Path: bloom-beacon.mit.edu!senator-bedfellow.mit.edu!faqserv
From: "Kenneth R. van Wyk"
Newsgroups: comp.virus,comp.answers,news.answers
Subject: VIRUS-L/comp.virus Frequently Asked Questions (FAQ)
Supersedes:
Followup-To: comp.virus
Date: 27 Mar 1994 10:34:36 GMT
Organization: CERT Coordination Center
Lines: 1751
Approved: news-answers-request@MIT.Edu
Expires: 10 May 1994 10:34:18 GMT
Message-ID:
Reply-To:
NNTP-Posting-Host: bloom-picayune.mit.edu
Summary: This posting contains a list of Frequently Asked Questions, and their answers, about computer viruses.
    It should be read by anyone who wishes to post to VIRUS-L/comp.virus.
X-Last-Updated: 1993/02/08
Originator: faqserv@bloom-picayune.MIT.EDU
Xref: bloom-beacon.mit.edu comp.virus:4437 comp.answers:4329 news.answers:16888

Archive-name: computer-virus-faq
Last-modified: 18 November 1992, 7:45 AM EST

Frequently Asked Questions on VIRUS-L/comp.virus
Last Updated: 18 November 1992, 7:45 AM EST

====================
= Preface Section: =
====================

This document is intended to answer the most Frequently Asked Questions (FAQs) about computer viruses. As you can see, there are many of them! If you are desperately seeking help after recently discovering what appears to be a virus on your computer, consider skimming through sections A and B to learn the essential jargon, then concentrate on section C.

If you may have found a new virus, or are not quite sure if some file or boot sector is infected, it is important to understand the protocol for raising such questions, e.g. to avoid asking questions that can be answered in this document, and to avoid sending "live" viruses except to someone who is responsible (and even then in a safe form!).

Above all, remember the time to really worry about viruses is BEFORE your computer gets one!

The FAQ is a dynamic document, which changes as people's questions change. Contributions are gratefully accepted -- please e-mail them to me at krvw@cert.org. The most recent copy of this FAQ will always be available on the VIRUS-L/comp.virus archives, including the anonymous FTP on cert.org (192.88.209.5) in the file:
pub/virus-l/FAQ.virus-l

Ken van Wyk, moderator VIRUS-L/comp.virus

Primary contributors (in alphabetical order):
Mark Aitchison, Vaughan Bell, Matt Bishop, Vesselin Bontchev,
Olivier M.J. Crepin-Leblond, David Chess, John-David Childs,
Nick FitzGerald, Claude Bersano-Hayes, John Kida, Donald G. Peters,
A. Padgett Peterson, Y.
Radai, Rob Slade, Gene Spafford, Otto Stolz

====================

Questions answered in this document

Section A: Sources of Information and Anti-viral Software
           (Where can I find HELP..!)

A1)  What is VIRUS-L/comp.virus?
A2)  What is the difference between VIRUS-L and comp.virus?
A3)  How do I get onto VIRUS-L/comp.virus?
A4)  What are the guidelines for VIRUS-L?
A5)  How can I get back-issues of VIRUS-L?
A6)  What is VALERT-L?
A7)  What are the known viruses, their names, major symptoms and possible cures?
A8)  Where can I get free or shareware anti-virus programs?
A9)  Where can I get more information on viruses, etc.?

Section B: Definitions (What is ...?)

B1)  What are computer viruses (and why should I worry about them)?
B2)  What is a Trojan Horse?
B3)  What are the main types of PC viruses?
B4)  What is a stealth virus?
B5)  What is a polymorphic virus?
B6)  What are fast and slow infectors?
B7)  What is a sparse infector?
B8)  What is a companion virus?
B9)  What is an armored virus?
B10) Miscellaneous Jargon and Abbreviations

Section C: Virus Detection (Is my computer infected?
           What do I do?)

C1)  What are the symptoms and indications of a virus infection?
C2)  What steps should be taken in diagnosing and identifying viruses?
C3)  What is the best way to remove a virus?
C4)  What does the virus do?
C5)  What are "false positives" and "false negatives"?
C6)  Could an anti-viral program itself be infected?
C7)  Where can I get a virus scanner for my Unix system?
C8)  Why does an antiviral scanner report an infection only sometimes?
C9)  Is my disk infected with the Stoned virus?
C10) I think I have detected a new virus; what do I do?
C11) CHKDSK reports 639K (or less) total memory on my system; am I infected?
C12) I have an infinite loop of sub-directories on my hard drive; am I infected?

Section D: Protection Plans
           (What should I do to prepare against viruses?)

D1)  What is the best protection policy for my computer?
D2)  Is it possible to protect a computer system with only software?
D3)  Is it possible to write-protect the hard disk with only software?
D4)  What can be done with hardware protection?
D5)  Will setting DOS file attributes to READ ONLY protect them from viruses?
D6)  Will password/access control systems protect my files from viruses?
D7)  Will the protection systems in DR DOS work against viruses?
D8)  Will a write-protect tab on a floppy disk stop viruses?
D9)  Do local area networks (LANs) help to stop viruses or do they facilitate their spread?
D10) What is the proper way to make backups?

Section E: Facts and Fibs about computer viruses
           (Can a virus...?)

E1)  Can boot sector viruses infect non-bootable floppy disks?
E2)  Can a virus hide in a PC's CMOS memory?
E3)  Can a virus hide in Extended or in Expanded RAM?
E4)  Can a virus hide in Upper Memory or in High Memory?
E5)  Can a virus infect data files?
E6)  Can viruses spread from one type of computer to another?
E7)  Can DOS viruses run on non-DOS machines (e.g. Mac, Amiga)?
E8)  Can mainframe computers be susceptible to computer viruses?
E9)  Some people say that disinfecting files is a bad idea.
     Is that true?
E10) Can I avoid viruses by avoiding shareware/free software/games?
E11) Can I contract a virus on my PC by performing a "DIR" of an infected floppy disk?
E12) Is there any risk in copying data files from an infected floppy disk to a clean PC's hard disk?
E13) Can a DOS virus survive and spread on an OS/2 system using the HPFS file system?
E14) Under OS/2 2.0, could a virus infected DOS session infect another DOS session?
E15) Can normal DOS viruses work under MS Windows?

Section F: Miscellaneous Questions
           (I was just wondering...)

F1)  How many viruses are there?
F2)  How do viruses spread so quickly?
F3)  What is the plural of "virus"? "Viruses" or "viri" or "virii" or...
F4)  When reporting a virus infection (and looking for assistance), what information should be included?
F5)  How often should we upgrade our anti-virus tools to minimize software and labor costs and maximize our protection?

Section G: Specific Virus and Anti-viral software Questions...

G1)  I was infected by the Jerusalem virus and disinfected the infected files with my favorite anti-virus program. However, Wordperfect and some other programs still refuse to work. Why?
G2)  I was told that the Stoned virus displays the text "Your PC is now Stoned" at boot time. I have been infected by this virus several times, but have never seen the message. Why?
G3)  I was infected by both Stoned and Michelangelo. Why has my computer become unbootable? And why, each time I run my favorite scanner, does it find one of the viruses and say that it is removed, but when I run it again, it says that the virus is still there?

================================================================
= Section A.  Sources of Information and Anti-viral Software.  =
================================================================

A1) What is VIRUS-L/comp.virus?

It is a discussion forum with a focus on computer virus issues. More specifically, VIRUS-L is an electronic mailing list and comp.virus is a USENET newsgroup.
Both groups are moderated; all submissions are sent to the moderator for possible inclusion in the group. For more information, including a copy of the posting guidelines, see the file virus-l.README, available by anonymous FTP on cert.org in the pub/virus-l directory. (FTP is the Internet File Transfer Protocol, and is described in more detail in the monthly VIRUS-L/comp.virus archive postings - see below.)

Note that there have been, from time to time, other USENET cross-postings of VIRUS-L, including the bit.listserv.virus-l. These groups are generally set up by individual site maintainers and are not as globally accessible as VIRUS-L and comp.virus.

A2) What is the difference between VIRUS-L and comp.virus?

As mentioned above, VIRUS-L is a mailing list and comp.virus is a newsgroup. In addition, VIRUS-L is distributed in digest format (with multiple e-mail postings in one large digest) and comp.virus is distributed as individual news postings. However, the content of the two groups is identical.

A3) How do I get onto VIRUS-L/comp.virus?

Send e-mail to LISTSERV@LEHIGH.EDU stating: "SUB VIRUS-L your-name". To "subscribe" to comp.virus, simply use your favorite USENET news reader to read the group (assuming that your site receives USENET news).

A4) What are the guidelines for VIRUS-L?

The list of posting guidelines is available by anonymous FTP on cert.org. See the file pub/virus-l/virus-l.README for the most recent copy. In general, however, the moderator requires that discussions are polite and non-commercial. (Objective postings of product availability, product reviews, etc., are fine, but commercial advertisements are not.) Also, requests for viruses (binary or disassembly) are not allowed. Technical discussions are strongly encouraged, however, within reason.

A5) How can I get back-issues of VIRUS-L?

VIRUS-L/comp.virus includes a series of archive sites that carry all the back issues of VIRUS-L, as well as public anti-virus software (for various computers) and documents.
The back-issues date back to the group's inception, 21 April 1988. The list of archive sites is updated monthly and distributed to the group; it includes a complete listing of the sites, what they carry, access instructions, as well as information on how to access FTP sites by e-mail. The anonymous FTP archive at cert.org carries all of the VIRUS-L back issues. See the file pub/virus-l/README for more information on the cert.org archive site.

A6) What is VALERT-L?

VALERT-L is a sister group to VIRUS-L, but is intended for virus alerts and warnings only -- NO DISCUSSIONS. There is no direct USENET counterpart to VALERT-L; it is a mailing list only. All VALERT-L postings are re-distributed to VIRUS-L/comp.virus later. This group is also moderated, but on a much higher priority than VIRUS-L. The group is monitored during business hours (East Coast, U.S.A., GMT-5/GMT-4); high priority off-hour postings can be made by submitting to the group and then telephoning the CERT/CC hotline at +1 412 268 7090 -- instruct the person answering the hotline to call or page Ken van Wyk.

Subscriptions to VALERT-L are handled identically to VIRUS-L -- contact the LISTSERV.

A7) What are the known viruses, their names, major symptoms and possible cures?

First of all, the reader must be aware that there is no universally accepted naming convention for viruses, nor is there any standard means of testing. As a consequence nearly ALL viral information is highly subjective and subject to interpretation and dispute.

There are several major sources of information on specific viruses. Probably the biggest one is Patricia Hoffman's hypertext VSUM. It describes only DOS viruses, but almost all of them which are known at any given time. Unfortunately, it is regarded by many in the field as being inaccurate, so we do not advise people to rely solely on it. It can be downloaded from most major archive sites except SIMTEL20.

The second one is the Computer Virus Catalog, published by the Virus Test Center in Hamburg.
It contains a highly technical description of computer viruses for several platforms: DOS, Mac, Amiga, Atari ST, Unix. Unfortunately, the DOS section is quite incomplete. The CVC is available for anonymous FTP from ftp.informatik.uni-hamburg.de (IP=134.100.4.42), directory pub/virus/texts/catalog. (A copy of the CVC is also available by anonymous FTP on cert.org in the pub/virus-l/docs/vtc directory.)

A third source of information is the monthly Virus Bulletin, published in the UK. Among other things, it gives detailed technical information on viruses (see also A9 below). Unfortunately, it is very expensive (the subscription price is $395 per year). US subscriptions can be obtained by calling 203-431-8720 or writing to 590 Danbury Road, Ridgefield, CT 06877; for European subscriptions, the number is +44-235-555139 and the address is: The Quadrant, Abingdon, OX14 3YS, England.

A fourth good source of information on DOS viruses is the "Computer Viruses" report of the National/International Computer Security Association. This is updated regularly, and is fairly complete. Copies cost approximately $75, and can be ordered by calling +1-202-244-7875. ICSA/NCSA also publishes the monthly "Virus News and Reviews" and other publications.

Another source of information is the documentation of Dr. Solomon's Anti-Virus ToolKit. It is more complete than the CVC list, just as accurate (if not more), but lists only DOS viruses. However, it is not available electronically; you must buy his anti-virus package and the virus information is part of the documentation.

Yet another source of information is "Virus News International", published by S & S International. And, while not entirely virus-related, "Computers & Security" provides information on many aspects of computer security, including viruses.

The best source of information available on Apple Macintosh viruses is the on-line documentation provided with the freeware Disinfectant program by John Norstad.
This is available at most Mac archive sites.

A8) Where can I get free or shareware anti-virus programs?

The VIRUS-L/comp.virus archive sites carry publicly distributable anti-virus software products. See a recent listing of the archive sites (or ask the moderator for a recent listing) for more information on these sites.

Many freeware/shareware anti-virus programs for DOS are available via anonymous FTP on WSMR-SIMTEL20.ARMY.MIL (192.88.110.20), in the directory PD1:. Note that the SIMTEL20 archives are also "mirrored" at many other anonymous FTP sites, including oak.oakland.edu (141.210.10.117, pub/msdos/trojan-pro), wuarchive.wustl.edu (128.252.135.4, /mirrors/msdos/trojan-pro), and nic.funet.fi (128.214.6.100, /pub/msdos/utilities/trojan-pro). They can also be obtained via e-mail in uuencoded form from various TRICKLE sites, especially in Europe.

Likewise, Macintosh anti-virus programs can be found on SIMTEL20 in the PD3: directory.

A list of many anti-viral programs, incl. commercial products and one person's rating of them, can be obtained by anonymous ftp from cert.org (192.88.209.5) in pub/virus-l/docs/reviews as file slade.quickref.rvw.

A9) Where can I get more information on viruses, etc.?

There are four excellent books on computer viruses available that should cover most of the introductory and technical questions you might have:

  * "Computers Under Attack: Intruders, Worms and Viruses," edited by Peter J. Denning, ACM Press/Addison-Wesley, 1990. This is a book of collected readings that discuss computer viruses, computer worms, break-ins, legal and social aspects, and many other items related to computer security and malicious software. A very solid, readable collection that doesn't require a highly-technical background. Price: $20.50.

  * "Rogue Programs: Viruses, Worms and Trojan Horses," edited by Lance J. Hoffman, Van Nostrand Reinhold, 1990. This is a book of collected readings describing in detail how viruses work, where they come from, what they do, etc.
    It also has material on worms, trojan horse programs, and other malicious software programs. This book focuses more on mechanism and relatively less on social aspects than does the Denning book; however, there is an excellent piece by Anne Branscomb that covers the legal aspects. Price: $32.95.

  * "A Pathology of Computer Viruses," by David Ferbrache, Springer-Verlag, 1992. This is a recent, in-depth book on the history, operation, and effects of computer viruses. It is one of the most complete books on the subject, with an extensive history section, a section on Macintosh viruses, network worms, and Unix viruses (if they were to exist).

  * "A Short Course on Computer Viruses", by Dr. Fred B. Cohen, ASP Press, 1990. This book is by a well-known pioneer in virus research, who has also written dozens of technical papers on the subject. The book can be obtained by writing to ASP Press, P.O. Box 81270, Pittsburgh, PA 15217. Price: $24.00.

A somewhat dated, but still useful, high-level description of viruses, suitable for a complete novice without extensive computer background is in "Computer Viruses: Dealing with Electronic Vandalism and Programmed Threats," by Eugene H. Spafford, Kathleen A. Heaphy, and David J. Ferbrache, ADAPSO (Arlington VA), 1989. ADAPSO is a computer industry service organization and not a publisher, so the book cannot be found in bookstores; copies can be obtained directly from ADAPSO @ +1 703-522-5055). There is a discount for ADAPSO members, educators, and law enforcement personnel.
Many people have indicated they find this a very understandable reference; portions of it have been reprinted many other places, including Denning & Hoffman's books (above).

It is also worth consulting various publications such as _Computers & Security_ (which, while not restricted to viruses, contains many of Cohen's papers) and the _Virus Bulletin_ (published in the UK; its technical articles are considered good, although there has been much criticism in VIRUS-L of some of its product evaluations).

=======================================================
= Section B.   Definitions and General Information    =
=======================================================

B1) What are computer viruses (and why should I worry about them)?

According to Fred Cohen's well-known definition, a COMPUTER VIRUS is a computer program that can infect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself. Note that a program does not have to perform outright damage (such as deleting or corrupting files) in order to be called a "virus". However, Cohen uses the terms within his definition (e.g. "program" and "modify") a bit differently from the way most anti-virus researchers use them, and classifies as viruses some things which most of us would not consider viruses.

Many people use the term loosely to cover any sort of program that tries to hide its (malicious) function and tries to spread onto as many computers as possible. (See the definition of "Trojan".) Be aware that what constitutes a "program" for a virus to infect may include a lot more than is at first obvious - don't assume too much about what a virus can or can't do!

These software "pranks" are very serious; they are spreading faster than they are being stopped, and even the least harmful of viruses could be fatal. For example, a virus that stops your computer and displays a message, in the context of a hospital life-support computer, could be fatal.
Even those who created the viruses could not stop them if they wanted to; it requires a concerted effort from computer users to be "virus-aware", rather than the ignorance and ambivalence that have allowed them to grow to such a problem.

B2) What is a Trojan Horse?

A TROJAN HORSE is a program that does something undocumented which the programmer intended, but that the user would not approve of if he knew about it. According to some people, a virus is a particular case of a Trojan Horse, namely one which is able to spread to other programs (i.e., it turns them into Trojans too). According to others, a virus that does not do any deliberate damage (other than merely replicating) is not a Trojan. Finally, despite the definitions, many people use the term "Trojan" to refer only to a *non-replicating* malicious program, so that the set of Trojans and the set of viruses are disjoint.

B3) What are the main types of PC viruses?

Generally, there are two main classes of viruses. The first class consists of the FILE INFECTORS which attach themselves to ordinary program files. These usually infect arbitrary .COM and/or .EXE programs, though some can infect any program for which execution is requested, such as .SYS, .OVL, .PRG, & .MNU files.

File infectors can be either DIRECT ACTION or RESIDENT. A direct-action virus selects one or more other programs to infect each time the program which contains it is executed. A resident virus hides itself somewhere in memory the first time an infected program is executed, and thereafter infects other programs when *they* are executed (as in the case of the Jerusalem) or when certain other conditions are fulfilled. The Vienna is an example of a direct-action virus. Most other viruses are resident.

The second category is SYSTEM or BOOT-RECORD INFECTORS: those viruses which infect executable code found in certain system areas on a disk which are not ordinary files.
On DOS systems, there are ordinary boot-sector viruses, which infect only the DOS boot sector, and MBR viruses which infect the Master Boot Record on fixed disks and the DOS boot sector on diskettes. Examples include Brain, Stoned, Empire, Azusa, and Michelangelo. Such viruses are always resident viruses.

Finally, a few viruses are able to infect both (the Tequila virus is one example). These are often called "MULTI-PARTITE" viruses, though there has been criticism of this name; another name is "BOOT-AND-FILE" virus.

FILE SYSTEM or CLUSTER viruses (e.g. Dir-II) are those which modify directory table entries so that the virus is loaded and executed before the desired program is. Note that the program itself is not physically altered, only the directory entry is. Some consider these infectors to be a third category of viruses, while others consider them to be a sub-category of the file infectors.

B4) What is a stealth virus?

A STEALTH virus is one which hides the modifications it has made in the file or boot record, usually by monitoring the system functions used by programs to read files or physical blocks from storage media, and forging the results of such system functions so that programs which try to read these areas see the original uninfected form of the file instead of the actual infected form. Thus the viral modifications go undetected by anti-viral programs. However, in order to do this, the virus must be resident in memory when the anti-viral program is executed.

Example: The very first DOS virus, Brain, a boot-sector infector, monitors physical disk I/O and re-directs any attempt to read a Brain-infected boot sector to the disk area where the original boot sector is stored. The next viruses to use this technique were the file infectors Number of the Beast and Frodo (= 4096 = 4K).

Countermeasures: A "clean" system is needed so that no virus is present to distort the results.
Thus the system should be built from a trusted, clean master copy before any virus-checking is attempted; this is "The Golden Rule of the Trade." With DOS, (1) boot from original DOS diskettes (i.e. DOS Startup/Program diskettes from a major vendor that have been write-protected since their creation); (2) use only tools from original diskettes until virus-checking has completed.

B5) What is a polymorphic virus?

A POLYMORPHIC virus is one which produces varied (yet fully operational) copies of itself, in the hope that virus scanners (see D1) will not be able to detect all instances of the virus.

One method to evade signature-driven virus scanners is self-encryption with a variable key; however these viruses (e.g. Cascade) are not termed "polymorphic," as their decryption code is always the same and thus can be used as a virus signature even by the simplest, signature-driven virus scanners (unless another virus or program uses the identical decryption routine).

One method to make a polymorphic virus is to choose among a variety of different encryption schemes requiring different decryption routines: only one of these routines would be plainly visible in any instance of the virus (e.g. the Whale virus). A signature-driven virus scanner would have to exploit several signatures (one for each possible encryption method) to reliably identify a virus of this kind.

A more sophisticated polymorphic virus (e.g. V2P6) will vary the sequence of instructions in its copies by interspersing it with "noise" instructions (e.g. a No Operation instruction, or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using various instruction sequences with identical net effects (e.g. Subtract A from A, and Move 0 to A).
A simple-minded, signature-based virus scanner would not be able to reliably identify this sort of virus; rather, a sophisticated "scanning engine" has to be constructed after thorough research into the particular virus.

The most sophisticated form of polymorphism discovered so far is the MtE "Mutation Engine" written by the Bulgarian virus writer who calls himself the "Dark Avenger". It comes in the form of an object module. Any virus can be made polymorphic by adding certain calls to the assembler source code and linking to the mutation-engine and random-number-generator modules.

The advent of polymorphic viruses has rendered virus-scanning an ever more difficult and expensive endeavor; adding more and more search strings to simple scanners will not adequately deal with these viruses.

B6) What are fast and slow infectors?

A typical file infector (such as the Jerusalem) copies itself to memory when a program infected by it is executed, and then infects other programs when they are executed.

A FAST infector is a virus which, when it is active in memory, infects not only programs which are executed, but even those which are merely opened. The result is that if such a virus is in memory, running a scanner or integrity checker can result in all (or at least many) programs becoming infected all at once. Examples are the Dark Avenger and the Frodo viruses.

The term "SLOW infector" is sometimes used for a virus which, if it is active in memory, infects only files as they are modified (or created). The purpose is to fool people who use integrity checkers into thinking that the modification reported by the integrity checker is due solely to legitimate reasons. An example is the Darth Vader virus.

B7) What is a sparse infector?

The term "SPARSE infector" is sometimes given to a virus which infects only occasionally, e.g. every 10th executed file, or only files whose lengths fall within a narrow range, etc.
By infecting less often, such viruses try to minimize the probability of being discovered by the user.

B8) What is a companion virus?

A COMPANION virus is one which, instead of modifying an existing file, creates a new program which (unknown to the user) gets executed by the command-line interpreter instead of the intended program. (On exit, the new program executes the original program so that things will appear normal.) The only way this has been done so far is by creating an infected .COM file with the same name as an existing .EXE file. Note that those integrity checkers which look only for *modifications* in *existing* files will fail to detect such viruses.

(Note that not all researchers consider this type of malicious code to be a virus, since it does not modify existing files.)

B9) What is an armored virus?

An ARMORED virus is one which uses special tricks to make the tracing, disassembling and understanding of their code more difficult. A good example is the Whale virus.

B10) Miscellaneous Jargon and Abbreviations

BSI = Boot Sector Infector: a virus which takes control when the computer attempts to boot (as opposed to a file infector).

CMOS = Complementary Metal Oxide Semiconductor: A memory area that is used in AT and higher class PCs for storage of system information. CMOS is battery backed RAM (see below), originally used to maintain date and time information while the PC was turned off. CMOS memory is not in the normal CPU address space and cannot be executed. While a virus may place data in the CMOS or may corrupt it, a virus cannot hide there.

DOS = Disk Operating System.
We use the term "DOS" to mean any of the MS-DOS, PC-DOS, or DR DOS systems for PCs and compatibles, even though there are operating systems called "DOS" on other (unrelated) machines.

MBR = Master Boot Record: the first Absolute sector (track 0, head 0, sector 1) on a PC hard disk, that usually contains the partition table (but on some PCs may simply contain a boot sector). This is not the same as the first DOS sector (Logical sector 0).

RAM = Random Access Memory: the place programs are loaded into in order to execute; the significance for viruses is that, to be active, they must grab some of this for themselves. However, some virus scanners may declare that a virus is active simply when it is found in RAM, even though it might be simply left over in a buffer area of RAM rather than truly being active.

TOM = Top Of Memory: the end of conventional memory, an architectural design limit at the 640K mark on most PCs. Some early PCs may not be fully populated, but the amount of memory is always a multiple of 64K. A boot-record virus on a PC typically resides just below this mark and changes the value which will be reported for the TOM to the location of the beginning of the virus so that it won't get overwritten. Checking this value for changes can help detect a virus, but there are also legitimate reasons why it may change (see C11). A very few PCs with unusual memory managers/settings may report in excess of 640K.

TSR = Terminate but Stay Resident: these are PC programs that stay in memory while you continue to use the computer for other purposes; they include pop-up utilities, network software, and the great majority of viruses. These can often be seen using utilities such as MEM, MAPMEM, PMAP, F-MMAP and INFOPLUS.

==================================
= Section C.   Virus Detection   =
==================================

C1) What are the symptoms and indications of a virus infection?

Viruses try to spread as much as possible before they deliver their "payload", but there can be symptoms of virus infection before this, and it is important to use this opportunity to spot and eradicate the virus before any destruction.

There are various kinds of symptoms which some virus authors have written into their programs, such as messages, music and graphical displays. However, the main indications are changes in file sizes and contents, changing of interrupt vectors or the reassignment of other system resources. The unaccounted use of RAM or a reduction in the amount known to be in the machine are important indicators. The examination of the code is valuable to the trained eye, but even the novice can often spot the gross differences between a valid boot sector and an infected one. However, these symptoms, along with longer disk activity and strange behavior from the hardware, can also be caused by genuine software, by harmless "prank" programs, or by hardware faults.

The only foolproof way to determine that a virus is present is for an expert to analyze the assembly code contained in all programs and system areas, but this is usually impracticable. Virus scanners go some way towards that by looking in that code for known viruses; some will even try to use heuristic means to spot viral code, but this is not always reliable. It is wise to arm yourself with the latest anti-viral software, but also to pay close attention to your system; look particularly for any change in the memory map or configuration as soon as you start the computer. For users of DOS 5.0, the MEM program with the /C switch is very handy for this. If you have DRDOS, use MEM with the /A switch; if you have an earlier version, use CHKDSK or the commonly-available PMAP or MAPMEM utilities. You don't have to know what all the numbers mean, only that they change.
Mac users have
"info" options that give some indication of memory use, but may need
ResEdit for more detail.

C2) What steps should be taken in diagnosing and identifying viruses?

Most of the time, a virus scanner program will take care of that for
you. (Remember, though, that scanning programs must be kept up to
date. Also remember that different scanner authors may call the same
virus by different names. If you want to identify a virus in order to
ask for help, it is best to run at least two scanners on it and, when
asking, say which scanners, and what versions, gave the names.) To
help identify problems early, run it on new programs and diskettes;
when an integrity checker reports a mismatch, when a generic
monitoring program sounds an alarm; or when you receive an updated
version of a scanner (or a different scanner than the one you have
been using). However, because of the time required, it is not
generally advisable to insert into your AUTOEXEC.BAT file a command to
run a scanner on an entire hard disk on every boot.

If you run into an alarm that the scanner doesn't identify, or
doesn't properly clean up for you, first verify that the version that
you are using is the most recent, and then get in touch with one of
the reputable antivirus researchers, who may ask you to send a copy
of the infected file to him. See also question C10.

C3) What is the best way to remove a virus?

In order that downtime be short and losses low, do the minimum that
you must to restore the system to a normal state, starting with
booting the system from a clean diskette. It is very unlikely that
you need to low-level reformat the hard disk!

If backups of the infected files are available and appropriate care
was taken when making the backups (see D10), this is the safest
solution, even though it requires a lot of work if many files are
involved.

More commonly, a disinfecting program is used.
If the virus is a boot
sector infector, you can continue using the computer with relative
safety if you boot it from a clean system diskette, but it is wise to
go through all your diskettes removing infection, since sooner or
later you may be careless and leave a diskette in the machine when it
reboots. Boot sector infections on PCs can be cured by a two-step
approach of replacing the MBR (on the hard disk), either by using a
backup or by the FDISK/MBR command (from DOS 5 and up), then using the
SYS command to replace the DOS boot sector.

C4) What does the virus do?

If an anti-virus program has detected a virus on your computer, don't
rush to post a question to this list asking what it does. First, it
might be a false positive alert (especially if the virus is found only
in one file), and second, some viruses are extremely common, so the
question "What does the Stoned virus do?" or "What does the Jerusalem
virus do?" is asked here repeatedly. While this list is monitored by
several anti-virus experts, they get tired of perpetually answering
the same questions over and over again. In any case, if you really
need to know what a particular virus does (as opposed to knowing
enough to get rid of it), you will need a longer treatise than could
be given to you here.

For example, the Stoned virus replaces the disk's boot record with its
own, relocating the original to a sector on the disk that may (or may
not) occur in an unused portion of the root directory of a DOS
diskette; when active, it sits in an area a few kilobytes below the
top of memory. All this description could apply to a number of common
viruses; but the important points of where the original boot sector
goes - and what effect that has on networking software, non-DOS
partitions, and so on are all major questions in themselves.

Therefore, it is better if you first try to answer your question
yourself.
There are several sources of information about the known
computer viruses, so please consult one of them before requesting
information publicly. Chances are that your virus is rather well known
and that it is already described in detail in at least one of these
sources. (See the answer to question A7, for instance.)

C5) What are "false positives" and "false negatives"?

A FALSE POSITIVE (or Type-I) error is one in which the anti-viral
software claims that a given file is infected by a virus when in
reality the file is clean. A FALSE NEGATIVE (or Type-II) error is one
in which the software fails to indicate that an infected file is
infected. Clearly false negatives are more serious than false
positives, although both are undesirable.

It has been proven by Dr. Fred Cohen that every virus detector must
have either false positives or false negatives or both. This is
expressed by saying that detection of viruses is UNDECIDABLE.
However his theorem does not preclude a program which has no false
negatives and *very few* false positives (e.g. if the only false
positives are those due to the file containing viral code which is
never actually executed, so that technically we do not have a virus).

In the case of virus scanners, false positives are rare, but they can
arise if the scan string chosen for a given virus is also present in
some benign programs because the string was not well chosen. False
negatives are more common with virus scanners because scanners will
miss a completely new or a heavily modified virus.

One other serious problem could occur: A positive that is misdiagnosed
(e.g., a scanner that detects the Empire virus in a boot record but
reports it as the Stoned). In the case of a boot sector infector, use
of a Stoned specific "cure" to recover from the Empire could result in
an unreadable disk or loss of extended partitions. Similarly,
sometimes "generic" recovery can result in unusable files, unless a
check is made (e.g.
by comparing checksums) that the recovered file is
identical to the original file. Some more recent products store
information about the original programs to allow verification of
recovery processes.

C6) Could an anti-viral program itself be infected?

Yes, so it is important to obtain this software from good sources, and
to trust results only after running scanners from a "clean" system.
But there are situations where a scanner appears to be infected when
it isn't.

Most antiviral programs try very hard to identify only viral
infections, but sometimes they give false alarms. If two different
antiviral programs are both of the "scanner" type, they will contain
"signature strings" to identify viral infections. If the strings are
not "encrypted", then they will be identified as a virus by another
scanner type program. Also, if the scanner does not remove the
strings from memory after they are run, then another scanner may
detect the virus string "in memory".

Some "change detection" type antiviral programs add a bit of code or
data to a program when "protecting" it. This might be detected by
another "change detector" as a change to a program, and therefore
suspicious.

It is good practice to use more than one antiviral program. Do be
aware, however, that antiviral programs, by their nature, may confuse
each other.

C7) Where can I get a virus scanner for my Unix system?

Basically, you shouldn't bother scanning for Unix viruses at this
point in time. Although it is possible to write Unix-based viruses,
we have yet to see any instance of a non-experimental virus in that
environment. Someone with sufficient knowledge and access to write an
effective virus would be more likely to conduct other activities than
virus-writing. Furthermore, the typical form of software sharing in
a Unix environment would not support virus spread.

This answer is not meant to imply that viruses are impossible, or that
there aren't security problems in a typical Unix environment -- there
are.
However, true viruses are highly unlikely and would corrupt file
and/or memory integrity. For more information on Unix security, see
the book "Practical Unix Security" by Garfinkel and Spafford, O'Reilly
& Associates, 1991 (it can be ordered via e-mail from nuts@ora.com).

However, there are special cases for which scanning Unix systems for
non-Unix viruses does make sense. For example, a Unix system which is
acting as a file server (e.g., PC-NFS) for PC systems is quite capable
of containing PC file infecting viruses that are a danger to PC clients.
Note that, in this example, the UNIX system would be scanned for PC
viruses, not UNIX viruses.

Another example is in the case of a 386/486 PC system running Unix,
since this system is still vulnerable to infection by MBR infectors
such as Stoned and Michelangelo, which are operating system
independent. (Note that an infection on such a Unix PC system would
probably result in disabling the Unix disk partition(s) from booting.)

In addition, a file integrity checker (to detect unauthorized changes
in executable files) on Unix systems is a very good idea. (One free
program which can do this test, as well as other tests, is the COPS
package, available by anonymous FTP on cert.org.) Unauthorized
file changes on Unix systems are very common, although they usually
are not due to virus activity.

C8) Why does my anti-viral scanner report an infection only sometimes?

There are circumstances where part of a virus exists in RAM without
being active: If your scanner reports a virus in memory only
occasionally, it could be due to the operating system buffering disk
reads, keeping disk contents that include a virus in memory
(harmlessly), in which case it should also find it on disk. Or after
running another scanner, there may be scan strings left (again
harmlessly) in memory.
This is sometimes called a "ghost positive"
alert.

C9) Is my disk infected with the Stoned virus?

Of course the answer to this, and many similar questions, is to obtain
a good virus detector. There are many to choose from, including ones
that will scan diskettes automatically as you use them. Remember to
check all diskettes, even non-system ("data") diskettes.

It is possible, if you have an urgent need to check a system when
you don't have any anti-viral tools, to boot from a clean system
diskette, and use the CHKDSK method (mentioned in C1) to see if it is
in memory, then look at the boot sector with a disk editor. Usually
the first few bytes will indicate the characteristic far jump of the
Stoned virus; however, you could be looking at a perfectly good disk
that has been "inoculated" against the virus, or at a diskette that
seems safe but contains a totally different type of virus.

C10) I think I have detected a new virus; what do I do?

Whenever there is doubt over a virus, you should obtain the latest
versions of several (not just one) major virus scanners. Some scanning
programs now use "heuristic" methods (F-PROT, CHECKOUT and SCANBOOT
are examples), and "activity monitoring" programs can report a disk or
file as being possibly infected when it is in fact perfectly safe
(odd, perhaps, but not infected). If no string-matching scan finds a
virus, but a heuristic program does (or there are other reasons to
suspect the file, e.g., change in size of files) then it is possible
that you have found a new virus, although the chances are probably
greater that it is an odd-but-okay disk or file. Start by looking in
recent VIRUS-L postings about "known" false positives, then contact
the author of the anti-virus software that reports it as virus-like;
the documentation for the software may have a section explaining what
to do if you think you have found a new virus.
Consider using the
BootID or Checkout programs to calculate the "hashcode" of a diskette
in the case of boot sector infectors, rather than send a complete
diskette or "live" virus until requested.

C11) CHKDSK reports 639K (or less) total memory on my system; am I infected?

If CHKDSK displays 639K for the total memory instead of 640K (655,360
bytes) - so that you are missing only 1K - then it is probably due to
reasons other than a virus since there are very few viruses which take
only 1K from total memory. Legitimate reasons for a deficiency of 1K
include:

1) A PS/2 computer. IBM PS/2 computers reserve 1K of conventional RAM
   for an Extended BIOS Data Area, i.e. for additional data storage
   required by its BIOS.
2) A computer with American Megatrends Inc. (AMI) BIOS, which is set up
   (with the built-in CMOS setup program) in such a way that the BIOS
   uses the upper 1K of memory for its internal variables. (It can be
   instructed to use lower memory instead.)
3) A SCSI controller.
4) The DiskSecure program.
5) Mouse buffers for older Compaqs.

If, on the other hand, you are missing 2K or more from the 640K, 512K,
or whatever the conventional memory normally is for your PC, the
chances are greater that you have a boot-record virus (e.g. Stoned,
Michelangelo), although even in this case there may be legitimate
reasons for the missing memory:

1) Many access control programs for preventing booting from a floppy.
2) H/P Vectra computers.
3) Some special BIOSes which use memory (e.g.) for a built-in calendar
   and/or calculator.

However, these are only rough guides. In order to be more certain
whether the missing memory is due to a virus, you should:
(1) run several virus detectors;
(2) look for a change in total memory every now and then;
(3) compare the total memory size with that obtained when cold booting
    from a "clean" system diskette.
    The latter should show the normal amount of total memory for your
    configuration.

Note: in all cases, CHKDSK should be run without software such as
MS-Windows or DesqView loaded, since GUIs seem to be able to open DOS
boxes only on whole K boundaries (some seem to be even coarser); thus
CHKDSK run from a DOS box may report unrepresentative values.

Note also that some machines have only 512K or 256K instead of 640K of
conventional memory.

C12) I have an infinite loop of sub-directories on my hard drive; am I infected?

Probably not. This happens now and then, when something sets the
"cluster number" field of some subdirectory to the same cluster as an
upper-level (usually the root) directory. The /F parameter of CHKDSK,
and any of various popular utility programs, should be able to fix
this, usually by removing the offending directory. *Don't* erase any
of the "replicated" files in the odd directory, since that will erase
the "copy" in the root as well (it's really not a copy at all; just a
second pointer to the same file).

====================================
Section D. Protection plans
====================================

D1) What is the best protection policy for my computer?

There is no "best" anti-virus policy. In particular, there is no
program that can magically protect you against all viruses. But you
can design an anti-virus protection strategy based on multiple layers
of defense. There are three main kinds of anti-viral software, plus
several other means of protection (such as hardware write-protect
methods).

1) GENERIC MONITORING programs. These try to prevent viral activity
   before it happens, such as attempts to write to another executable,
   reformat the disk, etc.
   Examples: SECURE and FluShot+ (PC), and GateKeeper (Macintosh).

2) SCANNERS. Most look for known virus strings (byte sequences which
   occur in known viruses, but hopefully not in legitimate software) or
   patterns, but a few use heuristic techniques to recognize viral
   code.
   A scanner may be designed to examine specified disks or files
   on demand, or it may be resident, examining each program which is
   about to be executed. Most scanners also include virus removers.
   Examples: FindViru in Dr Solomon's Anti-Virus Toolkit, FRISK's
   F-Prot, McAfee's VIRUSCAN (all PC), Disinfectant (Macintosh).
   Resident scanners: McAfee's V-Shield, and VIRSTOP.
   Heuristic scanners: the Analyse module in FRISK's F-PROT package,
   and SCANBOOT.

3) INTEGRITY CHECKERS or MODIFICATION DETECTORS. These compute a small
   "checksum" or "hash value" (usually CRC or cryptographic) for files
   when they are presumably uninfected, and later compare newly
   calculated values with the original ones to see if the files have
   been modified. This catches unknown viruses as well as known ones
   and thus provides *generic* detection. On the other hand,
   modifications can also be due to reasons other than viruses.
   Usually, it is up to the user to decide which modifications are
   intentional and which might be due to viruses, although a few
   products give the user help in making this decision. As in the case
   of scanners, integrity checkers may be called to checksum entire
   disks or specified files on demand, or they may be resident,
   checking each program which is about to be executed (the latter is
   sometimes called an INTEGRITY SHELL). A third implementation is as a
   SELF-TEST, i.e. the checksumming code is attached to each executable
   file so that it checks itself just before execution.
   Examples: Fred Cohen's ASP Integrity Toolkit (commercial), and
   Integrity Master and VDS (shareware), all for the PC.

3a) A few modification detectors come with GENERIC DISINFECTION. I.e.,
   sufficient information is saved for each file that it can be
   restored to its original state in the case of the great majority of
   viral infections, even if the virus is unknown.
   Examples: V-Analyst 3 (BRM Technologies, Israel), marketed in the US
   as Untouchable (by Fifth Generation), and the VGUARD module of
   V-care.

Of course, only a few examples of each type have been given. All of
them can find their place in the protection against computer viruses,
but you should appreciate the limitations of each method, along with
system-supplied security measures that may or may not be helpful in
defeating viruses. Ideally, you would arrange a combination of
methods that cover the loopholes between them.

A typical PC installation might include a protection system on the
hard disk's MBR to protect against viruses at load time (ideally this
would be hardware or in BIOS, but software methods such as DiskSecure
and PanSoft's Immunise are pretty good). This would be followed by
resident virus detectors loaded as part of the machine's startup
(CONFIG.SYS or AUTOEXEC.BAT), such as FluShot+ and/or VirStop together
with ScanBoot. A scanner such as F-Prot or McAfee's SCAN could be
put into AUTOEXEC.BAT to look for viruses as you start up, but this
may be a problem if you have a large disk to check (or don't reboot
often enough). Most importantly, new files should be scanned as they
arrive on the system. If your system has DR DOS installed, you should
use the PASSWORD command to write-protect all system executables and
utilities.
If you have Stacker or SuperStore, you can get some
improved security from these compressed drives, but also a risk that
those viruses stupid enough to directly write to the disk could do
much more damage than normal; using a software write-protect system
(such as provided with Disk Manager or Norton Utilities) may help, but
the best solution (if possible) is to put all executables on a disk of
their own, protected by a hardware read-only system that sounds an
alarm if a write is attempted.

If you do use a resident BSI detector or a scan-while-you-copy
detector, it is important to trace back any infected diskette to its
source; the reason why viruses survive so well is that usually you
cannot do this, because the infection is found long after the
infecting diskette has been forgotten with most people's lax scanning
policies.

Organizations should devise and implement a careful policy, that may
include a system of vetting new software brought into the building and
free virus detectors for home machines of employees/students/etc who
take work home with them.

Other anti-viral techniques include:

(a) Creation of a special MBR to make the hard disk inaccessible when
    booting from a diskette (the latter is useful since booting from a
    diskette will normally bypass the protection in the CONFIG.SYS and
    AUTOEXEC.BAT files of the hard disk). Example: GUARD.
(b) Use of Artificial Intelligence to learn about new viruses and
    extract scan patterns for them.
    Examples: V-Care (CSA Interprint, Israel; distributed in the U.S.
    by Sela Consultants Corp.), Victor Charlie (Bangkok Security
    Associates, Thailand; distributed in the US by Computer Security
    Associates).
(c) Encryption of files (with decryption before execution).

D2) Is it possible to protect a computer system with only software?

Not perfectly; however, software defenses can significantly reduce
your risk of being affected by viruses WHEN APPLIED APPROPRIATELY.
All virus defense systems are tools - each with their own capabilities
and limitations. Learn how your system works and be sure to work
within its limitations.

From a software standpoint, a very high level of protection/detection
can be achieved with only software, using a layered approach.

1) ROM BIOS - password (access control) and selection of boot disk.
   (Some may consider this hardware.)
2) Boot sectors - integrity management and change detection.
3) OS programs - integrity management of existing programs, scanning of
   unknown programs. Requirement of authentication values for any new
   or transmitted software.
4) Locks that prevent writing to a fixed or floppy disk.

As each layer is added, invasion without detection becomes more
difficult. However complete protection against any possible attack
cannot be provided without dedicating the computer to pre-existing or
unique tasks. The international standardization of the world on the
IBM PC architecture is both its greatest asset and its greatest
vulnerability.

D3) Is it possible to write-protect the hard disk with only software?

The answer is no. There are several programs which claim to do that,
but *all* of them can be bypassed using only the currently known
techniques that are used by some viruses.
Therefore you should
never rely on such programs *alone*, although they can be useful in
combination with other anti-viral measures.

D4) What can be done with hardware protection?

Hardware protection can accomplish various things, including: write
protection for hard disk drives, memory protection, monitoring and
trapping unauthorized system calls, etc. Again, no tool is foolproof.

The popular idea of write-protection (see D3) may stop viruses
spreading to the disk that is protected, but doesn't, in itself,
prevent a virus from running.

Also, some of the existing hardware protections can be easily
bypassed, fooled, or disconnected, if the virus writer knows them
well and designs a virus which is aware of the particular defense.

D5) Will setting DOS file attributes to READ ONLY protect them from viruses?

No. While the Read Only attribute will protect your files from a few
viruses, most simply override it, and infect normally. So, while
setting executable files to Read Only is not a bad idea, it is
certainly not a thorough protection against viruses!

D6) Will password/access control systems protect my files from viruses?

All password and other access control systems are designed to protect
the user's data from other users and/or their programs. Remember,
however, that when you execute an infected program the virus in it
will gain your current rights/privileges. Therefore, if the access
control system provides *you* the right to modify some files, it will
provide it to the virus too. Note that this does not depend on the
operating system used - DOS, Unix, or whatever. Therefore, an access
control system will protect your files from viruses no better than it
protects them from you.

Under DOS, there is no memory protection, so a virus could disable the
access control system in memory, or even patch the operating system
itself.
On the more advanced operating systems (Unix) this is not
possible, so at least the protection cannot be disabled by a virus.
However it will still spread, due to the reasons noted above. In
general, the access control systems (if implemented correctly) are
able only to slow down the virus spread, not to eliminate viruses
entirely.

Of course, it's better to have access control than not to have it at
all. Just be sure not to develop a false sense of security and to
rely *entirely* on the access control system to protect you.

D7) Will the protection systems in DR DOS work against viruses?

Partially. Neither the password file/directory protection available
from DR DOS version 5 onwards, nor the secure disk partitions
introduced in DR DOS 6 are intended to combat viruses, but they do to
some extent. If you have DR DOS, it is very wise to password-protect
your files (to stop accidental damage too), but don't depend on it as
the only means of defense.

The use of the password command (e.g. PASSWORD/W:MINE *.EXE *.COM)
will stop more viruses than the plain DOS attribute facility, but that
isn't saying much! The combination of the password system plus a disk
compression system may be more secure (because to bypass the password
system they must access the disk directly, but under SuperStore or
Stacker the physical disk is meaningless to the virus). There may be
some viruses which, rather than invisibly infecting files on
compressed disks in fact very visibly corrupt the disk.

The "secure disk partitions" system introduced with DR DOS 6 may be of
some help against a few viruses that look for DOS partitions on a
disk. The main use is in stopping people fiddling with (and
infecting) your hard disk while you are away.

Furthermore, DR DOS is not very compatible with MS/PC-DOS, especially
down to the low-level tricks that some viruses are using.
For
instance, some internal memory structures are "read-only" in the sense
that they are constantly updated (for DOS compatibility) but not
really used by DR DOS, so that even if a sophisticated virus modifies
them, this does not have any effect.

In general, using a less compatible system diminishes the number of
viruses that can infect it. For instance, the introduction of hard
disks made the Brain virus almost disappear; the introduction of 80286
and DOS 4.x+ made the Yale and Ping Pong viruses extinct, and so on.

D8) Will a write-protect tab on a floppy disk stop viruses?

In general, yes. The write-protection on IBM PC (and compatible) and
Macintosh floppy disk drives is implemented in hardware, not software,
so viruses cannot infect a diskette when the write-protection mechanism
is functioning properly.

But remember:

(a) A computer may have a faulty write-protect system (this happens!) -
    you can test it by trying to copy a file to the diskette when it is
    presumably write-protected.
(b) Someone may have removed the tab for a while, allowing a virus on.
(c) The files may have been infected before the disk was protected.
    Even some diskettes "straight from the factory" have been known to
    be infected in the production processes.

So it is worthwhile scanning even write-protected disks for viruses.

D9) Do local area networks (LANs) help to stop viruses or do they facilitate their spread?

Both. A set of computers connected in a well managed LAN, with
carefully established security settings, with minimal privileges for
each user, and without a transitive path of information flow between
the users (i.e., the objects writable by any of the users are not
readable by any of the others) is more virus-resistant than the same
set of computers if they are not interconnected.
The reason is that
when all computers have (read-only) access to a common pool of
executable programs, there is usually less need for diskette swapping
and software exchange between them, and therefore fewer ways through
which a virus could spread.

However, if the LAN is not well managed, with lax security, it could
help a virus to spread like wildfire. It might even be impossible to
remove the infection without shutting down the entire LAN.

A network that supports login scripting is inherently more resistant
to viruses than one that does not, if this is used to validate the
client before allowing access to the network.

D10) What is the proper way to make backups?

Data and text files, and programs in source form, should be backed up
each time they are modified. However, the only backups you should
keep of COM, EXE and other *executable* files are the *original*
versions, since if you back up an executable file on your hard disk
over and over, it may have become infected meanwhile, so that you may
no longer have an uninfected backup of that file. Therefore:

 1. If you've downloaded shareware, copy it (preferably as a ZIP or
other original archive file) onto your backup medium and do not
re-back it up later.
 2. If you have purchased commercial software, it's best to create a
ZIP (or other) archive from the original diskettes (assuming they're
not copy protected) and transfer the archive onto that medium. Again,
do not re-back up.
 3. If you write your own programs, back up only the latest version
of the *source* programs. Depend on recompilation to reproduce the
executables.
 4. If an executable has been replaced by a new version, then of
course you will want to keep a backup of the new version. However, if
it has been modified as a result of your having changed configuration
information, it seems safer *not* to back up the modified file; you
can always re-configure the backup copy later if you have to.
 5. Theoretically, source programs could be infected, but until such
a virus is discovered, it seems preferable to treat such files as
non-executables and back them up whenever you modify them. The same
advice is probably appropriate for batch files as well, despite the
fact that a few batch file infectors have been discovered.

========================================================
Section E. Facts and Fibs about computer viruses
========================================================

E1) Can boot sector viruses infect non-bootable floppy disks?

Any diskette that has been properly formatted contains an executable
program in the boot sector. If the diskette is not "bootable," all
that boot sector does is print a message like "Non-system disk or disk
error; replace and strike any key when ready", but it's still
executable and still vulnerable to infection. If you accidentally
turn your machine on with a "non-bootable" diskette in the drive, and
see that message, it means that any boot virus that may have been on
that diskette *has* run, and has had the chance to infect your hard
drive, or whatever. So when thinking about viruses, the word
"bootable" (or "non-bootable") is really misleading. All formatted
diskettes are capable of carrying a virus.

E2) Can a virus hide in a PC's CMOS memory?

No. The CMOS RAM in which system information is stored and backed up
by batteries is ported, not addressable. That is, in order to get
anything out, you use I/O instructions. So anything stored there is
not directly sitting in memory. Nothing in a normal machine loads the
data from there and executes it, so a virus that "hid" in the CMOS RAM
would still have to infect an executable object of some kind in order
to load and execute whatever it had written to CMOS.
A malicious virus can of course *alter* values in the CMOS as part of
its payload, but it can't spread through, or hide itself in, the CMOS.

A virus could also use the CMOS RAM to hide a small part of its
body (e.g., the payload, counters, etc.). However, any executable
code stored there must be first extracted to ordinary memory in order
to be executed.

E3) Can a virus hide in Extended or in Expanded RAM?

Theoretically yes, although no such viruses are known yet. However,
even if they are created, they will have to have a small part resident
in conventional RAM; they cannot reside *entirely* in Extended or in
Expanded RAM.

E4) Can a virus hide in Upper Memory or in High Memory?

Yes, it is possible to construct a virus which will locate itself
in Upper Memory (640K to 1024K) or in High Memory (1024K to 1088K),
and a few currently known viruses (e.g. EDV) do hide in Upper Memory.

It might be thought that there is no point in scanning in these areas
for any viruses other than those which are specifically known to
inhabit them. However, there are cases when even ordinary viruses can
be found in Upper Memory. Suppose that a conventional memory-resident
virus infects a TSR program and this program is loaded high by the
user (for instance, from AUTOEXEC.BAT). Then the virus code will also
reside in Upper Memory. Therefore, an effective scanner must be able
to scan this part of memory for viruses too.

E5) Can a virus infect data files?

Some viruses (e.g., Frodo, Cinderella) modify non-executable files.
However, in order to spread, the virus must be executed. Therefore
the "infected" non-executable files cannot be sources of further
infection.

However, note that it is not always possible to make a sharp
distinction between executable and non-executable files. One man's
code is another man's data and vice versa.
Some files that are not directly executable contain code or data which
can under some conditions be executed or interpreted.

Some examples from the IBM PC world are .OBJ files, libraries, device
drivers, source files for any compiler or interpreter, macro files
for some packages like MS Word and Lotus 1-2-3, and many others.
Currently there are viruses that infect boot sectors, master boot
records, COM files, EXE files, BAT files, and device drivers, although
any of the objects mentioned above can theoretically be used as an
infection carrier. PostScript files can also be used to carry a virus,
although no currently known virus does that.

E6) Can viruses spread from one type of computer to another?

The simple answer is that no currently known viruses can do this.
Although the disk formats may be the same (e.g. Atari ST and DOS), the
different machines interpret the code differently. For example, the
Stoned virus cannot infect an Atari ST as the ST cannot execute the
virus code in the bootsector. The Stoned virus contains instructions
for the 80x86 family of CPU's that the 680x0-family CPU (Atari ST)
can't understand or execute.

The more general answer is that such viruses are possible, but
unlikely. Such a virus would be quite a bit larger than current
viruses and might well be easier to find. Additionally, the low
incidence of cross-machine sharing of software means that any such
virus would be unlikely to spread -- it would be a poor environment
for virus growth.

E7) Can DOS viruses run on non-DOS machines (e.g. Mac, Amiga)?

In general, no. However, on machines running DOS emulators (either
hardware or software based), DOS viruses - just like any DOS program -
may function. These viruses would be subject to the file access
controls of the host operating system. An example is when running a
DOS emulator such as VP/ix under a 386 UNIX environment, DOS
programs are not permitted access to files which the host UNIX system
does not allow them to.
Thus, it is important to administer these systems carefully.

E8) Can mainframe computers be susceptible to computer viruses?

Yes. Numerous experiments have shown that computer viruses spread
very quickly and effectively on mainframe systems. However, to our
knowledge, no non-research computer virus has been seen on mainframe
systems. (The Internet worm of November 1988 was not a computer virus
by most definitions, although it had some virus-like characteristics.)

Computer viruses are actually a special case of something else called
"malicious logic", and other forms of malicious logic -- notably
Trojan horses -- are far quicker, more effective, and harder to detect
than computer viruses. Nevertheless, on personal computers many more
viruses are written than Trojans. There are two reasons for this:
(1) Since a virus propagates, the number of users to which damage can
be caused is much greater than in the case of a Trojan; (2) It's
almost impossible to trace the source of a virus since viruses are
not attached to any particular program.

For further information on malicious programs on multi-user systems,
see Matt Bishop's paper, "An Overview of Malicious Logic in a Research
Environment", available by anonymous FTP on Dartmouth.edu
(129.170.16.4) as "pub/security/mallogic.ps".

E9) Some people say that disinfecting files is a bad idea. Is that
    true?

Disinfecting a file is completely "safe" only if the disinfecting
process restores the non-infected state of the object completely. That
is, not only the virus must be removed from the file, but the original
length of the file must be restored exactly, as well as its time and
date of last modification, all fields in the header, etc. Sometimes
it is necessary to be sure that the file is placed on the same
clusters of the disk that it occupied prior to infection.
If this is not done, then a program which uses some kind of
self-checking or copy protection may stop functioning properly, if at
all.

None of the currently available disinfecting programs do all this.
For instance, because of the bugs that exist in many viruses, some of
the information of the original file is destroyed and cannot be
recovered. Other times, it is even impossible to detect that this
information has been destroyed and to warn the user. Furthermore,
some viruses corrupt information very slightly and in a random way
(Nomenklatura, Phoenix), so that it is not even possible to tell which
files have been corrupted.

Therefore, it is usually better to replace the infected objects with
clean backups, provided you are certain that your backups are
uninfected (see D10). You should try to disinfect files only if they
contain some valuable data that cannot be restored from backups or
compiled from their original source.

E10) Can I avoid viruses by avoiding shareware/free software/games?

No. There are many documented instances in which even commercial
"shrink wrap" software was inadvertently distributed containing
viruses. Avoiding shareware, freeware, games, etc. only isolates you
from a vast collection of software (some of it very good, some of it
very bad, most of it somewhere in between...).

The important thing is not to avoid a certain type of software, but to
be cautious of ANY AND ALL newly acquired software. Simply scanning
all new software media for known viruses would be rather effective at
preventing virus infections, especially when combined with some other
prevention/detection strategy such as integrity management of
programs.

E11) Can I contract a virus on my PC by performing a "DIR" of an
     infected floppy disk?

If you assume that the PC you are using is virus free before you
perform the DIR command, then the answer is no.
However, when you perform a DIR, the contents of the boot sector of
the diskette are loaded into a buffer for use when determining disk
layout etc., and certain anti-virus products will scan these buffers.
If a boot sector virus has infected your diskette, the virus code will
be contained in the buffer, which may cause some anti-virus packages
to give the message "xyz virus found in memory, shut down computer
immediately". In fact, the virus is not a threat at this point since
control of the CPU is never passed to the virus code residing in the
buffer. But, even though the virus is really not a threat at this
point, this message should not be ignored. If you get a message like
this, and then reboot from a clean DOS diskette and scan your
hard-drive and find no virus, then you know that the false positive
was caused by the fact that the infected boot-sector was loaded into a
buffer, and the diskette should be appropriately disinfected before
use. The use of DIR will not infect a clean system, even if the
diskette it is being performed on does contain a virus.

E12) Is there any risk in copying data files from an infected floppy
     disk to a clean PC's hard disk?

Assuming that you did not boot or run any executable programs from the
infected disk, the answer is generally no. There are two caveats: 1)
you should be somewhat concerned about checking the integrity of these
data files as they may have been destroyed or altered by the virus,
and 2) if any of the "data" files are interpretable as executable by
some other program (such as a Lotus macro) then these files should be
treated as potentially malicious until the symptoms of the infection
are known. The copying process itself is safe (given the above
scenario).
However, you should be concerned with what type of files are being
copied to avoid introducing other problems.

E13) Can a DOS virus survive and spread on an OS/2 system using the
     HPFS file system?

Yes, both file-infecting and boot sector viruses can infect HPFS
partitions. File-infecting viruses function normally and can activate
and do their dirty deeds, and boot sector viruses can prevent OS/2
from booting if the primary bootable partition is infected. Viruses
that try to directly address disk sectors cannot function because OS/2
prevents this activity.

E14) Under OS/2 2.0, could a virus infected DOS session infect another
     DOS session?

Each DOS program is run in a separate Virtual DOS Machine (their
memory spaces are kept separated by OS/2). However, any DOS program
has almost complete access to the files and disks, so infection can
occur if the virus infects files; any other DOS session that executes
a program infected by a virus that makes itself memory resident would
itself become infected.

However, bear in mind that all DOS sessions share the same copy of the
command interpreter. Hence if it becomes infected, the virus will be
active in *all* DOS sessions.

E15) Can normal DOS viruses work under MS Windows?

Most of them cannot. A system that runs exclusively MS Windows is,
in general, more virus-resistant than a plain DOS system. The reason
is that most resident viruses are not compatible with the memory
management in Windows. Furthermore, most of the existing viruses will
damage the Windows applications if they try to infect them as normal
EXE files. The damaged applications will stop working and this will
alert the user that something is wrong.

However, virus-resistant is by no means virus-proof. For instance,
most of the well-behaved resident viruses that infect only COM files
(Cascade is an excellent example), will work perfectly in a DOS
window. All non-resident COM infectors will be able to run and infect
too.
And currently there exists at least one Windows-specific virus
which is able to properly infect Windows applications (it is
compatible with the NewEXE file format).

Any low level trapping of Interrupt 13, as by resident boot sector and
MBR viruses, can also affect Windows operation, particularly if
protected disk access (32BitDiskAccess=ON in SYSTEM.INI) is used.

==========================================
= Section F.   Miscellaneous Questions   =
==========================================

F1) How many viruses are there?

It is not possible to give an exact number because new viruses are
being created literally every day. Furthermore, different anti-virus
researchers use different criteria to decide whether two viruses are
different or one and the same. Some count viruses as different if
they differ by at least one bit in their non-variable code. Others
group the viruses in families and do not count the closely related
variants in one family as different viruses.

Taking a rough average, as of October 1992 there were about 1,800 IBM
PC viruses, about 150 Amiga viruses, about 30 Macintosh viruses, about
a dozen Acorn Archimedes viruses, several Atari ST viruses, and a few
Apple II viruses.

However, very few of the existing viruses are widespread. For
instance, only about three dozen of the known IBM PC viruses are
causing most of the reported infections.

F2) How do viruses spread so quickly?

This is a very complex issue. Most viruses don't spread very quickly.
Those that do spread widely are able to do so for a variety of
reasons. A large target population (i.e., millions of compatible
computers) helps... A large virus population helps... Vendors whose
quality assurance mechanisms rely on, for example, outdated scanners
help... Users who gratuitously insert new software into their systems
without making any attempt to test for viruses help... All of these
things are factors.

F3) What is the plural of "virus"? "Viruses" or "viri" or "virii"
    or...

The correct English plural of "virus" is "viruses." The Latin word is
a mass noun (like "air"), and there is no correct Latin plural.
Please use "viruses," and if people use other forms, please don't use
VIRUS-L/comp.virus to correct them.

F4) When reporting a virus infection (and looking for assistance),
    what information should be included?

People frequently post messages to VIRUS-L/comp.virus requesting
assistance on a suspected virus problem. Quite often, the information
supplied is not sufficient for the various experts on the list to be
able to help out. Also note that any such assistance from members of
the list is provided on a volunteer basis; be grateful for any help
received. Try to provide the following information in your requests
for assistance:

  - The name of the virus (if known);
  - The name of the program that detected it;
  - The version of the program that detected it;
  - Any other anti-virus software that you are running and whether it
    has been able to detect the virus or not, and if yes, by what name
    did it call it;
  - Your software and hardware configuration (computer type, kinds of
    disk(ette) drives, amount of memory and configuration
    (extended/expanded/conventional), TSR programs and device drivers
    used, OS version, etc.)

It is helpful if you can use more than one scanning program to
identify a virus, and to say which scanner gave which identification.
However, some scanning programs leave "signatures" in memory which
will confuse others, so it is best to do a "cold reboot" between runs
of successive scanners, particularly if you are getting confusing
results.

F5) How often should we upgrade our anti-virus tools to minimize
    software and labor costs and maximize our protection?

This is a difficult question to answer.
Antiviral software is a kind of insurance, and these types of
calculations are difficult.

There are two things to watch out for here: the general "style" of the
software, and the signatures which scanners use to identify viruses.
Scanners should be updated more frequently than other software, and it
is probably a good idea to update your set of signatures at least once
every two months.

Some antiviral software looks for changes to programs or specific
types of viral "activity," and these programs generally claim to be
good for "all current and future viral programs." However, even these
programs cannot guarantee to protect against all future viruses, and
should probably be upgraded once per year.

Of course, not every anti-virus product is effective against all
viruses, even if upgraded regularly. Thus, do *not* depend on the
fact that you have upgraded your product recently as a guarantee that
your system is free of viruses!

======================================================================
= Section G.   Specific Virus and Anti-viral software Questions...   =
======================================================================

G1) I was infected by the Jerusalem virus and disinfected the infected
    files with my favorite anti-virus program. However, Wordperfect
    and some other programs still refuse to work. Why?

The Jerusalem virus and WordPerfect 4.2 program combination is an
example of a virus and program that cannot be completely disinfected
by an anti-virus tool. In some cases such as this one, the virus will
destroy code by overwriting it instead of appending itself to the
file. The only solution is to re-install the programs from clean
(non-infected) backups or distribution media. (See question D10.)

G2) I was told that the Stoned virus displays the text "Your PC is now
    Stoned" at boot time. I have been infected by this virus several
    times, but have never seen the message. Why?

The "original" Stoned message was ".Your PC is now Stoned!", where the
"."
represents the "bell" character (ASCII 7 or "PC speaker beep").
The message is displayed with a probability of 1 in 8 only when a PC is
booted from an infected diskette. When booting from an infected hard
disk, Stoned never displays this message.

Recently, versions of Stoned with no message whatsoever or only the
leading bell character have become very common. These versions of
Stoned are likely to go unnoticed by all but the most observant, even
when regularly booting from infected diskettes.

Contrary to some reports, the Stoned virus -does NOT- display the
message "LEGALISE MARIJUANA", although such a string is quite clearly
visible in the boot sectors of diskettes infected with the "original"
version of Stoned in "standard" PC's.

G3) I was infected by both Stoned and Michelangelo. Why has my
    computer become unbootable? And why, each time I run my favorite
    scanner, does it find one of the viruses and say that it is
    removed, but when I run it again, it says that the virus is still
    there?

These two viruses store the original Master Boot Record at one and the
same place on the hard disk. They do not recognize each other, and
therefore a computer can become infected with both of them at the same
time.

The first of these viruses that infects the computer will overwrite
the Master Boot Record with its body and store the original MBR at a
certain place on the disk. So far, this is normal for a boot-record
virus. But if now the other virus infects the computer too, it will
replace the MBR (which now contains the virus that has come first)
with its own body, and store what it believes is the original MBR (but
in fact is the body of the first virus) AT THE SAME PLACE on the hard
disk, thus OVERWRITING the original MBR. When this happens, the
contents of the original MBR are lost.
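
The double infection described in this answer can be followed on a toy
disk model. The Python below is an added example, not part of the FAQ:
the sector index, the marker strings, the order of infection and the
checked_clean() routine are assumptions made for illustration, and the
sectors hold labels rather than real boot code.

```python
"""Toy model of the Stoned + Michelangelo double infection.
Sectors hold labelled marker strings, not real boot code or virus bodies."""

SECTOR_SIZE = 512
CODE_END, PTABLE_END = 446, 510   # MBR layout: code | partition table | 55 AA
BOOT_SIG = b"\x55\xaa"
MBR = 0
STASH = 6                         # constructed index for the shared "saved MBR" sector

# Constructed markers standing in for the two virus bodies.
KNOWN = {b"MODEL-STONED": "stoned", b"MODEL-MICHELANGELO": "michelangelo"}


def make_sector(code_tag: bytes, ptable: bytes) -> bytes:
    """Build a 512-byte boot record from a code marker and a 64-byte partition table."""
    assert len(ptable) == PTABLE_END - CODE_END
    return code_tag.ljust(CODE_END, b"\x00") + ptable + BOOT_SIG


def identify(sector: bytes):
    """Scanner stand-in: name the virus whose marker starts the code area, else None."""
    for tag, name in KNOWN.items():
        if sector.startswith(tag):
            return name
    return None


def infect(disk: dict, tag: bytes) -> None:
    """Boot-record infector as the text describes it: copy sector 0 to STASH, then
    replace the code in sector 0, without checking what is being copied.
    Model assumption: the partition table bytes stay in sector 0."""
    disk[STASH] = disk[MBR]
    disk[MBR] = make_sector(tag, disk[MBR][CODE_END:PTABLE_END])


def naive_clean(disk: dict):
    """Removal tool that trusts STASH: restores whatever is there over sector 0."""
    found = identify(disk[MBR])
    if found:
        disk[MBR] = disk[STASH]
    return found


def checked_clean(disk: dict, loader_tag: bytes = b"GENERIC-LOADER"):
    """Removal tool that validates STASH first and otherwise writes a loader it
    carries itself, keeping the partition table already in sector 0."""
    found = identify(disk[MBR])
    if not found:
        return None
    saved = disk[STASH]
    trustworthy = (len(saved) == SECTOR_SIZE and saved.endswith(BOOT_SIG)
                   and identify(saved) is None)
    if trustworthy:
        disk[MBR] = saved                      # single infection: saved copy is usable
    else:
        disk[MBR] = make_sector(loader_tag, disk[MBR][CODE_END:PTABLE_END])
    disk[STASH] = bytes(SECTOR_SIZE)           # do not leave a virus body behind
    return found


def new_disk() -> dict:
    """Clean disk with a constructed partition table entry."""
    ptable = bytes([0x80]) + b"CONSTRUCTED-PARTITION-ENTRY".ljust(63, b"\x00")
    return {MBR: make_sector(b"ORIGINAL-LOADER", ptable), STASH: bytes(SECTOR_SIZE)}


def double_infected() -> dict:
    disk = new_disk()
    infect(disk, b"MODEL-STONED")          # first infection saves the real MBR
    infect(disk, b"MODEL-MICHELANGELO")    # second one overwrites that saved copy
    return disk


if __name__ == "__main__":
    disk = double_infected()
    print("naive runs:", [naive_clean(disk) for _ in range(3)])
    disk = double_infected()
    print("checked   :", checked_clean(disk), "->", identify(disk[MBR]))
```
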
Therefore the disk becomes non-bootable.

When a virus removal program inspects such a hard disk, it will see
the SECOND virus in the MBR and will try to remove it by overwriting
it with the contents of the sector where this virus normally stores
the original MBR. However, now this sector contains the body of the
FIRST virus. Therefore, the virus removal program will install the
first virus in trying to remove the second. In all probability it
will not wipe out the sector where the (infected) MBR has been stored.

When the program is run again, it will find the FIRST virus in the
MBR. By trying to remove it, the program will get the contents of the
sector where this virus normally stores the original MBR, and will
move it over the current (infected) MBR. Unfortunately, this sector
still contains the body of the FIRST virus. Therefore, the body of
this virus will be re-installed over the MBR ad infinitum.

There is no easy solution to this problem, since the contents of the
original MBR are lost. The only solution for the anti-virus program is
to detect that there is a problem, and to overwrite the contents of
the MBR with a valid MBR program, which the anti-virus program will
have to carry with itself. If your favorite anti-virus program is not
that smart, consider replacing it with a better one, or just boot from
a write-protected uninfected DOS 5.0 diskette, and execute the program
FDISK with the option /MBR. This will re-create the executable code
in the MBR without modifying the partition table data.

In general, infection by multiple viruses of the same file or area is
possible and vital areas of the original may be lost. This can make
it difficult or impossible for virus disinfection tools to be
effective, and replacement of the lost file/area will be necessary.

====================
[End of VIRUS-L/comp.virus FAQ]


Technical background of a fax transmission:
from: Unterrichtsblaetter der Deutschen Bundespost TELEKOM, 10.02.1990
Dipl.-Ing. Klaus Wolf, Muenchen

         --------------------------------------
        [                                      ]
        [    FUNDAMENTALS OF FAX TECHNOLOGY    ]
        [                                      ]
         --------------------------------------

OVERVIEW:

1    Background
2    Technical design of fax machines
3    Scanning methods
3.1  Scanning with a photodetector
3.2  Scanning with a photodiode line
3.3  Direct scanning method
3.4  Grey-scale scanning
4    Recording methods
4.1  Electrosensitive method
4.2  Ink-jet method
4.3  Electrostatic method
4.4  Thermosensitive method
5    Coding and decoding
5.1  One-dimensional run-length coding
5.2  Two-dimensional coding
6    Handshaking and signalling
7    Modulation methods
7.1  Modem according to V.27ter
7.2  Modem according to V.29
7.3  Modem for Group 2 machines
8    Line interface unit
9    Central control


1 BACKGROUND

Remote copying (Fernkopieren) covers the scanning and transmission of
still images and the production of a copy of the transmitted image at
the receiving location. For this reason the term facsimile technology
(Latin "fac simile" - make similar; a reproduction that matches an
original exactly in size and execution) is also frequently used. The
remote copying service is offered by the Deutsche Bundespost (DBP)
under the name "Telefax-Dienst" (telefax service). Fax machines are in
use nationally and internationally in growing numbers. They can
transmit a written or drawn document to the recipient immediately and
true to the original, without any preparation, and thereby make
certain workflows considerably easier. According to the CCITT (Comite
Consultatif International Telegraphique et Telephonique, International
Telegraph and Telephone Consultative Committee), fax machines are
divided into four groups. Operation in these four groups is described
by, among others, the following characteristics:

Group 1: Transmission time of 6 minutes for one DIN A4 page,
         analogue transmission, vertical resolution of 3.85 lines
         per millimetre.
         Group 1 fax machines are no longer of any significance today.

Group 2: Transmission time of 3 minutes for one DIN A4 page,
         analogue transmission in the telephone network, vertical
         resolution of 3.85 lines per millimetre. Group 2 machines
         are now of only very minor significance.

Group 3: Transmission time of about half a minute per DIN A4 page,
         referred to a so-called standard letter standardized by the
         CCITT, analogue transmission of a modulated digital signal
         in the telephone network, vertical resolution of 3.85 or 7.7
         lines per millimetre and a horizontal resolution of 8
         picture elements per millimetre.

Group 4: The characteristics of Group 4 are defined independently of
         the network. The following description applies to the ISDN
         (Integrated Services Digital Network) and therefore to the
         area served by DBP TELEKOM. Transmission time of 8 seconds
         per DIN A4 page (standard letter according to CCITT), digital
         transmission in digital networks at a transmission rate of up
         to 64 kbit/s; the resolution is about 8 to 16 dots per
         millimetre vertically and horizontally.

Of the Group 1 and Group 2 fax machines that were offered when the
telefax service began, only a few are still in operation today.
Group 3 fax machines are becoming increasingly important because they
offer shorter transmission times and greater ease of use. Group 4 fax
machines are intended for operation in the ISDN (applies only to the
area served by DBP TELEKOM).


2 TECHNICAL DESIGN OF FAX MACHINES

According to their construction, fax machines are divided into drum
and flatbed machines. In drum machines the document to be scanned, or
the paper to be recorded on, is clamped onto a drum. In flatbed
machines the document or the paper is fed in flat. Group 2 fax
machines work predominantly as drum machines, Group 3 or 4 fax
machines as flatbed machines. ...
The reading unit has the task of converting the information on the
document to be transmitted into analogue electrical signals. These
then pass to the coder, where they are converted into digital signals
with redundancy reduction (see Section 5) and passed on to the modem.
In a modem the digital signals are converted using special modulation
methods (e.g. differential phase modulation, see Section 7.1). The
line interface unit handles the electrical matching to the telephone
network (applies to Group 3 machines). The received signals pass via
the line interface unit and the modem to the decoder, which converts
them into a digital signal and thus restores them to their original
form. The recording unit then prints the line onto the paper. The
central control unit controls the entire fax system and coordinates
the fax transmission. The course of a transmission is monitored and
ordered by handshake signals that the fax machines taking part in the
transmission exchange with one another. Among other things, these
signals serve to identify the machine group and the available machine
functions and to confirm the transmission.


3 SCANNING METHODS

3.1 Scanning with a photodetector

In this scanning method the document to be sent is scanned by a spot
of light that is steered across the document at constant speed. This
is achieved by clamping the document onto a drum. Through the rotation
of the drum and the simultaneous deflection of the light spot towards
the end of the drum, the document is scanned line by line. Before
scanning begins, an additional phasing signal from the sender causes
the drums of the two machines taking part in the transmission to reach
the same phase position relative to the scanning or writing head. The
amount of light reflected from the document is measured by a
photodetector (a light-sensitive component).
The result is a signal that is a time analogue of the scanned line; it
is modulated and transmitted over the telephone network to the remote
station. This method was used mainly in Group 2 machines.

3.2 Scanning with a photodiode line

Newly developed fax machines use flatbed scanning exclusively. In
these machines the fault-prone and maintenance-intensive mechanics
have been replaced by integrated optical and electronic assemblies.
With the aid of a CCD line (Charge Coupled Device, a storage
component), not each individual picture element but the entire line is
scanned at once. At the scanning point the document to be transmitted
is illuminated across its full width by a fluorescent lamp. The light
reflected from the document is deflected by a mirror and passes
through high-quality optics, reduced to the correct scale, onto a
high-resolution light-sensitive semiconductor line (CCD). For a
scanning width of 216 millimetres (corresponding to DIN A4), for
example, this consists of 1728 individual photodiodes arranged in a
row. When light falls on them, the internal resistance of these
photodiodes becomes low, so that a charged capacitor connected in
parallel is discharged relatively quickly. If no light falls on the
diodes, the corresponding capacitors hold their charge for a short
time. The charge state of the capacitors - charged or uncharged - is
read out one after another by means of an electrical voltage,
digitized and then passed to a RAM (Random Access Memory, read-write
memory) for further processing.

3.3 Direct scanning method

The latest state of scanning technology is the so-called direct
scanning of documents with a CIS line (Contact Image Sensor,
semiconductor contact sensor; light-sensitive semiconductors that are
brought into direct contact with the paper of the document during
image scanning).
Because the optical components (lenses, mirrors) are no longer needed,
these machines are easier to maintain. Impairment caused by dust on
optical parts is virtually ruled out. At the scanning point the
document to be transmitted is illuminated across its full width by
light-emitting diodes; compared with the conventional light source
this has the advantage of lower power consumption and a longer service
life. The light produced by the light-emitting diodes falls through
small openings in the sensors onto the document. It is then reflected
by the document and directed via fibre optics with a short focal
length, at a scale of 1:1, onto the semiconductor contact sensor
(CIS). This consists, for example, of 1728 photo elements arranged in
a row, which corresponds to a scanning width of 216 millimetres (DIN
A4). When light falls on the photo elements, an electrical charge is
produced in them whose size is proportional to the amount of incident
light. Under the influence of an externally applied voltage the charge
is read out by an electrical circuit, digitized and then passed on to
a RAM.

3.4 Grey-scale scanning

In normal operation, Group 3 and Group 4 fax machines recognize and
transmit black and white picture elements during scanning. If
required, however, halftones, i.e. photos and documents with different
grey values, can also be transmitted. Grey values are halftones that
can take on any degree of brightness between white and black. The rule
is: the more grey levels are recognized, the better the resolution and
the overall impression of the reproduced image. Today's fax machines
work with a resolving power of 16 grey levels. So that the grey levels
can be represented using black and white picture elements only, the
halftones have to be converted into more or less dense patterns of
black and white picture elements.
This deceives the eye, which perceives different black-and-white
patterns as an impression of grey. To carry out this conversion, the
"dither method" known from printing technology is used. The scanning
unit evaluates the halftones (e.g. 16 levels) according to the
analogue voltage values received from the reflecting surface and
stores them in a memory. A white area corresponds to grey value 0 and
a black area to grey value 16. The conversion is then carried out per
unit of area, i.e. for a low grey value few black picture elements per
unit of area and for a high grey value more black picture elements per
unit of area. The converted information can now be processed further
as black or white picture elements. As a result, a fax machine that
has no grey-scale scanning itself can also receive and print grey
values. Halftone scanning does, however, lead to longer transmission
times, because the run lengths are interrupted more often.


4 RECORDING METHODS

During recording, the received electrical signals are reproduced on a
carrier, usually a special paper, as visible line elements (in Group 2
machines) or as picture elements (in Group 3 and Group 4 machines).

4.1 Electrosensitive method

The electrosensitive (sensitive to electrical currents or voltages)
recording method was used predominantly in drum machines of older
design. The receiving paper used (a special paper) consists of a
carrier layer that bears a black colour layer and a light top layer.
An electrically driven burning needle burns away the light top layer,
so that the black colour layer becomes visible at these points. In
this method the burning produces odour and dust, which affect the
machine and its surroundings to a not inconsiderable extent.
For this reason the method is no longer used today.

4.2 Ink-jet method

In this method, also called ink-jet, a jet of ink whose quantity is controlled is sprayed onto the receiving paper. The ink writing unit consists of a print head with several nozzle channels and an ink reservoir, and is mounted on a carriage. The writing unit described here works on the so-called negative-pressure principle, i.e. whenever no droplet is being ejected, there is negative pressure in the nozzle. To eject a droplet, the pressure in the nozzle is raised briefly by a piezoelectric transducer that surrounds each nozzle channel and to which a voltage is briefly applied. Precisely dimensioned voltage pulses allow individual droplets to be released in a targeted way. This method is, however, no longer used for facsimile.

4.3 Electrostatic method

On the receiving paper, the areas to be blackened are given an electric charge by a needle print unit. In a further step, dry toner (a fine black powder) is applied, which adheres only to the charged areas. The toner particles are then melted by heat and thus permanently fixed to the paper surface. This recording method will gain importance for high-performance machines in the future, once the charge no longer has to be applied to special paper with individual needles and an intermediate carrier and plain paper can be used instead. The information to be printed is applied to the intermediate carrier (drum) by light (e.g. a laser beam), as in office copiers.

4.4 Thermosensitive method

The thermosensitive (heat-sensitive) recording method is the most commonly used method.
Recording is carried out with a thermal comb on thermosensitive roll paper. The thermal comb is pressed against the platen roller, e.g. by a pressure spring. The stepper motor pulls the paper past the thermal comb line by line. For the width of a DIN A4 sheet (216 mm), the thermal comb consists of 1728 resistor elements arranged in a row, each of which is driven in succession via a matrix circuit. The driven resistor elements are heated by the current. The heat causes a reaction between the colour granules and the colour developer contained in the colour-developing layer of the thermal paper. The paper turns black at the corresponding points. Matrix addressing reduces circuit complexity and allows the thermal comb and its drive circuitry to be mounted together on one carrier (e.g. a ceramic plate).

5 CODING AND DECODING

In Group 2 facsimile machines the document is scanned "point by point" along the scan line regardless of its information content, and the resulting signals are processed in analogue form; the transmission time for each DIN A4 page is therefore fixed. This means that even for a blank white sheet of paper, all white picture elements have to be detected and transmitted individually. To shorten this lengthy transmission, Group 3 facsimile machines first prepare the image information digitally as picture elements along a scan line; the redundancy it contains (Latin: superfluity, overabundance; in this context a longer sequence of identical information, e.g. white picture elements) is largely removed by source coding before transmission and restored after transmission, so that a DIN A4 page can be transmitted over a telephone channel within one minute or less.

5.1 One-dimensional run-length coding

This digital transmission method allows a short transmission time with high resolution and good image quality. Picture elements of the same brightness (e.g. white or black) are combined into one code word, which removes part of the redundancy contained in the image before transmission. The image content can thus be transmitted in compressed form without loss of information. One-dimensional coding means that the information is coded line by line. During coding, picture elements are combined into a group, also called a run length, and replaced by a code word from the table. In the MHC method used (Modified Huffman Code, a special coding rule), a base code word is defined for each run length from 0 to 63 picture elements, separately for black and white run lengths. For run lengths of 64 to 2560 picture elements, a second code word is placed in front. This so-called make-up code word represents a multiple of 64, which reduces the time required. After each completely coded line of information comes the code word EOL (End of Line). This ensures that run-length synchronisation is restored after a line. The code word EOL is also used to detect transmission errors. The sum of all picture elements sent must match the sum of all picture elements received. It is communicated to the receiving machine as a basic parameter before image transmission.
If the received sum for a line does not match the basic parameter received beforehand, an error counter is incremented, and at a certain predefined error rate an error message is printed at the receiver. For Group 3 facsimile machines, minimum transmission times per line are defined. This ensures that, regardless of the document content, sender and receiver can adjust to the shortest possible time for transmitting a line. To fill out these times, the sender inserts fill bits between the last coded line information and the EOL character. During the digital handshake the receiver tells the sender the minimum line transmission time, to which the sender adjusts by sending a corresponding number of fill bits. For error-free transmission, further conditions must also be met:

- To reproduce the white and black values true to the original, every line must always begin with a white run length. If the line begins with black, a white run length of zero is sent first.
- To achieve line synchronisation, the code word EOL is sent at the beginning of a page and at the end of every line.
- The end of transmission of a document is signalled by sending six EOL code words.

To be able to reproduce the individual picture elements in the correct position on the received copy, the run lengths must be decoded again at the receiving end. This is done by the receiving-side decoder. The code word EOL was chosen so that this bit combination cannot occur within a sequence (EOL corresponds to 000000000001).

5.2 Two-dimensional coding

To shorten the transmission time further, the information can be coded in a two-dimensional method, the Modified Read Code (MRC).
Here, one line is first scanned and coded as the reference line. For the following lines, only the deviations from the reference line are then determined and coded. The difficulty with two-dimensional coding is error propagation when a corrupted line is received. To limit the affected area, at most K-1 consecutive lines may be coded two-dimensionally after each one-dimensionally coded line. For Group 3 machines the factor K is set to K = 2 at 3.85 lines/mm (standard resolution) and to K = 4 at 7.7 lines/mm (fine resolution) (CCITT Recommendation T4). There is also the Modified Modified Read Code (MMR), with which a larger number of subsequent lines can be coded two-dimensionally after one coded reference line. The MMR code is currently used exclusively in Group 4 facsimile machines. Since these machines allow almost error-free transmission in data networks, the factor K can tend towards infinity.

6 HANDSHAKING AND SIGNALLING

To ensure smooth interworking of two facsimile machines in the public telephone network, certain procedures are prescribed. The sequence of a facsimile transmission is divided into five phases. Tonal handshaking is carried out by transmitting certain audio frequencies and is intended for the simple operating modes of Group 2. Digital handshaking is reserved for Group 3 machines. However, since Group 3 machines are also backward compatible with Group 2 machines, i.e. they must be able to adapt to the Group 2 operating modes, they send both tonal and digital signals to the remote station in the initial phase; for Group 3 facsimile machines, digital handshaking in accordance with CCITT Recommendation T.30 is required.
By means of digital handshaking, the exchange of extensive procedural signals in the form of commands and responses between the two machines ensures reliable operation. An HDLC block structure is used for this (High-Level Data Link Control; an internationally defined data transmission procedure that groups data into blocks). The HDLC block structure is made up of several blocks, each of which is divided into a number of fields. This structure allows frame identification, error checking and acknowledgement of correctly received information. If the remote station (receiver) is in "automatic receive" mode, it automatically detects the line identification of the sending machine and transmits the CED call answer signal (Called Station Identification) at a frequency of 2100 Hz to the sender. Both machines are now connected to the telephone network. The receiver sends its parameter message NSF (Non Standard Facilities), the digital parameter message DIS (Digital Identification Signal) and CSI (Called Subscriber Identification). The NSF and DIS messages contain information about the capabilities available at the receiving end (paper width, transmission speed, printing speed, resolution, subscriber identification, etc.). The sending machine then likewise reports its parameters NSS (Non Standard Set Up, the set-up command for non-standard facilities) and TSI (Transmitting Subscriber Identification, the subscriber identification of the sending station). The NSF and NSS signals are not basic parameters and therefore do not have to be transmitted in every case. The signals are transmitted at a speed of 300 bit/s. The sender then transmits the training signal TCF (Training Check) in accordance with CCITT Recommendation V.29 (for 9600/7200 bit/s) or V.27ter (Latin for "three times"; the suffix "ter" denotes the third version of CCITT Recommendation V.27) (for 4800/2400 bit/s), depending on the technical capability of the receiver. During this so-called training, the line condition or the quality of the telephone line is checked and the transmission speed is set according to its condition. This signal causes automatic adaptation and synchronisation at the receiving end. Once synchronisation is complete, the receiver reports its readiness to receive to the sender with the signal CFR (Confirmation To Receive). The actual image transmission of the document now begins according to V.27ter or V.29, depending on the receiver's capabilities and the characteristics of the line. At the end of transmission the sender sends the end signal EOP (End Of Procedure). The receiver then sends the sender a positive acknowledgement with MCF (Message Confirmation); on receiving this signal, the sender transmits the release command DCN (Disconnect). The connection between the two machines is then cleared, and the subscriber lines are available again for telephone use.

7 MODULATION METHODS

Analogue channels in the telephone network are available for transmitting facsimiles. The frequency range of a telephone channel (300 Hz to 3400 Hz) that is usable for facsimile transmission lies roughly between 800 Hz and 2800 Hz. In the ranges below and above this, attenuation and delay distortion are so great that the bandwidth of the telephone channel cannot be fully used for transmitting an image signal.
Today, Group 3 facsimile technology uses modems with transmission speeds of 2400/4800 bit/s according to V.27ter and modems with transmission speeds of 7200/9600 bit/s according to V.29.

7.1 Modem according to V.27ter

The differential phase modulation used for transmitting the image information allows, at a carrier frequency of 1800 Hz and constant amplitude, synchronous transmission at 2400 bit/s with four possible phase changes (0 degrees, 90 degrees, 180 degrees and 270 degrees), or synchronous transmission at 4800 bit/s with eight possible phase changes (0 degrees, 45 degrees, 90 degrees, etc.). At a data rate of 2400 bit/s the data stream to be transmitted is divided into groups of two consecutive bits, so-called dibits (2^2 = 4 phase states), or at a data rate of 4800 bit/s into groups of three consecutive bits, so-called tribits (2^3 = 8 phase changes). The phasor diagram shows the assignment of the four possible phase shifts to the dibits 00, 01, 11 and 10; the phasor diagram for tribits contains eight possible phase shifts with the associated tribits 000, 010, 011, 111, 110, 100, 101 and 001.

7.2 Modem according to V.29

In addition, the transmission speed can be increased by using amplitude/differential phase modulation. At a carrier frequency of 1700 Hz, eight possible phase changes and two possible amplitude levels give a transmission speed of 7200 bit/s, and eight possible phase changes and four possible amplitude levels give a transmission speed of 9600 bit/s.

7.3 Modem for Group 2 machines

For transmission between Group 2 machines, a combined amplitude and phase modulation with vestigial sideband transmission (AM-PH-VSB, Vestigial Sideband) is used. The modulators operate with a carrier of 2100 Hz.
A white image signal is represented by the highest possible carrier amplitude, a black image signal by a lower value. In addition, after every white-to-black transition the phase of the carrier must be shifted by 180 degrees. Amplitude modulation also makes grey-tone transmission possible.

8 LINE INTERFACE UNIT

The line interface unit, also called the line connection, is the link between the facsimile machine and the telephone network and has, among others, the following tasks:

- monitoring the line current that flows when the machine is connected,
- detecting the ringing signal,
- impedance matching (matching the machine's impedance to the telephone network), and
- decoupling the machine from the telephone line in accordance with the safety regulations (radio interference suppression, protection against overvoltages).

9 CENTRAL CONTROL

In machines of newer design, the entire control of the modules is handled by a microprocessor. Its main tasks are:

- controlling the mechanical and electrical operation of the scanning and printing units and of the paper drives,
- displaying and evaluating operator and signalling information,
- controlling the line connection, e.g. evaluating the applied ringing AC voltage and switching from telephone to facsimile operation and back,
- checking for existing connections before and after transmission,
- exchanging signalling before and after transmission,
- controlling the coder/decoder, and
- controlling the modem.

Downloaded at Thunderdome, the ATARI 8-Bit BBS. +31 416-279990 21:00 => 8:00 hours CET
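
The run-length rules of section 5.1 (every line starts with a white run, runs of 64 or more are split into a make-up part and a base part, and the receiver checks each line's pixel sum), as an added Python example that is not part of the original text. It uses symbolic code words because the text does not list the MHC bit patterns; the function names, the sample lines and the threshold `max_errors` are assumptions.

```python
LINE_WIDTH = 1728          # picture elements per A4 scan line (from the text)
WHITE, BLACK = 0, 1

def run_lengths(pixels):
    """Alternating run lengths of one line, always starting with a white run."""
    runs, color, count = [], WHITE, 0
    for p in pixels:
        if p == color:
            count += 1
        else:
            runs.append(count)      # a leading black pixel yields a white run of 0
            color, count = p, 1
    runs.append(count)
    return runs

def encode_line(pixels):
    """Symbolic code words (colour, kind, length); real MHC bit patterns omitted."""
    symbols, color = [], WHITE
    for run in run_lengths(pixels):
        name = "W" if color == WHITE else "B"
        if run >= 64:               # make-up code word: the multiple-of-64 part
            symbols.append((name, "makeup", run - run % 64))
        symbols.append((name, "term", run % 64))   # base code word, 0..63
        color ^= 1
    symbols.append("EOL")
    return symbols

def decode_line(symbols, width=LINE_WIDTH):
    """Rebuild the pixels; ok is False when the run sum differs from the line width."""
    pixels = []
    for sym in symbols:
        if sym == "EOL":
            break
        name, _kind, length = sym
        pixels.extend([WHITE if name == "W" else BLACK] * length)
    return pixels, len(pixels) == width

def receive_page(coded_lines, width=LINE_WIDTH, max_errors=2):
    """Count bad lines; max_errors is an assumed threshold, not a value from the text."""
    good, errors = [], 0
    for symbols in coded_lines:
        pixels, ok = decode_line(symbols, width)
        if ok:
            good.append(pixels)
        else:
            errors += 1
    return good, errors, errors >= max_errors

# Constructed sample lines (not captured fax data)
LINE_A = [WHITE] * 100 + [BLACK] * 3 + [WHITE] * 1625
LINE_B = [BLACK] * 5 + [WHITE] * 1723          # starts with black

if __name__ == "__main__":
    print(encode_line(LINE_A))
    print(encode_line(LINE_B))
    damaged = encode_line(LINE_A)
    del damaged[2]                              # simulate a lost code word
    print(receive_page([encode_line(LINE_A), damaged, damaged]))
```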