This page is available at URL: http://cac.psu.edu/~santoro/cac/virus.html
This page is intended as a resource for Penn State faculty, staff and students in the continuing fight against computer viruses and other forms of nasty software. This page will contain the following information:
In order to protect oneself from computer file loss due to nasty software we recommend that every computer owner take the following steps at a minimum:
Current virus news will be posted here and on the Usenet NEWS newsgroup psu.comp.virus.
A newly-discovered PC virus, 'hare' has been discovered with a trigger date of August 22. For more information and a free detector/disinfector follow this link to DataFellows
According to the June-96 Virus Bulletin, the MBDF virus has been included with the CD packaged with Volume 12, Issue 11 of the periodical MacUser. The complete notice is available here.
Netscape (2.00/2.01) users should disable Java immediately, then upgrade to version 2.02. The complete text of the notice, including info on disabling Java, is available here.
The May 14, 1996 issue of PC Magazine has an excellent article on anti-virus packages for Windows 95. All Win 95 users should check out this article to ensure that they have AV software that properly supports Win 95.
In order to better track incidents of viral infection, we have created a Virus Report Form. Please see the section below for more information regarding this form.
Jim Forkner, systems analyst/programmer at CAC, has put together a page of information regarding Windows 95 and anti-virus programs.
Sometimes old news bears repeating. Warnings about a 'trojan horse' subroutine distributed in what appears to be version 3.00 of the popular PKZIP package are again being dirtributed. Although this is old news (having been originally reported in June of 1995) the warning is still valid. This can serve as a reminder to only acquire computer software, even freeware and shareware, from legal and reliable sources.
You may obtain copies of the macro, and get information, from microsoft at http://www.microsoft.com/msword/freestuff/mvtool/mvtool2.htm
In order to better track incidents of viral infection among the Penn State computing community, we have created a virus report form. Please use this form to report any verified virus infections. This information will only be used for tracking purposes.
If you have questions, please contact CAC HelpDesk at 863-1035
Following are suggestions for commercial anti-virus software for various types of computer system and operating system. These are merely suggestions to guide the user in obtaining anti-virus software. These are not endorsements of specific packages or guarantees of reliability.
The Center for Academic Computing maintains a library of many current shareware antivirus packages and information for IBM-PC and Macintosh computers. Following are links to these libraries. Links to virtually all antivirus sites on the Internet are included further down in this page. If you use any of this software you may want to bookmark the archives to more easily check for newer versions at a later time.
Again, we strongly recommend that you purchase commercial anti-virus software since this usually more reliable than the free/shareware software and comes with vendor support and documentation.
Here are some other archives of antivirus software. The many links further down on this page also contain links to these, and other, sites.
Following are some useful documents and conferences regarding viruses.
To subscribe to L-VIRUS@psuvm.psu.edu, send the following command in an email note, to the address LISTSERV@PSUVM.PSU.EDU
as in SUBSCRIBE L-VIRUS Alfred E. Neuman
As online articles regarding computer viruses and nasty software are found, they will be added to this list.
These sites may have useful infromation and/or links to other useful anti-virus or computer security sites.
Following is a locally-written article about viruses for new computer owners.
Microcomputer viruses, trojan horses, and bombs are various forms of 'nasty' or 'destructive' software. These are program segments written to cause destruction to the computer files of the unwary computer user. They typically attach themselves to legitimate computer programs and use these legitimate programs as a means of spreading themselves among computer users.
Computer viruses and other nasty software are created by programmers with malicious intent. The programmer typically does not know the intended victim of the nasty software. The nasty software is then 'released' into the world of computer users in one of a number of ways.
The typical virus or trojan horse attaches itself to a legitimate computer program in a process called 'infection'. The infection is usually done in a way that does not noticeably interfere with the running of the program itself. However, behind the scenes, the nasty software uses its 'host' program as a platform from which to infect other available programs. A virus or trojan horse can only infect program code files.
When a given program is infected it will not 'look' any different to the casual observer. There may be a small increase in file size, and there will likely be a change in any file checksum, but otherwise the program will appear to work the same as always. If the program is copied and given to another user, or copied onto a network for wide distribution, the infection will have an opportunity to spread. As a result, most infections are passed among users through program-sharing mechanisms such as bulletin-board systems, computer clubs, and network servers. Infections also spread through normal disk sharing and there have actually been cases where commercial software was infected while still in its shrink-wrap container!
The second stage of virus activity is the 'damage' stage. This is where the virus carries out whatever destructive programming it was developed for. Examples include deleting files, randomly rewriting the disk FAT table, displaying a useless graphic and freezing up the system, etc. Usually once this stage is reached it is too late to do anything other than erasing the infected files and restoring the system from your backup archives.
(2) Step 2 - Backup Your Computer Files. Although the threat from nasty software is quite real, the fact remains that MOST computer files are damaged as a result of either hardware error, environmental hazard (heat, spills, etc.) or user mistakes. When adequate and regular file backups are made it will be possible to recover from such damage and avoid losing programs or data. A separate document "Backing up Microcomputer Files" is also available from the Center for Academic Computing.
(3) Step 3 - Have a Good Detection/Removal Program Available. A number of good commercial and SHAREWARE anti-virus programs are available to help with the detection and removal of nasty software. These programs typically take one of 3 forms:
(b) A 'shield' program usually sits in RAM memory as a 'terminate-and-stay-ready' (TSR) program and attempts to prevent any known virus code from executing. Many shields can also be configured to trap any 'suspected' activity (such as changing the write-protection on files) in an attempt to protect against unknown nasty software.
(c) A 'disinfectant' program is usually run after a virus or trojan horse has been detected and identified. The disinfectant will effectively disable the nasty software by overwriting the viral code in all files and other locations where it may be found. Such disinfection may require that infected program be restored from backups, however the virus will no longer be able to reproduce or cause destruction.
Your most important initial step is to identify the virus, determine the extent of the infection, and attempt to locate the source of the initial infection. If you religiously run a scan or shield program you will likely have caught the virus or trojan horse as it attempted to enter your system. If you are part of an office or network that frequently shares programs and data files you will want to notify the other users in your area as they will need to check out their systems as well.
Boot your computer from the write-locked system disk and run your scan program from a different write-locked floppy disk. Make sure you scan all hard disk volumes first. You will also want to scan all floppy disks if possible. This should identify the virus and tell you the extent of the infection on your system. What you do next depends on the exact virus found. Most viruses can be disabled with a disinfectant program, however you will typically have to tell the disinfectant the name of the virus to be disabled. You will then have to restore program files that were infected from your backup archives. If you have caught the virus early enough the amount of work required to completely eliminate it from your system, or from all of the systems in your office, will be fairly short. However, be wary of the potential for reinfection! Many users would want to install a shield program at this point, even if only for a few weeks, to identify other floppy disks or disk volumes that may have evaded the original scanning.