Penn State Anti-Virus Page

This page is available at URL: http://cac.psu.edu/~santoro/cac/virus.html

Purpose of this Page

This page is intended as a resource for Penn State faculty, staff and students in the continuing fight against computer viruses and other forms of nasty software. This page will contain the following information:

• Recommendations for preventative measures
• Links to information on anti-virus software
• Links to online archives of free/shareware antivirus software
• Links to other online sources of virus information
• Links to informative articles about viruses

Recommendations

In order to protect oneself from computer file loss due to nasty software we recommend that every computer owner take the following steps at a minimum:

• Create and maintain program and data file backups
• Obtain anti-virus software for your system. We recommend obtaining commercial anti-virus software since it comes with ongoing support. Free or shareware antivirus software is available for many systems, although it may not be as reliable as commercial software.
• If you own an IBM-type system create a bootable floppy disk, put the antivirus software on it, and set the write-lock tab. This may be useful later.
• If you have a question contact the CAC HelpDesk at 863-1035

Virus News - Penn State

Current virus news will be posted here and on the Usenet NEWS newsgroup psu.comp.virus.

• 19-Aug-96 -- PC Virus with August 22 trigger date

  A newly-discovered PC virus, 'hare' has been discovered with a trigger date of August 22. For more information and a free detector/disinfector follow this link to DataFellows

• 5-Jun-96 -- Virus on CD of Vol 12 Iss. 11 of MacUser

  According to the June-96 Virus Bulletin, the MBDF virus has been included with the CD packaged with Volume 12, Issue 11 of the periodical MacUser. The complete notice is available here.

• 3-Jun-96 -- Netscape (2.00/2.01) Java virus

  Netscape (2.00/2.01) users should disable Java immediately, then upgrade to version 2.02. The complete text of the notice, including info on disabling Java, is available here.

• 31-May-96 -- Win 95 Anti-Virus article

  The May 14, 1996 issue of PC Magazine has an excellent article on anti-virus packages for Windows 95. All Win 95 users should check out this article to ensure that they have AV software that properly supports Win 95.

• 7-May-96 -- Online Virus Report Form

  In order to better track incidents of viral infection, we have created a Virus Report Form. Please see the section below for more information regarding this form.

• 15-Apr-96 -- Windows 95 Information

  Jim Forkner, systems analyst/programmer at CAC, has put together a page of information regarding Windows 95 and anti-virus programs.

• 31-Mar-96 --PKZIP300 Trojan

  Sometimes old news bears repeating. Warnings about a 'trojan horse' subroutine distributed in what appears to be version 3.00 of the popular PKZIP package are again being dirtributed. Although this is old news (having been originally reported in June of 1995) the warning is still valid. This can serve as a reminder to only acquire computer software, even freeware and shareware, from legal and reliable sources.

• 16-Nov-95 -- Copies of the MS-Word Macro Virus have been seen at one Univ. Park public microcomputer laboratory. This virus is multi-platform (ie, both Mac and IBM) and infects MS-Word and Word documents. Microsoft has created a vaccine macro that will eliminate the virus from infected documents and fix your MS-Word version so that the virus cannot infect it.

  You may obtain copies of the macro, and get information, from microsoft at http://www.microsoft.com/msword/freestuff/mvtool/mvtool2.htm

• 16-Nov-95 -- Good times is a HOAX. Rumors continue to circulate regarding a supposed electronic mail virus called 'Good Times.' Please understand that this is a HOAX. There is no Good Times virus. This is simply an effort to cause widespread panic among computer users.

Virus Report Form

In order to better track incidents of viral infection among the Penn State computing community, we have created a virus report form. Please use this form to report any verified virus infections. This information will only be used for tracking purposes.

If you have questions, please contact CAC HelpDesk at 863-1035

Anti-Virus Software Suggestions

Following are suggestions for commercial anti-virus software for various types of computer system and operating system. These are merely suggestions to guide the user in obtaining anti-virus software. These are not endorsements of specific packages or guarantees of reliability.

