppy). On
the back of the diskette there is a small switch which
can cover the hole or open it. If the switch is set so
that the hole is open (i.e. you can see through the
hole), then the diskette is write protected. If the
switch covers the hole, the diskette is write enabled.

There are several programs which claim to protect either
diskette drives or hard disks from writing. But because they
are just software and not hardware, it is fairly easy to
bypass those protections. Most viruses can do it easily.

A virus can't infect write-protected diskettes on PCs and
compatibles (this also applies to ATs, 386s, 486s,
Macintoshes, Amigas and Ataris) with standard disk drives.
There are no software tricks which can bypass the
write-protect check or fake that the disk is not write
protected.

The older 5.25" disk drives usually had a mechanical 'arm'
which checked the write-protect tab. If the 'arm' found that
it couldn't get through the hole, it reported to the computer
that the diskette is write protected. Nowadays diskette
drives check the write-protect status with infra-red light
sensors. If the light gets through the hole on a 5.25"
diskette, the diskette is not write protected. Some drives
check this with infra-red light and a mirror, too.

If on these 'mirror' drives one uses a very shiny
write-protection sticker, the infra-red light can get
reflected and the disk drive might assume that a
write-protected floppy is not write protected. If the
write-protection sticker is transparent (a piece of ordinary
scotch tape, for example), the light can get through it and
the drive assumes that the diskette has no write-protection
sticker. Both cases can be prevented by using matt black
stickers.

3. Trojans / Viruses
A trojan (=trojan horse) is a program which does something it
is not supposed to do. For example, when you execute a trojan
which was said to show some people doing some interesting
sexual things, it might display a message like "ARF, ARF,
GOTCHA!" or "HAVE A NICE DAY!" and then format your hard
disk. A trojan does not try to spread to files or anything
like that - nearly all trojans work only from the trojan file
(there are some exceptions, for example the 12 Tricks Trojan
copies part of itself to the partition table and works from
there, too).

The first trojan, EGABTR.COM, appeared in 1985. Since then
there have been many different trojans; the best-known are
the AIDS Information Trojan (1989) and the 12 Tricks Trojan
(1990). The first virus appeared approximately a year after
the first trojan - in January 1986. It was named Brain; it
has been estimated that this virus has infected well over
300 000 floppies all around the world.

Trojans can cause many different effects. There are several
trojans which try to steal passwords from BBS systems, which
try to format your hard disk, which try to delete your files,
which produce strange screen effects, etc.

There is one big difference between viruses and trojans.
Viruses try to spread somewhere (files, boot sector,
partition table) but trojans don't. Trojans are much rarer
than viruses, because trojans can't spread. They stay in
their own programs - a user has to copy the trojan program to
make it 'spread'. Viruses and trojans are often mixed up -
especially in the press.

4. Virus, Viruses, Viri, Virii
There are several different words for those little beasties
which try to spread in computers. All of the names listed
above are valid, except 'virii'. But it is not important what
name one uses for 'those-things-that-spread-in-computers', as
long as everyone knows what one means. However, 'virus -
viruses' is the most used expression in both the VIRUS and
VIRUS_INFO echoes. You can be sure that everyone understands
you if you use that expression.

5. How to remove a virus from memory?
If a computer is infected with a virus, it is necessary that
the virus is not in memory when one tries to disinfect the
computer. If the virus is in memory, it is highly likely that
the computer becomes infected again right after the cleaning
process.

To remove a virus from memory, there is practically only one
safe possibility: turn off the power and reboot from a
*clean* and write-protected floppy (if your computer has a
RESET button, it will kill the virus from memory, too). You
should always have a clean copy of DOS - if you don't have
one, make one now! Make it from the original DOS disks - not
from the hard disk.

In most cases you can kill a virus from memory just by
pressing CTRL-ALT-DEL. However, there are some viruses (for
example Joshi) which can trap CTRL-ALT-DEL and do a fake
reboot. You can't clean such viruses from memory by pressing
CTRL-ALT-DEL. It is always recommended that you use the power
switch or reset to remove a virus from memory.

Note: There is not, and there won't be (at least on PCs),
a virus which can survive in memory when the power is
turned off. A virus can't hide in CMOS RAM because
there can't be any executable code there. If a virus
copies itself to CMOS RAM, it will destroy the
configuration information, but it won't get
executed or activated in any way.

6. What should you do when you notice your computer is infected?
If your computer is infected, you don't need to panic. Just
turn off the power and then think carefully about what you
should do. It is important that when you start the
disinfection process you boot your computer from a clean disk
and don't execute any programs from infected disks (this is
for file viruses).

You can do many things with infected disks without getting
your computer infected. You can insert an infected disk in
the drive, you can do a DIR on an infected disk, you can copy
files, but you should NOT execute ANY program on the disk. A
virus can get into the computer only when it is executed. A
virus can't get executed if one does not boot from an
infected disk (this is for boot sector and partition table
infectors) or if one doesn't execute any executable file.

Try to find the most recent virus scanner available. There
are several good scanners and disinfectors, for example
F-Prot from Fridrik Skulason and ViruScan & Clean-Up from
McAfee Associates. Then use them to determine how widely the
virus has spread on your system. These scanners can't find
every virus, but the most recent versions of them will find
really many of them. There are some very rare viruses which
these scanners won't pick up. Scanners won't find new
viruses, either.

The last step is to remove the virus from the system. If you
have clean copies of the infected files, it is recommended
that you delete the infected files and then copy the clean
copies over them. If you don't have clean copies, then you
should use a disinfector. I've found F-Prot to be a very good
disinfector, but there are some others, too.

7. Addresses of the main anti-virus programmers
You can contact these virus researchers if you have problems
with viruses or you suspect that your system is infected.

Clean-Up, NetScan, Vcopy, ViruScan, Vshield:
-------------------------------------------
McAfee Associates
4423 Cheeney Street
Santa Clara, CA 95054-0253
U.S.A.
(408) 988-3832 office
(408) 970-9727 fax
(408) 988-4004 BBS 2400 bps
(408) 988-5138 BBS HST 9600
(408) 988-5190 BBS v32 9600
CompuServe GO VIRUSFORUM
InterNet [email protected]

F-Prot
------
Fridrik Skulason
Frisk Software International
Postholf 7180
IS-127 Reykjavik
Iceland
Phone: +354-1-694749
Fax: +354-1-28801
E-mail: [email protected]

8. Anti-virus BBS numbers
Here are some well-known and reliable anti-virus BBSes around
the globe. If you have any trouble with viruses, feel free to
call these BBSes.

INFOdesk BBS The Hague
2:512/2@fidonet
+31-70-3898822
contact: Righard Zwienenberg [RiZwi]
Harry Thijssen {HT} <HTSCAN>

Bamestra RBBS
2:512/10@fidonet
+31-02998-3603
contact: Jan Terpstra <JT>

Thunderbyte BBS
2:280/200@fidonet
+31-85-212395
contact: Frans Veldman <TBSCAN(X)>

Danbo BBS
2:359/1@fidonet
+31-359-52-235866
contact: Daniel Kalchev

Excalibur!
1:204/869@fidonet
+1-408-244-0813
contact: Patricia Hoffman <VSUM>