This HTML version was knocked up by Tim O'Leary, and kept
on his site, in order to have a Melbourne, Australian site available,
for speedier access. It is faithful to the original, is only
a copy of that original and while occasional efforts are made,
this site does not claim to have the latest FAQ. Tim O'Leary
does not claim any authorship and any mistakes are due to a
virus. Tim O'Leary's email is: email@example.com
For the latest FAQ you should always go to David
Harley's home page.
New or modified entries are now flagged with two plus symbols at
the beginning of the line. Sorry if I missed any on this update.
@@ Amendments between official upgrades are now flagged with
two at-signs (@@) in the first two columns rather than three
plus signs (+++). This is because I usually edit this document
from home, and +++ has a specific meaning to Hayes-compatible
modems which I invariably forget about.
Maintenance of this FAQ is now shared between the following:
Exactly how (not to mention if) this will work in practice has
yet to be determined. For the moment, it will work as follows.
George will do the real work, like making sure the darn thing
is posted regularly and organizing archiving, posting automagically
etc., keeping an eye on whether URLs are still current etc.
Bruce and I will concentrate on doing what we do best: Bruce
will keep an eye open for sloppy grammar and general imprecision;
I'll sit here claiming credit for the work of others and make
the final decision in the event of any contention. All three
of us will refer to ourselves as "co-maintainer" rather than
Any of us may choose to suggest edits, additions and subtractions
to/from the FAQ, but, with effect from the next revision, all
edits will be agreed between the three of us before inclusion
in the FAQ. If anyone else wishes to contribute a suggestion,
alteration or addition, they can send it to any or all of the
above, and it will be used subject to the agreement of all three
For the present, the authoritative version of the FAQ remains
the one at http://www.sherpasoft.com/acvFAQ/.
Administration of the and the
FAQ remains with David Harley alone.
This document is primarily concerned with defending the integrity
of computing systems and preventing damage caused by viruses
or other malicious and/or other unauthorized software. It attempts
to address many of the issues which are frequently discussed
on alt.comp.virus, but does not claim to represent all shades
of opinion among the users of a.c.v. - in particular, it does
not include information which, in my estimation, is likely to
be of more help to those interested in the spreading of unauthorized
and/or malicious software than to those who wish to be protected
This document is an honest attempt to help individuals with
computer virus-related problems and queries. It can *not* be
regarded as being in any sense authoritative, and has no legal
standing. The authors accept no responsibility for errors or
omissions, or for any ill effects resulting from the use of
any information contained in this document. Not all the views
expressed in this document are mine, and those views which *are*
mine are not necessarily shared by my employer. David Harley
Copyright on all contributions to this FAQ remains with the authors and
all rights are reserved. It may, however, be freely distributed
and quoted - accurately, and with due credit.
It may not be reproduced for profit or distributed in part or
as a whole with any product for which a charge is made, except
with the prior permission of the copyright holders. To obtain
such permission, please contact one of the co-maintainers of
The latest version of this document is available from:
(this is the primary source)
(2) Thanks to the efforts of Ed Fenton, the FAQ is now available
as a hypertext electronic document (DOS). This will be available
from ftp.gate.net (see below).
Derek Giroulle has offered to make the FAQ available in French
and Dutch. More details in due course. If there's any interest
in other non-English versions, perhaps people would let me know
and I'll see what I can do.
A number of individuals and sites have agreed to make it available
via anonymous FTP and/or WWW. These include:
It is also available on AOL (America Online): Virus Information
Center, keyword VIRUS.
(i) What is the FAQ, and whom is it for?
This FAQ is intended to make available answers to questions which
are repeatedly asked on alt.comp.virus, and tries to gather
the most useful information regarding this group and the issues
discussed here into a relatively short document. The hope is
to produce (eventually) an easily-digested document for newcomers,
as a means of saving those who regularly reply to posted questions
having to re-invent the wheel each time.
I recommend that you read this FAQ in conjunction with the comp.virus
(VIRUS-L) FAQ, which gives more detailed information regarding
some issues which are, inevitably, covered in both FAQs.
The VIRUS-L/comp.virus FAQ is regularly posted to the comp.virus
newsgroup. The latest version should be available as:
You can get the Mk. 2 version at
which is very long and very thorough. This document is subject
to revision, so the file name may change.
A very terse mini-FAQ maintained by George Wenzel is posted
more or less daily to alt.comp.virus. I am now regularly posting
a guide to virus-related FAQs (contact details and digest of
contents), which I plan to extend to other security areas eventually,
as a supplement to this FAQ. Both these resources will eventually
be available by FTP/WWW.
The following have contributed text and/or ideas and/or proofreading/corrections
and/or URLs to the a.c.v. FAQ. Vesselin Bontchev, Bruce Burrell,
Graham Cluley, Henri Delger, Edward Fenton, Nicola Ferri, Sarah
Gordon, David Harley, R. Wallace Hale, Norman Hirsch, Matthew
Holtz, Mikko H. Hypponen, Douglas A. Kaufman, Tom Kelchner,
Paul Kerrigan, Chengi Jimmy Kuo, Susan Lesch, Gerard Mannig,
Mike Ramey, Perry Rovers, Megan Skinner, Fridrik Skulason, Robert
Slade, Alan Solomon, Ken Stieers, Hector Ugalde, George Wenzel,
Caroline Wilson, Tarkan Yetiser.
Acknowledgement is also due to the work of Ken Van Wyk, former
moderator of VIRUS-L/comp.virus, and the contributors to the
comp.virus FAQ (both versions).
Thanks also to firstname.lastname@example.org (aka Phreex), who mailed me a copy
of the FAQ he posted to a.c.v. some months before this one was
begun, David J. Loundy for assistance regarding legal issues,
and to Nick FitzGerald, the moderator of comp.virus and maintainer
of the Mk. II comp.virus FAQ.
And especially to George Wenzel and Lucky the Cat.
(iii) Guide to posting etiquette
Messages asking for help posted to alt.comp.virus are more likely
to receive a useful response if they conform to accepted standards
of civility. The newsgroup news.announce.newusers includes information
on good newsgroup etiquette, or try
However, adhering to the following guidelines would be particularly
Keep your lines short (say 72 characters per line), so that
anyone who follows up doesn't have to reformat quoted text to
keep it readable.
Don't quote all or most of a message you're following up unless
it's either very short, or necessary in order to address each
point made. In the latter case, please put the point you're
answering close to your answer and try to format it so that
it's readable. Remember that some people have to pay for connection/download
On the other hand, a message which says something like 'I totally
agree' without including enough of the original for us to tell
what you're agreeing with is a waste of bandwidth.
Keep it polite. It's unlikely that anyone who replies to your
posting is being paid to do so, and it wouldn't excuse bad manners
if they were. Of course, the cut and thrust of debate may be
a different matter altogether....
Asking for a reply by direct e-mail may be reasonable if you
need an urgent solution or are using a borrowed account. It
isn't reasonable if you simply can't be bothered to check newsgroups.
At least try to think up a good excuse, and be prepared to offer
a summary to the group.
Check that there isn't already a thread on the subject you're
asking about before posting yet another 'Has anyone heard of
the GOOD TIMES virus?' message. If there is, check it first:
the answer to your question may already be there (if it isn't
in this document!). Please remember that many people have to
pay for connect time, and don't appreciate duplicate postings
or uuencoded binaries.
If you want to follow up a message which doesn't seem particularly
relevant to alt.comp.virus, check the 'Newsgroups:' header:
there have been a lot of responses to spammings recently which
have increased the bandwidth used, often quite unnecessarily.
Please don't post test messages here unless you really need
to: use one of the newsgroups intended for the purpose: there
is probably one local to your news server - ask your Systems
Administrator, provider or local helpdesk. If you must post
to the entire Internet, use misc.test - if you do, put the word
IGNORE in your Subject: field, or you'll get auto-responder
messages in your mail for weeks afterwards. Look through the
postings in news.announce.newusers for relevant guidelines before
If you get into an exchange of E-mail, please remember that
not everyone can handle all forms of E-mail attachment (uuencoded,
MIME format etc.) - if it's text, *send* it as text. NB also
that (uu)encoding text makes it longer as well as unreadable,
(iv) How to ask on the alt.comp.virus newsgroup for help
The more relevant information you give us, the more we can help
It helps to tell us the following:
* What you think the problem is (you might think it's a virus,
but maybe it isn't).
* What the symptoms are.
* If you ran some software that gave you a message, tell us which
package, version number, and the exact wording of the message.
Please be as accurate as possible about the order in which
* If just one file is infected, give the filename.
* If you're running more than one anti-virus product, please
list them (including version number), and say what each
one said about the possible virus.
* Which version of which operating system you are running.
* Any other configuration information which you think may have
* Don't take action, then ask if that was the right action - if
it wasn't, it's too late.
* Don't just ask "I've got xyz virus, can anyone help me".
(1) I have a virus - what do I do?
(2) Minimal glossary
(3) What is a virus (Trojan, Worm)?
(4) How do viruses work?
(5) How do viruses spread?
(6) How can I avoid infection?
(7) How does antivirus software work?
(8) What's the best anti-virus software (and where do I get it)?
(9) Where can I get further information?
(10) Does anyone know about
* Mac viruses?
* UNIX viruses?
* macro viruses?
* the AOLGold virus?
* the PKZip300 trojan virus?
* the xyz PC virus?
* the Psychic Neon Buddha Jesus virus?
* the blem wit virus
* The Irina Virus
* General Info on Hoaxes/Erroneous Alerts
(11) Is it true that...?
(12) Favourite myths
* DOS file attributes protect executable files from infection
* I'm safe from viruses because I don't use bulletin boards/shareware/Public
* FDISK /MBR fixes boot sector viruses
* Write-protecting suspect floppies stops infection
* The write-protect tab always stops a disk write
* I can infect my system by running DIR on an infected disk
(13) What are the legal implications of computer viruses?
there anti-virus packages which check zipped files?
What's the genb/genp virus?
Where do I get VCL and an assembler, & what's the password?
Send me a virus.
It said in a review......
Is it viruses, virii or what?
Where is alt.comp.virus archived?
++ What about firewalls?
Viruses on CD-ROM.
Can't viruses sometimes be useful?
Do I have a virus, and how do I know?
What should be on a (clean) boot disk?
How do I know I have a clean boot disk?
What other tools might I need?
What are rescue disks?
Are there CMOS viruses?
How do I know I'm FTP-ing 'good' software?
What is 386SPART.PAR?
++ Can I get a virus to test my antivirus package with?
When I do DIR | MORE I see a couple of files with funny names...
Reasons NOT to use FDISK /MBR
Why do people write/distribute viruses?
Where can I get an anti-virus policy?
Are there virus damage statistics?
What is NCSA approval?
++ What language should I write a virus in?
++ No, seriously, what language are they written in?
++ [DRD], Doren Rosenthal, the Universe and Everything
++ What are CARO and EICAR?
Supplement: Virus-related FAQs vs. 1.02b
* The alt.comp.virus FAQ
* The comp.virus/Virus-L FAQ
* The macro-virus FAQ
* The alt.comp.virus mini-FAQ
* The Antiviral Software Evaluation FAQ
I have a virus problem - what do I do?
The following guidelines will, one hopes, be of assistance. However,
you may get better use out of them if you read the rest of this
document before acting rashly...
If you think you may have a virus infection, *stay calm*. Once
detected, a virus will rarely cause (further) damage, but a
panic action might. Bear in mind that not every one who thinks
s/he has a virus actually does (and a well-documented, treatable
virus might be preferable to some problems!). Reformatting your
hard disk is almost certainly unnecessary and very probably
won't kill the virus.
If you've been told you have something exotic, consider the
possibility of a false alarm and check with a different package.
If you have a good antivirus package, use it. Better still,
use more than one. If there's a problem with the package, use
the publisher's tech support and/or try an alternative package.
If you don't have a package, get one (see section on sources
below). If you're using Microsoft's package (MSAV) get something
Follow the guidelines below as far as is practicable and applicable
to your situation.
Try to get expert help *before* you do anything else. If the
problem is in your office rather than at home there may be someone
whose job includes responsibility for dealing with virus incidents.
Follow the guidelines below as far as is practicable and applicable.
* Do not attempt to continue to work with an infected system,
or let other people do so.
* It's considered preferable to switch an infected system
off until a competent person can deal with it: don't allow
other people to use it in the meantime. If possible, close
down applications, Windows etc. properly and allow any caches/buffers
to flush, rather than just hit the power switch.
* If you have the means of checking other office machines for
infection, you should do so and take appropriate steps if
an infection is found.
* If you are unable to check other machines, assume that all
machines are infected and take all possible steps to avoid
spreading infection any further.
* If there are still uninfected systems in the locality, don't
use floppy disks on them [except known clean write-protected
DOS boot floppies]; users of infected machines should not
*under any circumstances* trade disks with others until
their systems and disks are cleaned.
* If the infected system is connected to a Novell network, Appleshare
etc., it should be logged off all remote machines unless
someone knowledgeable says different. If you're not sure
how to do this, contact whoever is responsible for the administration
of the network. You should in any case ensure that the network
administrator or other responsible and knowledgeable individual
is fully aware of the situation.
* No files should be exchanged between machines by any other
means until it's established that this can be done safely.
* Ensure that all people in your office and anyone else at risk are
aware of the situation.
* Gather *all* floppy disks together for checking and check every
one. This includes write-protected floppies and program
master disks. Check all backups too (on tape or file servers
as well as on floppy).
[There is room for improvement and expansion here. Contributions will
be gratefully accepted.]
AV - AntiVirus. Sometimes applied as a shorthand term for anti-virus
researchers/programmers/publishers - may include those whose
work is not AV research, but includes virus-control. (See
BSI - Boot Sector Infector (= BSV - Boot Sector Virus)
BIOS - Basic Input Output System
CMOS - Memory used to store hardware configuration information
- DOS Boot Record
- DOS Boot Sector
False Positive - When an antivirus program incorrectly reports
a virus in memory or infecting a file. Scanners in heuristic
mode and integrity checkers are, by definition, somewhat
more prone to these.
False Negative - Essentially, a virus undetected by an antivirus
In the Wild - describes viruses known to be spreading uncontrolled to
real-life systems, as opposed to those which exist only
in controlled situations such as anti-virus research labs.
Virus code which has been published but not actually found
spreading out of control is not usually regarded as being
MBR - Master Boot Record (Partition Sector)
TSR - A memory-resident DOS program, i.e. one which remains in
memory while other programs are running. A good TSR should
at least detect all known in-the-wild viruses and a good
percentage of other known viruses. Generally, TSRs are not
so good with polymorphic viruses, and should not be relied
- Those who study, exchange and write viruses, not necessarily
with malicious intentions (So I'm frequently told here...)
VxD - A Windows program which can run in the background. A scanner
implemented as a VxD has all the advantages of a DOS TSR,
but can have additional advantages: for instance, a good
VxD will scan continuously *and* for all the viruses detected
by a command-line scanner.
- suite of viruses used for testing.
See the comp.virus FAQ for fuller definitions of some of these
terms and others which aren't addressed here.
Here are some commonly referred-to anti-virus packages, including
acronyms (hence their inclusion in this section). [Suggestions
for expansion are, again, welcomed.]
- AntiViral Toolkit Pro
- Dr. Solomon's AntiVirus ToolKit
- Central Point AntiVirus
Doctor (Not Dr. Solomon!)
DSAVTK - Dr. Solomon's AntiVirus ToolKit
- DSAVTK scanner
MSAV - MicroSoft AntiVirus
- Norton AntiVirus
SCAN -
- Scanner by Sophos
- Thunderbyte AntiVirus
What is a virus (and what are Trojans and Worms)?
A (computer) virus is a program (a block of executable code) which
attaches itself to, overwrites or otherwise replaces another
program in order to reproduce itself without the knowledge of
the PC user.
Most viruses are comparatively harmless, and may be present
for years with no noticeable effect: some, however, may cause
random damage to data files (sometimes insidiously, over a long
or attempt to destroy files and disks. Others cause unintended
damage. Even benign viruses (apparently non-destructive viruses)
cause significant damage by occupying disk space and/or main
memory, by using up CPU processing time, and by the time and
expense wasted in detecting and removing them.
A Trojan Horse is a program intended to perform some covert
and usually malicious act which the victim did not expect or
want. It differs from a destructive virus in that it doesn't
reproduce, (though this distinction is by no means universally
A dropper is a program which installs a virus or Trojan, often
A worm is a program which spreads (usually) over network connections.
Unlike a virus, it does not attach itself to a host program.
In practice, worms are not normally associated with personal
computer systems. There is an excellent and considerably longer
definition in the Mk. 2 version of the Virus-L FAQ.
(The following is a slightly academic diversion)
A lot of bandwidth is spent on precise definitions of some of
the terms above. I have Fridrik Skulason's permission to include
the following definition of a virus, which I like because it
demonstrates most of the relevant issues.
#1 A virus is a program that is able to replicate - that is,
create (possibly modified) copies of itself.
#2 The replication is intentional, not just a side-effect.
#3 At least some of the replicants are also viruses, by this definition.
#4 The virus has to attach itself to a host, in the sense that
execution of the host implies execution of the virus.
#1 is the main definition, which distinguishes between viruses
and Trojans and other non-replicating malware.
#2 is necessary to exclude for example a disk-copying program
copying a disk, which contains a copy of itself.
#3 is necessary to exclude "intended" not-quite-viruses.
#4 is necessary to exclude "worms", but at the same time it
has to be broad enough to include companion viruses and .DOC
How do viruses work?
A file virus attaches itself to a file (but see the section below
or the comp.virus FAQ on the subject of companion viruses),
usually an executable application (e.g. a word processing program
or a DOS program). In general, file viruses don't infect data
data files can contain embedded executable code such as macros,
which may be used by virus or trojan writers. Text files such
as batch files, postscript files, and source code which contain
commands that can be compiled or interpreted by another program
are potential targets for malware (malicious software), though
such malware is not at present common.
Boot sector viruses alter the program that is in the first sector
(boot sector) of every DOS-formatted disk. Generally, a boot
sector infector executes its own code (which usually infects
the boot sector or partition sector of the hard disk), then
continues the PC bootup (start-up) process. In most cases, all
write-enabled floppies used on that PC from then on will become
Multipartite viruses have some of the features of both the above
types of virus. Typically, when an infected *file* is executed,
it infects the hard disk boot sector or partition sector, and
thus infects subsequent floppies used or formatted on the target
The following virus types are more fully defined in the comp.virus
FAQs (see preamble):
STEALTH VIRUSES - viruses that go to some length to conceal their
presence from programs which might notice.
POLYMORPHIC VIRUSES - viruses that cannot be detected by searching for
a simple, single sequence of bytes in a possibly-infected
file, since they change with every replication.
COMPANION VIRUSES - viruses that spread via a file which runs instead
of the file the user intended to run, and then runs the
original file. For instance, the file MYAPP.EXE might be
'infected' by creating a file called MYAPP.COM. Because
of the way DOS works, when the user types MYAPP at the C>
prompt, MYAPP.COM is run instead of MYAPP.EXE. MYAPP.COM
runs its infective routine, then quietly executes MYAPP.EXE.
N.B. this is not the *only* type of companion (or 'spawning')
ARMOURED VIRUSES - viruses that are specifically written to make
it difficult for an antivirus researcher to find out how
they work and what they do.
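As an added illustration (not from the FAQ), the following Python audits a constructed directory listing for the two file-name collisions a companion virus relies on: a .COM beside a same-named .EXE (or .BAT) in one directory, and a same-named executable placed earlier in the PATH. The PATH order, directory names and file names are constructed for the example.

```python
"""Audit a DOS directory layout for companion-virus candidates.

DOS resolves a bare command name by trying .COM, then .EXE, then .BAT in the
current directory, then repeats that search in each PATH directory in order.
A companion virus plants a file that wins this search for an existing
program's name, so a defender can look for exactly those collisions.
Added example, not from the FAQ; the PATH and listing below are constructed.
"""
from typing import Dict, List, Tuple

# DOS search precedence for a bare command name, highest priority first.
DOS_EXT_ORDER = (".COM", ".EXE", ".BAT")


def split_name(name: str) -> Tuple[str, str]:
    """Return (BASE, .EXT) upper-cased; DOS file names are case-insensitive."""
    base, dot, ext = name.upper().rpartition(".")
    return (base, "." + ext) if dot else (name.upper(), "")


def resolve_in_dir(files: List[str]) -> Dict[str, str]:
    """Map each base name to the file DOS would run for it in this directory."""
    prio = DOS_EXT_ORDER.index
    winner: Dict[str, str] = {}
    for f in files:
        base, ext = split_name(f)
        if ext not in DOS_EXT_ORDER:
            continue  # not something DOS runs from a bare name
        if base not in winner or prio(ext) < prio(split_name(winner[base])[1]):
            winner[base] = f
    return winner


def same_directory_companions(files: List[str]) -> List[Tuple[str, str]]:
    """Return (runs_first, shadowed) pairs for same-named executables in one
    directory: MYAPP.COM beside MYAPP.EXE means typing MYAPP runs the .COM."""
    by_base: Dict[str, Dict[str, str]] = {}
    for f in files:
        base, ext = split_name(f)
        if ext in DOS_EXT_ORDER:
            by_base.setdefault(base, {})[ext] = f
    pairs = []
    for base in sorted(by_base):
        present = [e for e in DOS_EXT_ORDER if e in by_base[base]]
        # The first present extension wins; every other one is shadowed by it.
        for shadowed in present[1:]:
            pairs.append((by_base[base][present[0]], by_base[base][shadowed]))
    return pairs


def path_companions(path: List[str], listing: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (runs_first, shadowed) pairs where an earlier PATH directory
    already resolves a base name that a later directory also provides."""
    first_seen: Dict[str, str] = {}
    pairs = []
    for directory in path:
        for base, f in sorted(resolve_in_dir(listing.get(directory, [])).items()):
            full = directory.rstrip("\\") + "\\" + f
            if base in first_seen:
                pairs.append((first_seen[base], full))
            else:
                first_seen[base] = full
    return pairs


def audit(path: List[str], listing: Dict[str, List[str]]) -> Dict[str, list]:
    """Run both checks over a listing and return the findings by kind."""
    local = []
    for directory in path:
        prefix = directory.rstrip("\\") + "\\"
        for first, shadowed in same_directory_companions(listing.get(directory, [])):
            local.append((prefix + first, prefix + shadowed))
    return {"same_directory": local, "across_path": path_companions(path, listing)}


# Constructed sample: a writable TEMP directory ahead of DOS in the PATH, and an
# application directory where MYAPP.COM has appeared next to MYAPP.EXE.
SAMPLE_PATH = ["C:\\TEMP", "C:\\DOS", "C:\\APPS"]
SAMPLE_LISTING = {
    "C:\\TEMP": ["README.TXT", "XCOPY.COM"],
    "C:\\DOS": ["XCOPY.EXE", "EDIT.COM", "FORMAT.COM"],
    "C:\\APPS": ["MYAPP.EXE", "MYAPP.COM", "SETUP.BAT", "SETUP.EXE", "NOTES.TXT"],
}

if __name__ == "__main__":
    for kind, findings in audit(SAMPLE_PATH, SAMPLE_LISTING).items():
        for runs_first, shadowed in findings:
            print(f"{kind}: {runs_first} runs instead of {shadowed}")
```

A finding is only a candidate: legitimate programs do ship a .COM loader beside an .EXE, so each pair still needs a look at which file was added when.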
How do viruses spread?
A PC is infected with a boot sector virus (or partition sector
virus) if it is (re-)booted (usually by accident) from an infected
floppy disk in drive A. Boot Sector/MBR infectors are the most
commonly found viruses, and cannot normally spread across a
network. These (normally) spread by accident via floppy disks
which may come from virtually any source: unsolicited demonstration
disks, brand-new software (even from reputable sources), disks
used on your PC by salesmen or engineers, new hardware, or repaired
A file virus infects other files when the program to which it
is attached is run, and so *can* spread across a network (often
very quickly). They may be spread from the same sources as boot
sector viruses, but also from sources such as Internet FTP sites
and bulletin boards. (This applies also to Trojan Horses.)
A multipartite virus infects boot sectors *and* files. Often,
an infected file is used to infect the boot sector: thus, this
is one case where a boot sector infector could spread across
How can I avoid infection?
There is no way to guarantee that you will avoid infection. However,
the potential damage can be minimized by taking the following
* Make sure you have a clean boot disk - test with whatever (up-to-date!)
antivirus software you can get hold of and make sure it
is (and stays) write-protected. Boot from it and make a
couple of copies.
* Use reputable, up-to-date and properly-installed anti-virus
software regularly. (See below.) If you use a shareware package
for which payment and/or registration is required, do it.
Not only does it encourage the writer and make you feel
virtuous, it means you can legitimately ask for technical
support in a crisis.
* Do some reading (see below). If you're a home user, you may
well get an infection sooner or later. If you're a business
user, it'll be sooner. Either way you'll benefit from a
* If you're a business user you (or your enterprise) need a policy.
* Don't rely *solely* on newsgroups like this to get you out of
trouble: it may be a while before you get a response (especially
from a moderated group like comp.virus), and the first response
you act upon may not offer the most appropriate advice for
your particular problem.
* If you use a shareware/freeware package, make sure you have
hard copy of the documentation *before* your system falls
* Run a memory-resident scanner to monitor disk access and
executable files before they're run.
* If you run Windows, a reputable anti-virus package which includes
DOS *and* Windows components is likely to offer better protection
than a DOS only package. If you run Windows 95, you need
a proper Win95 32-bit package for full protection.
* Make sure your home system is protected, as well as your work
* Check all new systems and all floppy disks when they're brought
in (from *any* source) with a good virus-scanning program.
* Buy software from reputable sources: 2nd-hand software is frequently
unchecked and sometimes infected. Bear in mind that shrinkwrapped
software isn't necessarily unused. In any case, reputable
firms have shipped viruses unknowingly.
* Once formatted, keep floppies write-disabled except when you
need to write a file to them: then write-disable them again.
* Make sure your data is backed up regularly and that the procedures
for restoring archived data *work* properly.
* Check pre-formatted diskettes before use.
* Get to know all the components of the package you're using and
consider which bits to use and how best to use them. Different
packages have different strengths: diversifying and mixing
and matching can, if carefully and properly done, be a good
antivirus strategy, especially in a corporate environment
* If your PC can be prevented with a CMOS setting from booting
with a disk in drive A, do it (and re-enable floppy booting
temporarily when you need to clean-boot).
Some CMOSes come with special anti-virus settings. These are normally
vague about what they do but typically they write-protect your
hard disk's boot sector and partition sector (MBR). This can
be some use against boot sector viruses but may false alarm
when you upgrade your operating system.
One sensible setting to make (if your CMOS allows) is to adjust
the boot sequence of your PC. Changing the default boot-up drive
order from A: C: to C: will mean that the PC will attempt to
boot from drive C: even if a floppy disk has been left in drive
A:. This way boot sector virus infection can often be avoided.
Remember, however, to set your CMOS back temporarily if you
ever *do* want to boot clean from floppy (for example, when
running a cryptographical checksummer after a cold boot).
SCSI controllers have their own BIOS. On some systems, this
will override the boot sequence set in CMOS. It's always a good
idea to check with a (known clean) bootable floppy after you've
disabled floppy booting that it really is disabled. I don't
think it's necessary to use the Rosenthal Simulator to do this,
thank you, Doren.
How does antivirus software work?
Scanner (conventional scanner, command-line scanner, on-demand scanner)
- a program that looks for known viruses by checking for
recognisable patterns ('scan strings', 'search strings',
Memory-resident scanner - a TSR (memory-resident program) that checks for
viruses while other programs are running. It may have some
of the characteristics of a monitor and/or behaviour blocker.
Windows scanner - a scanner that works under Windows (or perhaps
under Win 95, or both), which checks for viruses continuously
while you work.
Heuristic scanners - scanners that inspect executable files for code
using operations that might denote an unknown virus.
Behaviour Blocker - a TSR that monitors programs while they are running
for behaviour which might denote a virus.
Change Detectors/Checksummers/Integrity Checkers - programs that
keep a database of the characteristics of all executable
files on a system and check for changes which might signify
an attack by an unknown virus.
Checksummers use an encryption algorithm to lessen the risk
of being fooled by a virus which targets that particular
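To make the checksummer idea concrete, here is an added Python example (not from the FAQ or any product it names) of a keyed integrity checker: it baselines the executables on a disk, reports modified, added and removed files, and seals the baseline so that a virus cannot quietly rewrite the database to match its changes. The file names, contents and key are constructed for the example.

```python
"""A keyed integrity checker (checksummer) for executable files.

It records a baseline of each executable's size and a keyed digest, then
reports files that were modified, added or removed. The digest is an
HMAC-SHA256 under a secret key, so a virus cannot patch a file and then
compute a matching checksum to hide the change, which a plain CRC allows.
The baseline is sealed with the same key so tampering with the database is
detected on load. Added example; the files are an in-memory dict of
name -> bytes constructed for the demonstration.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

EXECUTABLE_EXTS = (".COM", ".EXE", ".SYS", ".OVL", ".BAT")
Baseline = Dict[str, Tuple[int, str]]  # name -> (size, hex digest)


def is_executable(name: str) -> bool:
    return name.upper().endswith(EXECUTABLE_EXTS)


def keyed_digest(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_baseline(key: bytes, files: Dict[str, bytes]) -> Baseline:
    """Record (size, keyed digest) for every executable in `files`."""
    return {n: (len(d), keyed_digest(key, d)) for n, d in files.items() if is_executable(n)}


def check(key: bytes, baseline: Baseline, files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the current executables against the baseline."""
    current = build_baseline(key, files)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
    }


def seal_baseline(key: bytes, baseline: Baseline) -> bytes:
    """Serialise the baseline and append an HMAC tag over the serialised form."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return body + b"\n" + keyed_digest(key, body).encode()


def baseline_is_intact(key: bytes, sealed: bytes) -> bool:
    """True only if the stored tag matches the body under this key."""
    body, _, tag = sealed.rpartition(b"\n")
    return hmac.compare_digest(tag, keyed_digest(key, body).encode())


def load_baseline(key: bytes, sealed: bytes) -> Baseline:
    """Verify the seal before trusting any entry."""
    if not baseline_is_intact(key, sealed):
        raise ValueError("baseline database has been tampered with")
    body = sealed.rpartition(b"\n")[0]
    return {n: (size, digest) for n, (size, digest) in json.loads(body).items()}


# Constructed sample: a clean snapshot, then the same disk after an infection
# that patches MYAPP.EXE in place (same size) and drops a MYAPP.COM companion,
# with EDIT.COM deleted. README.TXT changed too, but it is not executable.
KEY = b"constructed-demo-key-keep-this-off-the-disk"
CLEAN_FILES = {
    "COMMAND.COM": b"\xe9" + b"\x90" * 40 + b"CLEAN",
    "MYAPP.EXE": b"MZ" + b"\x90" * 30 + b"CLEANCLEANCLEAN",
    "EDIT.COM": b"\xe9" + b"\x90" * 20,
    "README.TXT": b"version 1",
}
INFECTED_FILES = {
    "COMMAND.COM": CLEAN_FILES["COMMAND.COM"],
    "MYAPP.EXE": b"MZ" + b"\x90" * 30 + b"VIRUSVIRUSVIRUS",
    "MYAPP.COM": b"\xe9" + b"\x90" * 10 + b"VIRUS",
    "README.TXT": b"version 2",
}


def demo() -> Dict[str, List[str]]:
    """Seal a baseline from the clean snapshot, reload it, then check the disk."""
    sealed = seal_baseline(KEY, build_baseline(KEY, CLEAN_FILES))
    return check(KEY, load_baseline(KEY, sealed), INFECTED_FILES)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

The size check alone would miss the in-place patch of MYAPP.EXE; it is the keyed digest that catches it, and the baseline is only trustworthy if it was built after a clean boot from a known-clean disk, as the FAQ advises.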