IBM-PC with DOS and/or Windows 3.1

• IBM AntiVirus -- http://www.brs.ibm.com/ibmav.html
• F-Prot Professional -- http://www.datafellows.com/
• McAfee VirusScan -- http://netra.mcafee.com:80/prod/av/av.html
• Dr. Solomon's AV Toolkit -- http://www.sands.com/

IBM-PC with Windows 95

• IBM AntiVirus -- http://www.brs.ibm.com/ibmav.html
• F-Prot Professional for Windows 95 -- http://www.datafellows.com/
• Norton's Anti-Virus for Windows 95 -- http://www.onanalysis.com/symcorp/win95/nav.html
• McAfee VirusScan for Windows 95 -- http://netra.mcafee.com:80/prod/av/av.html\
• Dr. Solomon's AV Toolkit for Windows 95 -- http://www.sands.com/

IBM-PC with Windows NT

• Carmel Anti-Virus for Windows NT -- http://fbsolutions.com:80/ntav/default.htm
• F-Prot Professional for Windows NT -- http://www.datafellows.com/
• McAfee VirusScan for Windows NT -- http://netra.mcafee.com:80/prod/av/av.html
• Dr. Solomon's AV Toolkit for Windows NT -- http://www.sands.com/

IBM-PC with OS/2

• Dr. Solomon's Anti-Virus Toolkit for OS/2 -- http://www.sands.com/
• IBM AntiVirus -- http://www.brs.ibm.com/ibmav.html
• F-Prot Professional for OS/2 -- http://www.datafellows.com/
• McAfee VirusScan for OS/2 -- http://netra.mcafee.com:80/prod/av/av.html

Macintosh

• Symantic Anti-Virus for Macintosh -- http://www.symantec.com/avcenter/macvir.html
• McAfee VirusScan for Macintosh -- http://netra.mcafee.com:80/prod/av/av.html
• Virex for the Macintosh -- www.datawatch.com

PSU-CAC Antivirus Archives

The Center for Academic Computing maintains a library of many current shareware antivirus packages and information for IBM-PC and Macintosh computers. Following are links to these libraries. Links to virtually all antivirus sites on the Internet are included further down in this page. If you use any of this software you may want to bookmark the archives to more easily check for newer versions at a later time.

Again, we strongly recommend that you purchase commercial anti-virus software since this usually more reliable than the free/shareware software and comes with vendor support and documentation.

• Macintosh Antivirus Software
• IBM-PC Antivirus Software

Other Antivirus Archives

Here are some other archives of antivirus software. The many links further down on this page also contain links to these, and other, sites.

• Oakland University DOS antivirus archives
• Oakland University Windows antivirus archives

Virus documentation and Conferences

Following are some useful documents and conferences regarding viruses.

• Virus-L FAQ

• The NETNEWS newsgroup COMP.VIRUS contains numerous postings from computer users and support personnel at other educational, industrial and governmental sites.

• VIRUS-L Forum is a moderated, digested mail forum for discussing computer virus issues.

• The LISTSERV conference L-VIRUS@psuvm.psu.edu may be used by interested members of the Penn State computing community to keep abreast of local anti-virus issues.

  To subscribe to L-VIRUS@psuvm.psu.edu, send the following command in an email note, to the address LISTSERV@PSUVM.PSU.EDU

     SUBSCRIBE L-VIRUS 
  
  as in
  
     SUBSCRIBE L-VIRUS Alfred E. Neuman
  
  

• The netnews newsgroup psu.comp.virus also carries discussion of Penn State anti-virus issues.

Catalogs, Organizations, Clearinghouses, etc.

• TheVirus Bulletin page is a catalog of many useful links to virus information

• National Institute of Standards and Technology (NIST) Computer Security Resource Clearinghouse
• NIST Virus page.

