Posting information for alt.comp.virus

Courtesy of the alt.comp.virus newsgroup participants.
(These "anti-malware" pages are the result of a continuing cooperative effort.)


Written by: Frederic Bonroy

Alt.comp.virus is a newsgroup where you can ask for help if you ever become infected with a virus. Please read the following tips before you post to the newsgroup.

1.1 How to formulate your question

There are a few things that you should heed when you post a request for help:
  • If you suspect a virus, run an up-to-date virus scanner. It's generally not possible to identify a virus by its file name or a couple of symptoms.
  • If you want information on a virus, search for a description of the virus on the web sites of different anti-virus producers (preferably on the web site of the producer of the scanner that reported the virus because different producers often give different names to the same virus).
  • Describe your problem precisely.
    Details should include:

    • the name and version of the virus scanner as well as the date of the virus definition files
    • the operating system
    • the exact name of the virus as reported by the scanner or
    • an exact description of problems and symptoms
  • Please do not post suspicious code or binaries or links to suspicious code or binaries to the newsgroup!
  • Please do not ask for viruses.
Please read the FAQ before posting a question as it may already have been answered.

The FAQ is here: http://www.faqs.org/faqs/computer-virus/alt-faq/part1/index.html

The Macintosh user FAQ is here: http://www.faqs.org/faqs/computer-virus/macintosh-faq/index.html


1.2 Viruses in alt.comp.virus

Please note that there is a lot of noise (rubbish) in alt.comp.virus. The Hybris worm posts its plugins there and the VBS/Sorry virus posts infection reports. These messages are not dangerous - you could open them and read them - but they are terribly obnoxious and therefore you should killfile them. You can either filter by subject (the VBS/Sorry reports have subject lines such as "Statistics", "Da word on da street is..." or "FREE TIBET!") or you can filter by the sender. If you filter out messages sent using anonymous remailers, you will not see these virus-generated messages, and at the same time you may also filter out silly messages posted by anonymous cowards who just want to wreak havoc.

If you post to alt.comp.virus, you might be sent Hybris via email. This virus is not sent intentionally. If you do not open attachments sent to you from unknown people, then you are safe. Also you don't need to be afraid of receiving 10 copies of this virus every day - I post to alt.comp.virus almost daily and I have received the virus only once or twice in several months. You may also receive the Badtrans virus. It is unlikely, but it is possible.

It is quite possible that you will come across messages with binary files attached. Do not open an attachment under any circumstances, even if the author of the message claims it is benign!

If you synchronize messages (i.e. you tell your newsreader to download all messages in order to be able to read them offline), binary files will also be downloaded, including the virus if they contain one. Effectively this means that you will have a virus on your computer, but this virus is completely harmless as long as you do not execute the binary file. If you have a memory-resident anti-virus program, it will likely alert on that virus, but you can ignore the alert if you do not execute the file. If your newsreader allows you to delete single messages from your hard disk, take advantage of that option.
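
The killfile and attachment advice in this section, combined into one triage pass over downloaded articles. This is an added example, not part of the original page: the subject list is the one given above, while the sender fragments, function name and sample articles are constructed assumptions.

```python
import email
import re
from email import policy

# Subjects the page lists for VBS/Sorry reports (compared case-insensitively).
KILL_SUBJECTS = {"statistics", "da word on da street is...", "free tibet!"}
# Hypothetical sender fragments standing in for anonymous remailers (assumption).
KILL_SENDERS = ("remailer.example", "anon.invalid")
# A uuencoded file inside a text body starts with "begin <mode> <name>".
UU_BEGIN = re.compile(r"^begin [0-7]{3,4} \S+", re.MULTILINE)

def triage(raw):
    """Classify one raw article as 'kill', 'binary' or 'keep' without decoding payloads."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    sender = str(msg["From"] or "").lower()
    if subject in KILL_SUBJECTS or any(s in sender for s in KILL_SENDERS):
        return "kill"
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename() or part.get_content_maintype() != "text":
            return "binary"  # MIME attachment: delete the article, never open it
        if UU_BEGIN.search(part.get_payload()):
            return "binary"  # uuencoded file pasted into the body
    return "keep"

# Constructed sample articles (not real posts).
SAMPLES = {
    "worm_report": "From: someone@host.example\nSubject: FREE TIBET!\n\nreport text\n",
    "remailer": "From: Nobody <nobody@remailer.example>\nSubject: hello\n\nflame\n",
    "uuencoded": "From: a@host.example\nSubject: try this\n\nbegin 644 tool.exe\nM...\nend\n",
    "mime_attachment": (
        "From: b@host.example\nSubject: fix\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="XX"\n\n'
        "--XX\nContent-Type: text/plain\n\nsee attached\n"
        '--XX\nContent-Type: application/octet-stream; name="fix.exe"\n'
        "Content-Transfer-Encoding: base64\n\nAAAA\n--XX--\n"
    ),
    "question": "From: c@host.example\nSubject: Scanner reports W32/Hybris\n\nDetails...\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", triage(raw))
```

Exact subject matching is used so that a genuine question whose subject merely contains the word "Statistics" is not killfiled.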


1.3 Malicious scripts in alt.comp.virus

A script is a set of instructions that can be embedded in a news or email message. Scripts can be malicious, which is why you should disable script support in your newsreader.

Netscape 4.5 and above, Netscape 6, 7 and Mozilla:
Choose "Edit", "Preferences", "Advanced", and uncheck the option "Enable JavaScript for Mail and News"

Netscape 4.0x:
JavaScript for Mail and News and the browser cannot be disabled separately - at least not in the GUI. You could try the following (untested): Close Netscape, open the file prefs.js located in the Netscape\users\<your_profile_name> folder in a text editor and add the following line to it:
user_pref("javascript.allow.mailnews", false);

Outlook Express (by Paul Schmehl):
Preventing scripts from running in Outlook Express newsreader is done through the Tools/Options/Security menu. In the Security Zones menu, select the radio button beside "Restricted sites zone (More secure)". Note that the settings for the Restricted sites zone are actually controlled through the Internet Explorer interface. To verify that scripting is disabled (and really everything should be disabled for Restricted sites), open Internet Explorer, go to Tools/Internet Options, click on the Security tab, click on the red icon for Restricted sites, and select Default level. This will disable all forms of active content. Note: these instructions are written for the most current versions of Internet Explorer (Version 4.40.4522.1800IC) and Outlook Express (5.50.4522.1200) running on Windows. If you have older versions, you should update. You must also run Windows Update to apply all Critical Patches, or even the Restricted sites zone will not protect you from malicious content.

Alternatively, you may want to switch to a safe newsreader which is not vulnerable to malicious scripts:


1.4 Trolls

There are a few trolls in alt.comp.virus. A troll is an annoying person who repeatedly posts offensive messages. For a more comprehensive definition, see this web site. Don't bother responding to them - that is exactly what they want and expect you to do and your arguments, no matter how eloquent and correct they are, won't stop them. Add trolls to your killfile immediately; they are not worth a single nanosecond of your attention.


1.5 Alternative newsgroup

The paragraphs above may have discouraged you from posting to alt.comp.virus. That was not their purpose. If you are prudent and do not click on everything that moves, then you have absolutely nothing to fear. If you still don't want to post to alt.comp.virus, try alt.comp.anti-virus instead. Note that everything mentioned in this section also applies to alt.comp.anti-virus, except for the Hybris and VBS/Sorry viruses. They do not (yet) haunt alt.comp.anti-virus.

© Claymania Creations 2001 - 2008. All rights reserved.

Updated: November 5, 2002