[comp.virus] How safe are FTP sites from viruses?

tanu@beach.csulb.edu (Tanu Kartawiria) (11/02/90)

I don't know if this has been posted before, but how safe are
anonymous FTP sites from viruses?

Thanks,

tanu@wren.acs.csulb.edu
tanu@beach.csulb.edu

mitchell@thesis1.hsch.utexas.edu (Philip Mitchel) (11/13/90)

The question was asked, "How safe are anonymous FTP sites from
viruses"?  I'd like to know the answer as well.  A user at our site
just retrieved some text files from the anonymous ftp server at
apple.com and found that her floppies began to be corrupted.  McAfee's
virus scan identified the Stoned virus in the partition table.  The
only known route of "infection" was the ftp connection.
     By the way, what is the usual process for removing a virus such
as this once found?  (I know, rank beginner question...we all start
somewhere).  Thanks.

[Ed. The only way (that I know of) to get infected by a virus via an
anonymous FTP site would be to download an infected executable file
and then execute it; I don't believe that this could have happened by
merely downloading a text file.  As such, a properly administered
anonymous FTP site is as safe as a properly administered bboard
system.  It is always a good idea (in my opinion) to use a virus
scanning product on any new software, shrinkwrap or public/shareware.]

--
Phil Mitchell                     mitchell@thesis1.hsch.utexas.edu
  "No one is to be blamed for any damned fool thing I say, either."

schriste@uceng.UC.EDU (Steven V. Christensen) (11/16/90)

mitchell@thesis1.hsch.utexas.edu (Philip Mitchel) writes:

>...A user at our site
>just retrieved some text files from the anonymous ftp server at
>apple.com and found that her floppies began to be corrupted.

>[Ed. The only way (that I know of) to get infected by a virus via an
>anonymous FTP site would be to download an infected executable file
>and then execute it; I don't believe that this could have happened by
>merely downloading a text file.

I totally agree. But the executable file you download doesn't have to be
infected at the FTP source to get you. Let me explain: I downloaded a Self-
Extracting Archive (something I loathe to do) from wuarchive directly to
a clean floppy on a PC at school. But what I didn't know was that the
PC was infected. When I brought the program home to my PC, all ^%#* broke
loose. I too thought that wuarchive had an infected file. But I checked things
out, and old Typhoid Mary PC at school was the culprit.

The moral? Always work in archive files (quite hard/impossible to infect
if the files are originally clean) and check, check, check everything
when you get it out of the archive.


		Steven

>[Ed cont.] It is always a good idea (in my opinion) to use a virus
>scanning product on any new software, shrinkwrap or public/shareware.]

Amen!
--
Steven V. Christensen
U.C. College of Eng.
schriste@uceng.uc.edu
For the adventurous: svc@elf0.uucp

maven@rata.vuw.ac.nz (Jim Baltaxe) (11/20/90)

mitchell@thesis1.hsch.utexas.edu (Philip Mitchel) writes:
>The question was asked, "How safe are anonymous FTP sites from
>viruses"?  I'd like to know the answer as well.  A user at our site
>just retrieved some text files from the anonymous ftp server at
>apple.com and found that her floppies began to be corrupted.  McAfee's
>virus scan identified the Stoned virus in the partition table.  The
>only known route of "infection" was the ftp connection.

     Just a reminder that the Stoned virus is a boot sector invader
     and executes only when a machine is booted from an infected disk.
     Simply running _any_ program whether FTP'd or not will not result
     in activating this virus. Therefore, there must have been another
     route of infection (vector?). For beginners (aren't we all...)
     tell people never to leave a disk in a drive when you turn a
     machine either on or off. On is obvious - to avoid executing a
     boot sector virus (this can happen even if the diskette is not
     a system disk). Off is included simply to prevent people from
     forgetting to take it out before they turn the machine on again.

>     By the way, what is the usual process for removing a virus such
>as this once found?  (I know, rank beginner question...we all start
>somewhere).  Thanks.

     Most of the major anti-virals will find and remove the Stoned virus
     but if you want a specific for the Stoned virus, try using our
     NOSTONE.EXE which is available for anonymous FTP from several
     sites including our own, rata.vuw.ac.nz. Get /pub/nostone.exe.

Jim Baltaxe - MAVEN@vuw.ac.nz
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
There are some days when I can't be sure whether life is trying to
pass me by or trying to run me over.

sauron@stretch.cs.mun.ca (Patrick Ryan) (11/29/90)

maven@rata.vuw.ac.nz (Jim Baltaxe) writes:

>     Just a reminder that the Stoned virus is a boot sector invader
>     and executes only when a machine is booted from an infected disk.
>     Simply running _any_ program whether FTP'd or not will not result
>     in activating this virus. Therefore, there must have been another

Are you SURE?  I would disagree... the lab in our building has Stoned
infections occurring very frequently, and not all of them are due to
people booting from infected disks.  If that WERE the case, how would
it spread to a floppy from hard drive?

+-----------------------------------------/
|  WARNING!!!!  Temporary .signature    /
| New one under construction!! Thank you\
+--------------------------------------/

CHESS@YKTVMV.BITNET (David.M.Chess) (11/30/90)

Patrick Ryan <sauron@stretch.cs.mun.ca>:
> Are you SURE?  I would disagree... the lab in our building has Stoned
> infections occurring very frequently, and not all of them are due to
> people booting from infected disks.  If that WERE the case, how would
> it spread to a floppy from hard drive?

Every Stoned virus that I've ever seen infects only when a machine is
booted from an infected diskette or hard disk.  When a machine with a
hard disk is booted from an infected floppy, the virus infects the
hard disk and loads itself into memory; when a machine is booted from
an infected hard disk, it just loads into memory.  While the virus is
in memory, it will infect any diskette used in Drive A: (roughly).
   It is of course possible that someone's written a Trojan Horse (or
even a virus) that lives in an EXE or COM file, and installs the
Stoned virus on hard disks under some circumstances.  I've never seen
such a program, though...

DC

sturdee@troa02.enet.dec.com (Peter Sturdee) (11/30/90)

In Virus-l V3 #190, Patrick Ryan <sauron@stretch.cs.mun.ca> writes:

>... the lab in our building has Stoned infections occurring very frequently,
>and not all of them are due to people booting from infected disks.  If that
>WERE the case, how would it spread to a floppy from hard drive?

    The only time I have had the misfortune to have to deal with a virus,
    was when my portable came back from the shop with someone else's
    (infected) hard drive in it.  I didn't notice until after I had
    formatted several 1.44 meg floppies.  I then puzzled over why they
    were not able to be read by the drive.  Remembering that the Stoned
    virus was written before 3.5" disks and had a hard time dealing with
    them, I had a look at the boot sector.  Bingo, Stoned on all the
    floppies and the hard drive.

    I do not know by what other means the Stoned virus spreads from hard
    drive to floppy, but the format utility did do it for me.

    On the other hand, I still do not see how the Stoned virus got off of
    an FTP site and onto a PC.

    Peter

    (We don't get .sig files here)