• The EINETComputer Viruses and Security page has many useful links to papers and antivirus resources.
• Index - WAVC [new] - Anti-virus sites. Possibility of free anti-virus consultancy.
• National Computer Security Association
• Online Virus Encyclopedia is a set of resources with descriptions of the thousands of known computer viruses.
• Here is a fairly comprehensive list of antivirus software sites from which you can download free, shareware or demo copies of antivirus software.
• Here is another excellent page of antivirus links

• Here is a link to the set of antivirus links found on YAHOO

Articles Regarding Viruses & Nasty Software

As online articles regarding computer viruses and nasty software are found, they will be added to this list.

• Computer Virus Myths -- There is a lot of misinformation regarding computer viruses. This page attempts to enlighten.
• Viruses of the Mind -- an article by Richard Dawkins

Security and Anti-Virus Sites

These sites may have useful infromation and/or links to other useful anti-virus or computer security sites.

• Symantic Corp Anti-Virus Resource Center - library of documents on computer viruses including the top ten list of most common viruses and new viruses to be on the alert for, as well as general virus Q&A.
• ALWIL Software - anti-virus information many other anti-virus links AVAST! anti-virus package support place to report virus incidents over the Net
• Data Fellows Ltd. - Data Fellows Ltd is a Finnish software development company with subsidiaries in the United States and Estonia. The company specializes in anti-virus software and groupware products.
• EMD Armor Plus - The Home Page of MIS Europe, distributors of EMD Armor Plus and related anti-virus and security products for Europe and the Middle East. The site holds information on viruses, software updates, manuals and access to product support as well as the ability to order EMD Armor Plus or make queries.

• LOOK Software Systems Inc. - Developers of Virus Alert - a "State-of-the-Art" anti-virus program. The "EASY TO USE" Virus Alert features full 32 bit compatibility (Windows/Windows95) and Internet Security options.
• NH&A - NH&A is a small company based in New York City that specializes in anti-virus, security, and network management software sales and support. Information on the Caibua virus (triggered May 5, 1995) that swept the BBS community because it was undetected by present anti-virus scanners.
• S&S International PLC - The developers of Dr.Solomon's Anti-Virus Toolkit
• Sophos Plc - Anti-virus and data security software, produces anti-virus sol'ns for these systems: MSDOS, Windows, Windows NT, NetWare, OS/2 and VMS as well as encryption software
• McAfee Associates - Antivirus, Network Management, and Support Management software.

• Carmel Anti-virus for Windows NT - NTAV is designed to identify and eliminate viruses and diagnose suspicious files which may be infected by new virus strains.
• Rosenthal Engineering - Rosenthal Engineering develops hardware and software. Rosenthal Engineering has also developed several popular shareware products, including Rosenthal UnInstall, Disk Drive Cleaner, Rosenthal WinLite, and Virus Simulator.
• Stiller Research - We provide current anti-virus news, a list of myths regarding viruses, a virus information list and a list of in-the-wild viruses.

• Large Listing of companies with anti-virus materials.

Following is a locally-written article about viruses for new computer owners.

What are Microcomputer Viruses?

Microcomputer viruses, trojan horses, and bombs are various forms of 'nasty' or 'destructive' software. These are program segments written to cause destruction to the computer files of the unwary computer user. They typically attach themselves to legitimate computer programs and use these legitimate programs as a means of spreading themselves among computer users.

WHERE DO COMPUTER VIRUSES COME FROM?

Computer viruses and other nasty software are created by programmers with malicious intent. The programmer typically does not know the intended victim of the nasty software. The nasty software is then 'released' into the world of computer users in one of a number of ways.

The typical virus or trojan horse attaches itself to a legitimate computer program in a process called 'infection'. The infection is usually done in a way that does not noticeably interfere with the running of the program itself. However, behind the scenes, the nasty software uses its 'host' program as a platform from which to infect other available programs. A virus or trojan horse can only infect program code files.

When a given program is infected it will not 'look' any different to the casual observer. There may be a small increase in file size, and there will likely be a change in any file checksum, but otherwise the program will appear to work the same as always. If the program is copied and given to another user, or copied onto a network for wide distribution, the infection will have an opportunity to spread. As a result, most infections are passed among users through program-sharing mechanisms such as bulletin-board systems, computer clubs, and network servers. Infections also spread through normal disk sharing and there have actually been cases where commercial software was infected while still in its shrink-wrap container!

THE TWO STAGES OF VIRUS ACTIVITY

The second stage of virus activity is the 'damage' stage. This is where the virus carries out whatever destructive programming it was developed for. Examples include deleting files, randomly rewriting the disk FAT table, displaying a useless graphic and freezing up the system, etc. Usually once this stage is reached it is too late to do anything other than erasing the infected files and restoring the system from your backup archives.

PREVENTION - THE BEST MEDICINE

(1) Step 1 - Keep a Write-Locked System Disk Available. It is important that you keep available a write-locked copy of your system 'boot' disk in case of an emergency. Many species of nasty software will infect the system files on a computer's hard disk, thus making it impossible to cleanly start the computer without use of a floppy-based system disk. Write-locking a system disk and keeping it available ensures that you will be able to do a clean restart if your system should become infected by nasty software.

(2) Step 2 - Backup Your Computer Files. Although the threat from nasty software is quite real, the fact remains that MOST computer files are damaged as a result of either hardware error, environmental hazard (heat, spills, etc.) or user mistakes. When adequate and regular file backups are made it will be possible to recover from such damage and avoid losing programs or data. A separate document "Backing up Microcomputer Files" is also available from the Center for Academic Computing.

(3) Step 3 - Have a Good Detection/Removal Program Available. A number of good commercial and SHAREWARE anti-virus programs are available to help with the detection and removal of nasty software. These programs typically take one of 3 forms:

(a) A 'scan' program will examine any mounted disk volume searching for programs that have been infected with a known virus or trojan horse. The information regarding known versions of nasty software is usually encoded in the scanner or available as an auxiliary file. Scan programs are especially useful for examining any foreign disks before copying files or running programs from them.

(b) A 'shield' program usually sits in RAM memory as a 'terminate-and-stay-ready' (TSR) program and attempts to prevent any known virus code from executing. Many shields can also be configured to trap any 'suspected' activity (such as changing the write-protection on files) in an attempt to protect against unknown nasty software.

(c) A 'disinfectant' program is usually run after a virus or trojan horse has been detected and identified. The disinfectant will effectively disable the nasty software by overwriting the viral code in all files and other locations where it may be found. Such disinfection may require that infected program be restored from backups, however the virus will no longer be able to reproduce or cause destruction.

WHAT DO I DO IF I SUSPECT A VIRUS?

Your most important initial step is to identify the virus, determine the extent of the infection, and attempt to locate the source of the initial infection. If you religiously run a scan or shield program you will likely have caught the virus or trojan horse as it attempted to enter your system. If you are part of an office or network that frequently shares programs and data files you will want to notify the other users in your area as they will need to check out their systems as well.

Boot your computer from the write-locked system disk and run your scan program from a different write-locked floppy disk. Make sure you scan all hard disk volumes first. You will also want to scan all floppy disks if possible. This should identify the virus and tell you the extent of the infection on your system. What you do next depends on the exact virus found. Most viruses can be disabled with a disinfectant program, however you will typically have to tell the disinfectant the name of the virus to be disabled. You will then have to restore program files that were infected from your backup archives. If you have caught the virus early enough the amount of work required to completely eliminate it from your system, or from all of the systems in your office, will be fairly short. However, be wary of the potential for reinfection! Many users would want to install a shield program at this point, even if only for a few weeks, to identify other floppy disks or disk volumes that may have evaded the original scanning.